contrast-agent 7.0.0 → 7.2.0

data/lib/contrast/agent/protect/rule/xxe/xxe.rb

@@ -37,7 +37,7 @@ module Contrast
           # @raise [Contrast::SecurityException] Security exception if an XXE
           #   attack is found and the rule is in block mode.
           def infilter context, framework, xml
-            return if protect_excluded_by_url?(rule_name, context.request.path)
+            return if protect_excluded_by_url?(rule_name)
 
             result = find_attacker(context, xml, framework: framework)
             return unless result

data/lib/contrast/agent/reporting/client/interface.rb

@@ -0,0 +1,132 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/client/interface_base'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Client
+        # Interface to safely manage connections across threads.
+        class Interface < Contrast::Agent::Reporting::Client::InterfaceBase
+          # Execute startup routine and
+          def startup
+            with_monitor { reporter_client.startup!(reporting_connection) }
+          end
+
+          # @param event [Contrast::Agent::Reporting::ReportingEvent]
+          # @return [Net::HTTPResponse]
+          def send_event event
+            with_monitor { reporter_client.send_event(event, reporting_connection) }
+          end
+
+          # return [Boolean]
+          def sleep?
+            with_monitor { reporter_client.sleep? }
+          end
+
+          # Retry once than discard the event. This is trigger on too many events of
+          # same kind error.
+          #
+          # @param event [Contrast::Agent::Reporting::ReportingEvent]
+          def handle_resend event
+            with_monitor do
+              reporter_client.handle_resend(event, reporting_connection)
+            end
+          end
+
+          # Check to see if client exists and there is connection
+          #
+          # @return [Boolean
+          def connected?
+            with_monitor do
+              return true if reporter_client && reporting_connection
+
+              false
+            end
+          end
+
+          # Check to see if statup connections are sent or not
+          def startup_messages_sent?
+            with_monitor { reporter_client.status.startup_messages_sent? }
+          end
+
+          # Check to see if event need to be resend
+          #
+          # @return [Boolean, nil]
+          def resending?
+            with_monitor { reporter_client.mode.status == reporter_client.mode.resending }
+          end
+
+          # Return timeout in ms
+          def timeout
+            with_monitor { reporter_client.timeout } || Contrast::Agent::Reporting::ResponseHandler::TIMEOUT
+          end
+
+          # @return headers [Contrast::Agent::Reporting::Headers]
+          def headers
+            with_monitor { reporter_client.headers }
+          end
+
+          # Response_handler
+          #
+          # @return [Contrast::Agent::Reporting::ResponseHandler]
+          def response_handler
+            with_monitor { reporter_client.response_handler }
+          end
+
+          def status
+            with_monitor { reporter_client.status }
+          end
+
+          private
+
+          # @return [Contrast::Agent::Reporting::ReporterClient]
+          def reporter_client
+            @_reporter_client ||= Contrast::Agent::Reporting::ReporterClient.new
+          end
+
+          # @return [Net::HTTP, nil] Return open connection or nil
+          def reporting_connection
+            @_reporting_connection ||= reporter_client.initialize_connection
+          end
+        end
+      end
+
+      module Telemetry
+        # Interface to safely manage connections across threads.
+        class Interface < Contrast::Agent::Reporting::Client::InterfaceBase
+          URL = 'https://telemetry.ruby.contrastsecurity.com/'
+
+          # Check to see if client exists and there is connection
+          #
+          # @return [Boolean
+          def connected?
+            with_monitor do
+              return true if telemetry_client && telemetry_connection
+
+              false
+            end
+          end
+
+          # Starts telemetry request.
+          def request_with_response event
+            with_monitor do
+              telemetry_client.handle_response(telemetry_client.send_request(event, telemetry_connection))
+            end
+          end
+
+          private
+
+          def telemetry_client
+            @_telemetry_client ||= Contrast::Agent::Telemetry::Client.new
+          end
+
+          def telemetry_connection
+            @_telemetry_connection ||= telemetry_client.initialize_connection(URL)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/client/interface_base.rb

