contrast-agent 7.3.0 → 7.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e64852411fae5dd5c52973361e7f54cdf60813105423ed81cd6455c6ec212330
-  data.tar.gz: d7d6a1ef01242d97b36f1b8fc4767829d300ec2f3ce1dcb21df7fe05aebc22b1
+  metadata.gz: 4223bb2218df4bdf98b2600c77c4fa148e71b830575e938a968d41e89138fb81
+  data.tar.gz: cc559a6b364c5019d9c50d8ee6b8237486ac1596ec8ade76d8e6ae4e51e1b906
 SHA512:
-  metadata.gz: 86626808971cfc1fcd74febe8cdf2d41be668a78cc02d41d4bf7f6a488e550fef9f2a8fe3230eea7ea9ed63824d09e61956878d34d99375dd3595b77d3a9755f
-  data.tar.gz: 9fb15e1733095b1f7c2a9d5d4bfce96a3a2e9d5f956d77f0cd6c1fb810c44166a7bf0e2b89966a63ca80aa34514dd82e6f87e619a782d5024854d84c1ed93183
+  metadata.gz: 6b88f94ad140a8dd0e8099e2d4f3a396f2221de6ba9a3cbdfaa7e9327644703b7dc275c369ffe4efa29109619bf9eb182f2a0f7b85103c67e2a83246c49c137a
+  data.tar.gz: eaf65ba9546f37ace248a29657e690966deaf02aa26426b169f1f3e9639aa3f7b355ea858afd4ef0a5787bd9e2549d7927b3db89894eb6ef4bcd26daf01382e9

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -16,6 +16,7 @@ module Contrast
         class PolicyNode < Contrast::Agent::Patching::Policy::PolicyNode
           include Contrast::Components::Logger::InstanceMethods
           include PolicyNodeUtils
+
           JSON_TAGS = 'tags'
           JSON_DATAFLOW = 'dataflow'
           # The keys used to read from policy.json to create the individual
@@ -48,6 +49,9 @@ module Contrast
           ].cs__freeze
           TO_S = %w[to_s to_str].cs__freeze
 
+          # Here are all Responses that will be tracked as sources, or methods they use, like body.
+          RESPONSE_SOURCES = %w[Net::HTTPResponse Rack::Response Sinatra::Response].cs__freeze
+
           def initialize policy_hash = {}
             super(policy_hash)
             @source_string = policy_hash[JSON_SOURCE]
@@ -57,13 +61,14 @@ module Contrast
             @targets = convert_policy_markers(target_string)
             @_use_original_object = ORIGINAL_OBJECT_METHODS.include?(@method_name)
             @_use_original_on_bang_method = assign_on_bang_check(policy_hash)
+            @_use_response_as_source = RESPONSE_SOURCES.include?(@class_name)
           end
 
+          # If we have KEEP action on String, and the method is to_s, that method would return self:
+          # String#to_s => self or string. This method is included here to cover the situations such as
+          # String.to_s.html_safe, where normally the dynamic sources properties get lost. To solve this
+          # we will simply return the original object here.
           def assign_on_bang_check policy_hash
-            # If we have KEEP action on String, and the method is to_s, that method would return self:
-            # String#to_s => self or string. This method is included here to cover the situations such as
-            # String.to_s.html_safe, where normally the dynamic sources properties get lost. To solve this
-            # we will simply return the original object here.
             return true if @_use_original_object && TO_S.include?(policy_hash[JSON_METHOD_NAME])
 
             @_use_original_object &&
@@ -166,7 +171,7 @@ module Contrast
           # that the method is without bang - it does not change the source, but rather
           # creates a copy of it.
           #
-          # @return true | false
+          # @return [Boolean]
           def use_original_object?
             @_use_original_object && Contrast::ASSESS.track_original_object?
           end
@@ -175,10 +180,24 @@ module Contrast
           # that the target return is the same as object - a bang method modifying the
           # source.
           #
-          # @return true | false
+          # @return [Boolean]
           def use_original_on_bang_method?
             @_use_original_on_bang_method && Contrast::ASSESS.track_original_object?
           end
+
+          # This method will check if policy is fit to use response as source.
+          #
+          # @return [Boolean]
+          def use_response_as_source?
+            Contrast::ASSESS.track_response_as_source?
+          end
+
+          # This method will check if the policy node is for response method.
+          #
+          # @return [Boolean]
+          def response_source_node?
+            @_use_response_as_source
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/propagator/response.rb

