RubyGems - contrast-agent - Versions diffs - 7.0.0 → 7.2.0 - Mend

contrast-agent 7.0.0 → 7.2.0

Files changed (90) hide show

data/lib/contrast/utils/net_http_base.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 require 'net/http'
+require 'resolv'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'socket'
@@ -10,8 +11,25 @@ module Contrast
   module Utils
     # This module creates a Net::HTTP client base to be used by different services
     # All HTTP clients reporting to Telemetry or TS should inherit from this
-    class NetHttpBase
+    class NetHttpBase # rubocop:disable Metrics/ClassLength
       include Contrast::Components::Logger::InstanceMethods
+      class << self
+        # Last recorded error
+        # @return [StandardError]
+        def last_error
+          @_last_error
+        end
+        # @param [StandardError]
+        def last_error= error
+          @_last_error = error
+        end
+      end
+      # @return [String]
+      attr_reader :client_name
       # This method initializes the Net::HTTP client we'll need. it will validate
       # the connection and make the first request. If connection is valid and response
       # is available then the open connection is returned.
@@ -23,29 +41,22 @@ module Contrast
       # self signed certificates provided by config [default = false]
       # @return [Net::HTTP, nil] Return open connection or nil
       def initialize_connection service_name, url, use_proxy: false, use_custom_cert: false
-        return unless url
-        addr = URI(url)
-        return if addr.host.nil? || addr.port.nil?
-        return if addr.scheme != 'https' && !addr.host.to_s.include?('localhost')
-        # the proxy is enabled only if there is provided url even if the enable is set to true
-        proxy_addr = URI(Contrast::API.proxy_url) if proxy_enabled?
-        net_http_client = initialize_client(addr, proxy_addr, use_proxy, use_custom_cert)
-        return if net_http_client.nil?
-        net_http_client.start
-        return unless net_http_client.started?
+        Contrast::Utils::NetHttpBase.last_error = nil
+        @client_name = service_name
+        return unless (addr = retrieve_address(url))
+        return unless (net_http_client = configure_new_client(addr, use_proxy, use_custom_cert))
+        return unless client_started?(net_http_client)
-        logger.debug("Starting #{ service_name } connection test")
+        logger.debug("Starting #{ client_name } connection test")
         return unless connection_verified?(net_http_client, url)
-        logger.debug('Client verified', service: service_name, url: url)
+        logger.debug('Client verified', service: client_name, url: url)
         net_http_client
       rescue StandardError => e
-        # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
-        #   an infinite loop w/ telemetry
-        logger.debug('Connection failed', e, service: service_name, url: url)
+        Contrast::Utils::NetHttpBase.last_error = e
+        return if client_name == Contrast::Agent::Telemetry::Client::SERVICE_NAME
+        logger.error('Connection failed', e, service: client_name, url: url)
         nil
       end
@@ -74,14 +85,51 @@ module Contrast
              Errno::ETIMEDOUT, Errno::ESHUTDOWN, Errno::EHOSTDOWN, Errno::EHOSTUNREACH, Errno::EISCONN,
              Errno::ECONNABORTED, Errno::ENETRESET, Errno::ENETUNREACH => e
-        # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
-        #   an infinite loop w/ telemetry
-        logger.debug("#{ service_name } connection failed", e.message)
-        false
+        Contrast::Utils::NetHttpBase.last_error = e
+        unless client_name == Contrast::Agent::Telemetry::Client::SERVICE_NAME
+          logger.error("#{ client_name } connection failed", e.message)
+        end
+        @_connection_verified = false
       end
       private
+      # Starts connection and return started status.
+      #
+      # @param client [Net::HTTP] client instance.
+      # @return [Boolean] status indicates whether connection has started.
+      def client_started? client
+        return false unless client
+        client.start
+        client.started?
+      end
+      # @param url
+      # @return [URI::Generic, nil]
+      def retrieve_address url
+        return unless (addr = URI(url))
+        return if addr.host.nil? || addr.port.nil?
+        return if addr.scheme != 'https' && !addr.host.to_s.include?('localhost')
+        addr
+      end
+      # Assigns proxy and custom certificates if enabled, and initializes new client.
+      #
+      # @param addr [URI::Generic, nil]
+      # @param use_proxy [Boolean] flag used to indicate proxy connections [default = false]
+      # @param use_custom_cert [Boolean] flag used to indicate whether the client is to use
+      # @return client [Net::HTTP, nil] initialized client.
+      def configure_new_client addr, use_proxy, use_custom_cert
+        # the proxy is enabled only if there is provided url even if the enable is set to true
+        proxy_addr = URI(Contrast::API.proxy_url) if proxy_enabled?
+        net_http_client = initialize_client(addr, proxy_addr, use_proxy, use_custom_cert)
+        return if net_http_client.nil?
+        net_http_client
+      end
       # Resolves the address of the assigned domain to array of corresponding IPs (if more than one)
       # and runs a matcher to see if current connection IP is in the list.
       # This is called within #verify_connection, if called on it's own there will be no
@@ -114,9 +162,10 @@ module Contrast
           client.key = OpenSSL::PKey::RSA.new(File.read(Contrast::API.certification_key_file)).to_s
         end
       rescue Errno::ENOENT => e
-        # TODO: RUBY-2033 we cannot log the error above debug level here b/c it results in
-        #   an infinite loop w/ telemetry
-        logger.debug('Custom certificates failed', e.message)
+        Contrast::Utils::NetHttpBase.last_error = e
+        unless client_name == Contrast::Agent::Telemetry::Client::SERVICE_NAME
+          logger.error('Custom certificates failed', e.message)
+        end
       end
       # sets default setting for client validation of certificates and

