contrast-agent 7.4.1 → 7.6.0

data/lib/contrast/agent/reporting/input_analysis/input_type.rb

@@ -33,42 +33,12 @@ module Contrast
           # @return
           def to_a
             @_to_a ||= [
-              UNDEFINED_TYPE, BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_NAME, PARAMETER_VALUE,
-              QUERYSTRING, URI, SOCKET, JSON_VALUE, JSON_ARRAYED_VALUE, MULTIPART_CONTENT_TYPE, MULTIPART_VALUE,
-              MULTIPART_FIELD_NAME, MULTIPART_NAME, XML_VALUE, DWR_VALUE, METHOD, REQUEST, URL_PARAMETER, UNKNOWN
+              UNDEFINED_TYPE, BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_NAME,
+              PARAMETER_VALUE, QUERYSTRING, URI, SOCKET, JSON_VALUE, JSON_ARRAYED_VALUE, MULTIPART_CONTENT_TYPE,
+              MULTIPART_VALUE, MULTIPART_FIELD_NAME, MULTIPART_NAME, XML_VALUE, DWR_VALUE, METHOD, REQUEST,
+              URL_PARAMETER, UNKNOWN
             ]
           end
-
-          # This is a hash of the input types and their corresponding values.
-          #
-          # @return [Hash]
-
-          def to_hash
-            {
-                UNDEFINED_TYPE: '1',
-                BODY: '2',
-                COOKIE_NAME: '3',
-                COOKIE_VALUE: '4',
-                HEADER: '5',
-                PARAMETER_NAME: '6',
-                PARAMETER_VALUE: '7',
-                QUERYSTRING: '8',
-                URI: '9',
-                SOCKET: '10',
-                JSON_VALUE: '11',
-                JSON_ARRAYED_VALUE: '12',
-                MULTIPART_CONTENT_TYPE: '13',
-                MULTIPART_VALUE: '14',
-                MULTIPART_FIELD_NAME: '15',
-                MULTIPART_NAME: '16',
-                XML_VALUE: '17',
-                DWR_VALUE: '18',
-                METHOD: '19',
-                REQUEST: '20',
-                URL_PARAMETER: '21',
-                UNKNOWN: '22'
-            }
-          end
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -43,7 +43,7 @@ module Contrast
               appPath: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
               appVersion: ::Contrast::APP_CONTEXT.version,
               code: CODE,
-              data: '',
+              data: @data || '',
               key: 0,
               session_id: ::Contrast::ASSESS.session_id,
               routes: @routes.map(&:to_controlled_hash)

data/lib/contrast/agent/reporting/reporting_utilities/audit.rb

@@ -24,7 +24,7 @@ module Contrast
         #
         # @param event [Contrast::Agent::Reporting::ReportingEvent] One of the DTMs valid for the
         #   event field of Contrast::Agent::Reporting::ReportingEvent
-        # @param response_data [Net::HTTP::Response]
+        # @param response_data [Net::HTTPResponse]
         def audit_event event, response_data = nil
           return unless ::Contrast::API.request_audit_requests || ::Contrast::API.request_audit_responses
 

data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb

@@ -17,14 +17,14 @@ module Contrast
           # @param finding [Contrast::Agent::Reporting::Finding]
           # @return [Contrast::Agent::Reporting::Preflight, nil]
           def generate finding
-            return unless finding
+            return unless finding&.cs__is_a?(Contrast::Agent::Reporting::Finding)
 
             new_preflight = Contrast::Agent::Reporting::Preflight.new
             new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
-            finding.routes.each do |route|
-              new_preflight_message.routes << route
+            routes = finding.routes
+            unless Contrast::Utils::DuckUtils.empty_duck?(routes)
+              routes.each { |route| new_preflight_message.routes << route }
             end
-            new_preflight_message.hash_code = finding.hash_code
             new_preflight_message.data = "#{ finding.rule_id },#{ finding.hash_code }"
             new_preflight.messages << new_preflight_message
             return new_preflight unless Contrast::Utils::DuckUtils.empty_duck?(new_preflight.messages)

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client.rb

@@ -69,7 +69,7 @@ module Contrast
         # @param event [Contrast::Agent::Reporting::ReportingEvent] The event to send to TeamServer. Really a
         #   child of the ReportingEvent rather than a literal one.
         # @param connection [Net::HTTP] open connection
-        # @return response [Net::HTTP::Response, nil] response from TS if no response
+        # @return response [Net::HTTPResponse, nil] response from TS if no response
         def send_event event, connection
           return unless connection
           return unless event.valid?

