contrast-agent 3.8.4

data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h

@@ -0,0 +1,29 @@
+#include <funchook.h>
+#include <ruby.h>
+
+static VALUE regexp_class;
+static VALUE track_rb_n_match;
+static VALUE track_rb_pre_match;
+static VALUE track_rb_post_match;
+static VALUE track_rb_reg_match_last;
+
+VALUE rb_reg_match_pre(VALUE match);
+static VALUE *(*rb_reg_match_pre_original)(VALUE match);
+
+VALUE rb_reg_match_post(VALUE match);
+static VALUE *(*rb_reg_match_post_original)(VALUE match);
+
+VALUE rb_reg_match_last(VALUE match);
+static VALUE *(*rb_reg_match_last_original)(VALUE match);
+
+VALUE rb_reg_nth_match(int nth, VALUE match);
+static VALUE *(*rb_reg_nth_match_original)(int nth, VALUE match);
+
+static VALUE rb_reg_match_pre_hook(VALUE match);
+static VALUE rb_reg_match_post_hook(VALUE match);
+static VALUE rb_reg_match_last_hook(VALUE match);
+static VALUE rb_reg_nth_match_hook(int nth, VALUE match);
+
+static int install_regexp_hooks();
+
+void Init_cs__assess_regexp_track(void);

data/ext/cs__assess_regexp_track/extconf.rb

@@ -0,0 +1,2 @@
+$TO_MAKE = File.basename(__dir__)
+require_relative '../extconf_common'

data/ext/cs__assess_string/cs__assess_string.c

@@ -0,0 +1,38 @@
+/* Copyright (c) 2020 Contrast Security, Inc.  See
+ * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
+
+#include "cs__assess_string.h"
+#include "../cs__common/cs__common.h"
+#include <ruby.h>
+
+static VALUE contrast_assess_string_uminus(const VALUE obj) {
+    VALUE dup, tracked;
+    if (!OBJ_FROZEN(obj)) {
+        tracked = rb_funcall(obj, rb_sym_cs_tracked, 0);
+        if (RTEST(tracked)) {
+            /*
+             * If the object is not frozen and the object is tracked, we cheat.
+             * We dup and then freeze to replicate the behavior of str_uminus in
+             * string.c, but we ignore any other monkey patches on String#-@
+             */
+            dup = rb_funcall(obj, rb_sym_dup, 0);
+            rb_funcall(dup, rb_sym_freeze, 0);
+            return dup;
+        }
+    }
+    /* in all other cases, preserve monkey patching and c call */
+    return rb_funcall(obj, rb_sym_assess_string_uminus, 0);
+}
+
+void Init_cs__assess_string(void) {
+    VALUE string_class;
+
+    rb_sym_dup = rb_intern("dup");
+    rb_sym_freeze = rb_intern("freeze");
+    rb_sym_assess_string_uminus = rb_intern("cs__patched_minus_at");
+
+    string_class = rb_define_class("String", rb_cObject);
+    /* -@ */
+    contrast_alias_method(string_class, "cs__patched_minus_at", "-@");
+    rb_define_method(string_class, "-@", contrast_assess_string_uminus, 0);
+}

data/ext/cs__assess_string/cs__assess_string.h

@@ -0,0 +1,19 @@
+#include <ruby.h>
+
+static VALUE rb_sym_assess_string_uminus;
+static VALUE rb_sym_dup;
+static VALUE rb_sym_freeze;
+
+/*
+ * The String#-@ method calls to the str_uminus method in String.C. This method
+ * differs in behavior from String#freeze in that it removes instance variables
+ * from the object when it is frozen. Rather than implement a trace map for
+ * frozen things (to which you cannot implment weak references, resulting in
+ * a potential memory leak), we'll override the method so that, in essence, it
+ * never calls String#-@ for unfrozen and tracked objects, but instead calls
+ * String#freeze, which will leave our properties alone.
+ * -HM
+ */
+static VALUE contrast_assess_string_uminus(const VALUE obj);
+
+void Init_cs__assess_string(void);

data/ext/cs__assess_string/extconf.rb

@@ -0,0 +1,2 @@
+$TO_MAKE = File.basename(__dir__)
+require_relative '../extconf_common'