data/lib/contrast/utils/request_utils.rb CHANGED Viewed

@@ -5,6 +5,20 @@ module Contrast
   module Utils
     # used in Contrast::Agent::Request
     module RequestUtils
+      # TOKENS:
+      NUM_ = '/{n}/'
+      ID_ = '{ID}'
+      # PATTERNS:
+      NUM_PATTERN = %r{/\d+/}.cs__freeze
+      END_PATTERN = %r{/\d+$}.cs__freeze
+      STATIC_SUFFIXES = /\.(?:js|css|jpeg|jpg|gif|png|ico|woff|svg|pdf|eot|ttf|jar)$/i.cs__freeze
+      UUID_PATTERN = Regexp.new('[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}').cs__freeze # rubocop:disable Metrics/LineLength
+      # Regular expression to match any type of hash pattern that is 16 bytes like uuid with no
+      # slashes, md5, sha1, sha256, etc
+      HASH_PATTERN = Regexp.new('([a-fA-F0-9]{2}){16,}').cs__freeze
+      WIN_PATTERN = Regexp.new('S-1-5-((32-\d+)|(21-\d+-\d+-\d+-\d+))').cs__freeze
+      MEDIA_TYPE_MARKERS = %w[image/ text/css text/javascript].cs__freeze
       # Return a flattened hash of params with realized paths for keys, in
       # addition to a separate, valueless, entry for each nest key.
       # See RUBY-621 for more details.

data/resources/assess/policy.json CHANGED Viewed

@@ -1258,6 +1258,17 @@
       "tags":["HTML_ENCODED"],
       "untags":["HTML_DECODED"]
     },
+    {
+      "class_name": "Rails::HTML::Concern::ComposedSanitize",
+      "method_name": "sanitize",
+      "method_visibility": "public",
+      "instance_method": true,
+      "source": "P0",
+      "target": "R",
+      "action": "REMOVE",
+      "tags":["HTML_ENCODED"],
+      "untags":["HTML_DECODED"]
+    },
     {
       "class_name": "Rails::Html::SafeListSanitizer",
       "method_name": "sanitize",