@@ -0,0 +1,64 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/policy/propagator/select'
+require 'contrast/utils/duck_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the target at the point of insertion. The target's
+          # preexisting tags are shifted to account for this insertion.
+          class Response < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # This will path the Net::HTTP.request method. It takes two parameters:
+              #  - req: Net::HTTPGenericRequest
+              #  - body: String
+              # As body may be optional, we need to check if it's nil or not.
+              #
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
+              # @param preshift [Contrast::Agent::Assess::Preshift]
+              # @param ret [Object] Return targer from method invocation.
+              # @param _block [nil, {}] block passed.
+              def net_response_keep propagation_node, preshift, ret, _block
+                return unless Contrast::ASSESS.track_response_as_source?
+
+                # Check to see if the argument is of correct type, and whether the body is tracked or not.
+                # if it's tracked and the body is not nil, then copy the properties from the source's body
+                # to the target's body.
+                source_body = if preshift.args.length == 2
+                                preshift.args[1]
+                              else
+                                preshift.args[0]&.body
+                              end
+                copy_body_tags(propagation_node, source_body, ret)
+              end
+
+              private
+
+              # Copy the properties form source body to the response body, if one is present.
+              #
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
+              # @param source_body [String] the tracked body to copy from.
+              # @param ret [String] the return target from method invocation.
+              # @return [String, nil]
+              def copy_body_tags propagation_node, source_body, ret
+                return if Contrast::Utils::DuckUtils.empty_duck?(source_body)
+                return unless ret&.body&.cs__is_a?(String)
+                return unless source_body&.cs__is_a?(String)
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret.body))
+
+                # KEEP
+                properties.copy_from(source_body, ret.body, 0, propagation_node.untags)
+                ret
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator.rb

@@ -31,6 +31,7 @@ module Contrast
           require 'contrast/agent/assess/policy/propagator/substitution'
           require 'contrast/agent/assess/policy/propagator/trim'
           require 'contrast/agent/assess/policy/propagator/buffer'
+          require 'contrast/agent/assess/policy/propagator/response'
         end
       end
     end

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -46,6 +46,11 @@ module Contrast
                 # Exclusions makes method slow:
                 return if excluded_by_url?
 
+                # Check to see if the source node is to be used for response as source.
+                if method_policy.source_node.response_source_node? && !method_policy.source_node.use_response_as_source?
+                  return
+                end
+
                 # used to hold the object and ret
                 source_data = Contrast::Agent::Assess::Events::EventData.new(nil, nil, object, ret, nil)
 

data/lib/contrast/agent/assess/rule/response/body_rule.rb

@@ -3,6 +3,7 @@
 
 require 'rack'
 require 'contrast/utils/hash_digest'
+require 'contrast/utils/duck_utils'
 require 'contrast/utils/string_utils'
 require 'contrast/agent/assess/rule/response/base_rule'
 
@@ -44,21 +45,35 @@ module Contrast
             # @param element_start_str [String] element to find in html section
             # @return [Array<Hash>] the found elements of this section, as well as their start and end indexes.
             def html_elements section, element_start_str = '', capture_overflow: false
+              return [] unless section
+              return [] unless (potentials = potential_elements(section, element_start_str).flatten).any?
+
               elements = []
               section_start = 0
-              return [] unless section
 
-              potential_elements(section, element_start_str).flatten.each do |potential_element|
+              potentials.each do |potential_element|
                 next unless potential_element
                 next unless element_openings.any? { |opening| potential_element.start_with?(opening) }
 
-                section_start = section.index(element_start_str, section_start)
-                next unless section_start
+                start = section&.index(element_start_str, section_start)
+                next if Contrast::Utils::DuckUtils.empty_duck?(start)
+
+                stop = potential_element.index('>').to_i
+                next if Contrast::Utils::DuckUtils.empty_duck?(stop)
 
-                element_stop = potential_element.index('>').to_i
-                next unless element_stop
+                section_close = start + 6 + stop
+                # Now we have valid tag section with start and stop.
+                # Save new boundaries. This is to make sure that If
+                # on previous iteration there were non valid section,
+                # the start_section will be assigned to nil, thus making
+                # the detection of new section not possible, and throwing
+                # an error. To that end old values are kept safe.
+                #
+                # Assign new start index.
+                section_start = start
+                # Assign new end index.
+                element_stop = stop
 
