newrelic_security 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 82cddb6a77c7bac2c46e31b5e0577dd346aa0e78b919fc8fb3c2765a7192c0a6
-  data.tar.gz: cb8f47120816909cb30ae0d16f9c6c4da3f684a8497747ccab3bbf12aa36e501
+  metadata.gz: 90213be8f4f16d3ac2402f570f734466927d341581a73e3382f8d843d0a4486e
+  data.tar.gz: a329513f2be86620ecccd38f2811b842b897028c06027e47930b3dea4e8b7b4c
 SHA512:
-  metadata.gz: 96abdbedd151b564c30d2ccafc1e98b46185130d6028634877ef0a42c1dc8ff775cf5affbcb7fdd7eee305bbb5ca33a266dfd82ebd5b7f0d2f6e396687af7897
-  data.tar.gz: a69f0fcaf8a427a4ec169ed7dd33952ee88e723a89281a2e9b46841029898fdea6a21748290e2058e861629e368da84b0b6d317181248b33f88a3a33bc5049e2
+  metadata.gz: 565fbe75ccb52096f5e1e1549f5dfdea51f96435a2ee0a8819723e1c996c731f6090a6edb3bb1673318a9273288b031a3645e7d64f81a56cd0212181d64647e4
+  data.tar.gz: d176f0228f7f448e2fd08abd28906f59c4e0cac88abcd41bd7a2c02b30c427a78c990cc08a41d3626d5e4ec1cb62809cc2d029bcce7b8f88aa20736c883373c6

data/.github/workflows/pr_ci.yml

@@ -22,7 +22,7 @@ jobs:
         run: sudo apt-get update; sudo apt-get install -y --no-install-recommends libcurl4-nss-dev libxslt1-dev libc6-dev openjdk-11-jdk
 
       - name: Install Ruby ${{ matrix.ruby-version }}
-        uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # tag v1.176.0
+        uses: ruby/setup-ruby@086ffb1a2090c870a3f881cc91ea83aa4243d408 # v1.195.0
         with:
           ruby-version: ${{ matrix.ruby-version }}
 
@@ -53,7 +53,7 @@ jobs:
       - name: Configure git
         run: 'git config --global init.defaultBranch main'
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag v4.1.2
-      - uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # tag v1.176.0
+      - uses: ruby/setup-ruby@086ffb1a2090c870a3f881cc91ea83aa4243d408 # v1.195.0
         with:
           ruby-version: '3.1'
       - run: bundle

data/.github/workflows/release.yml

@@ -16,7 +16,7 @@ jobs:
       with:
         fetch-depth: 0
 
-    - uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # tag v1.176.0
+    - uses: ruby/setup-ruby@086ffb1a2090c870a3f881cc91ea83aa4243d408 # v1.195.0
       with:
         ruby-version: 3.2
 

data/.github/workflows/rubocop.yml

@@ -10,7 +10,7 @@ jobs:
       - name: Configure git
         run: 'git config --global init.defaultBranch main'
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag v4.1.2
-      - uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # tag v1.176.0
+      - uses: ruby/setup-ruby@086ffb1a2090c870a3f881cc91ea83aa4243d408 # v1.195.0
         with:
           ruby-version: '3.3'
       - run: bundle

data/CHANGELOG.md

@@ -1,5 +1,33 @@
 # New Relic Ruby Security Agent Release Notes
 
+## v0.4.0
+
+Version 0.4.0 introuduces Rack framework support, GraphQL support & CI/CD integration as part of security. Updated json_version: **1.2.9**
+
+- Feature: Rack framework support [PR#149](https://github.com/newrelic/csec-ruby-agent/pull/149)
+
+- Feature: GraphQL support [PR#133](https://github.com/newrelic/csec-ruby-agent/pull/133)
+
+- Feature: CI/CD integration support [PR#146](https://github.com/newrelic/csec-ruby-agent/pull/146)
+
+- Bugfix: Fix for Agent is sending 404 http error in runtime error json [PR#147](https://github.com/newrelic/csec-ruby-agent/pull/147)
+
+- Bugfix: Fix for Exception occurred in generating unhandled exception in Sinatra jruby app [PR#150](https://github.com/newrelic/csec-ruby-agent/pull/150)
+
+- Bugfix: Fix for Do not send empty url endpoint json & Reconnect in random interval between 5-15 secs [PR#151](https://github.com/newrelic/csec-ruby-agent/pull/151)
+
+- Bugfix: Fix for Wrong formated critical error message [PR#148](https://github.com/newrelic/csec-ruby-agent/pull/148)
+
+- BugFix: Fix for Vulnerability is missed in text/json because of small stackTrace [PR#155](https://github.com/newrelic/csec-ruby-agent/pull/155)
+
+- BugFix: Fix for API endpoints not detected in grape framework in JRuby environment [PR#158](https://github.com/newrelic/csec-ruby-agent/pull/158)
+
+- BugFix: Fix for XML content type vulnerability not detected [PR#159](https://github.com/newrelic/csec-ruby-agent/pull/159)
+
+- BugFix: Fix for Concurrency issue observed in JRuby environment, BufferOverflowException observed in writing events to websocket [PR#161](https://github.com/newrelic/csec-ruby-agent/pull/161)
+
+- Memory usage optimisations [PR#153](https://github.com/newrelic/csec-ruby-agent/pull/153)
+
 ## v0.3.0
 