@@ -0,0 +1,27 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'monitor'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Client
+        # Common methods for Client interface.
+        class InterfaceBase
+          # Execute calls to connection with thread safety.
+          def with_monitor &block
+            monitor.synchronize(&block)
+          end
+
+          private
+
+          # @return [Monitor]
+          def monitor
+            @_monitor ||= Monitor.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/connection_status.rb

@@ -10,7 +10,6 @@ module Contrast
           @last_success = nil
           @last_failure = nil
           @startup_messages_sent = false
-          @_startup_server_message_sent = false
         end
 
         # Whether we have sent startup message to TeamServer. True after successfully sending startup messages to

data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb

@@ -4,7 +4,7 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
-require 'contrast/agent/reporting/input_analysis/details/protect_rule_details'
+require 'contrast/agent/reporting/details/protect_rule_details'
 
 module Contrast
   module Agent
@@ -112,14 +112,16 @@ module Contrast
 
         # Additional per rule details containing more specific info.
         #
-        # @param protect_rule_details [Contrast::Agent::Reporting::ProtectRuleDetails]
+        # @param protect_rule_details [Contrast::Agent::Reporting::Details::ProtectRuleDetails]
         def details= protect_rule_details
-          @_details = protect_rule_details if protect_rule_details.is_a?(Contrast::Agent::Reporting::ProtectRuleDetails)
+          return unless protect_rule_details.is_a?(Contrast::Agent::Reporting::Details::ProtectRuleDetails)
+
+          @_details = protect_rule_details
         end
 
         # Additional per rule details containing more specific info.
         #
-        # @return [Contrast::Agent::Reporting::ProtectRuleDetails, nil]
+        # @return [Contrast::Agent::Reporting::Details::ProtectRuleDetails, nil]
         def details
           @_details
         end

data/lib/contrast/agent/reporting/reporter.rb

@@ -6,14 +6,17 @@ require 'contrast/agent/reporting/report'
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/reporting_events/agent_startup'
 require 'contrast/agent/telemetry/exception'
+require 'contrast/agent/reporting/client/interface'
 
 module Contrast
   module Agent
     # This module will hold everything essential to reporting to TeamServer
-    class Reporter < WorkerThread
+    class Reporter < WorkerThread # rubocop:disable Metrics/ClassLength
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Utils::ObjectShare
 
+      # How many tries to reconnect the Reporter should make.
+      RETRY_ATTEMPTS = 10
       MAX_QUEUE_SIZE = 1000
 
       class << self
@@ -27,20 +30,19 @@ module Contrast
       end
 
       def client
-        @_client ||= Contrast::Agent::Reporting::ReporterClient.new
-      end
-
-      def connection
-        @_connection ||= client.initialize_connection
+        @_client ||= Contrast::Agent::Reporting::Client::Interface.new
       end
 
       def start_thread!
+        return unless attempt_to_start?
         return if running?
 
-        client.startup!(connection)
+        @connection_attempts = 0
         @_thread = Contrast::Agent::Thread.new do
           logger.debug('[Reporter] Starting background Reporter thread.')
+          client.startup
           loop do
+            break unless attempt_to_start?
             next unless connected?
 
             process_event(queue.pop)
@@ -55,12 +57,7 @@ module Contrast
       #
       # @param event [Contrast::Agent::Reporting::ReportingEvent] Freshly pop-ed event.
       def handle_resend event
-        sleep(client.timeout) if client.sleep?
-        # Retry once than discard the event. This is trigger on too many events of
-        # same kind error.
-        client.send_event(event, connection) if client.mode.status == client.mode.resending
-        client.mode.reset_mode
-        client.wake_up
+        client.handle_resend(event)
       end
 
       # @param event [Contrast::Agent::Reporting::ReportingEvent]
@@ -93,8 +90,9 @@ module Contrast
           return
         end
         return unless event
+        return unless connected?
 
