RubyGems - contrast-agent - Versions diffs - 6.14.0 → 6.15.0 - Mend

contrast-agent 6.14.0 → 6.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 577b0810f45b302615af1f151ebb6b772d76c0bccd460057022f5fbadf065d73
-  data.tar.gz: f3e882dd5e3d7e63e4cf09f37733acd02ad3b70b2d195b8a9377175cfe1b4330
+  metadata.gz: e4f1f41a4e9c4b720867bf41832aceec4b4d4b2e55efafc086f5bf9a14f56401
+  data.tar.gz: 575fbbe0b929cc700daa495403325a27ff90cd92b44f549c9fd44dde7f25ec55
 SHA512:
-  metadata.gz: 168ea3d43d19acbe29a80b9b244a91c29b0f7c091137b7a0575edd39f763ec013e1402bc1337c167e8147738428813b7d1010e92a8e102aa3b72570685d73605
-  data.tar.gz: ddbf43ffe314bfd53c19687dc7bfc549a1b5374a43ede461a73487519ef263672f6dc7fe449140159c5e26587a55052b132242c20b1673d2dbed3d882340f157
+  metadata.gz: a6a321d684f4a220f3eed2cc85ddac8985a4720216beb062d9bc9c75322bbf9d626b96c83f8f0698acdf611fe0ba4dabfa3f908cb6d12a400c3ee05e3d850c05
+  data.tar.gz: 6de14c43bfd6bb54f6fc6da174c1affe91e2712dc6438d69fa6b87404336e8d68691f84339ba756a4a85f5d70ac8b17488a96e786faa77099c5e34963c8e0ffd

data/lib/contrast/agent/{assess.rb → assess/assess.rb} RENAMED Viewed

@@ -9,7 +9,7 @@ module Contrast
     # point of require for this functionality.
     module Assess
       require 'contrast/agent/assess/tracker'
-      require 'contrast/agent/module_data'
+      require 'contrast/agent/assess/module_data'
       require 'contrast/agent/assess/policy/preshift'
       # Dynamic Sources

data/lib/contrast/agent/{module_data.rb → assess/module_data.rb} RENAMED Viewed

File without changes

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/method_policy'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -15,6 +16,8 @@ module Contrast
           READ_TABLE = 'readTable'
           READ_COLUMN = 'readColumn'
           class << self
+            include Contrast::Components::Logger::InstanceMethods
             # Given a Class representing a table in a Database and a map of
             # methods representing columns, generate sources for each method
             # such that calls to that method will result in a Source Event.

data/lib/contrast/agent/assess/policy/policy_node.rb CHANGED Viewed

@@ -38,6 +38,7 @@ module Contrast
             capitalize!
             chomp
             to_s
+            to_str
             downcase
             downcase!
             lstrip
@@ -45,7 +46,7 @@ module Contrast
             upcase!
             upcase
           ].cs__freeze
-          TO_S = 'to_s'
+          TO_S = %w[to_s to_str].cs__freeze
           def initialize policy_hash = {}
             super(policy_hash)
@@ -63,7 +64,7 @@ module Contrast
             # String#to_s => self or string. This method is included here to cover the situations such as
             # String.to_s.html_safe, where normally the dynamic sources properties get lost. To solve this
             # we will simply return the original object here.
-            return true if @_use_original_object && policy_hash[JSON_METHOD_NAME] == TO_S
+            return true if @_use_original_object && TO_S.include?(policy_hash[JSON_METHOD_NAME])
             @_use_original_object &&
                 # Check if method name ends with a (!) bang unless is the to_s method:

data/lib/contrast/agent/assess/policy/propagation_method.rb CHANGED Viewed

@@ -92,11 +92,11 @@ module Contrast
             #   propagation event.
             # @param target [Object] the Target to which to propagate.
             def apply_tags propagation_node, target
-              return unless propagation_node.tags
+              return unless (propagation_tags = propagation_node.tags)
               return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
               length = Contrast::Utils::StringUtils.ret_length(target)
-              propagation_node.tags.each do |tag|
+              propagation_tags.each do |tag|
                 properties.add_tag(tag, 0...length)
               end
             end

data/lib/contrast/agent/assess/policy/propagator/database_write.rb CHANGED Viewed

@@ -50,7 +50,6 @@ module Contrast
                   next if known_tainted&.include?(key)
                   next unless (properties = Contrast::Agent::Assess::Tracker.properties!(value))
-                  # TODO: RUBY-540 handle sanitization, handle nested objects
                   Contrast::Agent::Assess::Policy::PropagationMethod.apply_tags(propagation_node, value)
                   event_data = Contrast::Agent::Assess::Events::EventData.new(propagation_node,
                                                                               value, preshift.object,

data/lib/contrast/agent/assess/policy/source_method.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 require 'set'
 require 'contrast/agent/assess/policy/source_validation/source_validation'
-require 'contrast/agent/excluder'
+require 'contrast/agent/excluder/excluder'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'