 Version 0.3.0 introduces more control on IAST scanning through new configs(exclude_from_iast_scan, scan_schedule & scan_controllers) and 

data/Gemfile_test

@@ -13,7 +13,9 @@ gem 'rubocop'
 gem 'rubocop-minitest'
 gem 'rubocop-rake'
 gem 'simplecov'
+gem 'concurrent-ruby', '1.3.4'
 gem 'railties'
+gem 'ffi', '1.15.5' if RUBY_VERSION < '3.1.0'
 if RUBY_VERSION >= '3.0.0'
   gem 'rails', '~>6.0.0'
 elsif RUBY_VERSION < '2.5.0'
@@ -23,6 +25,7 @@ else
 end
 gem 'loofah', '~> 2.19.0'
 gem 'sinatra'
+gem 'tilt', '~> 2.4.0' if RUBY_VERSION < '2.5.0'
 gem 'padrino'
 gem 'grape'
 gem 'roda'

data/README.md

@@ -46,6 +46,7 @@ The newrelic_security must be explicitly enabled in order to perform IAST analys
 - Padrino: 0.15 or higher
 - Grape: 1.2 or higher
 - Roda: 3.19 or higher
+- Rack: 1.6 or higher
 - gRPC: 1 or higher
 ### Web servers
 - Puma: 3 or higher

data/lib/newrelic_security/agent/agent.rb

@@ -62,6 +62,8 @@ module NewRelic::Security
       end
 
       def shutdown_security_agent
+        NewRelic::Security::Agent.logger.info "Flushing eventQ (#{NewRelic::Security::Agent.agent.event_processor.eventQ.size} events) and closing websocket connection"
+        NewRelic::Security::Agent.agent.event_processor&.eventQ&.clear
         @iast_client&.fuzzQ&.clear
         @iast_client&.completed_requests&.clear
         @iast_client&.pending_request_ids&.clear
@@ -80,7 +82,7 @@ module NewRelic::Security
       end
 
       def start_event_processor
-        @event_processor&.event_dequeue_thread&.kill 
+        @event_processor&.event_dequeue_threads&.each { |t| t&.kill }
         @event_processor&.healthcheck_thread&.kill
         @event_processor = nil
         @event_processor = NewRelic::Security::Agent::Control::EventProcessor.new

data/lib/newrelic_security/agent/configuration/manager.rb

@@ -37,14 +37,17 @@ module NewRelic::Security
           @cache[:'security.detection.deserialization.enabled'] = ::NewRelic::Agent.config[:'security.detection.deserialization.enabled'].nil? ? true : ::NewRelic::Agent.config[:'security.detection.deserialization.enabled']
           @cache[:'security.scan_controllers.iast_scan_request_rate_limit'] = ::NewRelic::Agent.config[:'security.scan_controllers.iast_scan_request_rate_limit'].to_i
           @cache[:framework] = detect_framework
+          @cache[:app_class] = detect_app_class if @cache[:framework] == :rack
           @cache[:'security.application_info.port'] = ::NewRelic::Agent.config[:'security.application_info.port'].to_i
           @cache[:listen_port] = nil
           @cache[:process_start_time] = current_time_millis # TODO: Ruby doesn't provide process start time in pure ruby implementation using agent loading time for now.
           @cache[:traffic_start_time] = nil
           @cache[:scan_start_time] = nil
+          @cache[:'security.scan_controllers.scan_instance_count'] = ::NewRelic::Agent.config[:'security.scan_controllers.scan_instance_count']
+          @cache[:'security.iast_test_identifier'] = ::NewRelic::Agent.config[:'security.iast_test_identifier']
           @cache[:app_root] = NewRelic::Security::Agent::Utils.app_root
           @cache[:jruby_objectspace_enabled] = false
-          @cache[:json_version] = :'1.2.8'
+          @cache[:json_version] = :'1.2.9'
           @cache[:'security.exclude_from_iast_scan.api'] = convert_to_regexp_list(::NewRelic::Agent.config[:'security.exclude_from_iast_scan.api'])
           @cache[:'security.exclude_from_iast_scan.http_request_parameters.header'] = ::NewRelic::Agent.config[:'security.exclude_from_iast_scan.http_request_parameters.header']
           @cache[:'security.exclude_from_iast_scan.http_request_parameters.query'] = ::NewRelic::Agent.config[:'security.exclude_from_iast_scan.http_request_parameters.query']
@@ -153,6 +156,16 @@ module NewRelic::Security
           return :sinatra if defined?(::Sinatra)
           return :roda if defined?(::Roda)
           return :grape if defined?(::Grape)
+          return :rack if defined?(::Rack) && defined?(Rack::Builder)
+        end
+
+        def detect_app_class
+          target_class = nil
+          ObjectSpace.each_object(::Rack::Builder) do |z| target_class = z.instance_variable_get(:@run).target end
+          target_class
+        rescue StandardError => exception
+          NewRelic::Security::Agent.logger.error "Exception in detect_app_class : #{exception.inspect} #{exception.backtrace}"
+          nil
         end
 
         def generate_uuid
@@ -167,7 +180,8 @@ module NewRelic::Security
           end
           ::SecureRandom.uuid
         rescue Exception => exception
-          NewRelic::Security::Agent.logger.error "Exception in generate_uuid : #{exception.inspect} #{exception.backtrace}"
+          NewRelic::Security::Agent.logger.warn "Error in generate_uuid, generating it through default approach : #{exception.inspect} #{exception.backtrace}"
+          ::SecureRandom.uuid
         end
 
         def create_uuid

data/lib/newrelic_security/agent/control/application_runtime_error.rb

@@ -81,7 +81,7 @@ module NewRelic::Security
 
         def generate_trace_id(ctxt, category)
           @exception[:stackTrace]
-          method, route = ctxt.route.split(AT_THE_RATE) if ctxt.route
+          method, route = ctxt.route.split(AT_THE_RATE) if ctxt&.route
           if @exception[:stackTrace]
             ::Digest::SHA256.hexdigest("#{@exception[:stackTrace].join(PIPE)}#{category}#{route}#{method}").to_s
           else

