RubyGems - contrast-agent - Versions diffs - 7.4.0 → 7.5.0 - Mend

contrast-agent 7.4.0 → 7.5.0

Files changed (43) hide show

data/lib/contrast/agent/request/request_context_extend.rb CHANGED Viewed

@@ -52,8 +52,6 @@ module Contrast
         if (ia = Contrast::Agent::Protect::InputAnalyzer.analyse(request))
           # Handle prefilter
           Contrast::Agent::Protect::InputAnalyzer.input_classification(ia, prefilter: true)
-          # Reflected xss infilter
-          Contrast::Agent::Protect::InputAnalyzer.input_classification_for('reflected-xss', ia)
           @agent_input_analysis = ia
         else
           logger.trace('Analysis from Agent was empty.')

data/lib/contrast/agent/version.rb CHANGED Viewed

@@ -3,6 +3,6 @@
 module Contrast
   module Agent
-    VERSION = '7.4.0'
+    VERSION = '7.5.0'
   end
 end

data/lib/contrast/components/assess.rb CHANGED Viewed

@@ -237,6 +237,10 @@ module Contrast
         # The id for this process, based on the session metadata or id provided by the user, as indicated in
         # application startup.
+        #
+        # The ID of the current application run, as returned by the application settings endpoint or set by
+        # application.session_id. If there is no session associated with this run, this field should be omitted
+        # when reporting to TS.
         def session_id
           ::Contrast::SETTINGS.assess_state.session_id
         end

data/lib/contrast/framework/rails/support.rb CHANGED Viewed

@@ -59,7 +59,7 @@ module Contrast
             # ActionDispatch::Journey::Path::Pattern::MatchData, Hash, ActionDispatch::Journey::Route, Array<String>
             match, _params, route, path = get_full_route(request.rack_request)
             unless route
-              logger.warn("Unable to determine the current route of this request: #{ request.rack_request }")
+              logger.debug("Unable to determine the current route of this request: #{ request.rack_request }")
               return
             end
@@ -77,7 +77,7 @@ module Contrast
             new_route_coverage&.attach_rails_data(route, original_url)
             new_route_coverage
           rescue StandardError => e
-            logger.warn('Unable to determine the current route of this request due to exception: ', e)
+            logger.error('Unable to determine the current route of this request due to exception: ', e)
             nil
           end

data/lib/contrast/logger/cef_log.rb CHANGED Viewed

@@ -131,7 +131,16 @@ module Contrast
         log([message, block_entry, outcome], ::Logger::Severity::DEBUG)
       end
-      def successful_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log successful attack attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def successful_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           successful_attack_with_input = "#{ input_type } had a value that successfully exploited" \
                                          "#{ rule_id } - #{ input_value }"
@@ -142,7 +151,16 @@ module Contrast
         end
       end
-      def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log ineffective attack attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           ineffective_attack_with_input = "#{ input_type } had a value that matched a signature for, " \
                                           "but did not successfully exploit #{ rule_id } - #{ input_value }"
@@ -153,8 +171,16 @@ module Contrast
         end
       end
-      # newer - currently not in the agent, currently is a probe for us
-      def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log suspicious attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           suspicious_attack_with = "#{ input_type } included a potential attack value that was detected" \
                                    "as suspicious using #{ rule_id } - #{ input_value }"

data/lib/contrast/utils/io_util.rb CHANGED Viewed

@@ -7,6 +7,8 @@ module Contrast
   module Utils
     # Util for information about an IO
     module IOUtil
+      UNKNOWN_IO = 'unknown'
       extend Contrast::Components::Logger::InstanceMethods
       class << self
@@ -48,6 +50,7 @@ module Contrast
           return false unless status
           return false if status.pipe?
           return false if status.socket?
+          return false if status.ftype == UNKNOWN_IO
           true
         end

data/lib/contrast/utils/json.rb CHANGED Viewed

@@ -14,7 +14,7 @@ module Contrast
         # Add any known cases where parsing error might arise from older json parser:
         # @return [Array<String>]
-        SPECIAL_CASES = ["\"\""].cs__freeze # rubocop:disable Style/StringLiterals
+        SPECIAL_CASES = ["\"\"", "\"0\""].cs__freeze # rubocop:disable Style/StringLiterals
         # Parses a string using JSON.parser. This method is used instead of standard JSON.parse to
         # support older versions of json gem => not supporting key-value second parameter, which is