-                section_close = section_start + 6 + element_stop
                 elements << capture(section, section_start, section_close, element_stop, overflow: capture_overflow)
                 section_start = section_close
               end

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb

@@ -70,7 +70,10 @@ module Contrast
             # @param response [Contrast::Agent::Response] the response of the application
             # @return [Array<Hash<String,String>]
             def cache_meta_tags response
-              html_elements(response.body&.split(HEAD_TAG)&.last, META_START_STR).
+              head_tag = response.body&.split(HEAD_TAG)&.last
+              return [] unless head_tag
+
+              html_elements(head_tag, META_START_STR, capture_overflow: false).
                   select { |tag| cache_control_tag?(tag[HTML_PROP]) }
             end
 

data/lib/contrast/agent/telemetry/exception/obfuscate.rb

@@ -16,9 +16,10 @@ module Contrast
           # is the same.
           CYPHER = CHARS.chars.shuffle.join.cs__freeze
           VERSION_MATCH = '[^0-9].-'
+          RUBY_EXT = /\.(?:rb|gemspec)$/i
 
           # List of known places after witch a user name might appear:
-          KNOWN_DIRS = %w[app application project projects git github users home user].cs__freeze
+          KNOWN_DIRS = %w[app application lib project projects git github users home user].cs__freeze
 
           class << self
             # Returns paths for known gems.
@@ -65,8 +66,8 @@ module Contrast
                                         name.tr(VERSION_MATCH, Contrast::Utils::ObjectShare::EMPTY_STRING).downcase)
 
                 obscure(name)
-                # obscure username (next dir in line)
-                obscure(dirs[idx + 1]) if dirs[idx + 1]
+                # obscure username (next dir in line), skip if it's a file name.
+                obscure(dirs[idx + 1]) if dirs[idx + 1] && (dirs[idx + 1] !~ RUBY_EXT)
               end
               cypher = dirs.join(Contrast::Utils::ObjectShare::SLASH)
               return cypher if cypher

data/lib/contrast/agent/telemetry/identifier.rb

@@ -12,7 +12,7 @@ module Contrast
       # Gets info about the instrumented application required to build unique identifiers,
       # used in the agent's Telemetry.
       module Identifier
-        MAC_REGEX = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/.cs__freeze
+        MAC_REGEXP = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/.cs__freeze
         LINUX_OS_REG = /hwaddr=.*?(([A-F0-9]{2}:){5}[A-F0-9]{2})/im.cs__freeze
         MAC_OS_PRIMARY = 'en0'.cs__freeze
         LINUX_PRIMARY = 'enp'.cs__freeze
@@ -87,7 +87,7 @@ module Contrast
               mac = retrieve_mac(addr)
               next unless mac
 
-              result = mac if mac&.match?(MAC_REGEX)
+              result = mac if mac.match?(MAC_REGEXP)
               break if result
             end
             result
@@ -118,33 +118,20 @@ module Contrast
             nil
           end
 
-          # Returns array of network interfaces.
-          # This is OS dependent search.
+          # Returns array of network interfaces belonging to the expected pfamily of this OS.
           #
-          # @return interfaces [Array] Returns an array of interface addresses.
-          # Socket::Ifaddr - represents a result of getifaddrs().
+          # @return interfaces [Array<Socket::Ifaddr>]
           def interfaces
-            @_interfaces ||= []
-
-            return @_interfaces unless @_interfaces.empty?
+            @_interfaces ||= Socket.getifaddrs.select { |interface| interface.addr&.pfamily == check_family }
+          end
 
-            arr = Socket.getifaddrs
-            idx = 0
-            check_family = 0
-            while idx < arr.length
-              # We need only network adapters MACs. Checking for pfamily of every socket address:
-              # 18 for Mac OS and 17 for Linux.
-              # family should be an address family such as: :INET, :INET6, :UNIX, etc.
-              check_family = 18 if Contrast::Utils::OS.mac?
-              check_family = 17 if Contrast::Utils::OS.linux?
-              if arr[idx].addr.pfamily != check_family
-                idx += 1
-                next
-              end
-              @_interfaces << arr[idx]
-              idx += 1
-            end
-            @_interfaces
+          # We need only network adapters MACs. Checking for pfamily of every socket address:
+          # 18 for Mac OS and 17 for Linux. Family should be an address family such as: :INET, :INET6, :UNIX, etc.
+          # It corresponds to the Addrinfo.pfamily value.
+          #
+          # @return [Integer]
+          def check_family
+            @_check_family ||= Contrast::Utils::OS.mac? ? 18 : 17
           end
         end
       end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '7.3.0'
+    VERSION = '7.3.1'
   end
 end