data/lib/newrelic_security/agent/control/collector.rb

@@ -45,6 +45,7 @@ module NewRelic::Security
           # In rails 5 method name keeps chaning for same api call (ex: _app_views_sqli_sqlinjectionattackcase_html_erb__1999281606898621405_2624809100).
           # Hence, considering only frame absolute_path & lineno for apiId calculation.
           user_frame_index = get_user_frame_index(stk)
+          route = route&.gsub(/\d+/, EMPTY_STRING) if NewRelic::Security::Agent.config[:framework] == :rack || NewRelic::Security::Agent.config[:framework] == :roda
           event.apiId = "#{case_type}-#{calculate_api_id(stk[0..user_frame_index].map { |frame| "#{frame.absolute_path}:#{frame.lineno}" }, event.httpRequest[:method], route)}"
           stk.delete_if { |frame| frame.path.match?(/newrelic_security/) || frame.path.match?(/new_relic/) }
           user_frame_index = get_user_frame_index(stk)
@@ -60,7 +61,7 @@ module NewRelic::Security
             event.lineNumber = stk[0].lineno
           end
           event.stacktrace = stk[0..user_frame_index].map(&:to_s)
-          NewRelic::Security::Agent.agent.event_processor.send_event(event)
+          NewRelic::Security::Agent.agent.event_processor&.send_event(event)
           if event.httpRequest[:headers].key?(NR_CSEC_FUZZ_REQUEST_ID) && event.apiId == event.httpRequest[:headers][NR_CSEC_FUZZ_REQUEST_ID].split(COLON_IAST_COLON)[0] && NewRelic::Security::Agent.agent.iast_client.completed_requests[event.parentId]
             NewRelic::Security::Agent.agent.iast_client.completed_requests[event.parentId] << event.id
           end
@@ -73,6 +74,10 @@ module NewRelic::Security
           else
             NewRelic::Security::Agent.agent.rasp_event_stats.error_count.increment
           end
+        ensure
+          event = nil
+          stk = nil
+          route = nil
         end
 
         private
@@ -80,6 +85,7 @@ module NewRelic::Security
         def get_user_frame_index(stk)
           return -1 if NewRelic::Security::Agent.config[:app_root].nil?
           stk.each_with_index do |val, index|
+            next if stk[index + 1] && stk[index + 1].path.start_with?(NewRelic::Security::Agent.config[:app_root])
             return index if val.path.start_with?(NewRelic::Security::Agent.config[:app_root])
           end
           return -1

data/lib/newrelic_security/agent/control/control_command.rb

@@ -1,4 +1,5 @@
 require 'json'
+require 'securerandom'
 
 module NewRelic::Security
   module Agent
@@ -93,7 +94,7 @@ module NewRelic::Security
           NewRelic::Security::Agent.agent.iast_client.completed_requests.clear if NewRelic::Security::Agent.agent.iast_client
           NewRelic::Security::Agent.agent.iast_client.pending_request_ids.clear if NewRelic::Security::Agent.agent.iast_client
           NewRelic::Security::Agent.config.disable_security
-          Thread.new { NewRelic::Security::Agent.agent.reconnect(0) }
+          Thread.new { NewRelic::Security::Agent.agent.reconnect(SecureRandom.random_number(10) + 5) }
         end
 
         def current_time_millis

data/lib/newrelic_security/agent/control/error_reporting.rb

@@ -40,22 +40,24 @@ module NewRelic::Security
             # TODO: when do refactoring of ctxt.route, use both route and method to generate key
             ctxt.route&.+ response_code.to_s
                 else
-            application_runtime_error.exception[:type] + application_runtime_error.exception[:stackTrace][0]
+            application_runtime_error.exception[:type]&.+ application_runtime_error.exception[:stackTrace]&.first
                 end
+          return if key.nil? || key.empty?
           application_runtime_error.counter = @exceptions_map[key].counter + 1 if @exceptions_map.key?(key)
           @exceptions_map[key] = application_runtime_error
-        rescue Exception => exception
+        rescue StandardError => exception
           NewRelic::Security::Agent.logger.error "Exception in generating unhandled exception: #{exception.inspect} #{exception.backtrace}\n"
         end
 
-        def extract_noticed_error(current_transaction, ctxt, response_code)
+        def extract_noticed_error(current_transaction, ctxt, http_response_code)
+          return if http_response_code&.between?(400, 499)
           # TODO: Below operation is expensive, talk to APM to get optimized way to do this
           current_transaction.exceptions.each do |_, span|
             current_transaction.segments.each do |segment|
-              generate_unhandled_exception(segment.noticed_error, ctxt, response_code) if span[:span_id] == segment.guid
+              generate_unhandled_exception(segment.noticed_error, ctxt, http_response_code) if span[:span_id] == segment.guid
             end
           end
-        rescue Exception => exception
+        rescue StandardError => exception
           NewRelic::Security::Agent.logger.error "Exception in extract_noticed_error: #{exception.inspect} #{exception.backtrace}\n"
         end
 
@@ -64,7 +66,7 @@ module NewRelic::Security
           if current_transaction.exceptions.empty? && http_response_code&.between?(500, 599)
             generate_unhandled_exception(nil, ctxt, response_code)
           else
-            extract_noticed_error(current_transaction, ctxt, response_code) unless current_transaction.exceptions.empty?
+            extract_noticed_error(current_transaction, ctxt, http_response_code) unless current_transaction.exceptions.empty?
           end
         end
 

data/lib/newrelic_security/agent/control/event.rb

@@ -104,6 +104,7 @@ module NewRelic::Security
           http_request[:headers] = ctxt.headers
           http_request[:contentType] = ctxt.req[CONTENT_TYPE] if ctxt.req.has_key?(CONTENT_TYPE)
           http_request[:headers][CONTENT_TYPE1] = ctxt.req[CONTENT_TYPE] if ctxt.req.has_key?(CONTENT_TYPE)
+          http_request[:customDataType] = ctxt.custom_data_type
           http_request[:dataTruncated] = ctxt.data_truncated
           @httpRequest = http_request
           @metaData[:isClientDetectedFromXFF] = ctxt.headers.has_key?(X_FORWARDED_FOR) ? true : false

