contrast-agent 7.3.1 → 7.4.0

data/lib/contrast/config/diagnostics/tools.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/utils/object_share'
 require 'contrast/config/diagnostics/effective_config_value'
+require 'contrast/config/diagnostics/singleton_tools'
 require 'contrast/utils/duck_utils'
 
 module Contrast
@@ -11,79 +12,11 @@ module Contrast
       # Diagnostics tools to be included in config components.
       module Tools
         CHECK = 'd'
-        CONTRAST_MARK = 'CONTRAST_'
-        class << self
-          # Creates new config instances for each read config entry from the flat generated configs.
-          #
-          # @param flats [Array] of flatten configs produced by #flatten_settings
-          # @param source [Boolean] flag to set the desired value class, it may be a effective or source value.
-          # @param cli [Boolean] flag to check if the value comes from cli.
-          # @return [Array<Contrast::Config::Diagnostics::SourceConfigValue>]
-          def to_config_values flats, source: false, cli: false
-            config_value_klass = if source
-                                   Contrast::Config::Diagnostics::SourceConfigValue
-                                 else
-                                   Contrast::Config::Diagnostics::EffectiveConfigValue
-                                 end
-            settings = []
-            flats.each do |entry|
-              entry.each do |key, value|
-                efc_value = config_value_klass.new.tap do |config_value|
-                  config_value.canonical_name = Contrast::Utils::ObjectShare::CONTRAST_DOT + key unless cli
-                  if cli && key.to_s.include?(CONTRAST_MARK)
-                    config_value.canonical_name = key.gsub(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE,
-                                                           Contrast::Utils::ObjectShare::PERIOD).downcase
-                  end
-                  config_value.key = key
-                  config_value.value = value_to_s(value)
-                end
-                settings << efc_value if efc_value
-              end
-            end
-            settings
-          end
-
-          # Flattens out the read settings from file, env or contrast ui.
-          # example: {"agent.polling.server_settings_ms"=>"50000"}
-          #
-          # If cli is set we avoid adding the path and additional '.' to the key.
-          #
-          #  @param data [Hash, nil]
-          #  @param path  [String] where to look for settings.
-          #  @param config [Hash] symbolized config to fetch keys from.
-          #  @param cli [Boolean] does the config come from cli.
-          def flatten_settings data, path = [], config: Contrast::CONFIG.config.loaded_config, cli: false
-            return [] unless data
-
-            data.each_with_object([]) do |(k, v), entries|
-              if v.cs__is_a?(Hash)
-                entries.concat(flatten_settings(v, path.dup.append(k.to_sym)))
-              else
-                entries << { k.to_s => config.dig(*path, k).to_s } if cli
-                entries << { "#{ path.join('.') }.#{ k }" => config.dig(*path, k).to_s } unless cli
-              end
-            end.flatten # rubocop:disable Style/MethodCalledOnDoEndBlock
-          end
 
-          # Recursively converts each value to string.
-          #
-          # @param value [Hash, nil]
-          def value_to_s value
-            return if value.nil?
-            return value if value.cs__is_a?(String)
-
-            value&.each_with_object({}) do |(k, v), m| # rubocop:disable Style/HashTransformValues
-              m[k] = if v.cs__is_a?(Hash)
-                       value_to_s(v)
-                     elsif v.cs__is_a?(Array)
-                       v.map(&:to_s)
-                     else
-                       v.to_s
-                     end
-            end
-          end
-        end
+        extend Contrast::Config::Diagnostics::SingletonTools
 
+        # TODO: RUBY-2113 deprecate name_prefix
+        #
         # Converts current configuration from array of values to effective config values class and appends them to
         # EffectiveConfig class. Must be used inside Config Components only.
         #
@@ -91,13 +24,15 @@ module Contrast
         # @param config_values [] array of the names of values.
         # @param canonical_prefix [String] starting of the path to config => api.proxy...
         # @param name_prefix [String] the name of the config prefix => contrast.api_key, contrast.url
-        def add_effective_config_values effective_config, config_values, canonical_prefix, name_prefix
+        def add_effective_config_values(effective_config,
+                                        config_values,
+                                        canonical_prefix,
+                                        name_prefix = canonical_prefix)
           return if config_values.to_s.empty?
 