-        client.send_event(event, connection)
+        client.send_event(event)
       rescue StandardError => e
         logger.error('[Reporter] Could not send message to TeamServer from reporting queue.', e)
       end
@@ -118,23 +116,24 @@ module Contrast
         @_queue ||= Queue.new
       end
 
-      # TODO: RUBY-99999
-      # The client and connection are being used in multiple threads/ concurrently, and that's not okay. We need
-      # to figure out why that is and lock it so that it isn't.
-      #
       # @return [Boolean]
       def connected?
-        return true if client && connection
+        return true if client.connected?
 
-        logger.debug('[Reporter] No client/connection; sleeping...', client: client, connection: connection)
-        sleep(5)
+        logger.debug('[Reporter] No client/connection; sleeping...')
+        @connection_attempts += 1
+        if @connection_attempts >= RETRY_ATTEMPTS
+          logger.debug('[Reporter] shutting down..')
+          Contrast::AGENT.disable!
+        end
+        sleep(5) unless Contrast::AGENT.disabled?
         false
       end
 
       # @param event [Contrast::Agent::Reporting::ReportingEvent]
       def process_event event
-        client.send_event(event, connection)
-        handle_resend(event) if client.mode.status == client.mode.resending
+        client.send_event(event)
+        handle_resend(event) if client.resending?
       rescue StandardError => e
         logger.error('[Reporter] Could not send message to TeamServer from reporting queue.', e)
       end
@@ -156,6 +155,7 @@ module Contrast
                              stack_trace[1].path.delete_prefix(Dir.pwd)
                            end
         stack_frame_function = stack_trace.nil? || stack_trace[1].nil? ? 'none' : stack_trace[1].label
+        stack_frame_type = Contrast::Agent::Telemetry::Exception::Obfuscate.obfuscate_path(stack_frame_type)
         Contrast::Agent::Telemetry::Exception::StackFrame.build(stack_frame_function, stack_frame_type, nil)
       end
     end

data/lib/contrast/agent/reporting/reporting_events/agent_effective_config.rb

@@ -0,0 +1,32 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/reporting_events/reporting_event'
+require 'contrast/config'
+
+module Contrast
+  module Agent
+    module Reporting
+      #	AgentStartup Event which sends the agent data to TeamServer on the startup of a server or process,
+      # used to create a new Server entity there.
+      class AgentEffectiveConfig < Contrast::Agent::Reporting::ReportingEvent
+        # @param diagnostics [Contrast::Agent::DiagnosticsConfig::Diagnostics] current diagnostics
+        def initialize diagnostics
+          @event_method = :PUT
+          @event_endpoint = Contrast::Agent::Reporting::Endpoints.effective_config
+          @event_type = :effective_config
+          @diagnostics = diagnostics
+          super()
+        end
+
+        def file_name
+          'agent-effective-config'
+        end
+
+        def to_controlled_hash
+          @diagnostics.to_controlled_hash
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb

@@ -81,7 +81,7 @@ module Contrast
             safe_url = source_or_string(url || pattern)
 
             msg = new
-            msg.signature = "#{ controller }##{ method } #{ safe_pattern }"
+            msg.signature = "#{ controller }##{ method } #{ safe_pattern }" # rubocop:disable [Security/Object/Method]
             msg.verb = Contrast::Utils::StringUtils.force_utf8(method)
             msg.url = Contrast::Utils::StringUtils.force_utf8(safe_url)
             msg

data/lib/contrast/agent/reporting/reporting_utilities/audit.rb

@@ -55,17 +55,24 @@ module Contrast
         # @param event_name [String] the type portion of the file to which to write
         # @param data [any] The data to be written to the file
         def write_to_file type, event_name, data = nil
-          time = Time.now.to_i
+          time = Contrast::Utils::Timer.now_ms
           destination = type == :request ? path_for_requests : path_for_responses
           # If the feature is disabled or we have yet to create the directory structure, then we could have a nil
           # destination. In that case, take no action
           return unless destination
 
