contrast-agent 7.3.2 → 7.4.1

data/lib/contrast/config/diagnostics/tools.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/utils/object_share'
 require 'contrast/config/diagnostics/effective_config_value'
+require 'contrast/config/diagnostics/singleton_tools'
 require 'contrast/utils/duck_utils'
 
 module Contrast
@@ -11,79 +12,11 @@ module Contrast
       # Diagnostics tools to be included in config components.
       module Tools
         CHECK = 'd'
-        CONTRAST_MARK = 'CONTRAST_'
-        class << self
-          # Creates new config instances for each read config entry from the flat generated configs.
-          #
-          # @param flats [Array] of flatten configs produced by #flatten_settings
-          # @param source [Boolean] flag to set the desired value class, it may be a effective or source value.
-          # @param cli [Boolean] flag to check if the value comes from cli.
-          # @return [Array<Contrast::Config::Diagnostics::SourceConfigValue>]
-          def to_config_values flats, source: false, cli: false
-            config_value_klass = if source
-                                   Contrast::Config::Diagnostics::SourceConfigValue
-                                 else
-                                   Contrast::Config::Diagnostics::EffectiveConfigValue
-                                 end
-            settings = []
-            flats.each do |entry|
-              entry.each do |key, value|
-                efc_value = config_value_klass.new.tap do |config_value|
-                  config_value.canonical_name = Contrast::Utils::ObjectShare::CONTRAST_DOT + key unless cli
-                  if cli && key.to_s.include?(CONTRAST_MARK)
-                    config_value.canonical_name = key.gsub(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE,
-                                                           Contrast::Utils::ObjectShare::PERIOD).downcase
-                  end
-                  config_value.key = key
-                  config_value.value = value_to_s(value)
-                end
-                settings << efc_value if efc_value
-              end
-            end
-            settings
-          end
-
-          # Flattens out the read settings from file, env or contrast ui.
-          # example: {"agent.polling.server_settings_ms"=>"50000"}
-          #
-          # If cli is set we avoid adding the path and additional '.' to the key.
-          #
-          #  @param data [Hash, nil]
-          #  @param path  [String] where to look for settings.
-          #  @param config [Hash] symbolized config to fetch keys from.
-          #  @param cli [Boolean] does the config come from cli.
-          def flatten_settings data, path = [], config: Contrast::CONFIG.config.loaded_config, cli: false
-            return [] unless data
-
-            data.each_with_object([]) do |(k, v), entries|
-              if v.cs__is_a?(Hash)
-                entries.concat(flatten_settings(v, path.dup.append(k.to_sym)))
-              else
-                entries << { k.to_s => config.dig(*path, k).to_s } if cli
-                entries << { "#{ path.join('.') }.#{ k }" => config.dig(*path, k).to_s } unless cli
-              end
-            end.flatten # rubocop:disable Style/MethodCalledOnDoEndBlock
-          end
 
-          # Recursively converts each value to string.
-          #
-          # @param value [Hash, nil]
-          def value_to_s value
-            return if value.nil?
-            return value if value.cs__is_a?(String)
-
-            value&.each_with_object({}) do |(k, v), m| # rubocop:disable Style/HashTransformValues
-              m[k] = if v.cs__is_a?(Hash)
-                       value_to_s(v)
-                     elsif v.cs__is_a?(Array)
-                       v.map(&:to_s)
-                     else
-                       v.to_s
-                     end
-            end
-          end
-        end
+        extend Contrast::Config::Diagnostics::SingletonTools
 
+        # TODO: RUBY-2113 deprecate name_prefix
+        #
         # Converts current configuration from array of values to effective config values class and appends them to
         # EffectiveConfig class. Must be used inside Config Components only.
         #
@@ -91,13 +24,15 @@ module Contrast
         # @param config_values [] array of the names of values.
         # @param canonical_prefix [String] starting of the path to config => api.proxy...
         # @param name_prefix [String] the name of the config prefix => contrast.api_key, contrast.url
-        def add_effective_config_values effective_config, config_values, canonical_prefix, name_prefix
+        def add_effective_config_values(effective_config,
+                                        config_values,
+                                        canonical_prefix,
+                                        name_prefix = canonical_prefix)
           return if config_values.to_s.empty?
 