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb

@@ -90,7 +90,7 @@ module Contrast
         # Handles response processing and sets status
         #
         # @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
-        # @param response [Net::HTTP::Response]
+        # @param response [Net::HTTPResponse]
         def process_settings_response response, event
           res = response_handler.process(response, event)
           if res
@@ -118,7 +118,11 @@ module Contrast
           mode.resend.reset_rescue_attempts
           findings_to_return.each do |index|
             preflight_message = event.messages[index.to_i]
-            corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message&.data)
+            preflight_data = preflight_message&.data
+            corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_data)
+            if Contrast::Agent::REQUEST_TRACKER.current
+              Contrast::Agent::REQUEST_TRACKER.current.reported_findings << preflight_data
+            end
             next unless corresponding_finding
 
             send_event(corresponding_finding, connection)

data/lib/contrast/agent/reporting/reporting_utilities/response_handler.rb

@@ -20,9 +20,9 @@ module Contrast
 
         # Process the response from TS
         #
-        # @param response [Net::HTTP::Response, nil]
+        # @param response [Net::HTTPResponse, nil]
         # @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
-        # @return response [Net::HTTP::Response, nil]
+        # @return response [Net::HTTPResponse, nil]
         def process response, event
           logger.debug('[Reporter] Received a response')
           return unless analyze_response?(response)
@@ -107,7 +107,7 @@ module Contrast
         # Handles the errors code received from TS and takes appropriate action.
         # If we are here the response.code is an error that needs handling [4XX]
         #
-        # @param response [Net::HTTP::Response]
+        # @param response [Net::HTTPResponse]
         def handle_error response
           case response&.code
           when ERROR_CODES[:message_not_sent]

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -68,7 +68,7 @@ module Contrast
 
         # check if response code is valid before analyze it
         #
-        # @param response [Net::HTTP::Response, nil]
+        # @param response [Net::HTTPResponse, nil]
         # @return [Boolean]
         def analyze_response? response
           # Code descriptions:
@@ -118,7 +118,7 @@ module Contrast
           @_last_response_code = response_code
           return true if ANALYZE_WHEN.include?(response_code)
 
-          handle_error(response) if ERROR_CODES.value?(response_code)
+          handle_error(response) if ERROR_CODES.value?(response_code) && response&.body
           # There was error, so analyze the Error and nothing more.
           false
         end
@@ -126,7 +126,7 @@ module Contrast
         # Analyze the headers of the response code. They have information about the
         # retry timeout and some response bodies contains error messages.
         #
-        # @param response [String] the response code from Net::HTTPResponse, which is obnoxiousy a String, not an
+        # @param response [Net::HTTPResponse]
         # Integer
         # @param message [String] Message to log.
         # @param mode [Symbol, nil]
@@ -142,6 +142,8 @@ module Contrast
                           error_message: error_message || 'none',
                           auth_error: auth_error || 'none')
           end
+          return unless rejected_by_ts?(response)
+
           suspend_reporting(message, ready_after, error_message) if mode == @_mode.resending
           return unless mode == @_mode.disabled
 
@@ -152,7 +154,7 @@ module Contrast
 
         # Extract what we've received.
         #
-        # @param response [Net::HTTP::Response, nil]
+        # @param response [Net::HTTPResponse, nil]
         # @return [Array<String, Integer>] all collected error info.
         def extract_response_info response
           # Extract what we got from the response:
@@ -164,11 +166,21 @@ module Contrast
           [ready_after.to_i, error_message, auth_error]
         end
 
