contrast-agent 7.5.0 → 7.6.1

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -14,7 +14,6 @@ module Contrast
         include Contrast::Agent::Reporting::NgResponseExtractor
         include Contrast::Agent::Reporting::ResponseExtractor
 
-        ANALYZE_WHEN = %w[200 204].cs__freeze
         ERROR_CODES = {
             message_not_sent: '400',
             access_forbidden: '401',
@@ -68,7 +67,7 @@ module Contrast
 
         # check if response code is valid before analyze it
         #
-        # @param response [Net::HTTP::Response, nil]
+        # @param response [Net::HTTPResponse, nil]
         # @return [Boolean]
         def analyze_response? response
           # Code descriptions:
@@ -112,13 +111,12 @@ module Contrast
           # used for in observed routes message.
           return false unless response && (response_code = response&.code)
 
-          # We still need to check the response code even if we are not analyzing it, since the 304 code does not
-          # contain settings to be extracted but we still need to know for the diagnostics. Do not move this bellow
-          # the ANALYZE_WHEN check.
           @_last_response_code = response_code
-          return true if ANALYZE_WHEN.include?(response_code)
+          return true if response_code == '200'
+          return false if response_code == '204'
+          return false if response_code == '304'
 
-          handle_error(response) if ERROR_CODES.value?(response_code)
+          handle_error(response) if ERROR_CODES.value?(response_code) && response&.body
           # There was error, so analyze the Error and nothing more.
           false
         end
@@ -126,7 +124,7 @@ module Contrast
         # Analyze the headers of the response code. They have information about the
         # retry timeout and some response bodies contains error messages.
         #
-        # @param response [String] the response code from Net::HTTPResponse, which is obnoxiousy a String, not an
+        # @param response [Net::HTTPResponse]
         # Integer
         # @param message [String] Message to log.
         # @param mode [Symbol, nil]
@@ -142,6 +140,8 @@ module Contrast
                           error_message: error_message || 'none',
                           auth_error: auth_error || 'none')
           end
+          return unless rejected_by_ts?(response)
+
           suspend_reporting(message, ready_after, error_message) if mode == @_mode.resending
           return unless mode == @_mode.disabled
 
@@ -152,7 +152,7 @@ module Contrast
 
         # Extract what we've received.
         #
-        # @param response [Net::HTTP::Response, nil]
+        # @param response [Net::HTTPResponse, nil]
         # @return [Array<String, Integer>] all collected error info.
         def extract_response_info response
           # Extract what we got from the response:
@@ -164,11 +164,21 @@ module Contrast
           [ready_after.to_i, error_message, auth_error]
         end
 
+        # We only want to shut down the agent if TeamServer actually told us to, not because of a network error
+        #
+        # @param [Net::HTTPResponse]
+        # @return Boolean
+        def rejected_by_ts? response
+          response_body = response&.body || Contrast::Utils::ObjectShare::EMPTY_STRING
+          response_data = Contrast::Utils::Json.parse(response_body, deep_symbolize: true)
+          response_data.key?(:success) && response_data[:success] == false
+        end
+
         # Extract Last-Modified header from ServerSettings response.
         # The new GET server settings endpoint have different payload.
         # Extract the last modify headers with last update form TS.
         #
-        # @param response [Net::HTTP::Response, nil]
+        # @param response [Net::HTTPResponse, nil]
         # @param event [Contrast::Agent::Reporting::ServerSettings,
         #               Contrast::Agent::Reporting::ApplicationSettings, nil]
         # @return last_modified[integer, nil] Time since last server update
@@ -250,12 +260,12 @@ module Contrast
         #
         # This method works to extract away these differences.
         #
-        # @param response [Net::HTTP::Response, nil]
+        # @param response [Net::HTTPResponse, nil]
         # @param event [Contrast::Agent::Reporting::ReportingEvent] The event sent to TeamServer.
         # @return response [Contrast::Agent::Reporting::Response]
         def convert_response response, event
           response_body = response&.body
-          return unless response_body
+          return unless response_body && !response_body.blank?
 