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.0.0
+  version: 7.2.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-04-03 00:00:00.000000000 Z
+date: 2023-05-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -1051,6 +1051,8 @@ files:
 - lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb
 - lib/contrast/agent/reporting/attack_result/response_type.rb
 - lib/contrast/agent/reporting/attack_result/user_input.rb
+- lib/contrast/agent/reporting/client/interface.rb
+- lib/contrast/agent/reporting/client/interface_base.rb
 - lib/contrast/agent/reporting/connection_status.rb
 - lib/contrast/agent/reporting/details/bot_blocker_details.rb
 - lib/contrast/agent/reporting/details/cmd_injection_details.rb
@@ -1069,7 +1071,6 @@ files:
 - lib/contrast/agent/reporting/details/xxe_details.rb
 - lib/contrast/agent/reporting/details/xxe_match.rb
 - lib/contrast/agent/reporting/details/xxe_wrapper.rb
-- lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb
 - lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb
 - lib/contrast/agent/reporting/input_analysis/input_analysis.rb
 - lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb
@@ -1079,6 +1080,7 @@ files:
 - lib/contrast/agent/reporting/masker/masker_utils.rb
 - lib/contrast/agent/reporting/report.rb
 - lib/contrast/agent/reporting/reporter.rb
+- lib/contrast/agent/reporting/reporting_events/agent_effective_config.rb
 - lib/contrast/agent/reporting/reporting_events/agent_startup.rb
 - lib/contrast/agent/reporting/reporting_events/application_activity.rb
 - lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb
@@ -1129,6 +1131,7 @@ files:
 - lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb
 - lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb
 - lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb
+- lib/contrast/agent/reporting/reporting_utilities/resend.rb
 - lib/contrast/agent/reporting/reporting_utilities/response.rb
 - lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb
 - lib/contrast/agent/reporting/reporting_utilities/response_handler.rb
@@ -1180,6 +1183,7 @@ files:
 - lib/contrast/agent/telemetry/exception/event.rb
 - lib/contrast/agent/telemetry/exception/message.rb
 - lib/contrast/agent/telemetry/exception/message_exception.rb
+- lib/contrast/agent/telemetry/exception/obfuscate.rb
 - lib/contrast/agent/telemetry/exception/stack_frame.rb
 - lib/contrast/agent/telemetry/hash.rb
 - lib/contrast/agent/telemetry/identifier.rb
@@ -1224,11 +1228,17 @@ files:
 - lib/contrast/config/api_proxy_configuration.rb
 - lib/contrast/config/base_configuration.rb
 - lib/contrast/config/certification_configuration.rb
-- lib/contrast/config/config.rb
-- lib/contrast/config/diagnostics.rb
-- lib/contrast/config/diagnostics_tools.rb
-- lib/contrast/config/effective_config.rb
-- lib/contrast/config/effective_config_value.rb
+- lib/contrast/config/configuration_files.rb
+- lib/contrast/config/diagnostics/command_line.rb
+- lib/contrast/config/diagnostics/config.rb
+- lib/contrast/config/diagnostics/contrast_ui.rb
+- lib/contrast/config/diagnostics/effective_config.rb
+- lib/contrast/config/diagnostics/effective_config_value.rb
+- lib/contrast/config/diagnostics/environment_variables.rb
+- lib/contrast/config/diagnostics/monitor.rb
+- lib/contrast/config/diagnostics/source_config_value.rb
+- lib/contrast/config/diagnostics/tools.rb
+- lib/contrast/config/diagnostics/user_configuration_file.rb
 - lib/contrast/config/env_variables.rb
 - lib/contrast/config/exception_configuration.rb
 - lib/contrast/config/protect_rule_configuration.rb
@@ -1297,12 +1307,14 @@ files:
 - lib/contrast/utils/findings.rb
 - lib/contrast/utils/hash_digest.rb
 - lib/contrast/utils/hash_digest_extend.rb
+- lib/contrast/utils/hash_utils.rb
 - lib/contrast/utils/head_dump_utils_extend.rb
 - lib/contrast/utils/heap_dump_util.rb
 - lib/contrast/utils/input_classification_base.rb
 - lib/contrast/utils/invalid_configuration_util.rb
 - lib/contrast/utils/io_util.rb
 - lib/contrast/utils/job_servers_running.rb
+- lib/contrast/utils/json.rb
 - lib/contrast/utils/log_utils.rb
 - lib/contrast/utils/lru_cache.rb
 - lib/contrast/utils/metrics_hash.rb

data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb DELETED Viewed

@@ -1,27 +0,0 @@
-# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-require 'contrast/agent/reporting/input_analysis/details/protect_rule_details'
-module Contrast
-  module Agent
-    module Reporting
-      # Bot blocker IA result details info.
-      class BotBlockerDetails < ProtectRuleDetails
-        # @return [String]
-        attr_accessor :bot
-        # User agent header value
-        #
-        # @return [String]
-        attr_accessor :user_agent
-        def to_controlled_hash
-          {
-              bot: bot,
-              userAgent: user_agent
-          }
-        end
-      end
-    end
-  end
-end

