contrast-agent 7.4.1 → 7.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2b62e21b5f8d2c3d786aaaac33005487eab07fd07438e9fe20532742f926bcb0
-  data.tar.gz: 37ff12d328d1a58bddb75e4f0e9c799b44df881daaa78bea62f565f95ae715ff
+  metadata.gz: f6b34ada48cf9e91e05d85ea0f003575119b751bf135ef49709fb1501c475b3e
+  data.tar.gz: 2915fb037c832fec213dfc7835b8d732e1c22005987ef2c4287dfb55264d41a2
 SHA512:
-  metadata.gz: 46f9f576d3a28befa4681e73a250af98602c100d50ace13a1e3fcaa5a22ca2a0d0695b4b19492677d57183ff56203d2f57a5470b7c6fa0fc9c1b15bbbd49dc16
-  data.tar.gz: 427a3dafa3d8108a4aa2130ff02c8c4d52539f7d1c7b265ba78d60dc10f86f142a2b4f1132ae0be02c0c9a41c043ab1459c0a0e3a836dbced2f0db4b550aa970
+  metadata.gz: 627d1959c5993100f6bc08624d1a68627b02af18f6aa48c074f0cf374925877761b09077ce21366b6d5ddafb3185907472564753b3fbab65f6f7d74d2b74dc10
+  data.tar.gz: 224228b9e9c276c39e6d78a330a456b37cf550b4155c4b96f5ff1d29e7bf7846521c102f510061f8d6ec5e9245b99fe567cce7a5202dd2acfd62c6e7bb9ca795

data/lib/contrast/agent/hooks/at_exit_hook.rb

@@ -27,7 +27,8 @@ module Contrast
                      pp_id: @ppid,
                      process_pid: Process.pid,
                      process_pp_id: Process.ppid)
-
+        $stdout.puts('[Contrast Agent] Graceful shutdown...')
+        report_traces
         context = Contrast::Agent::REQUEST_TRACKER.current
         return unless context
 
@@ -39,6 +40,20 @@ module Contrast
         end
         Contrast::Agent.reporter&.send_event_immediately(context.activity)
       end
+
+      def self.report_traces
+        return unless Contrast::ASSESS.enabled?
+
+        collection = Contrast::Agent::Reporting::ReportingStorage.collection
+
+        # report gathered traces:
+        return if collection.empty?
+
+        collection.each do |_id, finding|
+          preflight = Contrast::Agent::Reporting::BuildPreflight.generate(finding)
+          Contrast::Agent.reporter&.send_event_immediately(preflight)
+        end
+      end
     end
   end
 end

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -20,6 +20,7 @@ require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
 require 'contrast/agent/protect/rule/xss/xss'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
 require 'contrast/agent/protect/rule/input_classification/base64_statistic'
 require 'json'
 
@@ -105,12 +106,10 @@ module Contrast
             return unless (protect_rule = Contrast::PROTECT.rule(rule_id)) && protect_rule.enabled?
 
             input_analysis.inputs.each do |input_type, value|
-              # TODO: RUBY-2110 Update the HEADER handling if possible.
-              # Analyze only Header values:
-              # This may break bot blocker rule:
-              # value = value.values if input_type == HEADER
-              next if value.nil? || value.empty?
+              value = handle_header(input_type, value)
+              next if Contrast::Utils::DuckUtils.empty_duck?(value)
 
+              # Traverse only the Header values:
               Timeout.timeout(interval) do
                 protect_rule.classification.classify(rule_id, input_type, value, input_analysis)
               end
@@ -156,6 +155,16 @@ module Contrast
 
           private
 
+          # Extracts header values, and skips keys if input_type is Header.
+          # @param input_type [Symbol]
+          # @param value [Hash, nil]
+          # @return value [Hash, nil]
+          def handle_header input_type, value
+            return value&.values || [] if input_type == Contrast::Agent::Reporting::InputType::HEADER
+
+            value
+          end
+
           # Extract the filename and name of the  Content Disposition Header.
           #
           # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb

@@ -22,32 +22,6 @@ module Contrast
           class << self
             include Contrast::Agent::Protect::Rule::InputClassification::Base
 
-            # Input Classification stage is done to determine if an user input is
-            # DEFINITEATTACK or to be ignored.
-            #
-            # @param rule_id [String] Name of the protect rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [Hash<String>] the value of the input.
-            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
-            #                                                       agent analysis from the current
-            #                                                       Request.
-            # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
-            def classify rule_id, input_type, value, input_analysis
-              return unless (rule = Contrast::PROTECT.rule(rule_id))
-              return unless rule.applicable_user_inputs.include?(input_type)
-              return unless input_analysis.request
-
-              value.each_value do |val|
-                result = create_new_input_result(input_analysis.request, rule.rule_name, input_type, val)
-                append_result(input_analysis, result)
-              end
-
-              input_analysis
-            rescue StandardError => e
-              logger.debug("An Error was recorded in the input classification of the #{ rule_id }", error: e)
-              nil
-            end
-
             private
 
             # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's

data/lib/contrast/agent/protect/rule/cmdi/cmd_injection.rb

@@ -21,6 +21,11 @@ module Contrast
           include Contrast::Components::Logger::InstanceMethods
           include Contrast::Agent::Reporting::InputType
           NAME = 'cmd-injection'
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
+            PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
+            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
+          ].cs__freeze
 
           def rule_name
             NAME

data/lib/contrast/agent/protect/rule/input_classification/base.rb

@@ -24,7 +24,7 @@ module Contrast
               COOKIE_VALUE, PARAMETER_VALUE, HEADER, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
             ].cs__freeze
 
-            BASE64_INPUT_TYPES = [BODY, COOKIE_VALUE, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE].cs__freeze
+            BASE64_INPUT_TYPES = [BODY, HEADER, COOKIE_VALUE, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE].cs__freeze
 
             class << self
               include Contrast::Components::Logger::InstanceMethods
@@ -183,9 +183,6 @@ module Contrast
               return value unless Contrast::PROTECT.normalize_base64?
               return value unless BASE64_INPUT_TYPES.include?(input_type)
 
-              # TODO: RUBY-2110 Update the HEADER handling if possible.
-              # We need only the Header values.
-
               cs__decode64(value, input_type)
             end
           end

data/lib/contrast/agent/protect/rule/input_classification/encoding.rb

@@ -37,7 +37,7 @@ module Contrast
             # The Base64 method will return printable ascii characters, so we can use this to determine if the value is
             # encoded or not.
             #
-            # The solution in this case is encodind the value, and then decoding it. If the value is already encoded
+            # The solution in this case is encoding the value, and then decoding it. If the value is already encoded
             # it will not be eq to the original value. If the value is not encoded, it will be eq to the original value.
             #
             # @param value [String] input to check for encoding status.
@@ -96,11 +96,43 @@ module Contrast
             def cs__decode64 value, input_type
               return value unless cs__base64?(value, input_type)
 
-              Base64.decode64(value)
+              new_value = try_base64_decode(value)
+              new_value, success = normalize_encoding(new_value)
+              return new_value if success
+
+              value
             rescue StandardError => e
               logger.error('Error while decoding base64', error: e, message: e.message, backtrace: e.backtrace)
               value
             end
+
+            private
+
+            # Try and decode the value, do not use decoding if the value have zero bytes.
+            def try_base64_decode value
+              new_value = Base64.decode64(value)
+              # check for null bytes:
+              return new_value unless new_value.bytes.select(&:zero?).any?
+
+              value
+            end
+
+            # Detecting encoded Base64 is not perfect. In some cases it will detect certain inputs as
+            # encoded and will try to decode them. Even if the decoding is successful, the value may be
+            # encoded back to ASCII format. AgentLib will raise UTF-8 error in this case.
+            # This method will try to normalize the encoding to UTF-8. If the encoding fails, this means
+            # that the decoding was not successful and the value will be returned as is. Otherwise a
+            # base64 decoded string with ASCII-8BIT encoding will be parsed to UTF-8 without errors.
+            #
+            # @param value [String] input to normalize.
+            # @return [Array<String, Boolean>] normalized value and success flag.
+            def normalize_encoding value
+              new_value = value.dup.encode!('Windows-1252').force_encoding('UTF-8')
+              [new_value, true]
+            rescue StandardError
+              # encoding failed, or the decoding from base64 failed.
+              [nil, false]
+            end
           end
         end
       end

data/lib/contrast/agent/reporting/input_analysis/input_type.rb

@@ -33,42 +33,12 @@ module Contrast
           # @return
           def to_a
             @_to_a ||= [
-              UNDEFINED_TYPE, BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_NAME, PARAMETER_VALUE,
-              QUERYSTRING, URI, SOCKET, JSON_VALUE, JSON_ARRAYED_VALUE, MULTIPART_CONTENT_TYPE, MULTIPART_VALUE,
-              MULTIPART_FIELD_NAME, MULTIPART_NAME, XML_VALUE, DWR_VALUE, METHOD, REQUEST, URL_PARAMETER, UNKNOWN
+              UNDEFINED_TYPE, BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_NAME,
+              PARAMETER_VALUE, QUERYSTRING, URI, SOCKET, JSON_VALUE, JSON_ARRAYED_VALUE, MULTIPART_CONTENT_TYPE,
+              MULTIPART_VALUE, MULTIPART_FIELD_NAME, MULTIPART_NAME, XML_VALUE, DWR_VALUE, METHOD, REQUEST,
+              URL_PARAMETER, UNKNOWN
             ]
           end
-
-          # This is a hash of the input types and their corresponding values.
-          #
-          # @return [Hash]
-
-          def to_hash
-            {
-                UNDEFINED_TYPE: '1',
-                BODY: '2',
-                COOKIE_NAME: '3',
-                COOKIE_VALUE: '4',
-                HEADER: '5',
-                PARAMETER_NAME: '6',
-                PARAMETER_VALUE: '7',
-                QUERYSTRING: '8',
-                URI: '9',
-                SOCKET: '10',
-                JSON_VALUE: '11',
-                JSON_ARRAYED_VALUE: '12',
-                MULTIPART_CONTENT_TYPE: '13',
-                MULTIPART_VALUE: '14',
-                MULTIPART_FIELD_NAME: '15',
-                MULTIPART_NAME: '16',
-                XML_VALUE: '17',
-                DWR_VALUE: '18',
-                METHOD: '19',
-                REQUEST: '20',
-                URL_PARAMETER: '21',
-                UNKNOWN: '22'
-            }
-          end
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/preflight_message.rb

