RubyGems - contrast-agent - Versions diffs - 7.4.0 → 7.5.0 - Mend

contrast-agent 7.4.0 → 7.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

data/lib/contrast/agent/request/request_context_extend.rb CHANGED Viewed

@@ -52,8 +52,6 @@ module Contrast
         if (ia = Contrast::Agent::Protect::InputAnalyzer.analyse(request))
           # Handle prefilter
           Contrast::Agent::Protect::InputAnalyzer.input_classification(ia, prefilter: true)
-          # Reflected xss infilter
-          Contrast::Agent::Protect::InputAnalyzer.input_classification_for('reflected-xss', ia)
           @agent_input_analysis = ia
         else
           logger.trace('Analysis from Agent was empty.')

data/lib/contrast/agent/version.rb CHANGED Viewed

@@ -3,6 +3,6 @@
 module Contrast
   module Agent
-    VERSION = '7.4.0'
+    VERSION = '7.5.0'
   end
 end

data/lib/contrast/components/assess.rb CHANGED Viewed

@@ -237,6 +237,10 @@ module Contrast
         # The id for this process, based on the session metadata or id provided by the user, as indicated in
         # application startup.
+        #
+        # The ID of the current application run, as returned by the application settings endpoint or set by
+        # application.session_id. If there is no session associated with this run, this field should be omitted
+        # when reporting to TS.
         def session_id
           ::Contrast::SETTINGS.assess_state.session_id
         end

data/lib/contrast/framework/rails/support.rb CHANGED Viewed

@@ -59,7 +59,7 @@ module Contrast
             # ActionDispatch::Journey::Path::Pattern::MatchData, Hash, ActionDispatch::Journey::Route, Array<String>
             match, _params, route, path = get_full_route(request.rack_request)
             unless route
-              logger.warn("Unable to determine the current route of this request: #{ request.rack_request }")
+              logger.debug("Unable to determine the current route of this request: #{ request.rack_request }")
               return
             end
@@ -77,7 +77,7 @@ module Contrast
             new_route_coverage&.attach_rails_data(route, original_url)
             new_route_coverage
           rescue StandardError => e
-            logger.warn('Unable to determine the current route of this request due to exception: ', e)
+            logger.error('Unable to determine the current route of this request due to exception: ', e)
             nil
           end

data/lib/contrast/logger/cef_log.rb CHANGED Viewed

@@ -131,7 +131,16 @@ module Contrast
         log([message, block_entry, outcome], ::Logger::Severity::DEBUG)
       end
-      def successful_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log successful attack attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def successful_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           successful_attack_with_input = "#{ input_type } had a value that successfully exploited" \
                                          "#{ rule_id } - #{ input_value }"
@@ -142,7 +151,16 @@ module Contrast
         end
       end
-      def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log ineffective attack attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           ineffective_attack_with_input = "#{ input_type } had a value that matched a signature for, " \
                                           "but did not successfully exploit #{ rule_id } - #{ input_value }"
@@ -153,8 +171,16 @@ module Contrast
         end
       end
-      # newer - currently not in the agent, currently is a probe for us
-      def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil
+      # Log suspicious attack
+      #
+      # @param rule_id [String] the rule that was triggered
+      # @param outcome [String] the outcome of the rule
+      # @param input_type [String] the type of input that was detected
+      # @param input_value [String] the value of the input that was detected
+      # @param attack_context [Contrast::Agent::RequestContext] the request context of the attack
+      def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil, attack_context = nil
+        # We may log from the worthwatching Queue with saved attack_context
+        update_logger_formatter(@_cef_logger, new_context: attack_context) if attack_context
         if input_type.present? && input_value.present?
           suspicious_attack_with = "#{ input_type } included a potential attack value that was detected" \
                                    "as suspicious using #{ rule_id } - #{ input_value }"

data/lib/contrast/utils/io_util.rb CHANGED Viewed

@@ -7,6 +7,8 @@ module Contrast
   module Utils
     # Util for information about an IO
     module IOUtil
+      UNKNOWN_IO = 'unknown'
       extend Contrast::Components::Logger::InstanceMethods
       class << self
@@ -48,6 +50,7 @@ module Contrast
           return false unless status
           return false if status.pipe?
           return false if status.socket?
+          return false if status.ftype == UNKNOWN_IO
           true
         end

