contrast-agent 7.2.0 → 7.3.1

data/lib/contrast/utils/assess/event_limit_utils.rb

@@ -70,13 +70,13 @@ module Contrast
           if current_count == event_max
             return if event_limit_counts.key?(get_event_limit_key(method_policy, context))
 
-            logger.warn('Event Limit Reached:',
-                        {
-                            count: current_count,
-                            max: event_max,
-                            policy: method_policy.method_name,
-                            node: method_policy
-                        })
+            logger.debug('Event Limit Reached:',
+                         {
+                             count: current_count,
+                             max: event_max,
+                             policy: method_policy.method_name,
+                             node: method_policy
+                         })
             # increment to be over count for logging purposes
             increment_event_count(method_policy)
             increment_event_limit_logs(method_policy, context)
@@ -87,12 +87,12 @@ module Contrast
             return if event_limit_counts.key?(get_event_limit_key(method_policy, context))
 
             # increment to be over count for logging purposes
-            logger.warn('Event Limit Exceeded:',
-                        {
-                            count: current_count,
-                            policy: method_policy.method_name,
-                            node: method_policy
-                        })
+            logger.debug('Event Limit Exceeded:',
+                         {
+                             count: current_count,
+                             policy: method_policy.method_name,
+                             node: method_policy
+                         })
             increment_event_limit_logs(method_policy, context)
             return true
           end

data/lib/contrast/utils/assess/propagation_method_utils.rb

@@ -18,6 +18,7 @@ module Contrast
         REPLACE_ACTION = 'REPLACE'
         REMOVE_ACTION = 'REMOVE'
         REVERSE_ACTION = 'REVERSE'
+        RESPONSE_ACTION = 'RESPONSE'
         SPLAT_ACTION = 'SPLAT'
         SPLIT_ACTION = 'SPLIT'
         DB_WRITE_ACTION = 'DB_WRITE'
@@ -37,6 +38,7 @@ module Contrast
             REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
             REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
             REVERSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Reverse,
+            RESPONSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Response,
             SPLAT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Splat,
             SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
         }.cs__freeze

data/lib/contrast/utils/metrics_hash.rb

@@ -17,7 +17,7 @@ module Contrast
         'The key extends the allowed length.',
         'The provided value is not the right data type'
       ].cs__freeze
-      KEY_REGEXP = /[a-zA-Z0-9_-]{1,63}/.cs__freeze
+      KEY_REGEXP = /[a-zA-Z0-9._-]{1,63}/.cs__freeze
 
       def initialize data_type, *several_variants
         super

data/lib/contrast/utils/object_share.rb

@@ -38,7 +38,8 @@ module Contrast
       AT =            '@'
       LEFT_ANGLE =    '<'
       COLON_SLASH_SLASH = '://'
-      DOLLAR_SIGN =    '$'
+      DOLLAR_SIGN = '$'
+      AMPERSAND = '&'
       CARROT =         '^'
       BANG =           '!'
 

data/lib/contrast/utils/os.rb

@@ -8,7 +8,7 @@ module Contrast
   module Utils
     # Simple utility used to make OS calls and determine state. For that state
     # which will not change at runtime, such as the operating system, the
-    # Utility memozies to avoid multiple lookups.
+    # Utility memoizes to avoid multiple lookups.
     module OS
       extend Contrast::Components::Scope::InstanceMethods
 
@@ -25,14 +25,6 @@ module Contrast
           @_mac = RUBY_PLATFORM.include?('darwin') if @_mac.nil?
           @_mac
         end
-
-        def unix?
-          !windows?
-        end
-
-        def linux?
-          (unix? and !mac?)
-        end
       end
     end
   end

data/lib/contrast/utils/response_utils.rb

@@ -19,6 +19,7 @@ module Contrast
       def extract_body body
         return unless body
         return if body_is_file?(body)
+        return if body_is_sprockets?(body)
 
         return handle_rack_body_proxy(body) if body.is_a?(Rack::BodyProxy)
         return extract_body(body.body) if sub_extractable?(body)
@@ -74,6 +75,17 @@ module Contrast
 
         false
       end
+
+      # Detects Rails' Sprockets asset pipeline objects passed as body.
+      # Returns false if Sprockets is passed as body, the Agent does not
+      # support Sprockets::Asset for body extraction.
+      #
+      # @param body [String, Rack::File, Rack::BodyProxy]
+      def body_is_sprockets? body
+        return body.cs__is_a?(Sprockets::Asset) if defined?(Sprockets) && defined?(Sprockets::Asset)
+
+        false
+      end
     end
   end
 end

data/lib/contrast/utils/timer.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'time'
+
 module Contrast
   module Utils
     # Timer is class that can track state about when an event starts and how long it takes