data/lib/contrast/components/assess.rb

@@ -17,14 +17,26 @@ module Contrast
 
         # @return [Boolean, nil]
         attr_accessor :enable
-        # @return [Array, nil]
-        attr_writer :enable_scan_response, :enable_dynamic_sources, :sampling, :rules, :stacktraces, :tags
+        # @return [Boolean, nil]
+        attr_writer :enable_scan_response
+        # @return [Boolean, nil]
+        attr_writer :enable_dynamic_sources
+        # @return [Contrast::Components::Sampling::Interface]
+        attr_writer :sampling
+        # @return [Contrast::Components::AssessRules::Interface]
+        attr_writer :rules
+        # @return [String, nil]
+        attr_writer :stacktraces
+        # @return [Array<String>, nil]
+        attr_writer :tags
         # @return [String]
         attr_reader :canon_name
-        # @return [Array]
+        # @return [Array<String>]
         attr_reader :config_values
         # @return [Boolean]
         attr_writer :enable_original_object
+        # @return [Boolean]
+        attr_writer :enable_response_as_source
         # @return [Integer]
         attr_writer :max_context_source_events
         # @return [Integer]
@@ -46,6 +58,7 @@ module Contrast
           enable_scan_response
           enable_original_object
           enable_dynamic_sources
+          enable_response_as_source
           stacktraces
           max_context_source_events
           max_propagation_events
@@ -63,27 +76,33 @@ module Contrast
           @enable_scan_response = hsh[:enable_scan_response]
           @enable_dynamic_sources = hsh[:enable_dynamic_sources]
           @enable_original_object = hsh[:enable_original_object]
+          @enable_response_as_source = hsh[:enable_response_as_source]
           @sampling = Contrast::Components::Sampling::Interface.new(hsh[:sampling])
           @rules = Contrast::Components::AssessRules::Interface.new(hsh[:rules])
           @stacktraces = hsh[:stacktraces]
           assign_limits(hsh)
         end
 
-        # @return [Boolean, true]
+        # @return [Boolean]
         def enable_scan_response
           @enable_scan_response.nil? ? true : @enable_scan_response
         end
 
-        # @return [Boolean, true]
+        # @return [Boolean]
         def enable_dynamic_sources
           @enable_dynamic_sources.nil? ? true : @enable_dynamic_sources
         end
 
-        # @return [Boolean, true]
+        # @return [Boolean]
         def enable_original_object
           @enable_original_object.nil? ? true : @enable_original_object
         end
 
+        # @return [Boolean]
+        def enable_response_as_source
+          @enable_response_as_source.nil? ? false : @enable_response_as_source
+        end
+
         # @return [Contrast::Components::Sampling::Interface]
         def sampling
           @sampling ||= Contrast::Components::Sampling::Interface.new
@@ -209,6 +228,13 @@ module Contrast
           @_track_original_object
         end
 
+        def track_response_as_source?
+          @track_response_as_source = !false?(enable_response_as_source) if
+            @track_response_as_source.nil?
+
+          @track_response_as_source
+        end
+
         # The id for this process, based on the session metadata or id provided by the user, as indicated in
         # application startup.
         def session_id
@@ -234,6 +260,7 @@ module Contrast
         end
 
         # Sets Event limits from configuration and converts string numbers to integers.
+        # @param hsh [Hash] the configuration hash
         def assign_limits hsh
           return unless hsh
 

data/lib/contrast/components/base.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/config/diagnostics/tools'
 require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
 
 module Contrast
   module Components
@@ -89,12 +90,13 @@ module Contrast
         add_effective_config_values(effective_config, config_values, canon_name, "#{ CONTRAST }.#{ canon_name }")
       end
 
