contrast-agent 7.1.0 → 7.2.0

data/lib/contrast/configuration.rb

@@ -81,11 +81,11 @@ module Contrast
       # Overlay CLI options - they take precedence over config file
       cli_options = Contrast::Utils::HashUtils.deep_symbolize_all_keys(cli_options)
       if cli_options
-        config_kv = Contrast::Utils::HashUtils.deep_merge(cli_options, config_kv)
+        config_kv = Contrast::Utils::HashUtils.precedence_merge(cli_options, config_kv)
         @_source_file_extensions = Contrast::Utils::HashUtils.
-            deep_merge(assign_source_to(cli_options,
-                                        Contrast::Components::Config::Sources::COMMAND_LINE),
-                       @_source_file_extensions)
+            precedence_merge(assign_source_to(cli_options,
+                                              Contrast::Components::Config::Sources::COMMAND_LINE),
+                             @_source_file_extensions)
       end
 
       # Some in-flight rewrites to maintain backwards compatibility
@@ -157,7 +157,7 @@ module Contrast
       @_configuration_paths ||= begin
         basename = default_name.split('.').first
         # Order of extensions comes from here:
-        extensions = Contrast::Components::Config::Sources::APP_CONFIGURATION_FILE.map(&:downcase)
+        extensions = Contrast::Components::Config::Sources::APP_CONFIGURATION_EXTENSIONS
 
         paths = []
         # Environment paths takes precedence here. Look first through them.
@@ -216,7 +216,6 @@ module Contrast
         end
         origin.add_source_file(path, (yaml_to_hash(path) || {}))
       end
-
       # Legacy usage: Assign main configuration file for reference.
       @config_file = origin.main_file
       # merge all settings keeping the top yaml files values as priority.
@@ -225,13 +224,15 @@ module Contrast
       # precedence of paths: see Contrast::Configuration::CONFIG_BASE_PATHS
       extensions_maps = []
       origin.source_files.each do |file|
-        # config.merge!(file.values) { |_key, oldval, _newval| oldval = oldval }
-        precedence_merge!(config, file.values)
+        config = Contrast::Utils::HashUtils.precedence_merge(config, file.values)
         # assign source values extentions:
         extensions_maps << assign_source_to(Contrast::Utils::HashUtils.deep_symbolize_all_keys(file.values), file.path)
       end
+
       # merge all origin paths to be used as extension classification to preserve the precedence of config files:
-      extensions_maps.each { |path| @_source_file_extensions = precedence_merge!(@_source_file_extensions, path) }
+      extensions_maps.each do |path|
+        @_source_file_extensions = Contrast::Utils::HashUtils.precedence_merge!(@_source_file_extensions, path)
+      end
 
       config
     end
@@ -357,7 +358,7 @@ module Contrast
       KEYS_TO_REDACT.include?(key.to_sym)
     end
 
-    def assign_source_to hash, source = Contrast::Components::Config::Sources::APP_CONFIGURATION_FILE[0]
+    def assign_source_to hash, source = Contrast::Components::Config::Sources::APP_CONFIGURATION_FILE
       hash.transform_values do |value|
         if value.is_a?(Hash)
           assign_source_to(value, source)
@@ -366,14 +367,5 @@ module Contrast
         end
       end
     end
-
-    # Merges two hashes, first hash will preserve it's values and will only add unique values.
-    #
-    # @param hsh [Hash]
-    # @param other_hsh [Hash]
-    # @return [Hash]
-    def precedence_merge! hsh, other_hsh
-      hsh.merge!(other_hsh) { |_key, old_val, _new_val| old_val }
-    end
   end
 end

data/lib/contrast/framework/grape/support.rb

@@ -72,8 +72,7 @@ module Contrast
 
           # @param request [Contrast::Agent::Request] a contrast tracked request.
           # @param controller [::Grape::API] optionally use this controller instead of global ::Grape::API.
-          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] a Dtm describing the route
-          # matched to the request if a match was found.
+          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] the route coverage object or nil if no route
           def current_route_coverage request, controller = ::Grape::API, full_route = nil
             return unless grape_controller?(controller)
 

