contrast-agent 7.3.2 → 7.4.1

data/lib/contrast/agent/reporting/reporting_events/finding_event.rb

@@ -422,6 +422,8 @@ module Contrast
           raise(ArgumentError, "#{ self } did not have a proper thread. Unable to continue.") unless thread
           raise(ArgumentError, "#{ self } did not have a proper time. Unable to continue.") unless time
           raise(ArgumentError, "#{ self } did not have a proper type. Unable to continue.") unless type
+
+          nil
         end
 
         # @raise [ArgumentError]
@@ -435,6 +437,8 @@ module Contrast
           raise(ArgumentError, "#{ self } did not have a proper signature. Unable to continue.") unless signature
           raise(ArgumentError, "#{ self } did not have a proper stack. Unable to continue.") unless stack
           raise(ArgumentError, "#{ self } did not have a proper tags. Unable to continue.") unless reportable_tags
+
+          nil
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/finding_request.rb

@@ -108,6 +108,8 @@ module Contrast
             raise(ArgumentError, "#{ self } did not have a proper method. Unable to continue.")
           end
           raise(ArgumentError, "#{ self } did not have a proper uri. Unable to continue.") unless uri && !uri.empty?
+
+          nil
         end
 
         # @param request [Contrast::Agent::Request]

data/lib/contrast/agent/reporting/reporting_events/observed_library_usage.rb

@@ -30,6 +30,8 @@ module Contrast
 
         def validate
           raise(ArgumentError, "#{ self } did not have observations. Unable to continue.") if observations.empty?
+
+          nil
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -38,15 +38,16 @@ module Contrast
         def to_controlled_hash
           validate
           {
+              appLanguage: Contrast::Utils::ObjectShare::RUBY,
+              appName: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
+              appPath: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
+              appVersion: ::Contrast::APP_CONTEXT.version,
               code: CODE,
-              app_language: Contrast::Utils::ObjectShare::RUBY,
-              app_name: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
-              app_version: ::Contrast::APP_CONTEXT.version,
               data: '',
               key: 0,
-              routes: @routes.map(&:to_controlled_hash),
-              session_id: ::Contrast::ASSESS.session_id
-          }
+              session_id: ::Contrast::ASSESS.session_id,
+              routes: @routes.map(&:to_controlled_hash)
+          }.compact
         end
 
         # @raise [ArgumentError]
@@ -54,8 +55,8 @@ module Contrast
           unless Contrast::Utils::StringUtils.present?(data)
             raise(ArgumentError, "#{ cs__class } did not have a proper data. Unable to continue.")
           end
-          unless ::Contrast::ASSESS.session_id
-            raise(ArgumentError, "#{ cs__class } did not have a proper session id. Unable to continue.")
+          unless Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
+            raise(ArgumentError, "#{ cs__class } did not have a proper Application Name. Unable to continue.")
           end
 
           nil

data/lib/contrast/agent/reporting/reporting_events/reportable_hash.rb

@@ -28,12 +28,31 @@ module Contrast
         #
         #  @return [String, nil] - JSON
         def event_json
-          hsh = to_controlled_hash
-          hsh.to_json
-        rescue ArgumentError => e
-          # Log the error and raise it for the client to handle:
-          logger.error(validation_error_message, e)
-          raise(e)
+          return unless valid?
+
+          to_controlled_hash.to_json
+        end
+
+        # Check before building the json if the event is valid.
+        # This will also log the error if the event is invalid.
+        # This will save some object creation in the reporter
+        # in the case of an invalid event, and will stop the
+        # reporting of the event.
+        #
+        # @return [Boolean]
+        # @raise [ArgumentError]
+        def valid?
+          @_valid ||= begin
+            validate
+            # Some deeply nested validations only happens on
+            # the to_controlled_hash method, so we need to
+            # invoke it.
+            to_controlled_hash
+            true
+          rescue ArgumentError => e
+            handle_validation_error(e)
+            false
+          end
         end
 
         private
@@ -41,6 +60,11 @@ module Contrast
         def validation_error_message
           "#{ cs__class } failed validation with: "
         end
+
+        # @param error [ArgumentError]
+        def handle_validation_error error
+          logger.error(validation_error_message, error)
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -72,8 +72,8 @@ module Contrast
         # @return response [Net::HTTP::Response, nil] response from TS if no response
         def send_event event, connection
           return unless connection
+          return unless event.valid?
 