data/lib/contrast.rb

@@ -61,10 +61,12 @@ require 'contrast/components/sampling'
 require 'contrast/components/scope'
 require 'contrast/components/settings'
 require 'contrast/utils/routes_sent'
-require 'contrast/agent/telemetry/hash'
+require 'contrast/agent/telemetry/exception_hash'
 require 'contrast/agent/telemetry/telemetry'
 require 'contrast/agent/telemetry/exception/event'
 require 'contrast/agent_lib/interface'
+require 'contrast/agent/telemetry/cache_hash'
+require 'contrast/agent/telemetry/base64_hash'
 
 module Contrast # :nodoc:
   CONFIG = Contrast::Components::Config::Interface.new
@@ -82,7 +84,12 @@ module Contrast # :nodoc:
 end
 
 module Contrast
-  TELEMETRY_EXCEPTIONS = (Contrast::Agent::Telemetry::Hash.new if Contrast::Agent::Telemetry.exceptions_enabled?)
+  TELEMETRY_EXCEPTIONS = (if Contrast::Agent::Telemetry.exceptions_enabled?
+                            Contrast::Agent::Telemetry::ExceptionHash.new
+                          end)
+  TELEMETRY_IA_CACHE = (Contrast::Agent::Telemetry::CacheHash.new if Contrast::Agent::Telemetry::Base.enabled?)
+  TELEMETRY_BASE64_HASH = (Contrast::Agent::Telemetry::Base64Hash.new if Contrast::Agent::Telemetry::Base.enabled? &&
+    Contrast::PROTECT.normalize_base64?)
   ROUTES_SENT = Contrast::Utils::RoutesSent.new
 end
 

data/resources/assess/policy.json

@@ -8,7 +8,35 @@
       "target":"R",
       "type":"PARAMETER",
       "tags":["CROSS_SITE"]
-    }, {
+    },
+    {
+     "class_name":"Net::HTTPResponse",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body",
+      "target":"R",
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
+    },
+    {
+     "class_name":"Rack::Response",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body",
+      "target":"R",
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
+    },
+    {
+     "class_name":"Sinatra::Response",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body",
+      "target":"R",
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
+    },
+    {
       "class_name":"Rack::Request::Helpers",
       "instance_method": true,
       "method_visibility": "public",
@@ -990,7 +1018,35 @@
       "source": "P0",
       "target": "R",
       "action": "SPLAT"
-    }, {
+    },
+    {
+      "class_name": "ActiveSupport::JSON",
+      "method_name": "encode",
+      "instance_method": false,
+      "method_visibility": "public",
+      "source": "P0",
+      "target": "R",
+      "action": "SPLAT"
+    },
+    {
+      "class_name": "JSON",
+      "method_name": "generate",
+      "instance_method": false,
+      "method_visibility": "public",
+      "source": "P0",
+      "target": "R",
+      "action": "SPLAT"
+    },
+    {
+      "class_name": "JSON",
+      "method_name": "pretty_generate",
+      "instance_method": false,
+      "method_visibility": "public",
+      "source": "P0",
+      "target": "R",
+      "action": "SPLAT"
+    },
+    {
       "class_name": "Zlib::Deflate",
       "method_name": "deflate",
       "instance_method": false,
@@ -1082,7 +1138,28 @@
       "source": "P0",
       "target": "R",
       "action": "SPLAT"
-    }, {
+    },
+    {
+      "class_name":"Net::HTTPRequest",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body=",
+      "source":"P0",
+      "target":"O",
+      "action":"KEEP"
+    },
+    {
+      "class_name":"Net::HTTP",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"request",
+      "action": "CUSTOM",
+      "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Response",
+      "patch_method": "net_response_keep",
+      "source": "O,P1",
+      "target": "R"
+    },
+    {
       "class_name": "URI::Generic",
       "method_name": "initialize",
       "instance_method": true,

data/ruby-agent.gemspec

@@ -121,7 +121,7 @@ def self.add_dependencies spec
   spec.add_dependency 'rack', '~> 2.0'
 
   # bind this directly as we've had issues w/ build changes on bug release
-  spec.add_dependency 'contrast-agent-lib',  '1.1.0'
+  spec.add_dependency 'contrast-agent-lib',  '1.1.1'
 end
 