data/lib/contrast/framework/manager.rb

@@ -37,6 +37,9 @@ module Contrast
           logger.info('Framework detected. Enabling support.', framework: framework_klass.detection_class)
           framework_klass
         end
+
+        # Delete Rack if we have more than one framework detected
+        @_frameworks.delete(Contrast::Framework::Rack::Support) if @_frameworks.length > 1
         @_frameworks.compact!
       end
 
@@ -87,16 +90,22 @@ module Contrast
       #   this particular Request
       # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
-        # If we're mounted on Rails, use Rails.
-        if @_frameworks.include?(Contrast::Framework::Rails::Support)
-          return Contrast::Framework::Rails::Support.retrieve_request(env)
+        if Contrast::Utils::DuckUtils.empty_duck?(@_frameworks)
+          return Contrast::Framework::Rack::Support.retrieve_request(env)
         end
 
-        # If we know the framework, use it.
-        return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
-
-        # Fall back on a regular Rack::Request
-        ::Rack::Request.new(env)
+        framework = @_frameworks[0]
+
+        case framework.cs__name
+        when 'Contrast::Framework::Rails::Support'
+          Contrast::Framework::Rails::Support.retrieve_request(env)
+        when 'Contrast::Framework::Grape::Support'
+          Contrast::Framework::Grape::Support.retrieve_request(env)
+        when 'Contrast::Framework::Sinatra::Support'
+          Contrast::Framework::Sinatra::Support.retrieve_request(env)
+        else
+          Contrast::Framework::Rack::Support.retrieve_request(env)
+        end
       rescue StandardError => e
         logger.warn('Unable to retrieve_request', e)
       end

data/lib/contrast/framework/rack/support.rb

@@ -14,7 +14,105 @@ module Contrast
         extend Contrast::Framework::Rack::Patch::Support
         class << self
           def detection_class
-            'rack -- don\'t let me be detected'
+            'Rack'
+          end
+
+          # @return [String] the Rack version
+          def version
+            ::Rack.version
+          rescue StandardError
+            ''
+          end
+
+          # @return [String] the Rack application name
+          def application_name
+            'Rack Application'
+          end
+
+          def application_root
+            Dir.pwd
+          end
+
+          # @return [String] the server type
+          def server_type
+            'Rack'
+          end
+
+          # Find all the predefined routes for this application
+          #
+          # Extracting the Rack application routes is not trivial. Routes are evaluated dynamically
+          # when a request comes in, so they are not loaded before and stored in a data structure
+          # available somewhere. This mean that route discovery is only available through the rack map,
+          # but this is limited as not showing the actual method (GET, POST, etc...). For now The Agent
+          # will use only the current_route_coverage for Rack applications.
+          #
+          # @return [Array<Contrast::Agent::Reporting::DiscoveredRoute>]
+          # @raise [NoMethodError] raises error if subclass does not implement this method
+          def collect_routes
+            # return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless defined?(Rack)
+            # Rack::URLMap is used for mapping different rack apps to different paths.
+            # The Rack app could be separated into smaller rack applications.
+            # Rack::Builder is another option.
+            # return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless rack_map
+
+            # This method is disabled for now, as it is not returning the actual routes. Code is left for as
+            # comment for future reference.
+            #
+            # routes = []
+            # rack_map.any? do |path, meta|
+            #   routes << Contrast::Agent::Reporting::DiscoveredRoute.from_rack_route(meta[1], meta[0], path)
+            # end
+            # routes
+            Contrast::Utils::ObjectShare::EMPTY_ARRAY
+          end
+
+          # Given the current request - return a RouteCoverage object
+
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @param _controller [::Sinatra::Base] optionally use this controller instead of global ::Sinatra::Base.
+          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] the route coverage object or nil if no route
+          def current_route_coverage request, _controller = nil, full_route = nil
+            method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
+
+            full_route ||= request.env[::Rack::PATH_INFO]
+            return unless full_route && method
+
+            route_coverage = Contrast::Agent::Reporting::RouteCoverage.new
+            # We might not have controller, or even if there is defined one, it could not bare the name of the
+            # route to match as an object, it could be one router class with base controller with several methods
+            # describing each class, search for final controller might be resource heavy, and not efficient.
+            # For now to identify the controller the Agent will use the route name, this may lead to recording
+            # of false routes, but it is better than nothing. If route do no match a pattern it is a good practice
+            # to notify the user by displaying a not found page, in a sense this is a exercise of the application, but
+            # not correctly recorded controller name. Try to see if there is a define Rack::URLMap, and use it first.
+            mapped_controller = rack_map[full_route]&.last
+            final_controller = mapped_controller || full_route
+            route_coverage.attach_rack_based_data(final_controller, method, nil, full_route)
+            route_coverage
+          end
+
+          # Try and get map of Rack application { "path" => ["pattern", "controller"] }.
+          #
+          # @return [Hash<String, Array<String>>] the rack map
+          def rack_map
+            rack_map = {}
+            maps = ObjectSpace.each_object(::Rack::URLMap).to_a
+            maps.any? do |map|
+              mapping = map.instance_variable_get(:@mapping)
+              mapping.any? do |arr|
+                path = arr[1]
+                pattern = arr[2]
+                controller = arr[3]&.cs__class&.cs__name
+                rack_map[path] = [pattern, controller] if path&.cs__is_a?(String) && controller
+              end
+            end
+            rack_map
+          rescue StandardError
+            {}
+          end
+
+          def retrieve_request env
+            ::Rack::Request.new(env)
           end
         end
       end