+        # We only want to shut down the agent if TeamServer actually told us to, not because of a network error
+        #
+        # @param [Net::HTTPResponse]
+        # @return Boolean
+        def rejected_by_ts? response
+          response_body = response&.body || Contrast::Utils::ObjectShare::EMPTY_STRING
+          response_data = Contrast::Utils::Json.parse(response_body, deep_symbolize: true)
+          response_data.key?(:success) && response_data[:success] == false
+        end
+
         # Extract Last-Modified header from ServerSettings response.
         # The new GET server settings endpoint have different payload.
         # Extract the last modify headers with last update form TS.
         #
-        # @param response [Net::HTTP::Response, nil]
+        # @param response [Net::HTTPResponse, nil]
         # @param event [Contrast::Agent::Reporting::ServerSettings,
         #               Contrast::Agent::Reporting::ApplicationSettings, nil]
         # @return last_modified[integer, nil] Time since last server update
@@ -250,7 +262,7 @@ module Contrast
         #
         # This method works to extract away these differences.
         #
-        # @param response [Net::HTTP::Response, nil]
+        # @param response [Net::HTTPResponse, nil]
         # @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
         # @return response [Contrast::Agent::Reporting::Response]
         def convert_response response, event
@@ -263,7 +275,7 @@ module Contrast
           extract_response_last_modified(response, event)
           populate_response(response_data, event)
         rescue StandardError => e
-          logger.error('Unable to convert response', e)
+          logger.error('Unable to convert response', error: e)
           nil
         end
 

data/lib/contrast/agent/request/request_handler.rb

@@ -26,6 +26,7 @@ module Contrast
       #
       def report_observed_route
         return unless (reporter = Contrast::Agent.reporter)
+        return if Contrast::Agent::REQUEST_TRACKER.current&.response&.response_code == 404
 
         reporter.send_event(context.observed_route) if Contrast::ROUTES_SENT.sendable?(context.observed_route)
       end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '7.4.1'
+    VERSION = '7.6.0'
   end
 end

data/lib/contrast/configuration.rb

@@ -124,7 +124,7 @@ module Contrast
 
     # @return [Contrast::Components::Assess::Interface]
     def assess
-      @assess ||= Contrast::Components::Assess::Interface.new # rubocop:disable Naming/MemoizedInstanceVariableName
+      @assess ||= Contrast::Components::Settings::Interface.new # rubocop:disable Naming/MemoizedInstanceVariableName
     end
 
     # @return [Contrast::Components::Inventory::Interface]

data/lib/contrast/utils/json.rb

@@ -14,7 +14,7 @@ module Contrast
 
         # Add any known cases where parsing error might arise from older json parser:
         # @return [Array<String>]
-        SPECIAL_CASES = ["\"\""].cs__freeze # rubocop:disable Style/StringLiterals
+        SPECIAL_CASES = ["\"\"", "\"0\""].cs__freeze # rubocop:disable Style/StringLiterals
 
         # Parses a string using JSON.parser. This method is used instead of standard JSON.parse to
         # support older versions of json gem => not supporting key-value second parameter, which is

data/lib/contrast/utils/middleware_utils.rb

@@ -91,6 +91,15 @@ module Contrast
       rescue Contrast::SecurityException => e
         logger.trace('Security Exception raised during application lifecycle to prevent an attack', e)
         raise(e)
+      rescue StandardError => e
+        # If there is a routing error of this type, then we cannot find a method explicitly mapped to this route.
+        # In this case, we should report nothing.
+        if Contrast::Utils::ClassUtil.truly_defined?('ActionController::RoutingError') &&
+              e.is_a?(ActionController::RoutingError)
+
+          Contrast::Agent::REQUEST_TRACKER.current&.observed_route = nil
+        end
+        raise(e)
       end
     end
   end

data/lib/contrast/utils/routes_sent.rb

@@ -25,8 +25,9 @@ module Contrast
       # @param route [Contrast::Agent::Reporting::ObservedRoute] the route
       # @return [boolean]
       def sendable? route
-        return false if Contrast::Utils::DuckUtils.empty_duck?(route.signature)
-        return false if Contrast::Utils::DuckUtils.empty_duck?(route.url)
+        return false unless route
+        return false unless route.signature && !route.signature.blank?
+        return false unless route.url && !route.url.blank?
 