data/lib/newrelic_security/agent/control/event_processor.rb

@@ -9,7 +9,7 @@ module NewRelic::Security
 
       class EventProcessor
 
-        attr_accessor :eventQ, :event_dequeue_thread, :healthcheck_thread
+        attr_accessor :eventQ, :event_dequeue_threads, :healthcheck_thread
 
         def initialize
           @first_event = true
@@ -24,18 +24,22 @@ module NewRelic::Security
           NewRelic::Security::Agent.init_logger.info "[STEP-3] => Gathering information about the application"
           app_info = NewRelic::Security::Agent::Control::AppInfo.new
           app_info.update_app_info
-          NewRelic::Security::Agent.logger.info "Sending application info : #{app_info.to_json}"
-          NewRelic::Security::Agent.init_logger.info "Sending application info : #{app_info.to_json}"
+          app_info_json = app_info.to_json
+          NewRelic::Security::Agent.logger.info "Sending application info : #{app_info_json}"
+          NewRelic::Security::Agent.init_logger.info "Sending application info : #{app_info_json}"
           enqueue(app_info)
           app_info = nil
+          app_info_json = nil
         end
 
         def send_application_url_mappings
           application_url_mappings = NewRelic::Security::Agent::Control::ApplicationURLMappings.new
           application_url_mappings.update_application_url_mappings
-          NewRelic::Security::Agent.logger.info "Sending application URL Mappings : #{application_url_mappings.to_json}"
+          application_url_mappings_json = application_url_mappings.to_json
+          NewRelic::Security::Agent.logger.info "Sending application URL Mappings : #{application_url_mappings_json}"
           enqueue(application_url_mappings)
           application_url_mappings = nil
+          application_url_mappings_json = nil
         end
 
         def send_event(event)
@@ -65,7 +69,7 @@ module NewRelic::Security
           if exc
             exception = {}
             exception[:message] = exc.message
-            exception[:cause] = exc.cause
+            exception[:cause] = { :message => exc.cause }
             exception[:stackTrace] = exc.backtrace.map(&:to_s)
           end
           critical_message = NewRelic::Security::Agent::Control::CriticalMessage.new(message, level, caller, thread_name, exception)
@@ -87,15 +91,17 @@ module NewRelic::Security
         private
 
         def create_dequeue_threads
-          # TODO: Create 3 or more consumers for event sending
-          @event_dequeue_thread = Thread.new do
-            Thread.current.name = "newrelic_security_event_thread"
-            loop do
-              begin
-                data_to_be_sent = @eventQ.pop
-                NewRelic::Security::Agent::Control::WebsocketClient.instance.send(data_to_be_sent)
-              rescue => exception
-                NewRelic::Security::Agent.logger.error "Exception in event pop operation : #{exception.inspect}"
+          @event_dequeue_threads = []
+          3.times do |t|
+            @event_dequeue_threads<< Thread.new do
+              Thread.current.name = "newrelic_security_event_thread-#{t}"
+              loop do
+                begin
+                  data_to_be_sent = @eventQ.pop
+                  NewRelic::Security::Agent::Control::WebsocketClient.instance.send(data_to_be_sent)
+                rescue => exception
+                  NewRelic::Security::Agent.logger.error "Exception in event pop operation : #{exception.inspect}"
+                end
               end
             end
           end

data/lib/newrelic_security/agent/control/event_subscriber.rb

@@ -8,7 +8,11 @@ module NewRelic::Security
               NewRelic::Security::Agent.init_logger.info "NewRelic server_source_configuration_added for pid : #{Process.pid}, Parent Pid : #{Process.ppid}"
               NewRelic::Security::Agent.config.update_server_config
               if NewRelic::Security::Agent.config[:'security.enabled'] && !NewRelic::Security::Agent.config[:high_security]
-                Thread.new { NewRelic::Security::Agent.agent.scan_scheduler.init_via_scan_scheduler }
+                NewRelic::Security::Agent.agent.event_processor&.event_dequeue_threads&.each { |t| t&.kill }
+                NewRelic::Security::Agent.agent.event_processor = nil
+                @csec_agent_main_thread&.kill
+                @csec_agent_main_thread = nil
+                @csec_agent_main_thread = Thread.new { NewRelic::Security::Agent.agent.scan_scheduler.init_via_scan_scheduler }
               else
                 NewRelic::Security::Agent.logger.info "New Relic Security is disabled by one of the user provided config `security.enabled` or `high_security`."
                 NewRelic::Security::Agent.init_logger.info "New Relic Security is disabled by one of the user provided config `security.enabled` or `high_security`."

data/lib/newrelic_security/agent/control/health_check.rb

@@ -38,6 +38,7 @@ module NewRelic::Security
           @procStartTime = NewRelic::Security::Agent.config[:process_start_time]
           @trafficStartedTime = NewRelic::Security::Agent.config[:traffic_start_time]
           @scanStartTime = NewRelic::Security::Agent.config[:scan_start_time]
+          @iastTestIdentifer = NewRelic::Security::Agent.config[:'security.iast_test_identifier']
         end
 
         def as_json

data/lib/newrelic_security/agent/control/http_context.rb

@@ -19,7 +19,7 @@ module NewRelic::Security
 
       class HTTPContext
         
-        attr_accessor :time_stamp, :req, :method, :headers, :params, :body, :data_truncated, :route, :cache, :fuzz_files, :event_counter, :mutex, :url
+        attr_accessor :time_stamp, :req, :method, :headers, :params, :body, :data_truncated, :route, :cache, :fuzz_files, :event_counter, :custom_data_type, :mutex, :url
 