           config_values.each do |config_value_name|
             Contrast::Config::Diagnostics::EffectiveConfigValue.new.tap do |new_effective_value|
-              next if Contrast::Utils::DuckUtils.empty_duck?((config_value = send(config_value_name.to_sym)))
-
+              config_value = send(config_value_name.to_sym)
               fill_effective_value(new_effective_value, config_value, config_value_name, canonical_prefix, name_prefix)
               effective_config.values << new_effective_value
             rescue StandardError => e
@@ -107,6 +42,8 @@ module Contrast
           end
         end
 
+        # TODO: RUBY-2113 deprecate name_prefix
+        #
         # Converts current configuration from single value to effective config values class and appends them to
         # EffectiveConfig class. Must be used inside Config Components only.
         #
@@ -115,10 +52,12 @@ module Contrast
         # @param config_value [String, Boolean] value of the config.
         # @param canonical_prefix [String] starting of the path to config => api.proxy...
         # @param name_prefix [String] the name of the config prefix => contrast.api_key, contrast.url
-        def add_single_effective_value effective_config, config_name, config_value, canonical_prefix, name_prefix
+        def add_single_effective_value(effective_config,
+                                       config_name,
+                                       config_value,
+                                       canonical_prefix,
+                                       name_prefix = canonical_prefix)
           Contrast::Config::Diagnostics::EffectiveConfigValue.new.tap do |new_effective_value|
-            break if Contrast::Utils::DuckUtils.empty_duck?(config_value)
-
             fill_effective_value(new_effective_value, config_value, config_name, canonical_prefix, name_prefix)
             effective_config.values << new_effective_value
           rescue StandardError => e
@@ -139,7 +78,11 @@ module Contrast
         # @return filled_new_effective_config [Contrast::Config::Diagnostics::EffectiveConfigValue]
         def fill_effective_value new_effective_value, config_value, config_value_name, canonical_prefix, name_prefix
           find_source(new_effective_value, canonical_prefix, assign_name(config_value_name), name_prefix)
-          new_effective_value.value = config_value
+          if Contrast::Config::Diagnostics::SingletonTools::API_CREDENTIALS.include?(config_value_name.to_s)
+            new_effective_value.value = Contrast::Configuration::EFFECTIVE_REDACTED
+            return new_effective_value
+          end
+          new_effective_value.value = config_value.cs__is_a?(Array) ? config_value.join(',') : config_value.to_s
           new_effective_value
         end
 
@@ -174,14 +117,10 @@ module Contrast
           # For files we keep the whole path as source.
           source = Contrast::CONFIG.sources.get(new_effective_value.canonical_name)
           new_effective_value.assign_filename(source)
-          new_source = if source.include?(Contrast::Config::LocalSourceValue::YAML_EXT) ||
-                source.include?(Contrast::Config::LocalSourceValue::YML_EXT)
-
+          new_source = if Contrast::CONFIG.sources.configuration_file_source?(new_effective_value.canonical_name)
                          Contrast::Components::Config::Sources::APP_CONFIGURATION_FILE
-                       else
-                         Contrast::Components::Config::Sources::DEFAULT_VALUE
                        end
-          new_effective_value.source = new_source
+          new_effective_value.source = new_source || source
           new_effective_value
         end
 

data/lib/contrast/config/request_audit_configuration.rb

@@ -50,7 +50,7 @@ module Contrast
       #
       # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
       def to_effective_config effective_config
-        add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, "#{ CONTRAST }.#{ CANON_NAME }")
+        add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME)
       end
     end
   end

data/lib/contrast/config/server_configuration.rb

@@ -54,21 +54,9 @@ module Contrast
       # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
       def to_effective_config effective_config
         super
-        add_single_effective_value(effective_config,
-                                   'type',
-                                   Contrast::APP_CONTEXT.server_type,
-                                   CANON_NAME,
-                                   "#{ CONTRAST }.#{ CANON_NAME }")
-        add_single_effective_value(effective_config,
-                                   'name',
-                                   Contrast::APP_CONTEXT.server_name,
-                                   CANON_NAME,
-                                   "#{ CONTRAST }.#{ CANON_NAME }")
-        add_single_effective_value(effective_config,
-                                   'path',
-                                   Contrast::APP_CONTEXT.server_path,
-                                   CANON_NAME,
-                                   "#{ CONTRAST }.#{ CANON_NAME }")
+        add_single_effective_value(effective_config, 'type', Contrast::APP_CONTEXT.server_type, CANON_NAME)
+        add_single_effective_value(effective_config, 'name', Contrast::APP_CONTEXT.server_name, CANON_NAME)
+        add_single_effective_value(effective_config, 'path', Contrast::APP_CONTEXT.server_path, CANON_NAME)
       end
     end
   end