data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c

@@ -0,0 +1,31 @@
+/* Copyright (c) 2020 Contrast Security, Inc.  See
+ * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
+
+#include "cs__assess_string_interpolation26.h"
+#include "../cs__common/cs__common.h"
+#include <funchook.h>
+#include <ruby.h>
+
+static VALUE rb_str_concat_literals_hook(size_t num, VALUE *strary) {
+    VALUE result = rb_str_concat_literals_original(num, strary);
+    VALUE rb_params = rb_ary_new_from_values((int)num, strary);
+    rb_funcall(string_class, track_interpolation, 2, rb_params, result);
+    return result;
+}
+
+static int install_hooks() {
+    funchook_t *funchook = funchook_create();
+
+    rb_str_concat_literals_original = rb_str_concat_literals;
+    funchook_prepare(funchook, (void **)&rb_str_concat_literals_original,
+                     rb_str_concat_literals_hook);
+
+    funchook_install(funchook, 0);
+    return 0;
+}
+
+void Init_cs__assess_string_interpolation26(void) {
+    string_class = rb_define_class_under(core_assess, "StringPropagator", rb_cObject);
+    track_interpolation = rb_intern("track_interpolation");
+    install_hooks();
+}

data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h

@@ -0,0 +1,13 @@
+#include <ruby.h>
+
+static VALUE string_class;
+static VALUE track_interpolation;
+
+void *rb_str_concat_literals(size_t num, const VALUE *strary);
+void *(*rb_str_concat_literals_original)(size_t, const VALUE *);
+
+static VALUE rb_str_concat_literals_hook(size_t num, VALUE *strary);
+
+static int install_hooks();
+
+void Init_cs__assess_string_interpolation26(void);

data/ext/cs__assess_string_interpolation26/extconf.rb

@@ -0,0 +1,2 @@
+$TO_MAKE = File.basename(__dir__)
+require_relative '../extconf_common'

data/ext/cs__common/cs__common.c

@@ -0,0 +1,60 @@
+/* Copyright (c) 2020 Contrast Security, Inc.  See
+ * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
+
+#include "cs__common.h"
+#include <ruby.h>
+
+/* Globals */
+/* These are defined w/ `extern` in the header */
+VALUE contrast, agent, patching, policy, assess, core_extensions, core_assess;
+
+VALUE rb_sym_enter_scope;
+VALUE rb_sym_exit_scope;
+VALUE rb_sym_in_scope;
+VALUE rb_sym_skip_contrast_analysis;
+VALUE rb_sym_skip_assess_analysis;
+VALUE rb_sym_method;
+VALUE rb_sym_cs_tracked;
+/* end globals */
+
+void contrast_alias_method(const VALUE target, const char *to,
+                           const char *from) {
+    rb_funcall(target, cs__send_method, 3, cs__alias_method_sym,
+               ID2SYM(rb_intern(to)), ID2SYM(rb_intern(from)));
+}
+
+VALUE contrast_patcher() {
+    return patcher;
+}
+
+void Init_cs__common(void) {
+    cs__send_method = rb_intern("send");
+    cs__alias_method_sym = ID2SYM(rb_intern("alias_method"));
+
+    /* Define symbols */
+    rb_sym_enter_scope = rb_intern("enter_contrast_scope!");
+    rb_sym_exit_scope = rb_intern("exit_contrast_scope!");
+    rb_sym_in_scope = rb_intern("in_contrast_scope?");
+    rb_sym_skip_contrast_analysis = rb_intern("skip_contrast_analysis?");
+    rb_sym_skip_assess_analysis = rb_intern("skip_assess_analysis?");
+    rb_sym_method = rb_intern("__method__");
+    rb_sym_cs_tracked = rb_intern("cs__tracked?");
+
+    /* Ensure definition of core Contrast instrumentation modules */
+    contrast = rb_define_module("Contrast");
+    agent = rb_define_module_under(contrast, "Agent");
+
+    assess = rb_define_module_under(agent, "Assess");
+
+    patching = rb_define_module_under(agent, "Patching");
+    policy = rb_define_module_under(patching, "Policy");
+    patcher = rb_define_module_under(policy, "Patch");
+
+    core_extensions = rb_define_module_under(contrast, "CoreExtensions");
+    core_assess = rb_define_module_under(core_extensions, "Assess");
+
+    /* Ensure ScopeUtil is set on the Contrast patcher */
+    VALUE utils = rb_define_module_under(contrast, "Utils");
+    VALUE scopeUtil = rb_define_module_under(utils, "ScopeUtil");
+    rb_extend_object(patcher, scopeUtil);
+}