-          response = nil
           logger.debug('[Reporter] Preparing to send reporting event', event_class: event.cs__class)
           request = build_request(event)
           response = connection.request(request)

data/lib/contrast/agent/reporting/reporting_utilities/resend.rb

@@ -12,7 +12,7 @@ module Contrast
         RESCUE_ATTEMPTS = 3
         TIMEOUT = 5
         RETRY_ERRORS = [
-          Net::OpenTimeout, Net::ReadTimeout, ArgumentError, EOFError, OpenSSL::SSL::SSLError, Resolv::ResolvError,
+          Net::OpenTimeout, Net::ReadTimeout, EOFError, OpenSSL::SSL::SSLError, Resolv::ResolvError,
           Errno::ECONNRESET, Errno::ECONNREFUSED, Errno::ETIMEDOUT, Errno::ESHUTDOWN, Errno::EHOSTDOWN, NameError,
           Errno::EHOSTUNREACH, Errno::EISCONN, Errno::ECONNABORTED, Errno::ENETRESET, Errno::ENETUNREACH, SocketError,
           NameError, NoMethodError, Timeout::Error, RuntimeError

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -232,11 +232,7 @@ module Contrast
           return unless ::Contrast::AGENT.enabled?
 
           logger.trace_with_time('Rebuilding rule modes from TeamServer') do
-            # TODO: RUBY-999999 Make sure when updating Protect rules to reflect the mode source (always DEFAULT_VALUE)
-            ::Contrast::AGENT.reset_ruleset
-            ::Contrast::SETTINGS.build_protect_rules if ::Contrast::PROTECT.enabled?
-            logger.info('Current rule settings:')
-            ::Contrast::PROTECT.defend_rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
+            ::Contrast::PROTECT.state.update if ::Contrast::PROTECT.enabled?
             if ::Contrast::ASSESS.enabled?
               logger.info('Disabled Assess Rules', rules: ::Contrast::ASSESS.disabled_rules)
             end

data/lib/contrast/agent/reporting/settings/protect.rb

@@ -121,10 +121,10 @@ module Contrast
           # Returns list of actively used protection rules to be updated, or default list.
           # This will be used to query the received settings for the ones used by the Agent.
           def active_defend_rules
-            return ACTIVE_PROTECT_RULES_LIST unless defined?(Contrast::SETTINGS)
+            return ACTIVE_PROTECT_RULES_LIST unless defined?(Contrast::PROTECT)
 
-            current_rules = (Contrast::PROTECT&.defend_rules&.keys if defined?(Contrast::PROTECT))
-            return current_rules unless current_rules&.empty?
+            current_rules = Contrast::PROTECT.defend_rules.keys
+            return current_rules unless current_rules.empty?
 
             ACTIVE_PROTECT_RULES_LIST
           end

data/lib/contrast/agent/reporting/settings/sampling.rb

@@ -24,10 +24,11 @@ module Contrast
 
           def initialize hsh
             @baseline = hsh[:baseline]
-            @enabled = hsh[:enabled]
-            @request_frequency = hsh[:frequency]
-            @response_frequency = hsh[:responseFrequency]
-            @window_ms = hsh[:window]
+            # NG endpoints vs non-ng
+            @enabled = hsh[:enabled] || hsh[:enable]
+            @request_frequency = hsh[:frequency] || hsh[:request_frequency]
+            @response_frequency = hsh[:responseFrequency] || hsh[:response_frequency]
+            @window_ms = hsh[:window] || hsh[:window_ms]
           end
 
           def to_controlled_hash

data/lib/contrast/agent/request/request_context_extend.rb

@@ -52,8 +52,6 @@ module Contrast
         if (ia = Contrast::Agent::Protect::InputAnalyzer.analyse(request))
           # Handle prefilter
           Contrast::Agent::Protect::InputAnalyzer.input_classification(ia, prefilter: true)
-          # Reflected xss infilter
-          Contrast::Agent::Protect::InputAnalyzer.input_classification_for('reflected-xss', ia)
           @agent_input_analysis = ia
         else
           logger.trace('Analysis from Agent was empty.')

