contrast-agent 7.0.0 → 7.2.0

data/lib/contrast/configuration.rb

@@ -15,6 +15,8 @@ require 'contrast/components/protect'
 require 'contrast/components/assess'
 require 'contrast/components/config/sources'
 require 'contrast/config/server_configuration'
+require 'contrast/config/configuration_files'
+require 'contrast/utils/hash_utils'
 
 module Contrast
   # This is how we read in the local settings for the Agent, both ENV/ CMD line
@@ -57,7 +59,8 @@ module Contrast
     DEFAULT_YAML_PATH  = 'contrast_security.yaml'
     MILLISECOND_MARKER = '_ms'
     CONVERSION = {}.cs__freeze
-    CONFIG_BASE_PATHS = ['', 'config/', '/etc/contrast/ruby/', '/etc/contrast/', '/etc/'].cs__freeze
+    # Precedence of paths, shift if config file values needs to go up the chain.
+    CONFIG_BASE_PATHS = %w[./ config/ /etc/contrast/ruby/ /etc/contrast/ /etc/].cs__freeze
     KEYS_TO_REDACT = %i[api_key url service_key user_name].cs__freeze
     REDACTED = '**REDACTED**'
 
@@ -65,9 +68,7 @@ module Contrast
       @default_name = default_name
 
       # Load config_kv from file
-      config_kv = deep_symbolize_all_keys(load_config)
-      config_sources = assign_source_to(config_kv, Contrast::Components::Config::Sources::YAML)
-
+      config_kv = Contrast::Utils::HashUtils.deep_symbolize_all_keys(load_config)
       unless cli_options
         cli_options = {}
         ENV.each do |key, value|
@@ -76,19 +77,22 @@ module Contrast
           cli_options[key] = value
         end
       end
+
       # Overlay CLI options - they take precedence over config file
-      cli_options = deep_symbolize_all_keys(cli_options)
+      cli_options = Contrast::Utils::HashUtils.deep_symbolize_all_keys(cli_options)
       if cli_options
-        config_kv = deep_merge(cli_options, config_kv)
-        config_sources = deep_merge(assign_source_to(cli_options, Contrast::Components::Config::Sources::CLI),
-                                    config_sources)
+        config_kv = Contrast::Utils::HashUtils.precedence_merge(cli_options, config_kv)
+        @_source_file_extensions = Contrast::Utils::HashUtils.
+            precedence_merge(assign_source_to(cli_options,
+                                              Contrast::Components::Config::Sources::COMMAND_LINE),
+                             @_source_file_extensions)
       end
 
       # Some in-flight rewrites to maintain backwards compatibility
       config_kv = update_prop_keys(config_kv)
       @loaded_config = config_kv
 
-      @sources = Contrast::Components::Config::Sources.new(config_sources)
+      @sources = Contrast::Components::Config::Sources.new(@_source_file_extensions)
 
       @api = Contrast::Components::Api::Interface.new(config_kv[:api])
       @enable = config_kv[:enable]
@@ -107,6 +111,11 @@ module Contrast
       convert_to_hash.to_yaml
     end
 
+    # @return [Hash] map of all extensions for each config key.
+    def source_file_extensions
+      @_source_file_extensions ||= {}
+    end
+
     # @return [Contrast::Components::Api::Interface]
     def api
       @api ||= Contrast::Components::Api::Interface.new # rubocop:disable Naming/MemoizedInstanceVariableName
@@ -142,27 +151,36 @@ module Contrast
       @protect ||= Contrast::Components::Protect::Interface.new # rubocop:disable Naming/MemoizedInstanceVariableName
     end
 
-    protected
-
-    # TODO: RUBY-546 move utility methods to auxiliary classes
+    # Base paths to check for the contrast configuration file, sorted by
+    # reverse order of precedence (first is most important).
+    def configuration_paths
+      @_configuration_paths ||= begin
+        basename = default_name.split('.').first
+        # Order of extensions comes from here:
+        extensions = Contrast::Components::Config::Sources::APP_CONFIGURATION_EXTENSIONS
 
-    def load_config
-      config = {}
-      configuration_paths.find do |path|
-        next unless File.exist?(path)
+        paths = []
+        # Environment paths takes precedence here. Look first through them.
+        paths << ENV['CONTRAST_CONFIG_PATH']     if ENV['CONTRAST_CONFIG_PATH']
+        paths << ENV['CONTRAST_SECURITY_CONFIG'] if ENV['CONTRAST_SECURITY_CONFIG']
 