-          filename = "#{ time }_#{ Thread.current.object_id }_#{ event_name.gsub('::', '-') }_teamserver_#{ type }.json"
+          # Get process id and thread id to make sure we don't overwrite files
+          process_id = Process.pid
+          thread_id = Thread.current.object_id
+          event_title = event_name.gsub('::', '-')
+          filename = "#{ time }_#{ thread_id }_#{ process_id }_#{ event_title }_teamserver_#{ type }.json"
           filepath = File.join(destination, filename)
           logger.debug('Writing to file', eventname: event_name, filename: filename, filepath: filepath)
           # Here is use append mode, because of a slightly possibility of overwriting an existing file
-          File.open(filepath, 'a') { |f| f.write(Contrast::Utils::StringUtils.force_utf8(data)) }
+          File.open(filepath, 'a') do |f|
+            f.write(Contrast::Utils::StringUtils.force_utf8(data))
+            f.close
+          end
         rescue StandardError => e
           logger.warn('Saving audit failed', e: e)
         end

data/lib/contrast/agent/reporting/reporting_utilities/endpoints.rb

@@ -83,6 +83,13 @@ module Contrast
             end
           end
 
+          # @return [String, nil]
+          def effective_config
+            with_rescue do
+              "#{ application_endpoint }/effective-config".cs__freeze
+            end
+          end
+
           private
 
           # Returns the URL needed to connect to endpoints in TeamServer required for application related information.

data/lib/contrast/agent/reporting/reporting_utilities/headers.rb

@@ -11,7 +11,7 @@ module Contrast
       # This class will build the required headers for agent reporting to TS
       class Headers
         attr_reader :app_name, :api_key, :agent_version, :app_language, :app_path, :app_version, :authorization,
-                    :server_name, :server_path, :server_type, :content_type, :encoding, :compression
+                    :server_name, :server_path, :server_type, :content_type, :encoding, :compression, :session_id
 
         include Contrast::Utils::ObjectShare
         ENCODING = 'base64'
@@ -29,6 +29,7 @@ module Contrast
           @server_name = Base64.strict_encode64(Contrast::APP_CONTEXT.server_name)
           @server_path = Base64.strict_encode64(Contrast::APP_CONTEXT.server_path)
           @server_type = Base64.strict_encode64(Contrast::APP_CONTEXT.server_type)
+          @session_id = Contrast::CONFIG.session_id
           @content_type = CONTENT_TYPE
           @encoding = ENCODING
           @compression = COMPRESSION
@@ -46,6 +47,7 @@ module Contrast
               server_name: @server_name,
               server_path: @server_path,
               server_type: @server_type,
+              'Session-ID': @session_id,
               content_type: @content_type,
               encoding: @encoding,
               compression: @compression

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -5,14 +5,16 @@ require 'json'
 require 'net/http'
 require 'contrast/components/logger'
 require 'contrast/utils/net_http_base'
+require 'contrast/config/diagnostics/monitor'
 require 'contrast/agent/reporting/connection_status'
-require 'contrast/agent/reporting/reporting_utilities/response_handler'
-require 'contrast/agent/reporting/reporting_utilities/reporter_client_utils'
-require 'contrast/agent/reporting/reporting_utilities/endpoints'
 require 'contrast/agent/reporting/reporting_utilities/headers'
+require 'contrast/agent/reporting/reporting_utilities/endpoints'
 require 'contrast/agent/reporting/reporting_events/server_settings'
+require 'contrast/agent/reporting/reporting_utilities/response_handler'
 require 'contrast/agent/reporting/reporting_events/application_settings'
-require 'contrast/config/diagnostics'
+require 'contrast/agent/reporting/reporting_events/agent_effective_config'
+require 'contrast/agent/reporting/reporting_utilities/reporter_client_utils'
+require 'contrast/agent/reporting/reporting_utilities/resend'
 
 module Contrast
   module Agent
@@ -57,6 +59,7 @@ module Contrast
         # @param connection [Net::HTTP] open connection
         def startup! connection
           return if status.startup_messages_sent?
+          return unless connection
 
           send_agent_startup(connection)
         end
@@ -70,17 +73,17 @@ module Contrast
         def send_event event, connection
           return unless connection
 