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '7.3.2'
+    VERSION = '7.4.1'
   end
 end

data/lib/contrast/components/agent.rb

@@ -26,6 +26,8 @@ module Contrast
         attr_reader :config_values
         # @return [Boolean]
         attr_accessor :enable
+        # @return [Boolean]
+        attr_accessor :omit_body
 
         CANON_NAME = 'agent'
         CONFIG_VALUES = %w[enabled? omit_body?].cs__freeze
@@ -95,16 +97,12 @@ module Contrast
           @_ruleset ||= Contrast::Agent::RuleSet.new(retrieve_protect_ruleset.values)
         end
 
-        def reset_ruleset
-          @_ruleset = nil
-        end
-
         def patch_yield?
           !false?(ruby.propagate_yield)
         end
 
         def omit_body?
-          @_omit_body
+          true?(@_omit_body)
         end
 
         def disable_agent!

data/lib/contrast/components/api.rb

@@ -129,7 +129,7 @@ module Contrast
         #
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def to_effective_config effective_config
-          add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, CONTRAST)
+          add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, CANON_NAME)
           effective_proxy(effective_config)
           request_audit&.to_effective_config(effective_config)
           certificate&.to_effective_config(effective_config)
@@ -139,10 +139,10 @@ module Contrast
 
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def effective_proxy effective_config
-          add_single_effective_value(effective_config, ENABLE, proxy_enable.to_s, PROXY_NAME, "#{ CONTRAST }.proxy")
+          add_single_effective_value(effective_config, ENABLE, proxy_enable.to_s, PROXY_NAME)
           return unless proxy_url && proxy_enable
 
-          add_single_effective_value(effective_config, 'url', proxy_url, PROXY_NAME, "#{ CONTRAST }.proxy")
+          add_single_effective_value(effective_config, 'url', proxy_url, PROXY_NAME)
         end
 
         def certification_truly_enabled? config_path

data/lib/contrast/components/assess.rb

@@ -237,6 +237,10 @@ module Contrast
 
         # The id for this process, based on the session metadata or id provided by the user, as indicated in
         # application startup.
+        #
+        # The ID of the current application run, as returned by the application settings endpoint or set by
+        # application.session_id. If there is no session associated with this run, this field should be omitted
+        # when reporting to TS.
         def session_id
           ::Contrast::SETTINGS.assess_state.session_id
         end

data/lib/contrast/components/assess_rules.rb

@@ -16,7 +16,6 @@ module Contrast
 
         SPEC_KEY = :disabled_rules.cs__freeze
         CANON_NAME = 'assess.rules'
-        NAME_PREFIX = "#{ CONTRAST }.#{ CANON_NAME }".cs__freeze
 
         # @return [Array, nil] list of disabled assess rules
         attr_accessor :disabled_rules
@@ -36,7 +35,7 @@ module Contrast
         #
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def to_effective_config effective_config
-          add_single_effective_value(effective_config, SPEC_KEY.to_s, disabled_rules, canon_name, NAME_PREFIX)
+          add_single_effective_value(effective_config, SPEC_KEY.to_s, disabled_rules || [], canon_name)
         end
 
         private

data/lib/contrast/components/base.rb

@@ -12,7 +12,6 @@ module Contrast
     module ComponentBase
       include Contrast::Config::Diagnostics::Tools
 
-      CONTRAST = 'contrast'
       ENABLE = 'enable'
 