data/ext/cs__common/cs__common.h

@@ -0,0 +1,28 @@
+#ifndef __CS_COMMON
+#define __CS_COMMON
+
+#include <ruby.h>
+
+static VALUE cs__send_method;
+static VALUE cs__alias_method_sym;
+
+extern VALUE contrast, agent, patching, policy, assess, core_extensions, core_assess;
+
+extern VALUE rb_sym_enter_scope;
+extern VALUE rb_sym_exit_scope;
+extern VALUE rb_sym_in_scope;
+extern VALUE rb_sym_skip_contrast_analysis;
+extern VALUE rb_sym_skip_assess_analysis;
+extern VALUE rb_sym_method;
+extern VALUE rb_sym_cs_tracked;
+
+static VALUE patcher;
+
+void contrast_alias_method(const VALUE target, const char *to,
+                           const char *from);
+
+VALUE contrast_patcher();
+
+void Init_cs__common(void);
+
+#endif /* __CS_COMMON */

data/ext/cs__common/extconf.rb

@@ -0,0 +1,20 @@
+require 'mkmf'
+
+require_relative '../../lib/contrast/agent/version'
+installed_path = __dir__
+
+origin =  if (darwin = !(/darwin/ =~ RUBY_PLATFORM).nil?)
+            "@loader_path"
+          else
+            "\\$${ORIGIN}"
+          end
+
+options = " -Wl,-rpath,#{origin}/../../shared_libraries"
+
+if try_link('int main() {return 0;}', options)
+  $LDFLAGS << options
+end
+
+$LIBPATH << installed_path
+
+create_makefile 'cs__common/cs__common'