data/lib/contrast/framework/rails/support.rb

@@ -51,8 +51,7 @@ module Contrast
           # Find the current route, based on the provided Request wrapper
           #
           # @param request[Contrast::Agent::Request]
-          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] a Dtm describing the route
-          # matched to the request if a match was found.
+          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] the route coverage object or nil if no route
           def current_route_coverage request
             return unless ::Rails.cs__respond_to?(:application)
 

data/lib/contrast/framework/sinatra/support.rb

@@ -68,8 +68,7 @@ module Contrast
 
           # @param request [Contrast::Agent::Request] a contrast tracked request.
           # @param _controller [::Sinatra::Base] optionally use this controller instead of global ::Sinatra::Base.
-          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] a Dtm describing the route
-          # matched to the request if a match was found.
+          # @return [Contrast::Agent::Reporting::RouteCoverage, nil] the route coverage object or nil if no route
           def current_route_coverage request, _controller = ::Sinatra::Base, full_route = nil
             method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
             route = _cleaned_route(request)

data/lib/contrast/logger/aliased_logging.rb

@@ -72,13 +72,11 @@ module Contrast
       def build_exception type, message = nil, exception = nil, data = nil
         return unless buildable?
 
-        stack_trace = wrapped_caller_locations
-        caller_idx = stack_trace&.find_index { |stack| stack.to_s.include?(type) } || 0
-        # The caller_stack is the method in which the error occurred, so has to be above this method
+        caller_idx = wrapped_caller_locations&.find_index { |stack| stack.to_s.include?(type) } || 0
         caller_idx += 1
-        caller_frame = stack_trace[caller_idx]
-        stack_frame_type = caller_frame.path.delete_prefix(Dir.pwd)
-        stack_frame_function = caller_frame.label
+        caller = wrapped_caller_locations[caller_idx]
+        stack_frame_type = obfuscate_type(caller)
+        stack_frame_function = caller.label
         key = "#{ stack_frame_type }|#{ stack_frame_function }|#{ message }"
         if Contrast::TELEMETRY_EXCEPTIONS[key]
           Contrast::TELEMETRY_EXCEPTIONS.increment(key)
@@ -92,7 +90,7 @@ module Contrast
                                        stack_frame_type, message_exception_type,
                                        data, exception,
                                        message)
-        build_stack(event_message, stack_trace, caller_idx)
+        build_stack(event_message, wrapped_caller_locations, caller_idx)
         TELEMETRY_EXCEPTIONS[key] = event_message
       rescue StandardError => e
         debug('[Telemetry] Unable to report exception', e)
@@ -141,8 +139,11 @@ module Contrast
         caller_stack.each_with_index do |caller, idx|
           next unless idx > caller_idx
 