           config_values.each do |config_value_name|
             Contrast::Config::Diagnostics::EffectiveConfigValue.new.tap do |new_effective_value|
-              next if Contrast::Utils::DuckUtils.empty_duck?((config_value = send(config_value_name.to_sym)))
-
+              config_value = send(config_value_name.to_sym)
               fill_effective_value(new_effective_value, config_value, config_value_name, canonical_prefix, name_prefix)
               effective_config.values << new_effective_value
             rescue StandardError => e
@@ -107,6 +42,8 @@ module Contrast
           end
         end
 
+        # TODO: RUBY-2113 deprecate name_prefix
+        #
         # Converts current configuration from single value to effective config values class and appends them to
         # EffectiveConfig class. Must be used inside Config Components only.
         #
@@ -115,10 +52,12 @@ module Contrast
         # @param config_value [String, Boolean] value of the config.
         # @param canonical_prefix [String] starting of the path to config => api.proxy...
         # @param name_prefix [String] the name of the config prefix => contrast.api_key, contrast.url
-        def add_single_effective_value effective_config, config_name, config_value, canonical_prefix, name_prefix
+        def add_single_effective_value(effective_config,
+                                       config_name,
+                                       config_value,
+                                       canonical_prefix,
+                                       name_prefix = canonical_prefix)
           Contrast::Config::Diagnostics::EffectiveConfigValue.new.tap do |new_effective_value|
-            break if Contrast::Utils::DuckUtils.empty_duck?(config_value)
-
             fill_effective_value(new_effective_value, config_value, config_name, canonical_prefix, name_prefix)
             effective_config.values << new_effective_value
           rescue StandardError => e
@@ -139,7 +78,11 @@ module Contrast
         # @return filled_new_effective_config [Contrast::Config::Diagnostics::EffectiveConfigValue]
         def fill_effective_value new_effective_value, config_value, config_value_name, canonical_prefix, name_prefix
           find_source(new_effective_value, canonical_prefix, assign_name(config_value_name), name_prefix)
-          new_effective_value.value = config_value
+          if Contrast::Config::Diagnostics::SingletonTools::API_CREDENTIALS.include?(config_value_name.to_s)
+            new_effective_value.value = Contrast::Configuration::EFFECTIVE_REDACTED
+            return new_effective_value
+          end
+          new_effective_value.value = config_value.cs__is_a?(Array) ? config_value.join(',') : config_value.to_s
           new_effective_value
         end
 
@@ -174,14 +117,10 @@ module Contrast
           # For files we keep the whole path as source.
           source = Contrast::CONFIG.sources.get(new_effective_value.canonical_name)
           new_effective_value.assign_filename(source)
-          new_source = if source.include?(Contrast::Config::LocalSourceValue::YAML_EXT) ||
-                source.include?(Contrast::Config::LocalSourceValue::YML_EXT)
-
+          new_source = if Contrast::CONFIG.sources.configuration_file_source?(new_effective_value.canonical_name)
                          Contrast::Components::Config::Sources::APP_CONFIGURATION_FILE
-                       else
-                         Contrast::Components::Config::Sources::DEFAULT_VALUE
                        end
-          new_effective_value.source = new_source
+          new_effective_value.source = new_source || source
           new_effective_value
         end
 

data/lib/contrast/config/request_audit_configuration.rb

@@ -50,7 +50,7 @@ module Contrast
       #
       # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
       def to_effective_config effective_config
-        add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, "#{ CONTRAST }.#{ CANON_NAME }")
+        add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME)
       end
     end
   end

data/lib/contrast/config/server_configuration.rb

@@ -54,21 +54,9 @@ module Contrast
       # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
       def to_effective_config effective_config
         super
-        add_single_effective_value(effective_config,
-                                   'type',
-                                   Contrast::APP_CONTEXT.server_type,
-                                   CANON_NAME,
-                                   "#{ CONTRAST }.#{ CANON_NAME }")
-        add_single_effective_value(effective_config,
-                                   'name',
-                                   Contrast::APP_CONTEXT.server_name,
-                                   CANON_NAME,
-                                   "#{ CONTRAST }.#{ CANON_NAME }")
-        add_single_effective_value(effective_config,
-                                   'path',
-                                   Contrast::APP_CONTEXT.server_path,
-                                   CANON_NAME,
-                                   "#{ CONTRAST }.#{ CANON_NAME }")
+        add_single_effective_value(effective_config, 'type', Contrast::APP_CONTEXT.server_type, CANON_NAME)
+        add_single_effective_value(effective_config, 'name', Contrast::APP_CONTEXT.server_name, CANON_NAME)
+        add_single_effective_value(effective_config, 'path', Contrast::APP_CONTEXT.server_path, CANON_NAME)
       end
     end
   end