+          response = nil
           logger.debug('[Reporter] Preparing to send reporting event', event_class: event.cs__class)
-
           request = build_request(event)
           response = connection.request(request)
-          audit&.audit_event(event, response) if ::Contrast::API.request_audit_enable
+          audit.audit_event(event, response) if ::Contrast::API.request_audit_enable
           process_settings_response(response, event)
-          record_configuration(response, event)
           process_preflight_response(event, response, connection)
+          report_configuration(response, event)
           response
         rescue StandardError => e
-          handle_error(event, e)
+          handle_response_error(event, connection, e)
         end
 
         # Write effective config to file:
@@ -90,7 +93,7 @@ module Contrast
         #
         # @param response [Contrast::Agent::Reporting::Response, nil]
         # @param event [Contrast::Agent::Reporting::ReportingEvent]
-        def record_configuration response, event
+        def report_configuration response, event
           return unless response
 
           diagnostics.config.determine_config_status(response_handler.last_response_code || response.code)
@@ -99,6 +102,11 @@ module Contrast
 
           logger.info('[Reporter Diagnostics] last response code:', response_code: response_handler.last_response_code)
           diagnostics.write_to_file
+          config_event = Contrast::Agent::Reporting::AgentEffectiveConfig.new(diagnostics)
+          Contrast::Agent.reporter.send_event(config_event)
+        rescue StandardError => e
+          #  Don't let this error bubble up and stop the agent reporting, with resending triggered.
+          logger.error('[Reporter] Error while reporting configuration', error: e, event_type: event&.cs__class)
         end
 
         def status
@@ -110,13 +118,50 @@ module Contrast
         end
 
         def diagnostics
-          @_diagnostics ||= Contrast::Agent::DiagnosticsConfig::Diagnostics.new(Contrast::LOGGER.path)
+          @_diagnostics ||= Contrast::Config::Diagnostics::Monitor.new(Contrast::LOGGER.path)
         end
 
+        # Compress data with Zlib
+        #
+        # @param event [Contrast::Agent::Reporting::ReportingEvent]
+        # @param level [Integer] compression level
+        # @param strategy [Integer] compression strategy
+        # @return [String] compressed data
+        def compress_event event, level = Zlib::DEFAULT_COMPRESSION, strategy = Zlib::DEFAULT_STRATEGY
+          compressed_data = StringIO.new.set_encoding(STRING_ENCODING)
+          gzip = Zlib::GzipWriter.new(compressed_data, level, strategy)
+          gzip.write(event.event_json)
+          gzip.close
+          gzip = nil
+          compressed_event = compressed_data.string.dup
+          compressed_data.close
+          compressed_data = nil
+          compressed_event
+        ensure
+          gzip&.close
+          compressed_data&.close
+          compressed_event
+        end
+
+        # Reads compressed data
+        #
+        # @param compresed_data [String]
+        def decompress compresed_data
+          Zlib::GzipReader.wrap(StringIO.new(compresed_data), &:read)
+        end
+
+        ##############
+        # Forwarders #
+        ##############
+
         def sleep?
           response_handler.sleep?
         end
 
+        def put_to_sleep
+          response_handler.put_to_sleep
+        end
+
         def timeout
           response_handler.timeout
         end
@@ -125,8 +170,8 @@ module Contrast
           response_handler.mode
         end
 
-        def reset_mode
-          response_handler.reset_mode
+        def enter_run_mode
+          response_handler.enter_run_mode
         end
 
         def wake_up