         route_hash = route.hash_id
 

data/lib/contrast.rb

@@ -95,15 +95,15 @@ end
 
 # This needs to be required very early, after component interfaces, and before instrumentation attempts
 require 'contrast/funchook/funchook'
-
 require 'contrast/agent/version'
 
 # shared utils
 require 'contrast/utils/timer'
-
 require 'contrast/utils/assess/sampling_util'
 require 'contrast/agent'
 
+# Prepend fix for Ruby 3.0
+# TODO: RUBY-99999 remove once obsolete.
 if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
   # Put prepend back as it was.
   Class.alias_method(:prepend, :cs__orig_prepend)

data/resources/assess/policy.json

@@ -304,7 +304,15 @@
       "class_name":"String",
       "instance_method": true,
       "method_visibility": "public",
-      "method_name":"capitalize!",
+      "method_name":"capitalize",
+      "source":"O",
+      "target":"R",
+      "action":"KEEP"
+    }, {
+      "class_name":"String",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"html_safe",
       "source":"O",
       "target":"R",
       "action":"KEEP"
@@ -908,6 +916,36 @@
       "action":"SPLAT",
       "tags":["HTML_ENCODED"],
       "untags":["HTML_DECODED"]
+    }, {
+       "class_name": "ActiveSupport::CoreExt::ERBUtil",
+       "method_name": "html_escape",
+       "method_visibility": "public",
+       "instance_method": true,
+       "source": "P0",
+       "target": "R",
+       "action": "SPLAT",
+       "tags":["HTML_ENCODED"],
+       "untags":["HTML_DECODED"]
+    }, {
+       "class_name": "ActiveSupport::CoreExt::ERBUtil",
+       "method_name": "h",
+       "method_visibility": "public",
+       "instance_method": true,
+       "source": "P0",
+       "target": "R",
+       "action": "SPLAT",
+       "tags":["HTML_ENCODED"],
+       "untags":["HTML_DECODED"]
+    }, {
+       "class_name": "ActiveSupport::CoreExt::ERBUtil",
+       "method_name": "unwrapped_html_escape",
+       "method_visibility": "public",
+       "instance_method": true,
+       "source": "P0",
+       "target": "R",
+       "action": "SPLAT",
+       "tags":["HTML_ENCODED"],
+       "untags":["HTML_DECODED"]
     }, {
       "class_name":"ERB::Util",
       "method_name":"h",
@@ -1028,6 +1066,17 @@
       "target": "R",
       "action": "SPLAT"
     },
+    {
+       "class_name": "ActiveSupport::Multibyte::Unicode",
+       "instance_method": true,
+       "method_visibility": "public",
+       "method_name":"tidy_bytes",
+       "source":"P0",
+       "target":"R",
+       "action": "KEEP",
+       "tags":["HTML_ENCODED"],
+       "untags":["HTML_DECODED"]
+    },
     {
       "class_name": "JSON",
       "method_name": "generate",

data/ruby-agent.gemspec

@@ -9,14 +9,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 # Add the team as authors of the Agent
 def self.add_authors spec
-  spec.authors = %w[
-    galen.palmer@contrastsecurity.com
-    harold.mcginnis@contrastsecurity.com
-    donald.propst@contrastsecurity.com
-    alex.macdonald@contrastsecurity.com
-    mark.petersen@contrastsecurity.com
-    joshua.reed@contrastsecurity.com
-  ]
+  spec.authors = %w[ruby@contrastsecurity.com]
 end
 