-        unless File.readable?(path)
-          log_file_read_error(path)
-          next
+        extensions.each do |ext|
+          places = CONFIG_BASE_PATHS.product(["#{ basename }.#{ ext }"])
+          paths += places.map!(&:join)
         end
-        config = yaml_to_hash(path) || {}
-        @config_file = path
-        break
+        paths
       end
+    end
 
-      config
+    # List of all read configuration files.
+    #
+    # @return [Contrast::Config::ConfigurationFiles] of paths
+    def origin
+      @_origin ||= Contrast::Config::ConfigurationFiles.new
     end
 
+    protected
+
     def yaml_to_hash path
       if path && File.readable?(path)
         begin
@@ -179,6 +197,46 @@ module Contrast
       {}
     end
 
+    # TODO: RUBY-546 move utility methods to auxiliary classes
+
+    # Read through all the paths we know config may live. Merge all values from all files found.
+    # Priority is given to yaml over yml. If same keys are found on two configs with different extensions,
+    # the Agent will read first from the yaml file and ignore the values for same key on the yml file.
+    #
+    # @return config [Hash] All source configurations from files.
+    def load_config
+      config = {}
+      @_source_file_extensions = {}
+      configuration_paths.each do |path|
+        next unless File.exist?(path)
+
+        unless File.readable?(path)
+          log_file_read_error(path)
+          next
+        end
+        origin.add_source_file(path, (yaml_to_hash(path) || {}))
+      end
+      # Legacy usage: Assign main configuration file for reference.
+      @config_file = origin.main_file
+      # merge all settings keeping the top yaml files values as priority.
+      # If in top file a key exists it's value won't be changed if same key has different value in one
+      # of the other config files. Only unique values will be taken in consideration.w
+      # precedence of paths: see Contrast::Configuration::CONFIG_BASE_PATHS
+      extensions_maps = []
+      origin.source_files.each do |file|
+        config = Contrast::Utils::HashUtils.precedence_merge(config, file.values)
+        # assign source values extentions:
+        extensions_maps << assign_source_to(Contrast::Utils::HashUtils.deep_symbolize_all_keys(file.values), file.path)
+      end
+
+      # merge all origin paths to be used as extension classification to preserve the precedence of config files:
+      extensions_maps.each do |path|
+        @_source_file_extensions = Contrast::Utils::HashUtils.precedence_merge!(@_source_file_extensions, path)
+      end
+
+      config
+    end
+
     # We're updating properties loaded from the configuration files to match the new agreed upon standard configuration
     # names, so that one file works for all agents
     def update_prop_keys config
@@ -203,39 +261,6 @@ module Contrast
       config
     end
 
-    # Base paths to check for the contrast configuration file, sorted by
-    # reverse order of precedence (first is most important).
-    def configuration_paths
-      @_configuration_paths ||= begin
-        basename = default_name.split('.').first
-        names = %w[yml yaml].map { |suffix| "#{ basename }.#{ suffix }" }
-
-        paths = []
-        paths << ENV['CONTRAST_CONFIG_PATH']     if ENV['CONTRAST_CONFIG_PATH']
-        paths << ENV['CONTRAST_SECURITY_CONFIG'] if ENV['CONTRAST_SECURITY_CONFIG']
-
-        tmp = CONFIG_BASE_PATHS.product(names)
-        paths += tmp.map!(&:join)
-        paths
-      end
-    end
-
-    def deep_merge cli_config, file_config
-      cli_config.merge(file_config) do |_key, cli_value, file_value|
-        cli_value.is_a?(Hash) && file_value.is_a?(Hash) ? deep_merge(cli_value, file_value) : cli_value
-      end
-    end
-
-    def deep_symbolize_all_keys hash
-      return if hash.nil?
-
-      new_hash = {}
-      hash.each do |key, value|
-        new_hash[key.to_sym] = value.is_a?(Hash) ? deep_symbolize_all_keys(value) : value
-      end
-      new_hash
-    end
-
     private
 
     # We cannot use all access components at this point, unfortunately, as they
@@ -333,7 +358,7 @@ module Contrast
       KEYS_TO_REDACT.include?(key.to_sym)
     end
 