data/ext/cs__contrast_patch/cs__contrast_patch.c

@@ -0,0 +1,445 @@
+/* Copyright (c) 2020 Contrast Security, Inc.  See
+ * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
+
+#include "cs__contrast_patch.h"
+#include "../cs__common/cs__common.h"
+#include <ruby.h>
+
+VALUE build_preshift(const VALUE method_policy, const VALUE object,
+                     const int argc, const VALUE *params) {
+    if (method_policy == Qnil) {
+        return Qnil;
+    }
+
+    VALUE propagation_node, send, ret;
+    propagation_node = rb_funcall(method_policy, rb_sym_propagation_node, 0);
+    /* if there isn't a propagation node that applies to this method
+     *  we don't need to build a preshift */
+    if (propagation_node == Qnil) {
+        return Qnil;
+    }
+    send = rb_ary_new_from_values(argc, params);
+    ret = rb_funcall(preshift_class, rb_sym_build_preshift, 3, propagation_node,
+                     object, send);
+    return ret;
+}
+
+VALUE contrast_patch_call_original(const VALUE *args) {
+    int argc;
+    VALUE method, method_id, object;
+    VALUE *params;
+    object = args[0];
+    method = args[1];
+    method_id = SYM2ID(method);
+    argc = NUM2INT(args[2]);
+    params = (VALUE *)args[3];
+
+    /* It looks like we can find the last Ruby block given so long as we don't
+     * change Ruby method scope (always call this function from C, not Ruby),
+     * which is the point of this C call.
+     */
+    if (rb_block_given_p()) {
+        return rb_funcall_with_block(object, method_id, argc, params,
+                                     rb_block_proc());
+    } else {
+        return rb_funcall2(object, method_id, argc, params);
+    }
+}
+
+VALUE contrast_call_pre_patch(const VALUE method_policy, const VALUE method,
+                              const VALUE object, const int count,
+                              const VALUE *params, const VALUE exception) {
+    /* For simplicity's sake, this Ruby method is responsible for
+     * exiting scope if it throws a SecurityException.
+     * When we start to macro rescues, we can change this.
+     */
+    VALUE send;
+    send = rb_ary_new_from_values(count, params);
+    return rb_funcall(contrast_patcher(), rb_sym_contrast_apply_pre_patch, 5,
+                      method_policy, method, exception, object, send);
+}
+
+VALUE contrast_call_post_patch(const VALUE method_policy, const VALUE preshift,
+                               const VALUE object, const VALUE ret,
+                               const int count, const VALUE *params) {
+    VALUE send;
+    send = rb_ary_new_from_values(count, params);
+
+    VALUE block;
+    if (rb_block_given_p()) {
+        block = rb_block_proc();
+    } else {
+        block = Qnil;
+    }
+    return rb_funcall(contrast_patcher(), rb_sym_contrast_apply_post_patch, 6,
+                      method_policy, preshift, object, ret, send, block);
+}
+
+VALUE contrast_patch_call_rescue(const VALUE *args) {
+    int argc;
+    VALUE exception, object, preshift, method_policy, method;
+    VALUE *argv;
+
+    /* rb_errinfo() gives the value of $!, the exception that
+     * triggered a rescue block.
+     */
+    exception = rb_errinfo();
+
+    object = args[0];
+    method = args[1];
+    argc = NUM2INT(args[2]);
+    argv = (VALUE *)args[3];
+    method_policy = args[4];
+    preshift = args[5];
+
+    contrast_call_post_patch(method_policy, preshift, object, Qnil, argc, argv);
+
+    /* exit scope */
+    rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
+
+    /* reraise the exception that got us here */
+    rb_exc_raise(exception);
+
+    return Qnil;
+}
+
+VALUE contrast_call_super(const VALUE *args) {
+    int argc = NUM2INT(args[0]);
+    VALUE *argv = (VALUE *)args[1];
+
+    return rb_call_super(argc, argv);
+}
+
+VALUE contrast_patch_dispatch(const int argc, const VALUE *argv,
+                              const patch_impl impl, const VALUE object) {
+    VALUE cs__method, known, method, ret, transformed_ret, original_ret,
+        method_policy, preshift;
+    VALUE original_args[4];
+    VALUE rescue_args[7];
+
+    int do_contrast, nested_scope;
+
+    /* Do Contrast analysis, unless our subsequent checks tell us no. */
+    do_contrast = 1;
+
+    /* Before we enter scope, see if we're already in scope.
+     * We only want to Contrast methods called out of all scope.
+     * Otherwise, we do things like propagate within propagators,
+     * which is unnecessary, or run Contrast analysis on Contrast code,
+     * which will never terminate.
+     */
+    nested_scope = RTEST(rb_funcall(contrast_patcher(), rb_sym_in_scope, 0));
+
+    /* enter scope */
+    rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
+
+    /* Get the name of the calling method */
+    method = rb_funcall(object, rb_sym_method, 0);
+
+    /* Retrieve from Ruby Patcher class
+     * [method_policy object, Symbol representing original method]
+     */
+    switch (impl) {
+    case IMPL_ALIAS_INSTANCE:
+    case IMPL_PREPEND:
+        known =
+            rb_funcall(patch_status, rb_sym_info_for, 3, object, method, Qtrue);
+        break;
+    case IMPL_ALIAS_SINGLETON:
+        known = rb_funcall(patch_status, rb_sym_info_for, 3, object, method,