 # Add those dependencies required to develop or test the Agent
@@ -44,7 +37,6 @@ end
 def self.add_debuggers spec
   spec.add_development_dependency 'pry'
   spec.add_development_dependency 'pry-byebug', '>= 3.9'
-  spec.add_development_dependency 'ruby-debug-ide'
 end
 
 # Dependencies used for framework testing.
@@ -52,7 +44,7 @@ def self.add_frameworks spec
   spec.add_development_dependency 'grape', '~> 1.5', '>= 1.5.2'
   spec.add_development_dependency 'rack-protection', '>= 2'
   spec.add_development_dependency 'rails', '>= 6', '~> 7'
-  spec.add_development_dependency 'sinatra', '>= 2'
+  spec.add_development_dependency 'sinatra', '>= 2', '<4.0.0'
 end
 
 # Dependencies used for linting prior to commit.
@@ -105,9 +97,14 @@ def self.add_tested_gems spec
   spec.add_development_dependency 'async'
   spec.add_development_dependency 'execjs'
   spec.add_development_dependency 'rhino'
-  spec.add_development_dependency 'sqlite3'
+  if ENV.fetch('CONTRAST__PIPELINE__RUN', nil) == 'true'
+    spec.add_development_dependency 'sqlite3', '1.6.6'
+  else
+    spec.add_development_dependency 'sqlite3'
+  end
   spec.add_development_dependency 'tilt'
   spec.add_development_dependency 'xpath'
+  spec.add_development_dependency 'ruby'
 end
 
 # Add those dependencies required to run the Agent in customer applications.
@@ -116,9 +113,13 @@ end
 # dependencies.csv in this directory to indicate that and create a
 # corresponding update to the fake gem server data in TeamServer.
 def self.add_dependencies spec
-  spec.add_dependency 'ffi', '~> 1.0'
+  if ENV.fetch('CONTRAST__PIPELINE__RUN', nil) == 'true'
+    spec.add_dependency 'ffi', '1.15.5'
+  else
+    spec.add_dependency 'ffi'
+  end
   spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
-  spec.add_dependency 'rack', '~> 2.0'
+  spec.add_dependency 'rack', '>= 2.0', '< 4.0.0'
 
   # bind this directly as we've had issues w/ build changes on bug release
   spec.add_dependency 'contrast-agent-lib',  '1.1.1'

metadata

@@ -1,19 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.4.1
+  version: 7.6.0
 platform: ruby
 authors:
-- galen.palmer@contrastsecurity.com
-- harold.mcginnis@contrastsecurity.com
-- donald.propst@contrastsecurity.com
-- alex.macdonald@contrastsecurity.com
-- mark.petersen@contrastsecurity.com
-- joshua.reed@contrastsecurity.com
-autorequire: 
+- ruby@contrastsecurity.com
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-09-21 00:00:00.000000000 Z
+date: 2024-04-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -85,20 +80,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3.9'
-- !ruby/object:Gem::Dependency
-  name: ruby-debug-ide
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: debride
   requirement: !ruby/object:Gem::Requirement
@@ -300,6 +281,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -307,6 +291,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: async
   requirement: !ruby/object:Gem::Requirement
@@ -391,6 +378,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: benchmark-ips
   requirement: !ruby/object:Gem::Requirement
@@ -619,16 +620,16 @@ dependencies:
   name: ffi
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: ougai
   requirement: !ruby/object:Gem::Requirement
@@ -653,16 +654,22 @@ dependencies:
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: contrast-agent-lib
   requirement: !ruby/object:Gem::Requirement
@@ -1370,7 +1377,7 @@ metadata:
   support_uri: https://support.contrastsecurity.com
   trouble_shooting_uri: https://support.contrastsecurity.com/hc/en-us/search?utf8=%E2%9C%93&query=Ruby
   wiki_uri: https://docs.contrastsecurity.com/
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -1388,8 +1395,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
-signing_key: 
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: Contrast Security's agent for rack-based applications.
 test_files: []