data/lib/contrast/utils/json.rb CHANGED Viewed

@@ -14,7 +14,7 @@ module Contrast
         # Add any known cases where parsing error might arise from older json parser:
         # @return [Array<String>]
-        SPECIAL_CASES = ["\"\""].cs__freeze # rubocop:disable Style/StringLiterals
+        SPECIAL_CASES = ["\"\"", "\"0\""].cs__freeze # rubocop:disable Style/StringLiterals
         # Parses a string using JSON.parser. This method is used instead of standard JSON.parse to
         # support older versions of json gem => not supporting key-value second parameter, which is

data/lib/contrast/utils/log_utils.rb CHANGED Viewed

@@ -146,6 +146,7 @@ module Contrast
       private
       def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
+        context = Contrast::Agent::REQUEST_TRACKER.current
         logger = case path
                  when STDOUT_STR, STDERR_STR
                    ::Logger.new(Object.cs__const_get(path))
@@ -154,15 +155,23 @@ module Contrast
                  end
         logger.progname = PROGNAME
         logger.level = level_const
-        change_logger_formatter(logger)
+        update_logger_formatter(logger, new_context: context)
         logger
       end
       def context
-        Contrast::Agent::REQUEST_TRACKER.current
+        @_context ||= Contrast::Agent::REQUEST_TRACKER.current
       end
-      def change_logger_formatter logger
+      def context_update new_context
+        @_context = new_context unless new_context.nil?
+      end
+      # @param logger [Logger]
+      # @param new_context [Contrast::Agent::RequestContext]
+      def update_logger_formatter logger, new_context: nil
+        context_update(new_context) if new_context
         ip_address = extract_ip_address
         logger.formatter = proc do |severity, datetime, progname, msg|
           date_format = datetime.strftime(DATE_TIME_FORMAT)
@@ -206,7 +215,7 @@ module Contrast
         request_method = assign_request_method(context)
         app_name = ::Contrast::APP_CONTEXT.name # rubocop:disable Security/Module/Name
         attach_request_and_sender_info(message, sender_info)
-        message << "request=#{ context.request.url } "
+        message << "request=#{ context&.request&.url } "
         message << "requestMethod=#{ request_method } "
         message << "app=#{ app_name } "
         message << "outcome=#{ outcome } "
@@ -238,16 +247,18 @@ module Contrast
       end
       def extract_sender_ip
-        request_headers = context.activity.request.headers&.transform_keys(&:to_s)
+        request_headers = context&.activity&.request&.headers&.transform_keys(&:to_s)
+        return unless request_headers
         request_headers['X-Forwarded-For']
       end
       def assign_request_method context
-        if context.request.rack_request.env['REQUEST_METHOD'].length.positive?
-          context.request.rack_request.env['REQUEST_METHOD']
-        else
-          DEFAULT_METADATA
-        end
+        request_method = context&.request&.rack_request&.env
+        request_method = request_method['REQUEST_METHOD'] if request_method
+        return DEFAULT_METADATA if request_method.nil? || !request_method.length.positive?
+        request_method
       end
     end
   end

data/ruby-agent.gemspec CHANGED Viewed

@@ -116,9 +116,10 @@ end
 # dependencies.csv in this directory to indicate that and create a
 # corresponding update to the fake gem server data in TeamServer.
 def self.add_dependencies spec
-  spec.add_dependency 'ffi', '~> 1.0'
+  # TODO: RUBY-99999 investigate init_with_options segmentation fault
+  spec.add_dependency 'ffi'
   spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
-  spec.add_dependency 'rack', '~> 2.0'
+  spec.add_dependency 'rack', '>= 2.0', '< 4.0.0'
   # bind this directly as we've had issues w/ build changes on bug release
   spec.add_dependency 'contrast-agent-lib',  '1.1.1'

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.4.0
+  version: 7.5.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -10,10 +10,10 @@ authors:
 - alex.macdonald@contrastsecurity.com
 - mark.petersen@contrastsecurity.com
 - joshua.reed@contrastsecurity.com
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-09-12 00:00:00.000000000 Z
+date: 2023-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -619,16 +619,16 @@ dependencies:
   name: ffi
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: ougai
   requirement: !ruby/object:Gem::Requirement
@@ -653,16 +653,22 @@ dependencies:
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: contrast-agent-lib
   requirement: !ruby/object:Gem::Requirement
@@ -1370,7 +1376,7 @@ metadata:
   support_uri: https://support.contrastsecurity.com
   trouble_shooting_uri: https://support.contrastsecurity.com/hc/en-us/search?utf8=%E2%9C%93&query=Ruby
   wiki_uri: https://docs.contrastsecurity.com/
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -1388,8 +1394,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
-signing_key:
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: Contrast Security's agent for rack-based applications.
 test_files: []