 # Enumerate the files required to build the Agent.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.2.0
+  version: 7.3.1
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-05-31 00:00:00.000000000 Z
+date: 2023-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -669,14 +669,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 1.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 1.1.1
 description: This gem instantiates a Rack middleware for rack-based web applications
   in order to provide Interactive Application Security Testing and Protection.
 email:
@@ -930,6 +930,7 @@ files:
 - lib/contrast/agent/assess/policy/propagator/rack_protection.rb
 - lib/contrast/agent/assess/policy/propagator/remove.rb
 - lib/contrast/agent/assess/policy/propagator/replace.rb
+- lib/contrast/agent/assess/policy/propagator/response.rb
 - lib/contrast/agent/assess/policy/propagator/reverse.rb
 - lib/contrast/agent/assess/policy/propagator/select.rb
 - lib/contrast/agent/assess/policy/propagator/splat.rb
@@ -1023,6 +1024,17 @@ files:
 - lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb
 - lib/contrast/agent/protect/rule/default_scanner.rb
 - lib/contrast/agent/protect/rule/deserialization/deserialization.rb
+- lib/contrast/agent/protect/rule/input_classification/base.rb
+- lib/contrast/agent/protect/rule/input_classification/base64_statistic.rb
+- lib/contrast/agent/protect/rule/input_classification/cached_result.rb
+- lib/contrast/agent/protect/rule/input_classification/encoding.rb
+- lib/contrast/agent/protect/rule/input_classification/encoding_rates.rb
+- lib/contrast/agent/protect/rule/input_classification/extendable.rb
+- lib/contrast/agent/protect/rule/input_classification/lru_cache.rb
+- lib/contrast/agent/protect/rule/input_classification/match_rates.rb
+- lib/contrast/agent/protect/rule/input_classification/rates.rb
+- lib/contrast/agent/protect/rule/input_classification/statistics.rb
+- lib/contrast/agent/protect/rule/input_classification/utils.rb
 - lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb
 - lib/contrast/agent/protect/rule/no_sqli/no_sqli.rb
 - lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb
@@ -1176,6 +1188,8 @@ files:
 - lib/contrast/agent/response/response.rb
 - lib/contrast/agent/scope/scope.rb
 - lib/contrast/agent/telemetry/base.rb
+- lib/contrast/agent/telemetry/base64_hash.rb
+- lib/contrast/agent/telemetry/cache_hash.rb
 - lib/contrast/agent/telemetry/client.rb
 - lib/contrast/agent/telemetry/event.rb
 - lib/contrast/agent/telemetry/exception.rb
@@ -1185,8 +1199,11 @@ files:
 - lib/contrast/agent/telemetry/exception/message_exception.rb
 - lib/contrast/agent/telemetry/exception/obfuscate.rb
 - lib/contrast/agent/telemetry/exception/stack_frame.rb
-- lib/contrast/agent/telemetry/hash.rb
+- lib/contrast/agent/telemetry/exception_hash.rb
 - lib/contrast/agent/telemetry/identifier.rb
+- lib/contrast/agent/telemetry/input_analysis_cache_event.rb
+- lib/contrast/agent/telemetry/input_analysis_encoding_event.rb
+- lib/contrast/agent/telemetry/input_analysis_event.rb
 - lib/contrast/agent/telemetry/metric_event.rb
 - lib/contrast/agent/telemetry/startup_metrics_event.rb
 - lib/contrast/agent/telemetry/telemetry.rb
@@ -1310,7 +1327,6 @@ files:
 - lib/contrast/utils/hash_utils.rb
 - lib/contrast/utils/head_dump_utils_extend.rb
 - lib/contrast/utils/heap_dump_util.rb
-- lib/contrast/utils/input_classification_base.rb
 - lib/contrast/utils/invalid_configuration_util.rb
 - lib/contrast/utils/io_util.rb
 - lib/contrast/utils/job_servers_running.rb