-          stack_frame = Contrast::Agent::Telemetry::Exception::StackFrame.build(caller.label,
-                                                                                caller.path.delete_prefix(Dir.pwd))
+          obfuscated_label = Contrast::Agent::Telemetry::Exception::Obfuscate.obfuscate_path(caller.label)
+          obfuscated_path =  Contrast::Agent::Telemetry::Exception::Obfuscate.
+              obfuscate_path(caller.path.delete_prefix(Dir.pwd))
+
+          stack_frame = Contrast::Agent::Telemetry::Exception::StackFrame.build(obfuscated_label, obfuscated_path)
           event_exception_message.push(stack_frame)
         end
       end
@@ -153,6 +154,14 @@ module Contrast
       def wrapped_caller_locations
         caller_locations
       end
+
+      # @param caller [Thread::Backtrace::Location, nil]
+      # @return [String]
+      def obfuscate_type caller
+        return '' unless caller.cs__respond_to?(:path)
+
+        Contrast::Agent::Telemetry::Exception::Obfuscate.obfuscate_path(caller.path.delete_prefix(Dir.pwd).to_s)
+      end
     end
   end
 end

data/lib/contrast/utils/hash_utils.rb

@@ -10,9 +10,28 @@ module Contrast
         #
         # @param hsh [Hash]
         # @param other_hsh [Hash]
-        def deep_merge hsh, other_hsh
+        def precedence_merge hsh, other_hsh
           hsh.merge(other_hsh) do |_key, old_value, new_value|
-            old_value.is_a?(Hash) || new_value.is_a?(Hash) ? deep_merge(old_value, new_value) : old_value
+            if old_value.is_a?(Hash) || new_value.is_a?(Hash)
+              Contrast::Utils::HashUtils.precedence_merge(old_value, new_value)
+            else
+              old_value
+            end
+          end
+        end
+
+        # Merges two hashes, first hash will preserve it's values and will only add unique values.
+        #
+        # @param hsh [Hash]
+        # @param other_hsh [Hash]
+        # @return [Hash]
+        def precedence_merge! hsh, other_hsh
+          hsh.merge!(other_hsh) do |_key, old_val, new_val|
+            if old_val.is_a?(Hash) || new_val.is_a?(Hash)
+              Contrast::Utils::HashUtils.precedence_merge!(old_val, new_val)
+            else
+              old_val
+            end
           end
         end
 

data/lib/contrast/utils/request_utils.rb

@@ -5,6 +5,20 @@ module Contrast
   module Utils
     # used in Contrast::Agent::Request
     module RequestUtils
+      # TOKENS:
+      NUM_ = '/{n}/'
+      ID_ = '{ID}'
+      # PATTERNS:
+      NUM_PATTERN = %r{/\d+/}.cs__freeze
+      END_PATTERN = %r{/\d+$}.cs__freeze
+      STATIC_SUFFIXES = /\.(?:js|css|jpeg|jpg|gif|png|ico|woff|svg|pdf|eot|ttf|jar)$/i.cs__freeze
+      UUID_PATTERN = Regexp.new('[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}').cs__freeze # rubocop:disable Metrics/LineLength
+      # Regular expression to match any type of hash pattern that is 16 bytes like uuid with no
+      # slashes, md5, sha1, sha256, etc
+      HASH_PATTERN = Regexp.new('([a-fA-F0-9]{2}){16,}').cs__freeze
+      WIN_PATTERN = Regexp.new('S-1-5-((32-\d+)|(21-\d+-\d+-\d+-\d+))').cs__freeze
+      MEDIA_TYPE_MARKERS = %w[image/ text/css text/javascript].cs__freeze
+
       # Return a flattened hash of params with realized paths for keys, in
       # addition to a separate, valueless, entry for each nest key.
       # See RUBY-621 for more details.