         def initialize(env)
           @time_stamp = current_time_millis
@@ -48,6 +48,7 @@ module NewRelic::Security
           @data_truncated = @body && @body.size >= REQUEST_BODY_LIMIT * 1024
 					strio&.rewind
 					@body = @body.force_encoding(Encoding::UTF_8) if @body.is_a?(String)
+          @custom_data_type = {}
           @cache = Hash.new
           @fuzz_files = ::Set.new
           @event_counter = 0

data/lib/newrelic_security/agent/control/iast_client.rb

@@ -99,7 +99,7 @@ module NewRelic::Security
                 end
                 iast_data_transfer_request.pendingRequestIds = pending_request_ids.to_a
                 iast_data_transfer_request.completedRequests = completed_requests
-                NewRelic::Security::Agent.agent.event_processor&.send_iast_data_transfer_request(iast_data_transfer_request)
+                NewRelic::Security::Agent.agent.event_processor&.send_iast_data_transfer_request(iast_data_transfer_request) if NewRelic::Security::Agent::Control::WebsocketClient.instance.is_open?
               end
             end
           end

data/lib/newrelic_security/agent/control/reflected_xss.rb

@@ -108,8 +108,8 @@ module NewRelic::Security
                 processed_data.add(body)
               end
             when APPLICATION_XML
-              # Unescaping of xml data is remaining
-              processed_data.add(body)
+              xml_data = ::CGI.unescapeHTML(body)
+              processed_data.add(xml_data)
             when APPLICATION_X_WWW_FORM_URLENCODED
               body = ::CGI.unescape(body, UTF_8)
               processed_data.add(body)
@@ -134,7 +134,7 @@ module NewRelic::Security
               # do while loop in java code here
               old_processed_body = processed_body
               body = ::JSON.parse(processed_body)
-              processed_data.add(body) if old_processed_body != body && body.to_s.include?(LESS_THAN)
+              processed_data.add(body.to_s) if old_processed_body != body && body.to_s.include?(LESS_THAN)
             when APPLICATION_XML
               # Unescaping of xml data is remaining
               processed_data.add(processed_data)
@@ -176,7 +176,6 @@ module NewRelic::Security
           start_pos = 0
           tmp_curr_pos = 0
           tmp_start_pos = 0
-      
           while curr_pos < data.length
             matcher = TAG_NAME_REGEX.match(data, curr_pos)
             is_attack_construct = false

data/lib/newrelic_security/agent/control/websocket_client.rb

@@ -23,6 +23,8 @@ module NewRelic::Security
       NR_CSEC_IAST_DATA_TRANSFER_MODE = 'NR-CSEC-IAST-DATA-TRANSFER-MODE'
       NR_CSEC_IGNORED_VUL_CATEGORIES = 'NR-CSEC-IGNORED-VUL-CATEGORIES'
       NR_CSEC_PROCESS_START_TIME = 'NR-CSEC-PROCESS-START-TIME'
+      NR_CSEC_IAST_SCAN_INSTANCE_COUNT = 'NR-CSEC-IAST-SCAN-INSTANCE-COUNT'
+      NR_CSEC_IAST_TEST_IDENTIFIER = 'NR-CSEC-IAST-TEST-IDENTIFIER'
 
       class WebsocketClient
         include Singleton
@@ -47,6 +49,11 @@ module NewRelic::Security
           headers[NR_CSEC_IAST_DATA_TRANSFER_MODE] = PULL
           headers[NR_CSEC_IGNORED_VUL_CATEGORIES] = ingnored_vul_categories.join(COMMA)
           headers[NR_CSEC_PROCESS_START_TIME] = NewRelic::Security::Agent.config[:process_start_time]
+          headers[NR_CSEC_IAST_SCAN_INSTANCE_COUNT] = NewRelic::Security::Agent.config[:'security.scan_controllers.scan_instance_count']
+          if NewRelic::Security::Agent.config[:'security.iast_test_identifier'] && !NewRelic::Security::Agent.config[:'security.iast_test_identifier'].empty?
+            headers[NR_CSEC_IAST_TEST_IDENTIFIER] = NewRelic::Security::Agent.config[:'security.iast_test_identifier']
+            headers[NR_CSEC_IAST_SCAN_INSTANCE_COUNT] = 1
+          end
 
           begin
             cert_store = ::OpenSSL::X509::Store.new
@@ -54,13 +61,16 @@ module NewRelic::Security
             NewRelic::Security::Agent.logger.info "Websocket connection URL : #{NewRelic::Security::Agent.config[:validator_service_url]}"
             connection = NewRelic::Security::WebSocket::Client::Simple.connect NewRelic::Security::Agent.config[:validator_service_url], headers: headers, cert_store: cert_store
             @ws = connection
+            @mutex = Mutex.new
 
             connection.on :open do
+              headers = nil
               NewRelic::Security::Agent.logger.debug "Websocket connected with IC, AgentEventMachine #{NewRelic::Security::Agent::Utils.filtered_log(connection.inspect)}"
               NewRelic::Security::Agent.init_logger.info "[STEP-4] => Web socket connection to SaaS validator established successfully"
               NewRelic::Security::Agent.agent.event_processor.send_app_info
               NewRelic::Security::Agent.agent.event_processor.send_application_url_mappings
               NewRelic::Security::Agent.config.enable_security
+              NewRelic::Security::Agent::Control::WebsocketClient.instance.start_ping_thread
             end
         
             connection.on :message do |msg|
@@ -75,13 +85,14 @@ module NewRelic::Security
             connection.on :close do |e|
               NewRelic::Security::Agent.logger.info "Closing websocket connection : #{e.inspect}\n"
               NewRelic::Security::Agent.config.disable_security
-              Thread.new { NewRelic::Security::Agent.agent.reconnect(0) } if e
+              reconnect_interval = e.instance_of?(TrueClass) ? 0 : 15
+              Thread.new { NewRelic::Security::Agent.agent.reconnect(reconnect_interval) } if e
             end
 