-      # attempts to stringifys the config value if it is an array with the join char
+      # attempts to stringify the config value if it is an array with the join char
+      #
       # @param val[Object] val to stringify
       # @param join_char[String, ','] join character defaults to ','
       # @return [String, Object] the stringified val or the object as is
       def stringify_array val, join_char = ','
-        return val.join(join_char) if val.cs__is_a?(Array)
+        return val.join(join_char) if val.cs__is_a?(Array) && val.any?
 
         val
       end

data/lib/contrast/components/config.rb

@@ -24,7 +24,6 @@ module Contrast
     # it should break LOUDLY.  Better to waste half an hour of the sysadmin's
     # time than to silently fail to deliver functionality.
     module Config
-      CONTRAST_ENV_MARKER = 'CONTRAST__'
       CONTRAST_LOG = 'contrast.log'
       CONTRAST_NAME = 'Contrast Agent'
       DATE_TIME = '%Y-%m-%dT%H:%M:%S.%L%z'
@@ -180,7 +179,8 @@ module Contrast
           # For env variables resembling CONTRAST__WHATEVER__NESTED_VALUE
           # override raw.whatever.nested_value
           ENV.each do |env_key, env_value|
-            next unless env_key.to_s.start_with?(CONTRAST_ENV_MARKER)
+            next unless env_key.to_s.start_with?(Contrast::Configuration::CONTRAST_ENV_MARKER)
+            next if Contrast::Configuration::DEPRECATED_PROPERTIES.include?(env_key.to_s)
 
             config_item = Contrast::Utils::EnvConfigurationItem.new(env_key, env_value)
             assign_value_to_path_array(self, config_item.dot_path_array, config_item.value)

data/lib/contrast/config/diagnostics/command_line.rb

@@ -13,9 +13,9 @@ module Contrast
         class << self
           def command_line_settings
             cli = Contrast::Config::Diagnostics::Tools.flatten_settings(Contrast::CONFIG.sources.
-              for(Contrast::Components::Config::Sources::COMMAND_LINE))
+              for(Contrast::Components::Config::Sources::COMMAND_LINE), cli: true)
 
-            Contrast::Config::Diagnostics::Tools.to_config_values(cli, source: true)
+            Contrast::Config::Diagnostics::Tools.to_config_values(cli, source: true, cli: true)
           end
         end
       end

data/lib/contrast/config/diagnostics/environment_variables.rb

@@ -21,7 +21,7 @@ module Contrast
           # @return [Array] array of all the values needed to be written.
           def environment_settings env
             env_hash = env.select do |e|
-              e.to_s.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) || NON_COMMON_ENV.include?(e.to_s)
+              e.to_s.start_with?(Contrast::Configuration::CONTRAST_ENV_MARKER) || NON_COMMON_ENV.include?(e.to_s)
             end
             environment_settings = []
             env_hash.each do |key, value|
@@ -41,6 +41,7 @@ module Contrast
                                                         Contrast::Utils::ObjectShare::EMPTY_STRING)
                 end
                 effective_value.value = Contrast::Config::Diagnostics::Tools.value_to_s(value)
+                effective_value.key = key
               end
               environment_settings << efc_value if efc_value
             end

data/lib/contrast/config/diagnostics/tools.rb

@@ -11,13 +11,15 @@ module Contrast
       # Diagnostics tools to be included in config components.
       module Tools
         CHECK = 'd'
+        CONTRAST_MARK = 'CONTRAST_'
         class << self
           # Creates new config instances for each read config entry from the flat generated configs.
           #
           # @param flats [Array] of flatten configs produced by #flatten_settings
           # @param source [Boolean] flag to set the desired value class, it may be a effective or source value.
+          # @param cli [Boolean] flag to check if the value comes from cli.
           # @return [Array<Contrast::Config::Diagnostics::SourceConfigValue>]
-          def to_config_values flats, source: false
+          def to_config_values flats, source: false, cli: false
             config_value_klass = if source
                                    Contrast::Config::Diagnostics::SourceConfigValue
                                  else
@@ -27,7 +29,11 @@ module Contrast
             flats.each do |entry|
               entry.each do |key, value|
                 efc_value = config_value_klass.new.tap do |config_value|
-                  config_value.canonical_name = Contrast::Utils::ObjectShare::CONTRAST_DOT + key
+                  config_value.canonical_name = Contrast::Utils::ObjectShare::CONTRAST_DOT + key unless cli
+                  if cli && key.to_s.include?(CONTRAST_MARK)
+                    config_value.canonical_name = key.gsub(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE,
+                                                           Contrast::Utils::ObjectShare::PERIOD).downcase
+                  end
                   config_value.key = key
                   config_value.value = value_to_s(value)
                 end
@@ -40,17 +46,21 @@ module Contrast
           # Flattens out the read settings from file, env or contrast ui.
           # example: {"agent.polling.server_settings_ms"=>"50000"}
           #
+          # If cli is set we avoid adding the path and additional '.' to the key.
+          #
           #  @param data [Hash, nil]
           #  @param path  [String] where to look for settings.
           #  @param config [Hash] symbolized config to fetch keys from.
-          def flatten_settings data, path = [], config: Contrast::CONFIG.config.loaded_config
+          #  @param cli [Boolean] does the config come from cli.
+          def flatten_settings data, path = [], config: Contrast::CONFIG.config.loaded_config, cli: false
             return [] unless data
 