data/lib/contrast/config/diagnostics_tools.rb DELETED Viewed

@@ -1,99 +0,0 @@
-# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-require 'contrast/utils/object_share'
-require 'contrast/config/effective_config_value'
-module Contrast
-  module Agent
-    module DiagnosticsConfig
-      # Diagnostics tools to be included in config components.
-      module DiagnosticsTools
-        CHECK = 'd'
-        # Converts current configuration for array of values to effective config values class and appends them to
-        # EffectiveConfig class. Must be used inside Config Components only.
-        #
-        # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
-        # @param config_values [Array<String>] array of the names of values.
-        # @param canonical_prefix [String] starting of the path to config => api.proxy...
-        # @param name_prefix [String] the name of the config prefix => contrast.api_key, contrast.url
-        def add_effective_config_values effective_config, config_values, canonical_prefix, name_prefix
-          return if config_values.to_s.empty?
-          config_values.each do |config|
-            Contrast::Agent::DiagnosticsConfig::EffectiveConfigValue.new.tap do |value|
-              next if (config_val = send(config.to_sym)).to_s.empty?
-              config_name = assign_name(config)
-              value.canonical_name = "#{ canonical_prefix }.#{ config_name }"
-              value.name = "#{ name_prefix }.#{ config_name }"
-              value.value = config_val
-              value.source = Contrast::CONFIG.sources.get(value.canonical_name)
-              if value.source == Contrast::Components::Config::Sources::YAML
-                value.filename = Contrast::CONFIG.config_file_path
-              end
-              effective_config.values << value
-            rescue StandardError => e
-              log_error(e)
-              next
-            end
-          end
-        end
-        # Converts current configuration for single value to effective config values class and appends them to
-        # EffectiveConfig class. Must be used inside Config Components only.
-        #
-        # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
-        # @param config_name [String] name of the config.
-        # @param config_value [String, Boolean] value of the config.
-        # @param canonical_prefix [String] starting of the path to config => api.proxy...
-        # @param name_prefix [String] the name of the config prefix => contrast.api_key, contrast.url
-        def add_single_effective_value effective_config, config_name, config_value, canonical_prefix, name_prefix
-          Contrast::Agent::DiagnosticsConfig::EffectiveConfigValue.new.tap do |value|
-            break if config_value.to_s.empty?
-            value.value = config_value
-            value.canonical_name = "#{ canonical_prefix }.#{ config_name }"
-            value.name = "#{ name_prefix }.#{ config_name }"
-            value.source = Contrast::CONFIG.sources.get(value.canonical_name)
-            if value.source == Contrast::Components::Config::Sources::YAML
-              value.filename = Contrast::CONFIG.config_file_path
-            end
-            effective_config.values << value
-          rescue StandardError => e
-            log_error(e)
-            next
-          end
-        end
-        private
-        # Assigns a proper name for the config removing '?' out of method names.
-        #
-        # @param config [String] name of the configuration
-        # @return [String]
-        def assign_name config
-          return Contrast::Utils::ObjectShare::EMPTY_STRING unless config
-          name = config.dup
-          if name.end_with?(Contrast::Utils::ObjectShare::QUESTION_MARK)
-            # check and remove '?' : start_bundled_service? => start_bundled_service
-            name.delete!(Contrast::Utils::ObjectShare::QUESTION_MARK)
-            name.chop! if name.end_with?(CHECK)
-            name
-          end
-          name
-        end
-        # Logs any caught error.
-        #
-        # @param error [StandardError]
-        def log_error error
-          Contrast::CONFIG.proto_logger.warn('Could not write effective config to file: ',
-                                             error: error, backtrace: error.backtrace)
-        end
-      end
-    end
-  end
-end