             connection.on :error do |e|
               NewRelic::Security::Agent.logger.error "Error in websocket connection : #{e.inspect} #{e.backtrace}"
               ::NewRelic::Agent.notice_error(e)
-              Thread.new { NewRelic::Security::Agent::Control::WebsocketClient.instance.close(true) }
+              Thread.new { NewRelic::Security::Agent::Control::WebsocketClient.instance.close(e) }
             end
           rescue Errno::EPIPE => exception
             NewRelic::Security::Agent.logger.error "Unable to connect to validator_service: #{exception.inspect}"
@@ -107,25 +118,37 @@ module NewRelic::Security
         end
 
         def send(message)
-          message_json = message.to_json
-          NewRelic::Security::Agent.logger.debug "Sending #{message.jsonName} : #{message_json}"
-          res = @ws.send(message_json)
-          if res && message.jsonName == :Event
-            NewRelic::Security::Agent.agent.event_sent_count.increment
-            if NewRelic::Security::Agent::Utils.is_IAST_request?(message.httpRequest[:headers])
-              NewRelic::Security::Agent.agent.iast_event_stats.sent.increment
-            else
-              NewRelic::Security::Agent.agent.rasp_event_stats.sent.increment
+          message_json = nil
+          begin
+            message_json = message.to_json
+            NewRelic::Security::Agent.logger.debug "Sending #{message.jsonName} : #{message_json}"
+            @mutex.synchronize do
+              res = @ws.send(message_json)
+              if res && message.jsonName == :Event
+                NewRelic::Security::Agent.agent.event_sent_count.increment
+                if NewRelic::Security::Agent::Utils.is_IAST_request?(message.httpRequest[:headers])
+                  NewRelic::Security::Agent.agent.iast_event_stats.sent.increment
+                else
+                  NewRelic::Security::Agent.agent.rasp_event_stats.sent.increment
+                end
+              end
+              NewRelic::Security::Agent.agent.exit_event_stats.sent.increment if res && message.jsonName == :'exit-event'
             end
+          rescue Exception => exception
+            NewRelic::Security::Agent.logger.error "Exception in sending message : #{exception.inspect} #{exception.backtrace}, message: #{message_json}"
+            NewRelic::Security::Agent.agent.event_drop_count.increment if message.jsonName == :Event
+            NewRelic::Security::Agent.agent.event_processor.send_critical_message(exception.message, "SEVERE", caller_locations[0].to_s, Thread.current.name, exception)
+          ensure
+            message_json = nil
           end
-          NewRelic::Security::Agent.agent.exit_event_stats.sent.increment if res && message.jsonName == :'exit-event'
-        rescue Exception => exception
-          NewRelic::Security::Agent.logger.error "Exception in sending message : #{exception.inspect} #{exception.backtrace}"
-          NewRelic::Security::Agent.agent.event_drop_count.increment if message.jsonName == :Event
-          NewRelic::Security::Agent.agent.event_processor.send_critical_message(exception.message, "SEVERE", caller_locations[0].to_s, Thread.current.name, exception)
         end
 
         def close(reconnect = true)
+          NewRelic::Security::Agent.config.disable_security
+          NewRelic::Security::Agent.logger.info "Flushing eventQ (#{NewRelic::Security::Agent.agent.event_processor.eventQ.size} events) and closing websocket connection"
+          NewRelic::Security::Agent.agent.event_processor&.eventQ&.clear
+          @iast_client&.iast_data_transfer_request_processor_thread&.kill
+          stop_ping_thread
           @ws.close(reconnect) if @ws
         end
 
@@ -134,8 +157,22 @@ module NewRelic::Security
           false
         end
 
+        def start_ping_thread
+          @ping_thread = Thread.new do
+            loop do
+              sleep 30
+              @ws.send(EMPTY_STRING, :type => :ping)
+            end
+          end
+        end
+
         private
 
+        def stop_ping_thread
+          @ping_thread&.kill
+          @ping_thread = nil
+        end
+
         def ingnored_vul_categories
           list = []
           list << FILE_OPERATION << FILE_INTEGRITY if NewRelic::Security::Agent.config[:'security.exclude_from_iast_scan.iast_detection_category.invalid_file_access']

data/lib/newrelic_security/agent/utils/agent_utils.rb

@@ -114,12 +114,14 @@ module NewRelic::Security
             end
           end
         when :grape
-          ObjectSpace.each_object(::Grape::Endpoint) { |z|
-            z.instance_variable_get(:@routes)&.each { |route|
-              http_method = route.instance_variable_get(:@request_method) || route.instance_variable_get(:@options)[:method]
-              NewRelic::Security::Agent.agent.route_map << "#{http_method}@#{route.pattern.origin}"
-            }
-          }
+          if defined?(::Grape::API)
+            ObjectSpace.each_object(Class).select { |klass| klass < ::Grape::API }.each do |api_class|
+              api_class.routes.each do |route|
+                http_method = route.request_method || route.options[:method]
+                NewRelic::Security::Agent.agent.route_map << "#{http_method}@#{route.pattern.origin}"
+              end
+            end
+          end
         when :padrino
           if router.instance_of?(::Padrino::PathRouter::Router)
             router.instance_variable_get(:@routes).each do |route|
@@ -127,17 +129,19 @@ module NewRelic::Security
             end
           end
         when :roda
-          NewRelic::Security::Agent.logger.warn "TODO: Roda is a routing tree web toolkit, which generates route dynamically, hence route extraction is not possible."
+          NewRelic::Security::Agent.logger.debug "TODO: Roda is a routing tree web toolkit, which generates route dynamically, hence route extraction is not possible."
         when :grpc
           router.owner.superclass.public_instance_methods(false).each do |m|
             NewRelic::Security::Agent.agent.route_map << "*@/#{router.owner}/#{m}"
           end
+        when :rack
+          # TODO: API enpointes(routes) extraction for rack
         else
           NewRelic::Security::Agent.logger.error "Unable to get app routes as Framework not detected"
         end
         disable_object_space_in_jruby if NewRelic::Security::Agent.config[:jruby_objectspace_enabled]
         NewRelic::Security::Agent.logger.debug "ALL ROUTES : #{NewRelic::Security::Agent.agent.route_map}"
-        NewRelic::Security::Agent.agent.event_processor&.send_application_url_mappings
+        NewRelic::Security::Agent.agent.event_processor&.send_application_url_mappings unless NewRelic::Security::Agent.agent.route_map.empty?
       rescue Exception => exception
         NewRelic::Security::Agent.logger.error "Error in get app routes : #{exception.inspect} #{exception.backtrace}"
       end
@@ -199,14 +203,14 @@ module NewRelic::Security
       end
 