       # Used for config diagnostics. Override per rule.
@@ -87,7 +86,7 @@ module Contrast
       #
       # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
       def to_effective_config effective_config
-        add_effective_config_values(effective_config, config_values, canon_name, "#{ CONTRAST }.#{ canon_name }")
+        add_effective_config_values(effective_config, config_values, canon_name)
       end
 
       # attempts to stringify the config value if it is an array with the join char

data/lib/contrast/components/config/sources.rb

@@ -11,6 +11,8 @@ module Contrast
       # This component encapsulates storing the source for each entry in the config,
       # so that we can report on where the value was set from.
       class Sources
+        # [ CORPORATE_RULE, COMMAND_LINE, JAVA_SYSTEM_PROPERTY, ENVIRONMENT_VARIABLE, APP_CONFIGURATION_FILE,
+        # USER_CONFIGURATION_FILE, CONTRAST_UI, DEFAULT_VALUE ]
         ENVIRONMENT_VARIABLE = 'ENVIRONMENT_VARIABLE'
         COMMAND_LINE = 'COMMAND_LINE'
         CONTRAST_UI = 'CONTRAST_UI'
@@ -57,6 +59,27 @@ module Contrast
           deep_select(data.dup, type, [])
         end
 
+        # @param path [String] the canonical name for the config entry (such as api.proxy.enable) or source
+        #   if the source(CONTRAST_UI, ENVIRONMENT_VARIABLE...) flag is set true.
+        # @param source [Boolean] flag to specify we are passing in a source, no need to look for it.
+        # @return [Boolean] true if the entry is from a YAML file
+        def configuration_file_source? path, source: false
+          s = source ? path : Contrast::CONFIG.sources.get(path)
+          return true if s.include?(APP_CONFIGURATION_EXTENSIONS[0]) || s.include?(APP_CONFIGURATION_EXTENSIONS[1])
+
+          false
+        end
+
+        # Check to see whether the source has been overridden by local settings.
+        # @param path [String] the canonical name for the config entry (such as api.proxy.enable)
+        def source_overridden? path
+          source = Contrast::CONFIG.sources.get(path)
+          return true if [ENVIRONMENT_VARIABLE, COMMAND_LINE].include?(source)
+          return true if configuration_file_source?(source, source: true)
+
+          false
+        end
+
         private
 
         # @param path [String] the canonical name for a config entry (such as api.proxy.enable)

data/lib/contrast/components/logger.rb

@@ -33,6 +33,8 @@ module Contrast
         include InstanceMethods
         include Contrast::Components::ComponentBase
 
+        DEFAULT_NAME = 'contrast.log'
+        DEFAULT_LEVEL = 'INFO'
         CANON_NAME = 'agent.logger'
         CONFIG_VALUES = %w[path level progname].cs__freeze
 
@@ -56,6 +58,23 @@ module Contrast
           @level = hsh[:level]
           @progname = hsh[:progname]
         end
+
+        def to_effective_config effective_config
+          path_setting = nil
+          level_setting = nil
+
+          if defined?(Contrast::SETTINGS)
+            path_setting = Contrast::SETTINGS.agent_state.logger_path
+            level_setting = Contrast::SETTINGS.agent_state.logger_level
+          end
+
+          path_setting ||= DEFAULT_NAME
+          level_setting ||= DEFAULT_LEVEL
+
+          add_single_effective_value(effective_config, config_values[0], path || path_setting, CANON_NAME)
+          add_single_effective_value(effective_config, config_values[1], level || level_setting, CANON_NAME)
+          add_single_effective_value(effective_config, config_values[2], progname, CANON_NAME)
+        end
       end
     end
   end

data/lib/contrast/components/protect.rb

@@ -4,6 +4,8 @@
 require 'contrast/components/base'
 require 'contrast/config/exception_configuration'
 require 'contrast/config/protect_rule_configuration'
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/state'
 
 module Contrast
   module Components
@@ -68,7 +70,7 @@ module Contrast
           return false if forcibly_disabled?
           return true  if forcibly_enabled?
 