-    def assign_source_to hash, source = Contrast::Components::Config::Sources::YAML
+    def assign_source_to hash, source = Contrast::Components::Config::Sources::APP_CONFIGURATION_FILE
       hash.transform_values do |value|
         if value.is_a?(Hash)
           assign_source_to(value, source)

data/lib/contrast/framework/grape/support.rb

@@ -72,8 +72,7 @@ module Contrast
 
           # @param request [Contrast::Agent::Request] a contrast tracked request.
           # @param controller [::Grape::API] optionally use this controller instead of global ::Grape::API.
-          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] a Dtm describing the route
-          # matched to the request if a match was found.
+          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] the route coverage object or nil if no route
           def current_route_coverage request, controller = ::Grape::API, full_route = nil
             return unless grape_controller?(controller)
 

data/lib/contrast/framework/manager.rb

@@ -37,6 +37,9 @@ module Contrast
           logger.info('Framework detected. Enabling support.', framework: framework_klass.detection_class)
           framework_klass
         end
+
+        # Delete Rack if we have more than one framework detected
+        @_frameworks.delete(Contrast::Framework::Rack::Support) if @_frameworks.length > 1
         @_frameworks.compact!
       end
 
@@ -87,16 +90,22 @@ module Contrast
       #   this particular Request
       # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
-        # If we're mounted on Rails, use Rails.
-        if @_frameworks.include?(Contrast::Framework::Rails::Support)
-          return Contrast::Framework::Rails::Support.retrieve_request(env)
+        if Contrast::Utils::DuckUtils.empty_duck?(@_frameworks)
+          return Contrast::Framework::Rack::Support.retrieve_request(env)
         end
 
-        # If we know the framework, use it.
-        return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
-
-        # Fall back on a regular Rack::Request
-        ::Rack::Request.new(env)
+        framework = @_frameworks[0]
+
+        case framework.cs__name
+        when 'Contrast::Framework::Rails::Support'
+          Contrast::Framework::Rails::Support.retrieve_request(env)
+        when 'Contrast::Framework::Grape::Support'
+          Contrast::Framework::Grape::Support.retrieve_request(env)
+        when 'Contrast::Framework::Sinatra::Support'
+          Contrast::Framework::Sinatra::Support.retrieve_request(env)
+        else
+          Contrast::Framework::Rack::Support.retrieve_request(env)
+        end
       rescue StandardError => e
         logger.warn('Unable to retrieve_request', e)
       end

data/lib/contrast/framework/rack/support.rb

@@ -14,7 +14,105 @@ module Contrast
         extend Contrast::Framework::Rack::Patch::Support
         class << self
           def detection_class
-            'rack -- don\'t let me be detected'
+            'Rack'
+          end
+
+          # @return [String] the Rack version
+          def version
+            ::Rack.version
+          rescue StandardError
+            ''
+          end
+
+          # @return [String] the Rack application name
+          def application_name
+            'Rack Application'
+          end
+
+          def application_root
+            Dir.pwd
+          end
+
+          # @return [String] the server type
+          def server_type
+            'Rack'
+          end
+
+          # Find all the predefined routes for this application
+          #
+          # Extracting the Rack application routes is not trivial. Routes are evaluated dynamically
+          # when a request comes in, so they are not loaded before and stored in a data structure
+          # available somewhere. This mean that route discovery is only available through the rack map,
+          # but this is limited as not showing the actual method (GET, POST, etc...). For now The Agent
+          # will use only the current_route_coverage for Rack applications.
+          #
+          # @return [Array<Contrast::Agent::Reporting::DiscoveredRoute>]
+          # @raise [NoMethodError] raises error if subclass does not implement this method
+          def collect_routes
+            # return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless defined?(Rack)
+            # Rack::URLMap is used for mapping different rack apps to different paths.
+            # The Rack app could be separated into smaller rack applications.
+            # Rack::Builder is another option.
+            # return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless rack_map
+
+            # This method is disabled for now, as it is not returning the actual routes. Code is left for as
+            # comment for future reference.
+            #
+            # routes = []
+            # rack_map.any? do |path, meta|
+            #   routes << Contrast::Agent::Reporting::DiscoveredRoute.from_rack_route(meta[1], meta[0], path)
+            # end
+            # routes
+            Contrast::Utils::ObjectShare::EMPTY_ARRAY
+          end
+
+          # Given the current request - return a RouteCoverage object
+
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @param _controller [::Sinatra::Base] optionally use this controller instead of global ::Sinatra::Base.
+          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] the route coverage object or nil if no route
+          def current_route_coverage request, _controller = nil, full_route = nil
+            method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
+
+            full_route ||= request.env[::Rack::PATH_INFO]
+            return unless full_route && method
+
+            route_coverage = Contrast::Agent::Reporting::RouteCoverage.new
+            # We might not have controller, or even if there is defined one, it could not bare the name of the
+            # route to match as an object, it could be one router class with base controller with several methods
+            # describing each class, search for final controller might be resource heavy, and not efficient.
+            # For now to identify the controller the Agent will use the route name, this may lead to recording
+            # of false routes, but it is better than nothing. If route do no match a pattern it is a good practice
+            # to notify the user by displaying a not found page, in a sense this is a exercise of the application, but
+            # not correctly recorded controller name. Try to see if there is a define Rack::URLMap, and use it first.
+            mapped_controller = rack_map[full_route]&.last
+            final_controller = mapped_controller || full_route
+            route_coverage.attach_rack_based_data(final_controller, method, nil, full_route)
+            route_coverage
+          end
+
+          # Try and get map of Rack application { "path" => ["pattern", "controller"] }.
+          #
+          # @return [Hash<String, Array<String>>] the rack map
+          def rack_map
+            rack_map = {}
+            maps = ObjectSpace.each_object(::Rack::URLMap).to_a
+            maps.any? do |map|
+              mapping = map.instance_variable_get(:@mapping)
+              mapping.any? do |arr|
+                path = arr[1]
+                pattern = arr[2]
+                controller = arr[3]&.cs__class&.cs__name
+                rack_map[path] = [pattern, controller] if path&.cs__is_a?(String) && controller
+              end
+            end
+            rack_map
+          rescue StandardError
+            {}
+          end
+
+          def retrieve_request env
+            ::Rack::Request.new(env)
           end
         end
       end