data/lib/contrast/utils/log_utils.rb CHANGED Viewed

@@ -146,6 +146,7 @@ module Contrast
       private
       def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
+        context = Contrast::Agent::REQUEST_TRACKER.current
         logger = case path
                  when STDOUT_STR, STDERR_STR
                    ::Logger.new(Object.cs__const_get(path))
@@ -154,15 +155,23 @@ module Contrast
                  end
         logger.progname = PROGNAME
         logger.level = level_const
-        change_logger_formatter(logger)
+        update_logger_formatter(logger, new_context: context)
         logger
       end
       def context
-        Contrast::Agent::REQUEST_TRACKER.current
+        @_context ||= Contrast::Agent::REQUEST_TRACKER.current
       end
-      def change_logger_formatter logger
+      def context_update new_context
+        @_context = new_context unless new_context.nil?
+      end
+      # @param logger [Logger]
+      # @param new_context [Contrast::Agent::RequestContext]
+      def update_logger_formatter logger, new_context: nil
+        context_update(new_context) if new_context
         ip_address = extract_ip_address
         logger.formatter = proc do |severity, datetime, progname, msg|
           date_format = datetime.strftime(DATE_TIME_FORMAT)
@@ -206,7 +215,7 @@ module Contrast
         request_method = assign_request_method(context)
         app_name = ::Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
         attach_request_and_sender_info(message, sender_info)
-        message << "request=#{ context.request.url } "
+        message << "request=#{ context&.request&.url } "
         message << "requestMethod=#{ request_method } "
         message << "app=#{ app_name } "
         message << "outcome=#{ outcome } "
@@ -238,16 +247,18 @@ module Contrast
       end
       def extract_sender_ip
-        request_headers = context.activity.request.headers&.transform_keys(&:to_s)
+        request_headers = context&.activity&.request&.headers&.transform_keys(&:to_s)
+        return unless request_headers
         request_headers['X-Forwarded-For']
       end
       def assign_request_method context
-        if context.request.rack_request.env['REQUEST_METHOD'].length.positive?
-          context.request.rack_request.env['REQUEST_METHOD']
-        else
-          DEFAULT_METADATA
-        end
+        request_method = context&.request&.rack_request&.env
+        request_method = request_method['REQUEST_METHOD'] if request_method
+        return DEFAULT_METADATA if request_method.nil? || !request_method.length.positive?
+        request_method
       end
     end
   end

data/ruby-agent.gemspec CHANGED Viewed

@@ -116,9 +116,10 @@ end
 # dependencies.csv in this directory to indicate that and create a
 # corresponding update to the fake gem server data in TeamServer.
 def self.add_dependencies spec
-  spec.add_dependency 'ffi', '~> 1.0'
+  # TODO: RUBY-99999 investigate init_with_options segmentation fault
+  spec.add_dependency 'ffi'
   spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
-  spec.add_dependency 'rack', '~> 2.0'
+  spec.add_dependency 'rack', '>= 2.0', '< 4.0.0'
   # bind this directly as we've had issues w/ build changes on bug release
   spec.add_dependency 'contrast-agent-lib',  '1.1.1'

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.4.0
+  version: 7.5.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -10,10 +10,10 @@ authors:
 - alex.macdonald@contrastsecurity.com
 - mark.petersen@contrastsecurity.com
 - joshua.reed@contrastsecurity.com
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-09-12 00:00:00.000000000 Z
+date: 2023-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -619,16 +619,16 @@ dependencies:
   name: ffi
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: ougai
   requirement: !ruby/object:Gem::Requirement
@@ -653,16 +653,22 @@ dependencies:
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: contrast-agent-lib
   requirement: !ruby/object:Gem::Requirement
@@ -1370,7 +1376,7 @@ metadata:
   support_uri: https://support.contrastsecurity.com
   trouble_shooting_uri: https://support.contrastsecurity.com/hc/en-us/search?utf8=%E2%9C%93&query=Ruby
   wiki_uri: https://docs.contrastsecurity.com/
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -1388,8 +1394,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
-signing_key:
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: Contrast Security's agent for rack-based applications.
 test_files: []