       def enable_object_space_in_jruby
-        if RUBY_ENGINE == 'jruby' && !JRuby.objectspace
+        if RUBY_ENGINE == 'jruby' && JRuby.respond_to?(:objectspace) && !JRuby.objectspace
           JRuby.objectspace = true
           NewRelic::Security::Agent.config.jruby_objectspace_enabled = true
         end
       end
 
       def disable_object_space_in_jruby
-        if RUBY_ENGINE == 'jruby' && JRuby.objectspace
+        if RUBY_ENGINE == 'jruby' && JRuby.respond_to?(:objectspace) && JRuby.objectspace
           JRuby.objectspace = false
           NewRelic::Security::Agent.config.jruby_objectspace_enabled = false
         end

data/lib/newrelic_security/instrumentation-security/graphql/chain.rb

@@ -0,0 +1,26 @@
+module NewRelic::Security
+  module Instrumentation
+    module GraphQL
+      module Query
+        module Executor
+          module Chain
+            def self.instrument!
+              ::GraphQL::Query::Executor.class_eval do
+                class << self
+                  include NewRelic::Security::Instrumentation::GraphQL::Query::Executor
+    
+                  alias_method :execute_without_security, :execute
+    
+                  def execute
+                    execute_on_enter { return execute_without_security }
+                  end
+    
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/instrumentation-security/graphql/instrumentation.rb

@@ -0,0 +1,28 @@
+require_relative 'prepend'
+require_relative 'chain'
+
+module NewRelic::Security
+  module Instrumentation
+    module GraphQL::Query::Executor
+      
+      GRAPHQL_QUERY = 'GRAPHQL_QUERY'.freeze
+      GRAPHQL_VARIABLE = 'GRAPHQL_VARIABLE'.freeze
+      STAR_DOT_QUERY = '*.query'.freeze
+      STAR_DOT_VARIABLES = '*.variables'.freeze
+
+      def execute_on_enter
+        NewRelic::Security::Agent.logger.debug "OnEnter : #{self.class}.#{__method__}"
+        ctxt = NewRelic::Security::Agent::Control::HTTPContext.get_context
+        ctxt.custom_data_type[STAR_DOT_QUERY] = GRAPHQL_QUERY if query.query_string
+        ctxt.custom_data_type[STAR_DOT_VARIABLES] = GRAPHQL_VARIABLE if query.instance_variable_get(:@provided_variables)
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+      end
+
+    end
+  end
+end
+
+NewRelic::Security::Instrumentation::InstrumentationLoader.install_instrumentation(:graphql, ::GraphQL::Query::Executor, ::NewRelic::Security::Instrumentation::GraphQL::Query::Executor)

data/lib/newrelic_security/instrumentation-security/graphql/prepend.rb

@@ -0,0 +1,18 @@
+module NewRelic::Security
+  module Instrumentation
+    module GraphQL
+      module Query
+        module Executor
+          module Prepend
+            include NewRelic::Security::Instrumentation::GraphQL::Query::Executor
+
+            def execute
+              execute_on_enter { return super }
+            end
+
+          end
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/instrumentation-security/io/chain.rb

@@ -99,9 +99,9 @@ module NewRelic::Security
 
               alias_method :popen_without_security, :popen
               
-              def popen(*var)
+              def popen(*var, &block)
                 retval = nil
-                event = popen_on_enter(*var) { retval = popen_without_security(*var) }
+                event = popen_on_enter(*var) { retval = popen_without_security(*var, &block) }
                 popen_on_exit(event) { return retval }
               end
             end

data/lib/newrelic_security/instrumentation-security/io/prepend.rb

@@ -75,7 +75,7 @@ module NewRelic::Security
           binwrite_on_exit(event, retval) { return retval }
         end
 
-        def popen(*var)
+        def popen(*var, &block)
           retval = nil
           event = popen_on_enter(*var) { retval = super }
           popen_on_exit(event) { return retval }

data/lib/newrelic_security/instrumentation-security/rack/chain.rb

@@ -0,0 +1,24 @@
+module NewRelic::Security
+  module Instrumentation
+    module Rack
+      module Builder
+        module Chain
+          def self.instrument!
+            ::Rack::Builder.class_eval do 
+              include NewRelic::Security::Instrumentation::Rack::Builder
+
+              alias_method :call_without_security, :call
+
+              def call(env)
+                retval = nil
+                event = call_on_enter(env) { retval = call_without_security(env) }
+                call_on_exit(event, retval) { return retval }
+              end
+            end
+          end
+        end
+      end
+    end
+    
+  end
+end