           response_data = Contrast::Utils::Json.parse(response_body, deep_symbolize: true)
           return unless response_data.cs__is_a?(Hash)

data/lib/contrast/agent/request/request.rb

@@ -180,7 +180,7 @@ module Contrast
         end
       end
 
-      # returns or fenerates the hash checksum for the request
+      # returns or generates the hash checksum for the request
       #
       # @return @_hash_id [String] Contrast::Utils::HashDigest generated string checksum
       def hash_id

data/lib/contrast/agent/request/request_handler.rb

@@ -26,6 +26,7 @@ module Contrast
       #
       def report_observed_route
         return unless (reporter = Contrast::Agent.reporter)
+        return if Contrast::Agent::REQUEST_TRACKER.current&.response&.response_code == 404
 
         reporter.send_event(context.observed_route) if Contrast::ROUTES_SENT.sendable?(context.observed_route)
       end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '7.5.0'
+    VERSION = '7.6.1'
   end
 end

data/lib/contrast/configuration.rb

@@ -124,7 +124,7 @@ module Contrast
 
     # @return [Contrast::Components::Assess::Interface]
     def assess
-      @assess ||= Contrast::Components::Assess::Interface.new # rubocop:disable Naming/MemoizedInstanceVariableName
+      @assess ||= Contrast::Components::Settings::Interface.new # rubocop:disable Naming/MemoizedInstanceVariableName
     end
 
     # @return [Contrast::Components::Inventory::Interface]

data/lib/contrast/utils/hash_digest.rb

@@ -15,7 +15,6 @@ module Contrast
     class HashDigest < Digest::Class
       include Digest::Instance
       extend Contrast::Utils::HashDigestExtend
-      CONTENT_LENGTH_HEADER = 'Content-Length'
       CHARS = %w[a b c d e f g].cs__freeze
       CRYPTO_RULES = %w[crypto-bad-ciphers crypto-bad-mac].cs__freeze
       CONFIG_PATH_KEY = 'path'
@@ -34,8 +33,6 @@ module Contrast
       #
       # @param finding [Contrast::Agent::Reporting::Finding] finding to be reported
       # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
-      # @return checksum [Integer, nil] returns nil if there is no request context or tracking
-      # is disabled.
       def update_on_request finding, request
         context = Contrast::Agent::REQUEST_TRACKER.current
         return unless context || ::Contrast::ASSESS.non_request_tracking?
@@ -58,7 +55,6 @@ module Contrast
       # Update to CRC checksum the event source name and source type.
       #
       # @param events [Array<Contrast::Agent::Reporting::FindingEvent>]
-      # @return checksum [Integer, nil] returns nil if there is no events
       def update_on_sources events
         events.each do |event|
           event.event_sources.each do |source|
@@ -68,22 +64,12 @@ module Contrast
         end
       end
 
-      # This method converts and integer value for length into a string value
-      # that we can hash on, based on the logarithmic value of the length, and
-      # updates the current hash with that value.
-      # @param chr [Numeric] the length to translate
-      def update_on_content_length chr
-        update(CHARS[Math.log10(chr.to_s.length).to_i] || CHARS[-1])
-      end
-
       # Converts  given string to CRC checksum. CRC32 checksum ensures that If error
       # of a single bit occurs, the CRC checksum will fail, regardless of any other
       # property of the transmitted data, including its length. Called several times
       # with previous CRC to recalculate the new output.
       #
       # @param str [String]
-      # @return @crc32 [Integer, nil] updated value of crc 32 bit integer checksum or
-      # nil if passed string is nil or empty
       def update str
         return unless str
 

data/lib/contrast/utils/hash_digest_extend.rb

@@ -17,7 +17,7 @@ module Contrast
       # param names and content length to CRC checksum and returns string representation
       #
       # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
-      # @return checksum [String] String representation of CRC32 checksum
+      # @return [String] String representation of CRC32 checksum
       def generate_request_hash request
         hash = new
         hash.update(request.request_method)
@@ -25,8 +25,6 @@ module Contrast
         request.parameters.each_key do |name|
           hash.update(name)
         end
-        cl = request.headers[Contrast::Utils::HashDigest::CONTENT_LENGTH_HEADER]
-        hash.update_on_content_length(cl) if cl
         hash.finish
       end
 
@@ -37,7 +35,7 @@ module Contrast
       # @param finding [Contrast::Agent::Reporting::Finding] to be reported
       # @param source [Object] the source of the Trigger Event
       # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
-      # @return checksum [String] String representation of CRC32 checksum
+      # @return [String] String representation of CRC32 checksum
       def generate_event_hash finding, source, request
         return generate_dataflow_hash(finding, request) if finding.events.length.to_i > 1
 
@@ -51,7 +49,7 @@ module Contrast
       # to CRC32 checksum and returns string representation to be appended to Contrast::Api::Dtm::Finding
       #
       # @param finding [Contrast::Agent::Reporting::Finding] to be reported
-      # @return checksum [String] String representation of CRC32 checksum.
+      # @return [String] String representation of CRC32 checksum.
       def generate_config_hash finding
         hash = new
         hash.update(finding.rule_id)
@@ -80,6 +78,19 @@ module Contrast
         hash.finish
       end
 