data/lib/contrast/configuration.rb

@@ -63,6 +63,7 @@ module Contrast
     CONFIG_BASE_PATHS = %w[./ config/ /etc/contrast/ruby/ /etc/contrast/ /etc/].cs__freeze
     KEYS_TO_REDACT = %i[api_key url service_key user_name].cs__freeze
     REDACTED = '**REDACTED**'
+    EFFECTIVE_REDACTED = '****'
 
     DEPRECATED_PROPERTIES = %w[
       CONTRAST__AGENT__SERVICE__ENABLE CONTRAST__AGENT__SERVICE__LOGGER__LEVEL
@@ -146,8 +147,10 @@ module Contrast
 
         paths = []
         # Environment paths takes precedence here. Look first through them.
-        paths << ENV['CONTRAST_CONFIG_PATH']     if ENV['CONTRAST_CONFIG_PATH']
-        paths << ENV['CONTRAST_SECURITY_CONFIG'] if ENV['CONTRAST_SECURITY_CONFIG']
+        config_path = ENV.fetch('CONTRAST_CONFIG_PATH', nil)
+        security_path = ENV.fetch('CONTRAST_SECURITY_CONFIG', nil)
+        paths << config_path if config_path
+        paths << security_path if security_path
 
         extensions.each do |ext|
           places = CONFIG_BASE_PATHS.product(["#{ basename }.#{ ext }"])

data/lib/contrast/framework/manager.rb

@@ -29,6 +29,7 @@ module Contrast
       ].cs__freeze
 
       def initialize
+        @_frameworks = []
         return if Contrast::AGENT.disabled? || Contrast::Utils::JobServersRunning.job_servers_running?
 
         @_frameworks = SUPPORTED_FRAMEWORKS.map do |framework_klass|
@@ -90,9 +91,7 @@ module Contrast
       #   this particular Request
       # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
-        if Contrast::Utils::DuckUtils.empty_duck?(@_frameworks)
-          return Contrast::Framework::Rack::Support.retrieve_request(env)
-        end
+        return Contrast::Framework::Rack::Support.retrieve_request(env) if @_frameworks.empty?
 
         framework = @_frameworks[0]
 
@@ -115,6 +114,8 @@ module Contrast
       # @return [Boolean] true if at least one framework is streaming the response; false if none are streaming
       def streaming? env
         result = false
+        return result if @_frameworks.empty?
+
         @_frameworks.each do |framework|
           result = framework.streaming?(env)
           break if result

data/lib/contrast/framework/manager_extend.rb

@@ -29,7 +29,7 @@ module Contrast
       # @param method_name [Symbol] the method to call on each FrameworkSupport class
       # @return [Array]
       def data_for_all_frameworks method_name
-        @_frameworks.flat_map { |framework| framework.send(method_name) }.
+        @_frameworks&.flat_map { |framework| framework.send(method_name) }&.
             compact
       end
 
@@ -39,6 +39,8 @@ module Contrast
       # @return [Object] - Determined by method to be invoked
       def first_framework_result method_name, default_value
         result = nil
+        return default_value if @_frameworks.empty?
+
         @_frameworks.each do |framework|
           result = framework.send(method_name)
           break if result

data/lib/contrast/framework/rack/support.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/framework/base_support'
 require 'contrast/framework/rack/patch/support'
+require 'contrast/utils/duck_utils'
 
 module Contrast
   module Framework
@@ -10,6 +11,9 @@ module Contrast
       # Used when Rack is present to define framework specific behavior. For
       # now, the only part of this implemented is the Patch Support.
       module Support
+        RACK_REQUEST_PATH = 'REQUEST_PATH'
+        RACK_SERVER_NAME = 'SERVER_NAME'
+
         extend Contrast::Framework::BaseSupport
         extend Contrast::Framework::Rack::Patch::Support
         class << self
@@ -74,8 +78,13 @@ module Contrast
           def current_route_coverage request, _controller = nil, full_route = nil
             method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
 