data/lib/contrast/utils/input_classification_base.rb

@@ -1,169 +0,0 @@
-# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/object_share'
-require 'contrast/agent/reporting/input_analysis/input_type'
-require 'contrast/agent/reporting/input_analysis/score_level'
-require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/components/logger'
-
-module Contrast
-  module Agent
-    module Protect
-      module Rule
-        # This module will include all the similar information for all input classifications
-        # between different rules
-        module InputClassificationBase
-          UNKNOWN_KEY = 'unknown'
-          THRESHOLD = 90.cs__freeze
-          WORTHWATCHING_THRESHOLD = 10.cs__freeze
-          include Contrast::Agent::Reporting::InputType
-          include Contrast::Agent::Reporting::ScoreLevel
-          include Contrast::Components::Logger::InstanceMethods
-
-          KEYS_NEEDED = [COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE].cs__freeze
-
-          # Input Classification stage is done to determine if an user input is
-          # DEFINITEATTACK or to be ignored.
-          #
-          # @param rule_id [String] Name of the protect rule.
-          # @param input_type [Symbol, Contrast::Agent::Reporting::InputType] The type of the user input.
-          # @param value [String, Array<String>] the value of the input.
-          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
-          #                                                       agent analysis from the current
-          #                                                       Request.
-          # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
-          def classify rule_id, input_type, value, input_analysis
-            return unless (rule = Contrast::PROTECT.rule(rule_id))
-            return unless rule.applicable_user_inputs.include?(input_type)
-            return unless input_analysis.request
-
-            Array(value).each do |val|
-              Array(val).each do |v|
-                next unless v
-
-                result = create_new_input_result(input_analysis.request, rule.rule_name, input_type, v)
-                append_result(input_analysis, result)
-              end
-            end
-
-            input_analysis
-          rescue StandardError => e
-            logger.debug("An Error was recorded in the input classification of the #{ rule_id }")
-            logger.debug(e)
-            nil
-          end
-
-          # Creates new isntance of InputAnalysisResult with basic info.
-          #
-          # @param rule_id [String] The name of the Protect Rule.
-          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-          # @param value [String, Array<String>] the value of the input.
-          # @param path [String] the path of the current request context.
-          #
-          # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-          def new_ia_result rule_id, input_type, path, value = nil
-            res = Contrast::Agent::Reporting::InputAnalysisResult.new
-            res.rule_id = rule_id
-            res.input_type = input_type
-            res.path = path
-            res.value = value
-            res
-          end
-
-          # This methods checks if input is value that matches a key in the input.
-          #
-          # @param request [Contrast::Agent::Request] the current request context.
-          # @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
-          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-          # @param value [String, Array<String>] the value of the input.
-          #
-          # @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
-          def add_needed_key request, result, input_type, value
-            case input_type
-            when COOKIE_VALUE
-              result.key = request.cookies.key(value)
-            when PARAMETER_VALUE, URL_PARAMETER
-              result.key = request.parameters.key(value)
-            when HEADER
-              result.key = request.headers.key(value)
-            when UNKNOWN
-              result.key = UNKNOWN_KEY
-            else
-              result.key
-            end
-          rescue StandardError => e
-            logger.warn('Could not find proper key for input traced value', message: e)
-          end
-
-          # Some input types are not yet supported from the AgentLib.
-          # This will convert the type to the closet possible if viable,
-          # so that the input tracing could be done.
-          #
-          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-          # @return [Integer<Contrast::AgentLib::Interface::INPUT_SET>]
-          def convert_input_type input_type
-            case input_type
-            when URI, URL_PARAMETER
-              Contrast::AGENT_LIB.input_set[:URI_PATH]
-            when BODY, DWR_VALUE, SOCKET, UNDEFINED_TYPE, UNKNOWN, REQUEST, QUERYSTRING
-              Contrast::AGENT_LIB.input_set[:PARAMETER_VALUE]
-            when HEADER
-              Contrast::AGENT_LIB.input_set[:HEADER_VALUE]
-            when MULTIPART_VALUE, MULTIPART_FIELD_NAME
-              Contrast::AGENT_LIB.input_set[:MULTIPART_NAME]
-            when JSON_ARRAYED_VALUE
-              Contrast::AGENT_LIB.input_set[:JSON_KEY]
-            when PARAMETER_NAME
-              Contrast::AGENT_LIB.input_set[:PARAMETER_KEY]
-            else
-              Contrast::AGENT_LIB.input_set[input_type]
-            end
-          rescue StandardError => e
-            logger.debug('Protect Input classification could not determine input type, falling back to default',
-                         error: e)
-            Contrast::AGENT_LIB.input_set[:PARAMETER_VALUE]
-          end
-
-          private
-
-          # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
-          # key if needed and Creates new instance of InputAnalysisResult.
-          #
-          # @param request [Contrast::Agent::Request] the current request context.
-          # @param rule_id [String] The name of the Protect Rule.
-          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-          # @param value [String, Array<String>] the value of the input.
-          #
-          # @return res [Contrast::Agent::Reporting::InputAnalysisResult, nil]
-          def create_new_input_result request, rule_id, input_type, value
-            return unless Contrast::AGENT_LIB
-
-            input_eval = Contrast::AGENT_LIB.eval_input(value,
-                                                        convert_input_type(input_type),
-                                                        Contrast::AGENT_LIB.rule_set[rule_id],
-                                                        Contrast::AGENT_LIB.eval_option[:PREFER_WORTH_WATCHING])
-
-            ia_result = new_ia_result(rule_id, input_type, request.path, value)
-            score = input_eval&.score || 0
-            if score >= WORTHWATCHING_THRESHOLD
-              ia_result.score_level = WORTHWATCHING
-              ia_result.ids << self::WORTHWATCHING_MATCH
-            else
-              ia_result.score_level = IGNORE
-              return
-            end
-
-            add_needed_key(request, ia_result, input_type, value) if KEYS_NEEDED.include?(input_type)
-            ia_result
-          end
-
-          def append_result ia_analysis, result
-            ia_analysis.results << result if result
-            ia_analysis
-          end
-        end
-      end
-    end
-  end
-end