+      # Generates the hash checksum for response scanning. Converts the rule_id and request to CRC32 checksum and
+      # returns string representation.
+      #
+      # @param finding [Contrast::Agent::Reporting::Finding] to be reported
+      # # @param request [Contrast::Agent::Request]
+      # @return [String] String representation of CRC32 checksum.
+      def generate_response_hash finding, request
+        hash = new
+        hash.update(finding.rule_id)
+        hash.update_on_request(finding, request)
+        hash.finish
+      end
+
       private
 
       # Generates the hash checksum for crypto(crypto-bad-ciphers, crypto-bad-mac) rules.

data/lib/contrast/utils/json.rb

@@ -14,7 +14,7 @@ module Contrast
 
         # Add any known cases where parsing error might arise from older json parser:
         # @return [Array<String>]
-        SPECIAL_CASES = ["\"\"", "\"0\""].cs__freeze # rubocop:disable Style/StringLiterals
+        SPECIAL_CASES = [nil, "", "\"\"", "\"0\""].cs__freeze # rubocop:disable Style/StringLiterals
 
         # Parses a string using JSON.parser. This method is used instead of standard JSON.parse to
         # support older versions of json gem => not supporting key-value second parameter, which is

data/lib/contrast/utils/middleware_utils.rb

@@ -91,6 +91,15 @@ module Contrast
       rescue Contrast::SecurityException => e
         logger.trace('Security Exception raised during application lifecycle to prevent an attack', e)
         raise(e)
+      rescue StandardError => e
+        # If there is a routing error of this type, then we cannot find a method explicitly mapped to this route.
+        # In this case, we should report nothing.
+        if Contrast::Utils::ClassUtil.truly_defined?('ActionController::RoutingError') &&
+              e.is_a?(ActionController::RoutingError)
+
+          Contrast::Agent::REQUEST_TRACKER.current&.observed_route = nil
+        end
+        raise(e)
       end
     end
   end

data/lib/contrast/utils/routes_sent.rb

@@ -25,8 +25,9 @@ module Contrast
       # @param route [Contrast::Agent::Reporting::ObservedRoute] the route
       # @return [boolean]
       def sendable? route
-        return false if Contrast::Utils::DuckUtils.empty_duck?(route.signature)
-        return false if Contrast::Utils::DuckUtils.empty_duck?(route.url)
+        return false unless route
+        return false unless route.signature && !route.signature.blank?
+        return false unless route.url && !route.url.blank?
 
         route_hash = route.hash_id
 

data/lib/contrast.rb

@@ -95,15 +95,15 @@ end
 
 # This needs to be required very early, after component interfaces, and before instrumentation attempts
 require 'contrast/funchook/funchook'
-
 require 'contrast/agent/version'
 
 # shared utils
 require 'contrast/utils/timer'
-
 require 'contrast/utils/assess/sampling_util'
 require 'contrast/agent'
 
+# Prepend fix for Ruby 3.0
+# TODO: RUBY-99999 remove once obsolete.
 if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
   # Put prepend back as it was.
   Class.alias_method(:prepend, :cs__orig_prepend)

data/resources/assess/policy.json

@@ -304,7 +304,15 @@
       "class_name":"String",
       "instance_method": true,
       "method_visibility": "public",
-      "method_name":"capitalize!",
+      "method_name":"capitalize",
+      "source":"O",
+      "target":"R",
+      "action":"KEEP"
+    }, {
+      "class_name":"String",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"html_safe",
       "source":"O",
       "target":"R",
       "action":"KEEP"
@@ -908,6 +916,36 @@
       "action":"SPLAT",
       "tags":["HTML_ENCODED"],
       "untags":["HTML_DECODED"]
+    }, {
+       "class_name": "ActiveSupport::CoreExt::ERBUtil",
+       "method_name": "html_escape",
+       "method_visibility": "public",
+       "instance_method": true,
+       "source": "P0",
+       "target": "R",
+       "action": "SPLAT",
+       "tags":["HTML_ENCODED"],
+       "untags":["HTML_DECODED"]
+    }, {
+       "class_name": "ActiveSupport::CoreExt::ERBUtil",
+       "method_name": "h",
+       "method_visibility": "public",
+       "instance_method": true,
+       "source": "P0",
+       "target": "R",
+       "action": "SPLAT",
+       "tags":["HTML_ENCODED"],
+       "untags":["HTML_DECODED"]
+    }, {
+       "class_name": "ActiveSupport::CoreExt::ERBUtil",
+       "method_name": "unwrapped_html_escape",
+       "method_visibility": "public",
+       "instance_method": true,
+       "source": "P0",
+       "target": "R",
+       "action": "SPLAT",
+       "tags":["HTML_ENCODED"],
+       "untags":["HTML_DECODED"]
     }, {
       "class_name":"ERB::Util",
       "method_name":"h",
@@ -1028,6 +1066,17 @@
       "target": "R",
       "action": "SPLAT"
     },
+    {
+       "class_name": "ActiveSupport::Multibyte::Unicode",
+       "instance_method": true,
+       "method_visibility": "public",
+       "method_name":"tidy_bytes",
+       "source":"P0",
+       "target":"R",
+       "action": "KEEP",
+       "tags":["HTML_ENCODED"],
+       "untags":["HTML_DECODED"]
+    },
     {
       "class_name": "JSON",
       "method_name": "generate",