data/resources/assess/policy.json

@@ -1258,6 +1258,17 @@
       "tags":["HTML_ENCODED"],
       "untags":["HTML_DECODED"]
     },
+    {
+      "class_name": "Rails::HTML::Concern::ComposedSanitize",
+      "method_name": "sanitize",
+      "method_visibility": "public",
+      "instance_method": true,
+      "source": "P0",
+      "target": "R",
+      "action": "REMOVE",
+      "tags":["HTML_ENCODED"],
+      "untags":["HTML_DECODED"]
+    },
     {
       "class_name": "Rails::Html::SafeListSanitizer",
       "method_name": "sanitize",

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.1.0
+  version: 7.2.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-04-13 00:00:00.000000000 Z
+date: 2023-05-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -1051,6 +1051,8 @@ files:
 - lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb
 - lib/contrast/agent/reporting/attack_result/response_type.rb
 - lib/contrast/agent/reporting/attack_result/user_input.rb
+- lib/contrast/agent/reporting/client/interface.rb
+- lib/contrast/agent/reporting/client/interface_base.rb
 - lib/contrast/agent/reporting/connection_status.rb
 - lib/contrast/agent/reporting/details/bot_blocker_details.rb
 - lib/contrast/agent/reporting/details/cmd_injection_details.rb
@@ -1069,7 +1071,6 @@ files:
 - lib/contrast/agent/reporting/details/xxe_details.rb
 - lib/contrast/agent/reporting/details/xxe_match.rb
 - lib/contrast/agent/reporting/details/xxe_wrapper.rb
-- lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb
 - lib/contrast/agent/reporting/input_analysis/details/protect_rule_details.rb
 - lib/contrast/agent/reporting/input_analysis/input_analysis.rb
 - lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb
@@ -1130,6 +1131,7 @@ files:
 - lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb
 - lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb
 - lib/contrast/agent/reporting/reporting_utilities/reporting_storage.rb
+- lib/contrast/agent/reporting/reporting_utilities/resend.rb
 - lib/contrast/agent/reporting/reporting_utilities/response.rb
 - lib/contrast/agent/reporting/reporting_utilities/response_extractor.rb
 - lib/contrast/agent/reporting/reporting_utilities/response_handler.rb
@@ -1181,6 +1183,7 @@ files:
 - lib/contrast/agent/telemetry/exception/event.rb
 - lib/contrast/agent/telemetry/exception/message.rb
 - lib/contrast/agent/telemetry/exception/message_exception.rb
+- lib/contrast/agent/telemetry/exception/obfuscate.rb
 - lib/contrast/agent/telemetry/exception/stack_frame.rb
 - lib/contrast/agent/telemetry/hash.rb
 - lib/contrast/agent/telemetry/identifier.rb

data/lib/contrast/agent/reporting/input_analysis/details/bot_blocker_details.rb

@@ -1,27 +0,0 @@
-# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/reporting/input_analysis/details/protect_rule_details'
-
-module Contrast
-  module Agent
-    module Reporting
-      # Bot blocker IA result details info.
-      class BotBlockerDetails < ProtectRuleDetails
-        # @return [String]
-        attr_accessor :bot
-        # User agent header value
-        #
-        # @return [String]
-        attr_accessor :user_agent
-
-        def to_controlled_hash
-          {
-              bot: bot,
-              userAgent: user_agent
-          }
-        end
-      end
-    end
-  end
-end