data/lib/contrast/agent/assess/policy/trigger_method.rb CHANGED Viewed

@@ -2,9 +2,10 @@
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
-require 'contrast/agent/excluder'
+require 'contrast/agent/excluder/excluder'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
 require 'contrast/utils/sha256_builder'
 require 'contrast/utils/assess/trigger_method_utils'
 require 'contrast/agent/assess/events/event_data'
@@ -99,6 +100,7 @@ module Contrast
               return if excluded_by_input_and_rule?(request, finding, trigger_node.rule_id)
               finding.hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
+              check_for_stored_xss(finding)
               finding
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
@@ -188,6 +190,39 @@ module Contrast
             def excluded_by_input_and_rule? request, finding, rule_id
               Contrast::SETTINGS.excluder.assess_excluded_by_input_and_rule?(request, finding, rule_id)
             end
+            # Handles the Stored Xss rule. If a vector is stored in the database
+            def check_for_stored_xss finding
+              return unless finding && finding.rule_id == 'reflected-xss'
+              # Check for database tainted event propagation:
+              if finding.events.select { |event| event.reportable_tags.include?('DATABASE_WRITE') }.
+                    any? && !Contrast::ASSESS.disabled_rules.include?('stored-xss')
+                # Override 'reflected-xss' => 'stored-xss'
+                finding.instance_variable_set(:@rule_id, 'stored-xss')
+                extract_dynamic_source_info(finding)
+                finding
+              end
+            end
+            def extract_dynamic_source_info finding
+              return unless finding
+              creation_events = finding.events.select { |e| e.action == :CREATION }
+              source_event_policy = creation_events[0].policy_node if creation_events.any?
+              properties = source_event_policy.properties if source_event_policy
+              # Properties example:
+              # => {"dynamic_source_id"=>"Assess:Source:Comment#message",
+              #  "dynamic_source_name"=>"Comment.message",
+              #  "readTable"=>"Comment",
+              #  "readColumn"=>:message,
+              #  "writeDateTimeUtc"=>1675087341948,
+              #  "writeRequestUrl"=>"/comments"}
+              return if Contrast::Utils::DuckUtils.empty_duck?(properties)
+              finding.instance_variable_set(:@properties, finding.properties.merge(properties))
+            end
           end
         end
       end

data/lib/contrast/agent/{excluder.rb → excluder/excluder.rb} RENAMED Viewed

File without changes

data/lib/contrast/agent/{exclusion_matcher.rb → excluder/exclusion_matcher.rb} RENAMED Viewed

File without changes

data/lib/contrast/agent/{at_exit_hook.rb → hooks/at_exit_hook.rb} RENAMED Viewed

File without changes

data/lib/contrast/agent/{tracepoint_hook.rb → hooks/tracepoint_hook.rb} RENAMED Viewed

File without changes

data/lib/contrast/agent/inventory/database_config.rb CHANGED Viewed

@@ -54,6 +54,7 @@ module Contrast
           # @return [Hash]
           def active_record_config
             return @_active_record_config if instance_variable_defined?(:@_active_record_config)
+            return unless defined?(ActiveRecord) && defined?(ActiveRecord::Base)
             @_active_record_config = if ActiveRecord::Base.cs__respond_to?(:connection_db_config)
                                        ActiveRecord::Base.connection_db_config

data/lib/contrast/agent/{inventory.rb → inventory/inventory.rb} RENAMED Viewed

File without changes

data/lib/contrast/agent/{middleware.rb → middleware/middleware.rb} RENAMED Viewed

@@ -10,9 +10,9 @@ require 'contrast/utils/object_share'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/heap_dump_util'
-require 'contrast/agent/telemetry'
-require 'contrast/agent/request_handler'
-require 'contrast/agent/static_analysis'
+require 'contrast/agent/telemetry/telemetry'
+require 'contrast/agent/request/request_handler'
+require 'contrast/agent/middleware/static_analysis'
 require 'contrast/agent/telemetry/startup_metrics_event'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
 require 'contrast/utils/middleware_utils'

data/lib/contrast/agent/{static_analysis.rb → middleware/static_analysis.rb} RENAMED Viewed

File without changes

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb CHANGED Viewed

@@ -4,18 +4,18 @@
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/input_analysis/input_analysis'
-require 'contrast/agent/protect/rule/bot_blocker'
+require 'contrast/agent/protect/rule/bot_blocker/bot_blocker'
 require 'contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification'
 require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
-require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli'
 require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
 require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
 require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
-require 'contrast/agent/protect/rule/unsafe_file_upload'
-require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
-require 'contrast/agent/protect/rule/xss'
+require 'contrast/agent/protect/rule/xss/xss'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'json'

data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/worker_thread'
+require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/input_analysis/input_analysis_result'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/reporting_events/application_activity'

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/protect/rule/cmd_injection'
+require 'contrast/agent/protect/rule/cmdi/cmd_injection'
 require 'contrast/agent/protect/policy/applies_deserialization_rule'
 require 'contrast/agent/protect/policy/rule_applicator'

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/protect/rule/deserialization'
+require 'contrast/agent/protect/rule/deserialization/deserialization'
 require 'contrast/agent/protect/policy/rule_applicator'
 module Contrast

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli'
 require 'contrast/agent/protect/policy/rule_applicator'
 module Contrast

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/protect/rule/path_traversal'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
 require 'contrast/agent/protect/policy/rule_applicator'
 require 'contrast/utils/object_share'

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/protect/rule/sqli'
+require 'contrast/agent/protect/rule/sqli/sqli'
 require 'contrast/agent/protect/policy/rule_applicator'
 module Contrast

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-require 'contrast/agent/protect/rule/xxe'
+require 'contrast/agent/protect/rule/xxe/xxe'
 require 'contrast/agent/protect/policy/rule_applicator'
 require 'contrast/utils/object_share'