data/lib/contrast/framework/rails/support.rb

@@ -51,8 +51,7 @@ module Contrast
           # Find the current route, based on the provided Request wrapper
           #
           # @param request[Contrast::Agent::Request]
-          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] a Dtm describing the route
-          # matched to the request if a match was found.
+          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] the route coverage object or nil if no route
           def current_route_coverage request
             return unless ::Rails.cs__respond_to?(:application)
 

data/lib/contrast/framework/sinatra/support.rb

@@ -68,8 +68,7 @@ module Contrast
 
           # @param request [Contrast::Agent::Request] a contrast tracked request.
           # @param _controller [::Sinatra::Base] optionally use this controller instead of global ::Sinatra::Base.
-          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] a Dtm describing the route
-          # matched to the request if a match was found.
+          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] the route coverage object or nil if no route
           def current_route_coverage request, _controller = ::Sinatra::Base, full_route = nil
             method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
             route = _cleaned_route(request)

data/lib/contrast/logger/aliased_logging.rb

@@ -72,13 +72,11 @@ module Contrast
       def build_exception type, message = nil, exception = nil, data = nil
         return unless buildable?
 
-        stack_trace = wrapped_caller_locations
-        caller_idx = stack_trace&.find_index { |stack| stack.to_s.include?(type) } || 0
-        # The caller_stack is the method in which the error occurred, so has to be above this method
+        caller_idx = wrapped_caller_locations&.find_index { |stack| stack.to_s.include?(type) } || 0
         caller_idx += 1
-        caller_frame = stack_trace[caller_idx]
-        stack_frame_type = caller_frame.path.delete_prefix(Dir.pwd)
-        stack_frame_function = caller_frame.label
+        caller = wrapped_caller_locations[caller_idx]
+        stack_frame_type = obfuscate_type(caller)
+        stack_frame_function = caller.label
         key = "#{ stack_frame_type }|#{ stack_frame_function }|#{ message }"
         if Contrast::TELEMETRY_EXCEPTIONS[key]
           Contrast::TELEMETRY_EXCEPTIONS.increment(key)
@@ -92,7 +90,7 @@ module Contrast
                                        stack_frame_type, message_exception_type,
                                        data, exception,
                                        message)
-        build_stack(event_message, stack_trace, caller_idx)
+        build_stack(event_message, wrapped_caller_locations, caller_idx)
         TELEMETRY_EXCEPTIONS[key] = event_message
       rescue StandardError => e
         debug('[Telemetry] Unable to report exception', e)
@@ -141,8 +139,11 @@ module Contrast
         caller_stack.each_with_index do |caller, idx|
           next unless idx > caller_idx
 