             data.each_with_object([]) do |(k, v), entries|
               if v.cs__is_a?(Hash)
                 entries.concat(flatten_settings(v, path.dup.append(k.to_sym)))
               else
-                entries << { "#{ path.join('.') }.#{ k }" => config.dig(*path, k).to_s }
+                entries << { k.to_s => config.dig(*path, k).to_s } if cli
+                entries << { "#{ path.join('.') }.#{ k }" => config.dig(*path, k).to_s } unless cli
               end
             end.flatten # rubocop:disable Style/MethodCalledOnDoEndBlock
           end
@@ -62,7 +72,7 @@ module Contrast
             return if value.nil?
             return value if value.cs__is_a?(String)
 
-            value.each_with_object({}) do |(k, v), m| # rubocop:disable Style/HashTransformValues
+            value&.each_with_object({}) do |(k, v), m| # rubocop:disable Style/HashTransformValues
               m[k] = if v.cs__is_a?(Hash)
                        value_to_s(v)
                      elsif v.cs__is_a?(Array)

data/lib/contrast/configuration.rb

@@ -64,44 +64,29 @@ module Contrast
     KEYS_TO_REDACT = %i[api_key url service_key user_name].cs__freeze
     REDACTED = '**REDACTED**'
 
-    def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH # rubocop:disable Metrics/AbcSize
+    DEPRECATED_PROPERTIES = %w[
+      CONTRAST__AGENT__SERVICE__ENABLE CONTRAST__AGENT__SERVICE__LOGGER__LEVEL
+      CONTRAST__AGENT__SERVICE__LOGGER__PATH CONTRAST__AGENT__SERVICE__LOGGER__STDOUT
+    ].cs__freeze
+
+    def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH
       @default_name = default_name
 
       # Load config_kv from file
       config_kv = Contrast::Utils::HashUtils.deep_symbolize_all_keys(load_config)
-      unless cli_options
-        cli_options = {}
-        ENV.each do |key, value|
-          next unless key.to_s.start_with?(CONTRAST_ENV_MARKER)
 
-          cli_options[key] = value
-        end
-      end
-
-      # Overlay CLI options - they take precedence over config file
-      cli_options = Contrast::Utils::HashUtils.deep_symbolize_all_keys(cli_options)
-      if cli_options
-        config_kv = Contrast::Utils::HashUtils.precedence_merge(cli_options, config_kv)
-        @_source_file_extensions = Contrast::Utils::HashUtils.
-            precedence_merge(assign_source_to(cli_options,
-                                              Contrast::Components::Config::Sources::COMMAND_LINE),
-                             @_source_file_extensions)
-      end
+      # Load cli options from env
+      cli_options ||= cli_to_hash
+      config_kv = Contrast::Utils::HashUtils.precedence_merge(config_kv, cli_options)
+      update_sources_from_cli(cli_options)
 
       # Some in-flight rewrites to maintain backwards compatibility
       config_kv = update_prop_keys(config_kv)
+      @sources = Contrast::Components::Config::Sources.new(source_file_extensions)
       @loaded_config = config_kv
 