+                           Qfalse);
+        break;
+    }
+
+    /* Index into above array & retrieve contents */
+    if (RTEST(known)) {
+        method_policy = rb_funcall(known, rb_sym_brackets, 1, INT2NUM(0));
+    } else {
+        method_policy = Qnil;
+    }
+
+    if (impl == IMPL_ALIAS_INSTANCE || impl == IMPL_ALIAS_SINGLETON) {
+        /* Alias patching moves the original method to "cs__#{method}" */
+        cs__method = rb_funcall(known, rb_sym_brackets, 1, INT2NUM(1));
+
+        /* We may not have built the alias yet */
+        if (!RTEST(cs__method)) {
+            cs__method =
+                rb_funcall(contrast_patcher(), rb_sym_build_method_name, 2,
+                           object, method);
+        }
+    }
+
+    /* Check conditions for not doing Contrast analysis */
+    if (nested_scope) {
+        /* if we were in scope */
+        do_contrast = 0;
+    } else if (!RTEST(known)) {
+        /* nothing to be done with entirely unknown method*/
+        do_contrast = 0;
+    } else if (!RTEST(method_policy)) {
+        /* nothing to be done without a method policy */
+        do_contrast = 0;
+    } else if (!RTEST(rb_funcall(contrast_patcher(), rb_sym_in_request_context,
+                                 0))) {
+        /* (RUBY-290, checking for a request_context is to be deprecated)
+         * if we're not within a request context, don't analyze (by fiat)
+         * We reset scope at the end of request contexts right now, don't remove
+         * this check without also handling that code.
+         */
+        do_contrast = 0;
+    }
+
+    switch (impl) {
+    case IMPL_ALIAS_INSTANCE:
+    case IMPL_ALIAS_SINGLETON:
+        original_args[0] = object;
+        original_args[1] = cs__method;
+        original_args[2] = INT2NUM(argc);
+        original_args[3] = (VALUE)argv;
+        break;
+    case IMPL_PREPEND:
+        original_args[0] = INT2NUM(argc);
+        original_args[1] = (VALUE)argv;
+        break;
+    }
+
+    /* If we're not doing Contrast analysis, exit scope and treat as normal. */
+    if (!do_contrast) {
+        goto call_original;
+    }
+
+    rescue_args[0] = object;
+    rescue_args[1] = method;
+    rescue_args[2] = INT2NUM(argc);
+    rescue_args[3] = (VALUE)argv;
+    rescue_args[4] = method_policy;
+
+    /* Tracking, triggering, and propagation here. */
+    contrast_call_pre_patch(method_policy, method, object, argc, argv, Qnil);
+
+    /* Capture pre-call state */
+    preshift = build_preshift(method_policy, object, argc, argv);
+    rescue_args[5] = preshift;
+
+    /* We wrap a call to the original method with a rescue block, and we use
+     * rb_rescue2 to capture all Exception-inheriting exceptions (and if your
+     * software is well-behaved, all exceptions should inherit from Exception.)
+     *
+     * The rescue block is responsible for doing Contrast post-call analysis
+     * in the event the original method has thrown an exception.
+     *
+     * EDGE CASES:
+     * Given how extensively we patch and instrument, this code is
+     * prone to some esoteric edge cases that are not well-documented or
+     * easy to research.
+     *
+     * There is an esoteric edge case in core Ruby, upon Thread#kill, where
+     * it raises Fixnum 8 (Qnil==8).  This is an intentional choice on the
+     * part of the core Ruby devs, as blindly rescuing Thread#kill would be
+     * disastrous.
+     * A consequence of this is that Thread#kill will leak scope, if you
+     * happen to ever instrument it.
+     *
+     * If you are within a catch block, and the original function results
+     * in a throw, you will leak scope.  We handle this by not instrumenting
+     * methods that do that.  (Tracked in RUBY-552.)
+     *
+     * If you're thinking of cleaning this up by using rb_protect,
+     * you will catch ALL exceptions, as well as ANYTHING
+     * else that unwinds the stack.  This includes fiber context switches
+     * (which are used to implement Enumerator#next) and catch/throw blocks.
+     * I spent a week debugging that so you don't have to.  -ajm
+     */
+
+    switch (impl) {
+    case IMPL_ALIAS_INSTANCE:
+    case IMPL_ALIAS_SINGLETON:
+        original_ret = rb_rescue2(
+            contrast_patch_call_original, (VALUE)original_args,
+            contrast_patch_call_rescue, (VALUE)rescue_args, rb_eException, 0);
+        break;
+    case IMPL_PREPEND:
+        original_ret = rb_rescue2(contrast_call_super, (VALUE)original_args,
+                                  contrast_patch_call_rescue,
+                                  (VALUE)rescue_args, rb_eException, 0);
+        break;
+    };
+
+    /* If you're here, the original method did not throw an exception
+     * (or unwind the stack otherwise).
+     * If the original method threw an exception, contrast_patch_call_rescue
+     * re-raises the original exception, which unwinds the stack back to the
+     * call site.  This means the rest of this function is not executed.
+     */
+
+    /* Invoke Contrast post-call patching.
+     * Post-call patching may transform the return value,
+     * hence the assignment.
+     */