-          stack_frame = Contrast::Agent::Telemetry::Exception::StackFrame.build(caller.label,
-                                                                                caller.path.delete_prefix(Dir.pwd))
+          obfuscated_label = Contrast::Agent::Telemetry::Exception::Obfuscate.obfuscate_path(caller.label)
+          obfuscated_path =  Contrast::Agent::Telemetry::Exception::Obfuscate.
+              obfuscate_path(caller.path.delete_prefix(Dir.pwd))
+
+          stack_frame = Contrast::Agent::Telemetry::Exception::StackFrame.build(obfuscated_label, obfuscated_path)
           event_exception_message.push(stack_frame)
         end
       end
@@ -153,6 +154,14 @@ module Contrast
       def wrapped_caller_locations
         caller_locations
       end
+
+      # @param caller [Thread::Backtrace::Location, nil]
+      # @return [String]
+      def obfuscate_type caller
+        return '' unless caller.cs__respond_to?(:path)
+
+        Contrast::Agent::Telemetry::Exception::Obfuscate.obfuscate_path(caller.path.delete_prefix(Dir.pwd).to_s)
+      end
     end
   end
 end

data/lib/contrast/utils/hash_utils.rb

@@ -0,0 +1,62 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # Module to hold various hash utils methods
+    module HashUtils
+      class << self
+        # Merges two hashes, first hash will preserve it's values and will only add unique values.
+        #
+        # @param hsh [Hash]
+        # @param other_hsh [Hash]
+        def precedence_merge hsh, other_hsh
+          hsh.merge(other_hsh) do |_key, old_value, new_value|
+            if old_value.is_a?(Hash) || new_value.is_a?(Hash)
+              Contrast::Utils::HashUtils.precedence_merge(old_value, new_value)
+            else
+              old_value
+            end
+          end
+        end
+
+        # Merges two hashes, first hash will preserve it's values and will only add unique values.
+        #
+        # @param hsh [Hash]
+        # @param other_hsh [Hash]
+        # @return [Hash]
+        def precedence_merge! hsh, other_hsh
+          hsh.merge!(other_hsh) do |_key, old_val, new_val|
+            if old_val.is_a?(Hash) || new_val.is_a?(Hash)
+              Contrast::Utils::HashUtils.precedence_merge!(old_val, new_val)
+            else
+              old_val
+            end
+          end
+        end
+
+        # Deep symbolizes all keys
+        # @param value [Hash]
+        # @return [Hash]
+        def deep_symbolize_all_keys value
+          new_hash = {}
+          value.each { |key, v| new_hash[key.to_sym] = map_value(v) }
+          new_hash
+        end
+
+        private
+
+        def map_value value
+          case value
+          when Hash
+            deep_symbolize_all_keys(value)
+          when Array
+            value.map { |v| map_value(v) }
+          else
+            value
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/json.rb

@@ -0,0 +1,46 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'json'
+require 'contrast/utils/hash_utils'
+require 'contrast/components/logger'
+
+module Contrast
+  module Utils
+    # Module to hold Agent's custom JSON.parse logic.
+    module Json
+      class << self
+        include Contrast::Components::Logger::InstanceMethods
+
+        # Add any known cases where parsing error might arise from older json parser:
+        # @return [Array<String>]
+        SPECIAL_CASES = ["\"\""].cs__freeze # rubocop:disable Style/StringLiterals
+
+        # Parses a string using JSON.parser. This method is used instead of standard JSON.parse to
+        # support older versions of json gem => not supporting key-value second parameter, which is
+        # supported after json 2.3.0.
+        #
+        # @param string [String]
+        # @param deep_symbolize [Boolean] flag to set if keys needs to be deep symbolized.
+        # @return [Hash]
+        def parse string, deep_symbolize: false
+          # The Agent receives empty responses from TS sometimes.
+          # There is a special case to handle this.
+          return {} if SPECIAL_CASES.include?(string)
+
+          symbolized_hash = {}
+          hash = JSON::Parser.new(string).parse
+          symbolized_hash = Contrast::Utils::HashUtils.deep_symbolize_all_keys(hash) if deep_symbolize
+          return hash unless deep_symbolize
+
+          symbolized_hash
+        rescue JSON::ParserError => e
+          # Any parsing error will produce empty {}. Since older JSON might pose support issues with newer Ruby,
+          # We might just log any miss-parsings and allow Agent to continue.
+          logger.warn("[JSON] parse error: #{ e }")
+          {}
+        end
+      end
+    end
+  end
+end