-      @sources = Contrast::Components::Config::Sources.new(@_source_file_extensions)
-
-      @api = Contrast::Components::Api::Interface.new(config_kv[:api])
-      @enable = config_kv[:enable]
-      @agent = Contrast::Components::Agent::Interface.new(config_kv[:agent])
-      @application = Contrast::Components::AppContext::Interface.new(config_kv[:application])
-      @server = Contrast::Config::ServerConfiguration.new(config_kv[:server])
-      @assess = Contrast::Components::Assess::Interface.new(config_kv[:assess])
-      @inventory = Contrast::Components::Inventory::Interface.new(config_kv[:inventory])
-      @protect = Contrast::Components::Protect::Interface.new(config_kv[:protect])
+      # requires loaded_config:
+      create_config_components
     end
 
     # Get a loggable YAML format of this configuration
@@ -155,7 +140,7 @@ module Contrast
     # reverse order of precedence (first is most important).
     def configuration_paths
       @_configuration_paths ||= begin
-        basename = default_name.split('.').first
+        basename = default_name.split('.')[0]
         # Order of extensions comes from here:
         extensions = Contrast::Components::Config::Sources::APP_CONFIGURATION_EXTENSIONS
 
@@ -263,6 +248,18 @@ module Contrast
 
     private
 
+    # Creates and updates the config components with the loaded config values.
+    def create_config_components
+      @api = Contrast::Components::Api::Interface.new(loaded_config[:api])
+      @enable = loaded_config[:enable]
+      @agent = Contrast::Components::Agent::Interface.new(loaded_config[:agent])
+      @application = Contrast::Components::AppContext::Interface.new(loaded_config[:application])
+      @server = Contrast::Config::ServerConfiguration.new(loaded_config[:server])
+      @assess = Contrast::Components::Assess::Interface.new(loaded_config[:assess])
+      @inventory = Contrast::Components::Inventory::Interface.new(loaded_config[:inventory])
+      @protect = Contrast::Components::Protect::Interface.new(loaded_config[:protect])
+    end
+
     # We cannot use all access components at this point, unfortunately, as they
     # may not have been initialized. Instead, we need to access the logger
     # directly.
@@ -367,5 +364,40 @@ module Contrast
         end
       end
     end
+
+    # Update the source mapping to reflect the cli values passed. Using raw string rather than path values.
+    #
+    # @param cli_options[Hash<Symbol, String>]
+    def update_sources_from_cli cli_options
+      @_source_file_extensions = Contrast::Utils::HashUtils.
+          precedence_merge(assign_source_to(cli_options,
+                                            Contrast::Components::Config::Sources::COMMAND_LINE),
+                           @_source_file_extensions)
+    end
+
+    # Find all the set Contrast environment variables and cast them to their hash form. Keys will be split on __ and
+    # converted to symbols to match parsing of the YAML file
+    #
+    # @return [Hash<Symbol, (Hash, String)>]
+    def cli_to_hash
+      cli_options ||= ENV.select do |name, _value|
+        name.to_s.start_with?(CONTRAST_ENV_MARKER) && !DEPRECATED_PROPERTIES.include?(name.to_s)
+      end
+
+      converted = {}
+      cli_options&.each do |key, value|
+        # Split the env key into path components
+        path = key.to_s.split(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE)
+        # Remove the `CONTRAST` start
+        path&.shift
+        # Convert it to hash form, with lowercase symbol keys
+        as_hash = path&.reverse&.reduce(value) do |assigned_value, path_segment|
+          { path_segment.downcase.to_sym => assigned_value }
+        end
+        # And join it w/ the parsed keys
+        Contrast::Utils::HashUtils.precedence_merge!(converted, as_hash)
+      end
+      converted
+    end
   end
 end

data/lib/contrast/logger/application.rb

@@ -17,8 +17,8 @@ module Contrast
         ENV.each do |env_key, env_value|
           env_key = env_key.to_s
           next unless ENV_KEYS.include?(env_key) ||
-              (env_key.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) &&
-                  !env_key.start_with?("#{ Contrast::Components::Config::CONTRAST_ENV_MARKER }API"))
+              (env_key.start_with?(Contrast::Configuration::CONTRAST_ENV_MARKER) &&
+                  !env_key.start_with?("#{ Contrast::Configuration::CONTRAST_ENV_MARKER }API"))
 
           info('Environment settings', key: env_key, value: env_value)
         end
@@ -30,7 +30,7 @@ module Contrast
         loggable = ::Contrast::CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select do |env_key|
-          env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
+          env_key&.to_s&.start_with?(Contrast::Configuration::CONTRAST_ENV_MARKER)
         end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }
         env_translations = env_items.each_with_object({}) do |conversion, hash|