@@ -43,7 +43,7 @@ module Contrast
               appPath: ::Contrast::APP_CONTEXT.name, # rubocop:disable Security/Module/Name
               appVersion: ::Contrast::APP_CONTEXT.version,
               code: CODE,
-              data: '',
+              data: @data || '',
               key: 0,
               session_id: ::Contrast::ASSESS.session_id,
               routes: @routes.map(&:to_controlled_hash)

data/lib/contrast/agent/reporting/reporting_utilities/build_preflight.rb

@@ -17,14 +17,14 @@ module Contrast
           # @param finding [Contrast::Agent::Reporting::Finding]
           # @return [Contrast::Agent::Reporting::Preflight, nil]
           def generate finding
-            return unless finding
+            return unless finding&.cs__is_a?(Contrast::Agent::Reporting::Finding)
 
             new_preflight = Contrast::Agent::Reporting::Preflight.new
             new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
-            finding.routes.each do |route|
-              new_preflight_message.routes << route
+            routes = finding.routes
+            unless Contrast::Utils::DuckUtils.empty_duck?(routes)
+              routes.each { |route| new_preflight_message.routes << route }
             end
-            new_preflight_message.hash_code = finding.hash_code
             new_preflight_message.data = "#{ finding.rule_id },#{ finding.hash_code }"
             new_preflight.messages << new_preflight_message
             return new_preflight unless Contrast::Utils::DuckUtils.empty_duck?(new_preflight.messages)

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb

@@ -118,7 +118,11 @@ module Contrast
           mode.resend.reset_rescue_attempts
           findings_to_return.each do |index|
             preflight_message = event.messages[index.to_i]
-            corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message&.data)
+            preflight_data = preflight_message&.data
+            corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_data)
+            if Contrast::Agent::REQUEST_TRACKER.current
+              Contrast::Agent::REQUEST_TRACKER.current.reported_findings << preflight_data
+            end
             next unless corresponding_finding
 
             send_event(corresponding_finding, connection)

data/lib/contrast/agent/reporting/reporting_utilities/response_handler_utils.rb

@@ -263,7 +263,7 @@ module Contrast
           extract_response_last_modified(response, event)
           populate_response(response_data, event)
         rescue StandardError => e
-          logger.error('Unable to convert response', e)
+          logger.error('Unable to convert response', error: e)
           nil
         end
 

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '7.4.1'
+    VERSION = '7.5.0'
   end
 end

data/lib/contrast/utils/json.rb

@@ -14,7 +14,7 @@ module Contrast
 
         # Add any known cases where parsing error might arise from older json parser:
         # @return [Array<String>]
-        SPECIAL_CASES = ["\"\""].cs__freeze # rubocop:disable Style/StringLiterals
+        SPECIAL_CASES = ["\"\"", "\"0\""].cs__freeze # rubocop:disable Style/StringLiterals
 
         # Parses a string using JSON.parser. This method is used instead of standard JSON.parse to
         # support older versions of json gem => not supporting key-value second parameter, which is

data/ruby-agent.gemspec

@@ -116,9 +116,10 @@ end
 # dependencies.csv in this directory to indicate that and create a
 # corresponding update to the fake gem server data in TeamServer.
 def self.add_dependencies spec
-  spec.add_dependency 'ffi', '~> 1.0'
+  # TODO: RUBY-99999 investigate init_with_options segmentation fault
+  spec.add_dependency 'ffi'
   spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
-  spec.add_dependency 'rack', '~> 2.0'
+  spec.add_dependency 'rack', '>= 2.0', '< 4.0.0'
 
   # bind this directly as we've had issues w/ build changes on bug release
   spec.add_dependency 'contrast-agent-lib',  '1.1.1'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 7.4.1
+  version: 7.5.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -10,10 +10,10 @@ authors:
 - alex.macdonald@contrastsecurity.com
 - mark.petersen@contrastsecurity.com
 - joshua.reed@contrastsecurity.com
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-09-21 00:00:00.000000000 Z
+date: 2023-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -619,16 +619,16 @@ dependencies:
   name: ffi
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: ougai
   requirement: !ruby/object:Gem::Requirement
@@ -653,16 +653,22 @@ dependencies:
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: contrast-agent-lib
   requirement: !ruby/object:Gem::Requirement
@@ -1370,7 +1376,7 @@ metadata:
   support_uri: https://support.contrastsecurity.com
   trouble_shooting_uri: https://support.contrastsecurity.com/hc/en-us/search?utf8=%E2%9C%93&query=Ruby
   wiki_uri: https://docs.contrastsecurity.com/
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -1388,8 +1394,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
-signing_key: 
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: Contrast Security's agent for rack-based applications.
 test_files: []