-            full_route ||= request.env[::Rack::PATH_INFO]
-            return unless full_route && method
+            full_route ||= request.env.fetch(::Rack::PATH_INFO, nil)
+            full_route = request.env.fetch(RACK_REQUEST_PATH, nil) if Contrast::Utils::DuckUtils.empty_duck?(full_route)
+            return unless method
+
+            # If we are here and have method but the route is "" we might be expecting the home page.
+            full_route = '/' if Contrast::Utils::DuckUtils.empty_duck?(full_route) &&
+                request.env.fetch(RACK_SERVER_NAME, nil)
 
             route_coverage = Contrast::Agent::Reporting::RouteCoverage.new
             # We might not have controller, or even if there is defined one, it could not bare the name of the

data/lib/contrast/framework/rails/support.rb

@@ -59,7 +59,7 @@ module Contrast
             # ActionDispatch::Journey::Path::Pattern::MatchData, Hash, ActionDispatch::Journey::Route, Array<String>
             match, _params, route, path = get_full_route(request.rack_request)
             unless route
-              logger.warn("Unable to determine the current route of this request: #{ request.rack_request }")
+              logger.debug("Unable to determine the current route of this request: #{ request.rack_request }")
               return
             end
 
@@ -77,7 +77,7 @@ module Contrast
             new_route_coverage&.attach_rails_data(route, original_url)
             new_route_coverage
           rescue StandardError => e
-            logger.warn('Unable to determine the current route of this request due to exception: ', e)
+            logger.error('Unable to determine the current route of this request due to exception: ', e)
             nil
           end
 

data/lib/contrast/logger/cef_log.rb

@@ -131,7 +131,16 @@ module Contrast
         log([message, block_entry, outcome], ::Logger::Severity::DEBUG)
       end
 
-      def successful_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log successful attack attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def successful_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           successful_attack_with_input = "#{ input_type } had a value that successfully exploited" \
                                          "#{ rule_id } - #{ input_value }"
@@ -142,7 +151,16 @@ module Contrast
         end
       end
 
-      def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log ineffective attack attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           ineffective_attack_with_input = "#{ input_type } had a value that matched a signature for, " \
                                           "but did not successfully exploit #{ rule_id } - #{ input_value }"
@@ -153,8 +171,16 @@ module Contrast
         end
       end
 
-      # newer - currently not in the agent, currently is a probe for us
-      def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log suspicious attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           suspicious_attack_with = "#{ input_type } included a potential attack value that was detected" \
                                    "as suspicious using #{ rule_id } - #{ input_value }"

data/lib/contrast/utils/io_util.rb

@@ -7,6 +7,8 @@ module Contrast
   module Utils
     # Util for information about an IO
     module IOUtil
+      UNKNOWN_IO = 'unknown'
+
       extend Contrast::Components::Logger::InstanceMethods
 
       class << self
@@ -48,6 +50,7 @@ module Contrast
           return false unless status
           return false if status.pipe?
           return false if status.socket?
+          return false if status.ftype == UNKNOWN_IO
 
           true
         end

data/lib/contrast/utils/log_utils.rb

@@ -12,7 +12,7 @@ module Contrast
     # Method utility used by Contrast::Logger::log
     module LogUtils
       DEFAULT_NAME     = 'contrast.log'
-      DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
+      DEFAULT_LEVEL    = 'INFO'
       VALID_LEVELS     = ::Ougai::Logging::Severity::SEV_LABEL
       STDOUT_STR       = 'STDOUT'
       STDERR_STR       = 'STDERR'
@@ -146,6 +146,7 @@ module Contrast
       private
 
       def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
+        context = Contrast::Agent::REQUEST_TRACKER.current
         logger = case path
                  when STDOUT_STR, STDERR_STR
                    ::Logger.new(Object.cs__const_get(path))
@@ -154,15 +155,23 @@ module Contrast
                  end
         logger.progname = PROGNAME
         logger.level = level_const
-        change_logger_formatter(logger)
+        update_logger_formatter(logger, new_context: context)
         logger
       end
 
       def context
-        Contrast::Agent::REQUEST_TRACKER.current
+        @_context ||= Contrast::Agent::REQUEST_TRACKER.current
       end
 