data/lib/contrast/utils/assess/propagation_method_utils.rb

@@ -18,6 +18,7 @@ module Contrast
         REPLACE_ACTION = 'REPLACE'
         REMOVE_ACTION = 'REMOVE'
         REVERSE_ACTION = 'REVERSE'
+        RESPONSE_ACTION = 'RESPONSE'
         SPLAT_ACTION = 'SPLAT'
         SPLIT_ACTION = 'SPLIT'
         DB_WRITE_ACTION = 'DB_WRITE'
@@ -37,6 +38,7 @@ module Contrast
             REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
             REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
             REVERSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Reverse,
+            RESPONSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Response,
             SPLAT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Splat,
             SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
         }.cs__freeze

data/lib/contrast/utils/os.rb

@@ -8,7 +8,7 @@ module Contrast
   module Utils
     # Simple utility used to make OS calls and determine state. For that state
     # which will not change at runtime, such as the operating system, the
-    # Utility memozies to avoid multiple lookups.
+    # Utility memoizes to avoid multiple lookups.
     module OS
       extend Contrast::Components::Scope::InstanceMethods
 
@@ -25,14 +25,6 @@ module Contrast
           @_mac = RUBY_PLATFORM.include?('darwin') if @_mac.nil?
           @_mac
         end
-
-        def unix?
-          !windows?
-        end
-
-        def linux?
-          (unix? and !mac?)
-        end
       end
     end
   end

data/resources/assess/policy.json

@@ -8,7 +8,35 @@
       "target":"R",
       "type":"PARAMETER",
       "tags":["CROSS_SITE"]
-    }, {
+    },
+    {
+     "class_name":"Net::HTTPResponse",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body",
+      "target":"R",
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
+    },
+    {
+     "class_name":"Rack::Response",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body",
+      "target":"R",
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
+    },
+    {
+     "class_name":"Sinatra::Response",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body",
+      "target":"R",
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
+    },
+    {
       "class_name":"Rack::Request::Helpers",
       "instance_method": true,
       "method_visibility": "public",
@@ -990,7 +1018,35 @@
       "source": "P0",
       "target": "R",
       "action": "SPLAT"
-    }, {
+    },
+    {
+      "class_name": "ActiveSupport::JSON",
+      "method_name": "encode",
+      "instance_method": false,
+      "method_visibility": "public",
+      "source": "P0",
+      "target": "R",
+      "action": "SPLAT"
+    },
+    {
+      "class_name": "JSON",
+      "method_name": "generate",
+      "instance_method": false,
+      "method_visibility": "public",
+      "source": "P0",
+      "target": "R",
+      "action": "SPLAT"
+    },
+    {
+      "class_name": "JSON",
+      "method_name": "pretty_generate",
+      "instance_method": false,
+      "method_visibility": "public",
+      "source": "P0",
+      "target": "R",
+      "action": "SPLAT"
+    },
+    {
       "class_name": "Zlib::Deflate",
       "method_name": "deflate",
       "instance_method": false,
@@ -1082,7 +1138,28 @@
       "source": "P0",
       "target": "R",
       "action": "SPLAT"
-    }, {
+    },
+    {
+      "class_name":"Net::HTTPRequest",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body=",
+      "source":"P0",
+      "target":"O",
+      "action":"KEEP"
+    },
+    {
+      "class_name":"Net::HTTP",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"request",
+      "action": "CUSTOM",
+      "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Response",
+      "patch_method": "net_response_keep",
+      "source": "O,P1",
+      "target": "R"
+    },
+    {
       "class_name": "URI::Generic",
       "method_name": "initialize",
       "instance_method": true,

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.3.0
+  version: 7.3.1
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-07-26 00:00:00.000000000 Z
+date: 2023-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -930,6 +930,7 @@ files:
 - lib/contrast/agent/assess/policy/propagator/rack_protection.rb
 - lib/contrast/agent/assess/policy/propagator/remove.rb
 - lib/contrast/agent/assess/policy/propagator/replace.rb
+- lib/contrast/agent/assess/policy/propagator/response.rb
 - lib/contrast/agent/assess/policy/propagator/reverse.rb
 - lib/contrast/agent/assess/policy/propagator/select.rb
 - lib/contrast/agent/assess/policy/propagator/splat.rb