data/lib/contrast/config/effective_config.rb DELETED Viewed

@@ -1,131 +0,0 @@
-# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-require 'contrast/config/effective_config_value'
-require 'contrast/config/diagnostics_tools'
-require 'contrast/utils/object_share'
-module Contrast
-  module Agent
-    module DiagnosticsConfig
-      # The current effective config received from all authorized configuration channels.
-      class EffectiveConfig
-        NON_COMMON_ENV = %w[CONTRAST_CONFIG_PATH CONTRAST_AGENT_TELEMETRY_OPTOUT].cs__freeze
-        # Value of effective agent configurations
-        #
-        # @return [Array]
-        attr_reader :values
-        def initialize
-          @values = []
-        end
-        def to_controlled_hash
-          {
-              effective_config: { values: @values&.map(&:to_controlled_hash) },
-              user_configuration_file: yaml_config_settings,
-              environment_variable: environment_settings(ENV).map(&:to_controlled_hash),
-              command_line: command_line_settings.map(&:to_controlled_hash),
-              contrast_ui: contrast_ui_settings.map(&:to_controlled_hash)
-          }
-        end
-        private
-        def yaml_config_settings
-          {
-              path: Contrast::CONFIG.config_file_path,
-              values: value_to_s(Contrast::CONFIG.sources.for(Contrast::Components::Config::Sources::YAML))
-          }
-        end
-        def command_line_settings
-          cli = flatten_settings(Contrast::CONFIG.sources.for(Contrast::Components::Config::Sources::CLI))
-          flat_settings(cli)
-        end
-        def contrast_ui_settings
-          ui = flatten_settings(Contrast::CONFIG.sources.for(Contrast::Components::Config::Sources::CONTRASTUI))
-          flat_settings(ui)
-        end
-        # @param flats [Array] of flatten configs produced by #flatten_settings
-        # @return [Array]
-        def flat_settings flats
-          ui_settings = []
-          flats.each do |entry|
-            entry.each do |key, value|
-              efc_value = Contrast::Agent::DiagnosticsConfig::EffectiveConfigValue.new.tap do |effective_value|
-                effective_value.canonical_name = Contrast::Utils::ObjectShare::CONTRAST_DOT + key
-                effective_value.name = key
-                effective_value.value = value_to_s(value)
-              end
-              ui_settings << efc_value if efc_value
-            end
-          end
-          ui_settings
-        end
-        def flatten_settings data, path = []
-          data.each_with_object([]) do |(k, v), entries|
-            if v.cs__is_a?(Hash)
-              entries.concat(flatten_settings(v, path.dup.append(k.to_sym)))
-            else
-              entries << { "#{ path.join('.') }.#{ k }" => Contrast::CONFIG.config.loaded_config.dig(*path, k).to_s }
-            end
-          end.flatten # rubocop:disable Style/MethodCalledOnDoEndBlock
-        end
-        # This method will fill the canonical name for each env var and will check for any uncommon ones.
-        #
-        # @param env [Hash]
-        # @return [Array] array of all the values needed to be written.
-        def environment_settings env
-          env_hash = env.select do |e|
-            e.to_s.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) || NON_COMMON_ENV.include?(e.to_s)
-          end
-          environment_settings = []
-          env_hash.each do |key, value|
-            efc_value = Contrast::Agent::DiagnosticsConfig::EffectiveConfigValue.new.tap do |effective_value|
-              next unless value
-              effective_value.canonical_name = if NON_COMMON_ENV.include?(key)
-                                                 key.gsub(Contrast::Utils::ObjectShare::UNDERSCORE,
-                                                          Contrast::Utils::ObjectShare::PERIOD).downcase
-                                               else
-                                                 key.gsub(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE,
-                                                          Contrast::Utils::ObjectShare::PERIOD).downcase
-                                               end
-              if effective_value.canonical_name
-                effective_value.name =
-                  effective_value.canonical_name.gsub(Contrast::Utils::ObjectShare::CONTRAST_DOT,
-                                                      Contrast::Utils::ObjectShare::EMPTY_STRING)
-              end
-              effective_value.value = value_to_s(value)
-            end
-            environment_settings << efc_value if efc_value
-          end
-          environment_settings
-        end
-        # Recursively converts each value to string.
-        #
-        # @param value [Hash]
-        def value_to_s value
-          return value if value.cs__is_a?(String)
-          value.each_with_object({}) do |(k, v), m| # rubocop:disable Style/HashTransformValues
-            m[k] = if v.cs__is_a?(Hash)
-                     value_to_s(v)
-                   elsif v.cs__is_a?(Array)
-                     v.map(&:to_s)
-                   else
-                     v.to_s
-                   end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/config/effective_config_value.rb DELETED Viewed

@@ -1,32 +0,0 @@
-# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-module Contrast
-  module Agent
-    module DiagnosticsConfig
-      # All In effect config values stored in a easy to write representation.
-      class EffectiveConfigValue
-        # @return [String] Name of the config starting form root of yaml config.
-        attr_accessor :canonical_name
-        # @return [String] Name of the config.
-        attr_accessor :name
-        # @return [String] Value set for the config.
-        attr_accessor :value
-        # @return [String] The source for the entry in the config.
-        attr_accessor :source
-        # @return [String,nil] The filename for the source of the config, if the source was "yaml".
-        attr_accessor :filename
-        def to_controlled_hash
-          {
-              canonical_name: canonical_name,
-              name: name, # rubocop:disable Security/Module/Name
-              value: value&.cs__is_a?(Array) ? value.map(&:to_s) : value.to_s,
-              source: source,
-              filename: filename
-          }.compact
-        end
-      end
-    end
-  end
-end