data/lib/contrast/configuration.rb

@@ -63,6 +63,7 @@ module Contrast
     CONFIG_BASE_PATHS = %w[./ config/ /etc/contrast/ruby/ /etc/contrast/ /etc/].cs__freeze
     KEYS_TO_REDACT = %i[api_key url service_key user_name].cs__freeze
     REDACTED = '**REDACTED**'
+    EFFECTIVE_REDACTED = '****'
 
     DEPRECATED_PROPERTIES = %w[
       CONTRAST__AGENT__SERVICE__ENABLE CONTRAST__AGENT__SERVICE__LOGGER__LEVEL
@@ -146,8 +147,10 @@ module Contrast
 
         paths = []
         # Environment paths takes precedence here. Look first through them.
-        paths << ENV['CONTRAST_CONFIG_PATH']     if ENV['CONTRAST_CONFIG_PATH']
-        paths << ENV['CONTRAST_SECURITY_CONFIG'] if ENV['CONTRAST_SECURITY_CONFIG']
+        config_path = ENV.fetch('CONTRAST_CONFIG_PATH', nil)
+        security_path = ENV.fetch('CONTRAST_SECURITY_CONFIG', nil)
+        paths << config_path if config_path
+        paths << security_path if security_path
 
         extensions.each do |ext|
           places = CONFIG_BASE_PATHS.product(["#{ basename }.#{ ext }"])

data/lib/contrast/framework/manager.rb

@@ -29,6 +29,7 @@ module Contrast
       ].cs__freeze
 
       def initialize
+        @_frameworks = []
         return if Contrast::AGENT.disabled? || Contrast::Utils::JobServersRunning.job_servers_running?
 
         @_frameworks = SUPPORTED_FRAMEWORKS.map do |framework_klass|
@@ -90,9 +91,7 @@ module Contrast
       #   this particular Request
       # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
-        if Contrast::Utils::DuckUtils.empty_duck?(@_frameworks)
-          return Contrast::Framework::Rack::Support.retrieve_request(env)
-        end
+        return Contrast::Framework::Rack::Support.retrieve_request(env) if @_frameworks.empty?
 
         framework = @_frameworks[0]
 
@@ -115,6 +114,8 @@ module Contrast
       # @return [Boolean] true if at least one framework is streaming the response; false if none are streaming
       def streaming? env
         result = false
+        return result if @_frameworks.empty?
+
         @_frameworks.each do |framework|
           result = framework.streaming?(env)
           break if result

data/lib/contrast/framework/manager_extend.rb

@@ -29,7 +29,7 @@ module Contrast
       # @param method_name [Symbol] the method to call on each FrameworkSupport class
       # @return [Array]
       def data_for_all_frameworks method_name
-        @_frameworks.flat_map { |framework| framework.send(method_name) }.
+        @_frameworks&.flat_map { |framework| framework.send(method_name) }&.
             compact
       end
 
@@ -39,6 +39,8 @@ module Contrast
       # @return [Object] - Determined by method to be invoked
       def first_framework_result method_name, default_value
         result = nil
+        return default_value if @_frameworks.empty?
+
         @_frameworks.each do |framework|
           result = framework.send(method_name)
           break if result

data/lib/contrast/framework/rack/support.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/framework/base_support'
 require 'contrast/framework/rack/patch/support'
+require 'contrast/utils/duck_utils'
 
 module Contrast
   module Framework
@@ -10,6 +11,9 @@ module Contrast
       # Used when Rack is present to define framework specific behavior. For
       # now, the only part of this implemented is the Patch Support.
       module Support
+        RACK_REQUEST_PATH = 'REQUEST_PATH'
+        RACK_SERVER_NAME = 'SERVER_NAME'
+
         extend Contrast::Framework::BaseSupport
         extend Contrast::Framework::Rack::Patch::Support
         class << self
@@ -74,8 +78,13 @@ module Contrast
           def current_route_coverage request, _controller = nil, full_route = nil
             method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
 