-      def change_logger_formatter logger
+      def context_update new_context
+        @_context = new_context unless new_context.nil?
+      end
+
+      # @param logger [Logger]
+      # @param new_context [Contrast::Agent::RequestContext]
+      def update_logger_formatter logger, new_context: nil
+        context_update(new_context) if new_context
+
         ip_address = extract_ip_address
         logger.formatter = proc do |severity, datetime, progname, msg|
           date_format = datetime.strftime(DATE_TIME_FORMAT)
@@ -206,7 +215,7 @@ module Contrast
         request_method = assign_request_method(context)
         app_name = ::Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
         attach_request_and_sender_info(message, sender_info)
-        message << "request=#{ context.request.url } "
+        message << "request=#{ context&.request&.url } "
         message << "requestMethod=#{ request_method } "
         message << "app=#{ app_name } "
         message << "outcome=#{ outcome } "
@@ -238,16 +247,18 @@ module Contrast
       end
 
       def extract_sender_ip
-        request_headers = context.activity.request.headers&.transform_keys(&:to_s)
+        request_headers = context&.activity&.request&.headers&.transform_keys(&:to_s)
+        return unless request_headers
+
         request_headers['X-Forwarded-For']
       end
 
       def assign_request_method context
-        if context.request.rack_request.env['REQUEST_METHOD'].length.positive?
-          context.request.rack_request.env['REQUEST_METHOD']
-        else
-          DEFAULT_METADATA
-        end
+        request_method = context&.request&.rack_request&.env
+        request_method = request_method['REQUEST_METHOD'] if request_method
+        return DEFAULT_METADATA if request_method.nil? || !request_method.length.positive?
+
+        request_method
       end
     end
   end

data/lib/contrast/utils/request_utils.rb

@@ -12,7 +12,7 @@ module Contrast
       NUM_PATTERN = %r{/\d+/}.cs__freeze
       END_PATTERN = %r{/\d+$}.cs__freeze
       STATIC_SUFFIXES = /\.(?:js|css|jpeg|jpg|gif|png|ico|woff|svg|pdf|eot|ttf|jar)$/i.cs__freeze
-      UUID_PATTERN = Regexp.new('[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}').cs__freeze # rubocop:disable Metrics/LineLength
+      UUID_PATTERN = Regexp.new('[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}').cs__freeze # rubocop:disable Layout/LineLength
       # Regular expression to match any type of hash pattern that is 16 bytes like uuid with no
       # slashes, md5, sha1, sha256, etc
       HASH_PATTERN = Regexp.new('([a-fA-F0-9]{2}){16,}').cs__freeze

data/lib/contrast/utils/timer.rb

@@ -29,7 +29,7 @@ module Contrast
       #
       # @return[String]
       def self.time_now
-        Time.now.utc.iso8601(7)
+        Time.now.utc.iso8601(2)
       end
 
       # Converts time given in ms format form TS to HttpDate.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.3.2
+  version: 7.4.1
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-08-09 00:00:00.000000000 Z
+date: 2023-09-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -1058,6 +1058,7 @@ files:
 - lib/contrast/agent/protect/rule/xss/xss.rb
 - lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb
 - lib/contrast/agent/protect/rule/xxe/xxe.rb
+- lib/contrast/agent/protect/state.rb
 - lib/contrast/agent/reactions/disable_reaction.rb
 - lib/contrast/agent/reporting/attack_result/attack_result.rb
 - lib/contrast/agent/reporting/attack_result/rasp_rule_sample.rb
@@ -1253,6 +1254,7 @@ files:
 - lib/contrast/config/diagnostics/effective_config_value.rb
 - lib/contrast/config/diagnostics/environment_variables.rb
 - lib/contrast/config/diagnostics/monitor.rb
+- lib/contrast/config/diagnostics/singleton_tools.rb
 - lib/contrast/config/diagnostics/source_config_value.rb
 - lib/contrast/config/diagnostics/tools.rb
 - lib/contrast/config/diagnostics/user_configuration_file.rb