-          ::Contrast::SETTINGS.protect_state.enabled == true
+          state.enabled?
         end
 
         # Check to determine if the base64 decoding is required for user inputs.
@@ -85,12 +87,19 @@ module Contrast
           ::Contrast::CONFIG.protect.rules
         end
 
+        # Current Active Protect rules and the state/mode they are in.
+        #
+        # @return [Contrast::Agent::Protect::State]
+        def state
+          @_state ||= Contrast::Agent::Protect::State.new
+        end
+
         # Returns Protect array of all initialized
         # protect rules.
         #
         # @return defend_rules[Hash<Contrast::SETTINGS.protect_state.rules>]
         def defend_rules
-          ::Contrast::SETTINGS.protect_state.rules
+          state.rules
         end
 
         # The Contrast::CONFIG.protect.rules is object so we need to check it's
@@ -102,16 +111,27 @@ module Contrast
         # @return mode [Symbol]
         def rule_mode rule_id
           str = rule_id.tr('-', '_')
-          ::Contrast::CONFIG.protect.rules[str]&.applicable_mode ||
-              ::Contrast::SETTINGS.application_state.modes_by_id[rule_id] ||
-              :NO_ACTION
+          config_mode = Contrast::CONFIG.protect.rules[str]&.applicable_mode
+          settings_mode = ::Contrast::SETTINGS.application_state.modes_by_id[rule_id]
+
+          if config_mode
+            update_config_for_rule(rule_id, config_mode)
+            return config_mode
+          end
+
+          if settings_mode
+            update_config_for_rule(rule_id, settings_mode, ui_source: true)
+            return settings_mode
+          end
+          :NO_ACTION
         end
 
         # Name of the protect rule
         #
-        # @return [String]
+        # @param name [String]
+        # @return [Contrast::Agent::Protect::Rule::Base]
         def rule name
-          ::Contrast::SETTINGS.protect_state.rules[name]
+          state.rules[name]
         end
 
         def report_any_command_execution?
@@ -124,7 +144,8 @@ module Contrast
 
         def report_custom_code_sysfile_access?
           if @_report_custom_code_sysfile_access.nil?
-            name_changed = Contrast::Agent::Protect::Rule::PathTraversal::NAME.tr('-', '_')
+            name_changed = Contrast::Agent::Protect::Rule::PathTraversal::NAME.
+                tr(Contrast::Utils::ObjectShare::DASH, Contrast::Utils::ObjectShare::UNDERSCORE)
             ctrl = rule_config[name_changed]
             @_report_custom_code_sysfile_access = ctrl && true?(ctrl.detect_custom_code_accessing_system_files)
           end
@@ -150,16 +171,15 @@ module Contrast
 
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def protect_rules_to_effective_config effective_config
-          return unless defend_rules
-
-          defend_rules.each do |key, value|
+          state.rules.each do |key, value|
             next unless key && value
 
             config_prefix = "#{ CANON_NAME }.#{ RULES }.#{ key }"
-            name_prefix = "#{ CONTRAST }.#{ CANON_NAME }.#{ RULES }.#{ key }"
-            add_single_effective_value(effective_config, ENABLE, value.enabled?, config_prefix, name_prefix)
+            add_single_effective_value(effective_config, ENABLE, value.enabled?, config_prefix)
             # Get the mode by checking Current Configs or Settings received:
-            add_single_effective_value(effective_config, MODE, rule_mode(key), config_prefix, name_prefix)
+            mode = rule_mode(key)
+            mode = :OFF if mode == :NO_ACTION
+            add_single_effective_value(effective_config, MODE, mode, config_prefix)
           end
         end
 