-            full_route ||= request.env[::Rack::PATH_INFO]
-            return unless full_route && method
+            full_route ||= request.env.fetch(::Rack::PATH_INFO, nil)
+            full_route = request.env.fetch(RACK_REQUEST_PATH, nil) if Contrast::Utils::DuckUtils.empty_duck?(full_route)
+            return unless method
+
+            # If we are here and have method but the route is "" we might be expecting the home page.
+            full_route = '/' if Contrast::Utils::DuckUtils.empty_duck?(full_route) &&
+                request.env.fetch(RACK_SERVER_NAME, nil)
 
             route_coverage = Contrast::Agent::Reporting::RouteCoverage.new
             # We might not have controller, or even if there is defined one, it could not bare the name of the

data/lib/contrast/utils/log_utils.rb

@@ -12,7 +12,7 @@ module Contrast
     # Method utility used by Contrast::Logger::log
     module LogUtils
       DEFAULT_NAME     = 'contrast.log'
-      DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
+      DEFAULT_LEVEL    = 'INFO'
       VALID_LEVELS     = ::Ougai::Logging::Severity::SEV_LABEL
       STDOUT_STR       = 'STDOUT'
       STDERR_STR       = 'STDERR'

data/lib/contrast/utils/reporting/application_activity_batch_utils.rb

@@ -23,9 +23,6 @@ module Contrast
           return unless activity
           return if activity.defend.attackers.empty?
 
-          activity_batch.query_count += activity.query_count
-          activity_batch.routes << activity.routes
-          activity_batch.routes.flatten!
           merge_attackers(activity)
           activity_batch.attach_inventory(activity.inventory) unless activity.inventory.empty?
         end

data/lib/contrast/utils/request_utils.rb

@@ -12,7 +12,7 @@ module Contrast
       NUM_PATTERN = %r{/\d+/}.cs__freeze
       END_PATTERN = %r{/\d+$}.cs__freeze
       STATIC_SUFFIXES = /\.(?:js|css|jpeg|jpg|gif|png|ico|woff|svg|pdf|eot|ttf|jar)$/i.cs__freeze
-      UUID_PATTERN = Regexp.new('[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}').cs__freeze # rubocop:disable Metrics/LineLength
+      UUID_PATTERN = Regexp.new('[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}').cs__freeze # rubocop:disable Layout/LineLength
       # Regular expression to match any type of hash pattern that is 16 bytes like uuid with no
       # slashes, md5, sha1, sha256, etc
       HASH_PATTERN = Regexp.new('([a-fA-F0-9]{2}){16,}').cs__freeze

data/lib/contrast/utils/timer.rb

@@ -29,7 +29,7 @@ module Contrast
       #
       # @return[String]
       def self.time_now
-        Time.now.utc.iso8601(7)
+        Time.now.utc.iso8601(2)
       end
 
       # Converts time given in ms format form TS to HttpDate.

data/lib/contrast.rb

@@ -75,7 +75,7 @@ module Contrast # :nodoc:
   API = CONFIG.api
   SETTINGS = Contrast::Components::Settings::Interface.new
   ASSESS = CONFIG.assess
-  PROTECT = Contrast::Components::Protect::Interface.new
+  PROTECT = CONFIG.protect
   INVENTORY = CONFIG.inventory
   AGENT = CONFIG.agent
   RUBY_INTERFACE = AGENT.ruby

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.3.1
+  version: 7.4.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-08-04 00:00:00.000000000 Z
+date: 2023-09-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -1058,6 +1058,7 @@ files:
 - lib/contrast/agent/protect/rule/xss/xss.rb
 - lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb
 - lib/contrast/agent/protect/rule/xxe/xxe.rb
+- lib/contrast/agent/protect/state.rb
 - lib/contrast/agent/reactions/disable_reaction.rb
 - lib/contrast/agent/reporting/attack_result/attack_result.rb
 - lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb
@@ -1253,6 +1254,7 @@ files:
 - lib/contrast/config/diagnostics/effective_config_value.rb
 - lib/contrast/config/diagnostics/environment_variables.rb
 - lib/contrast/config/diagnostics/monitor.rb
+- lib/contrast/config/diagnostics/singleton_tools.rb
 - lib/contrast/config/diagnostics/source_config_value.rb
 - lib/contrast/config/diagnostics/tools.rb
 - lib/contrast/config/diagnostics/user_configuration_file.rb