data/ruby-agent.gemspec

@@ -9,14 +9,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 # Add the team as authors of the Agent
 def self.add_authors spec
-  spec.authors = %w[
-    galen.palmer@contrastsecurity.com
-    harold.mcginnis@contrastsecurity.com
-    donald.propst@contrastsecurity.com
-    alex.macdonald@contrastsecurity.com
-    mark.petersen@contrastsecurity.com
-    joshua.reed@contrastsecurity.com
-  ]
+  spec.authors = %w[ruby@contrastsecurity.com]
 end
 
 # Add those dependencies required to develop or test the Agent
@@ -44,7 +37,6 @@ end
 def self.add_debuggers spec
   spec.add_development_dependency 'pry'
   spec.add_development_dependency 'pry-byebug', '>= 3.9'
-  spec.add_development_dependency 'ruby-debug-ide'
 end
 
 # Dependencies used for framework testing.
@@ -52,7 +44,7 @@ def self.add_frameworks spec
   spec.add_development_dependency 'grape', '~> 1.5', '>= 1.5.2'
   spec.add_development_dependency 'rack-protection', '>= 2'
   spec.add_development_dependency 'rails', '>= 6', '~> 7'
-  spec.add_development_dependency 'sinatra', '>= 2'
+  spec.add_development_dependency 'sinatra', '>= 2', '<4.0.0'
 end
 
 # Dependencies used for linting prior to commit.
@@ -105,9 +97,14 @@ def self.add_tested_gems spec
   spec.add_development_dependency 'async'
   spec.add_development_dependency 'execjs'
   spec.add_development_dependency 'rhino'
-  spec.add_development_dependency 'sqlite3'
+  if ENV.fetch('CONTRAST__PIPELINE__RUN', nil) == 'true'
+    spec.add_development_dependency 'sqlite3', '1.6.6'
+  else
+    spec.add_development_dependency 'sqlite3'
+  end
   spec.add_development_dependency 'tilt'
   spec.add_development_dependency 'xpath'
+  spec.add_development_dependency 'ruby'
 end
 
 # Add those dependencies required to run the Agent in customer applications.
@@ -116,8 +113,11 @@ end
 # dependencies.csv in this directory to indicate that and create a
 # corresponding update to the fake gem server data in TeamServer.
 def self.add_dependencies spec
-  # TODO: RUBY-99999 investigate init_with_options segmentation fault
-  spec.add_dependency 'ffi'
+  if ENV.fetch('CONTRAST__PIPELINE__RUN', nil) == 'true'
+    spec.add_dependency 'ffi', '1.15.5'
+  else
+    spec.add_dependency 'ffi'
+  end
   spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
   spec.add_dependency 'rack', '>= 2.0', '< 4.0.0'
 

metadata

@@ -1,19 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.5.0
+  version: 7.6.1
 platform: ruby
 authors:
-- galen.palmer@contrastsecurity.com
-- harold.mcginnis@contrastsecurity.com
-- donald.propst@contrastsecurity.com
-- alex.macdonald@contrastsecurity.com
-- mark.petersen@contrastsecurity.com
-- joshua.reed@contrastsecurity.com
+- ruby@contrastsecurity.com
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-10-06 00:00:00.000000000 Z
+date: 2024-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -85,20 +80,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3.9'
-- !ruby/object:Gem::Dependency
-  name: ruby-debug-ide
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: debride
   requirement: !ruby/object:Gem::Requirement
@@ -300,6 +281,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -307,6 +291,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: async
   requirement: !ruby/object:Gem::Requirement
@@ -391,6 +378,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: benchmark-ips
   requirement: !ruby/object:Gem::Requirement
@@ -1394,7 +1395,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Contrast Security's agent for rack-based applications.