@@ -181,6 +201,27 @@ module Contrast
         def report_custom_code_sysfile_access
           report_custom_code_sysfile_access?
         end
+
+        # @param rule_id [String] the canonical name for a config entry (such as api.proxy.enable).
+        # @param mode [Symbol] to set the value of the config entry.
+        # @param ui_source [Boolean] whether to se the source as contrast ui or not.
+        def update_config_for_rule rule_id, mode, ui_source: false
+          str = rule_id.tr('-', '_').to_sym
+          config = Contrast::CONFIG.config.loaded_config
+          return unless config
+
+          config[:protect] ||= {}
+          config[:protect][:rules] ||= {}
+          config[:protect][:rules][str] ||= {}
+          config[:protect][:rules][str][:mode] = mode
+          config[:protect][:rules][str][:enable] = (mode != :NO_ACTION)
+          return unless ui_source
+
+          Contrast::CONFIG.sources.set("#{ CANON_NAME }.#{ RULES }.#{ str }.mode",
+                                       Contrast::Components::Config::Sources::CONTRAST_UI)
+          Contrast::CONFIG.sources.set("#{ CANON_NAME }.#{ RULES }.#{ str }.enable",
+                                       Contrast::Components::Config::Sources::CONTRAST_UI)
+        end
       end
     end
   end

data/lib/contrast/components/sampling.rb

@@ -111,7 +111,6 @@ module Contrast
         include Contrast::Config::BaseConfiguration
 
         CANON_NAME = 'assess.sampling'
-        NAME_PREFIX = "#{ CONTRAST }.#{ CANON_NAME }".cs__freeze
         CONFIG_VALUES = %w[enable baseline request_frequency response_frequency window_ms].cs__freeze
 
         # @return [Boolean, nil]
@@ -145,19 +144,13 @@ module Contrast
         def to_effective_config effective_config
           confirm_sources
 
-          add_single_effective_value(effective_config, 'enable', sampling_control[:enabled], canon_name, NAME_PREFIX)
-          add_single_effective_value(effective_config, 'baseline', sampling_control[:baseline], canon_name, NAME_PREFIX)
-          add_single_effective_value(effective_config, 'window_ms', sampling_control[:window], canon_name, NAME_PREFIX)
+          add_single_effective_value(effective_config, 'enable', sampling_control[:enabled], canon_name)
+          add_single_effective_value(effective_config, 'baseline', sampling_control[:baseline], canon_name)
+          add_single_effective_value(effective_config, 'window_ms', sampling_control[:window], canon_name)
           add_single_effective_value(effective_config,
-                                     'request_frequency',
-                                     sampling_control[:request_frequency],
-                                     canon_name,
-                                     NAME_PREFIX)
+                                     'request_frequency', sampling_control[:request_frequency], canon_name)
           add_single_effective_value(effective_config,
-                                     'response_frequency',
-                                     sampling_control[:response_frequency],
-                                     canon_name,
-                                     NAME_PREFIX)
+                                     'response_frequency', sampling_control[:response_frequency], canon_name)
         end
 
         private

data/lib/contrast/components/security_logger.rb

@@ -10,6 +10,7 @@ module Contrast
       class Interface
         include Contrast::Components::ComponentBase
 
+        DEFAULT_CEF_NAME = 'security.log'
         CANON_NAME = 'agent.security_logger'
         CONFIG_VALUES = %w[path level].cs__freeze
 
@@ -30,6 +31,22 @@ module Contrast
           @path = hsh[:path]
           @level = hsh[:level]
         end
+
+        def to_effective_config effective_config
+          path_setting = nil
+          level_setting = nil
+
+          if defined?(Contrast::SETTINGS)
+            path_setting = Contrast::SETTINGS.agent_state.cef_logger_path
+            level_setting = Contrast::SETTINGS.agent_state.cef_logger_level
+          end
+
+          path_setting ||= DEFAULT_CEF_NAME
+          level_setting ||= Contrast::CONFIG.agent.logger.level
+
+          add_single_effective_value(effective_config, config_values[0], path || path_setting, CANON_NAME)
+          add_single_effective_value(effective_config, config_values[1], level || level_setting, CANON_NAME)
+        end
       end
     end
   end