data/lib/newrelic_security/instrumentation-security/rack/instrumentation.rb

@@ -0,0 +1,44 @@
+require_relative 'prepend'
+require_relative 'chain'
+
+module NewRelic::Security
+  module Instrumentation
+    module Rack::Builder
+
+      def call_on_enter(env)
+        event = nil
+        NewRelic::Security::Agent.logger.debug "OnEnter : #{self.class}.#{__method__}"
+        return unless NewRelic::Security::Agent.config[:enabled]
+        NewRelic::Security::Agent.config.update_port = NewRelic::Security::Agent::Utils.app_port(env) unless NewRelic::Security::Agent.config[:listen_port]
+        NewRelic::Security::Agent::Utils.get_app_routes(:rack) if NewRelic::Security::Agent.agent.route_map.empty?
+        NewRelic::Security::Agent::Control::HTTPContext.set_context(env)
+        ctxt = NewRelic::Security::Agent::Control::HTTPContext.get_context
+        ctxt.route = "#{env[REQUEST_METHOD]}@#{env[PATH_INFO]}" if ctxt
+        NewRelic::Security::Agent::Utils.parse_fuzz_header(NewRelic::Security::Agent::Control::HTTPContext.get_context)
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+        return event
+      end
+      
+      def call_on_exit(event, retval)
+        NewRelic::Security::Agent.logger.debug "OnExit :  #{self.class}.#{__method__}"
+        # NewRelic::Security::Agent.logger.debug "\n\nHTTP Context : #{::NewRelic::Agent::Tracer.current_transaction.instance_variable_get(:@security_context_data).inspect}\n\n"
+        NewRelic::Security::Agent::Control::ReflectedXSS.check_xss(NewRelic::Security::Agent::Control::HTTPContext.get_context, retval) if NewRelic::Security::Agent.config[:'security.detection.rxss.enabled']
+        NewRelic::Security::Agent::Utils.delete_created_files(NewRelic::Security::Agent::Control::HTTPContext.get_context)
+        NewRelic::Security::Agent.agent.error_reporting&.report_unhandled_or_5xx_exceptions(NewRelic::Security::Agent::Control::HTTPContext.get_current_transaction, NewRelic::Security::Agent::Control::HTTPContext.get_context, retval[0])
+        NewRelic::Security::Agent::Control::HTTPContext.reset_context
+        NewRelic::Security::Agent.logger.debug "Exit event : #{event}"
+      rescue => exception
+        NewRelic::Security::Agent.logger.error "Exception in hook in #{self.class}.#{__method__}, #{exception.inspect}, #{exception.backtrace}"
+      ensure
+        yield
+      end
+      
+    end
+
+  end
+end
+
+NewRelic::Security::Instrumentation::InstrumentationLoader.install_instrumentation(:rack, NewRelic::Security::Agent.config[:app_class].class, ::NewRelic::Security::Instrumentation::Rack::Builder) if NewRelic::Security::Agent.config[:framework] == :rack

data/lib/newrelic_security/instrumentation-security/rack/prepend.rb

@@ -0,0 +1,18 @@
+module NewRelic::Security
+  module Instrumentation
+    module Rack
+      module Builder
+        module Prepend
+          include NewRelic::Security::Instrumentation::Rack::Builder
+
+          def call(env, &block)
+            retval = nil
+            event = call_on_enter(env) { retval = super }
+            call_on_exit(event, retval) { return retval }
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/version.rb

@@ -1,5 +1,5 @@
 module NewRelic
   module Security
-    VERSION = "0.3.0"
+    VERSION = "0.4.0"
   end
 end

data/lib/newrelic_security/websocket-client-simple/client.rb

@@ -72,7 +72,11 @@ module NewRelic::Security
                     end
                   end
                 rescue IOError => e
-                  close false
+                  if e.inspect =~ /stream closed in another thread/
+                    close false
+                  else
+                    emit :error, e
+                  end
                 rescue => e
                   emit :error, e
                 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: newrelic_security
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Prateek Sen
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-11-20 00:00:00.000000000 Z
+date: 2025-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: newrelic_rpm
@@ -208,6 +208,9 @@ files:
 - lib/newrelic_security/instrumentation-security/grape/chain.rb
 - lib/newrelic_security/instrumentation-security/grape/instrumentation.rb
 - lib/newrelic_security/instrumentation-security/grape/prepend.rb
+- lib/newrelic_security/instrumentation-security/graphql/chain.rb
+- lib/newrelic_security/instrumentation-security/graphql/instrumentation.rb
+- lib/newrelic_security/instrumentation-security/graphql/prepend.rb
 - lib/newrelic_security/instrumentation-security/grpc/client/chain.rb
 - lib/newrelic_security/instrumentation-security/grpc/client/instrumentation.rb
 - lib/newrelic_security/instrumentation-security/grpc/client/prepend.rb
@@ -258,6 +261,9 @@ files:
 - lib/newrelic_security/instrumentation-security/pty/chain.rb
 - lib/newrelic_security/instrumentation-security/pty/instrumentation.rb
 - lib/newrelic_security/instrumentation-security/pty/prepend.rb
+- lib/newrelic_security/instrumentation-security/rack/chain.rb
+- lib/newrelic_security/instrumentation-security/rack/instrumentation.rb
+- lib/newrelic_security/instrumentation-security/rack/prepend.rb
 - lib/newrelic_security/instrumentation-security/rails/chain.rb
 - lib/newrelic_security/instrumentation-security/rails/instrumentation.rb
 - lib/newrelic_security/instrumentation-security/rails/prepend.rb
@@ -324,7 +330,7 @@ metadata:
   documentation_uri: https://docs.newrelic.com/docs/iast/introduction/
   source_code_uri: https://github.com/newrelic/csec-ruby-agent
   homepage_uri: https://github.com/newrelic/csec-ruby-agent
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -340,7 +346,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.3.1
 requirements: []
 rubygems_version: 3.4.19
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Extension for newrelic_rpm with security feature
 test_files: []