+    transformed_ret = contrast_call_post_patch(method_policy, preshift, object,
+                                               original_ret, argc, argv);
+
+    /* Special case for tracking frozen sources */
+    if (transformed_ret != Qnil) {
+        ret = transformed_ret;
+    } else {
+        ret = original_ret;
+    }
+
+    /* exit scope */
+    rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
+
+    return ret;
+
+call_original:
+
+    /* exit scope */
+    rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
+
+    switch (impl) {
+    case IMPL_ALIAS_INSTANCE:
+    case IMPL_ALIAS_SINGLETON:
+        return contrast_patch_call_original(original_args);
+    case IMPL_PREPEND:
+        return contrast_call_super(original_args);
+    };
+}
+
+VALUE contrast_alias_instance_patch(const int argc, const VALUE *argv,
+                                    const VALUE object) {
+    return contrast_patch_dispatch(argc, argv, IMPL_ALIAS_INSTANCE, object);
+}
+
+VALUE contrast_alias_singleton_patch(const int argc, const VALUE *argv,
+                                     const VALUE object) {
+    return contrast_patch_dispatch(argc, argv, IMPL_ALIAS_SINGLETON, object);
+}
+
+VALUE contrast_prepend_patch(const int argc, const VALUE *argv,
+                             const VALUE object) {
+    return contrast_patch_dispatch(argc, argv, IMPL_PREPEND, object);
+}
+
+VALUE contrast_patch_define_method(const VALUE self, const VALUE clazz,
+                                   const VALUE method_policy,
+                                   const VALUE cs_method) {
+    const VALUE original_method_name =
+        rb_funcall(method_policy, rb_sym_method_name, 0);
+    const VALUE is_instance_method =
+        rb_funcall(method_policy, rb_sym_instance_method, 0);
+    char *cStr;
+    VALUE str;
+    rb_funcall(patch_status, rb_sym_set_info_for, 5, clazz, original_method_name,
+               method_policy, is_instance_method, cs_method);
+
+    /* Some methods we patch rely on a specific C level patch,
+     * in those cases we should still add the method to the info_for hash
+     * on the class, but we should skip setting up the generic Contrast
+     * monkeypatch
+     */
+    VALUE is_custom_patch = rb_funcall(method_policy, rb_sym_custom_patch, 0);
+    if (RTEST(is_custom_patch)) {
+        return Qnil;
+    }
+    str = rb_funcall(original_method_name, rb_sym_cs_to_s, 0);
+    cStr = StringValueCStr(str);
+
+    const VALUE is_private =
+        rb_funcall(method_policy, rb_sym_private_method, 0);
+    if (RTEST(is_instance_method)) {
+        rb_funcall(clazz, rb_sym_alias_method, 2, cs_method,
+                   original_method_name);
+        if (RTEST(is_private)) {
+            rb_funcall(clazz, rb_sym_public, 1, cs_method);
+        }
+        rb_define_method(clazz, cStr, contrast_alias_instance_patch, -1);
+        if (RTEST(is_private)) {
+            rb_funcall(clazz, rb_sym_private, 1, original_method_name);
+        }
+    } else {
+        /*
+         * we have to send the method call to either the singleton class or the
+         * instance depending on the method type. send_to will hold this for us.
+         * https://stackoverflow.com/questions/212407/what-exactly-is-the-singleton-class-in-ruby
+         */
+        const VALUE singleton_class =
+            rb_funcall(clazz, rb_sym_cs_singleton_class, 0);
+        rb_funcall(singleton_class, rb_sym_alias_method, 2, cs_method,
+                   original_method_name);
+        if (RTEST(is_private)) {
+            rb_funcall(singleton_class, rb_sym_public, 1, cs_method);
+        }
+        rb_define_singleton_method(clazz, cStr, contrast_alias_singleton_patch,
+                                   -1);
+        if (RTEST(is_private)) {
+            rb_funcall(singleton_class, rb_sym_private, 1,
+                       original_method_name);
+        }
+    }
+    return Qnil;
+}
+
+VALUE contrast_patch_prepend(const VALUE self, const VALUE originalModule,
+                             const VALUE method_policy) {
+
+    const VALUE original_method_name =
+        rb_funcall(method_policy, rb_sym_method_name, 0);
+    const VALUE is_private =
+        rb_funcall(method_policy, rb_sym_private_method, 0);
+    const VALUE is_instance_method =
+        rb_funcall(method_policy, rb_sym_instance_method, 0);
+    rb_funcall(patch_status, rb_sym_set_info_for, 5, originalModule,
+               original_method_name, method_policy, Qtrue, Qnil);
+    VALUE module = rb_define_module_under(originalModule, "ContrastPrepend");
+    VALUE str = rb_funcall(original_method_name, rb_sym_cs_to_s, 0);
+    char *cMethodName = StringValueCStr(str);
+    if (RTEST(is_instance_method)) {
+        if (RTEST(is_private)) {
+            rb_define_private_method(module, cMethodName,
+                                     contrast_prepend_patch, -1);
+        } else {
+            rb_define_method(module, cMethodName, contrast_prepend_patch, -1);
+        }
+    } else {
+        rb_define_singleton_method(module, cMethodName, contrast_prepend_patch,
+                                   -1);
+    }
+    rb_prepend_module(originalModule, module);
+    return Qtrue;
+}
+
+void Init_cs__contrast_patch(void) {
+    rb_sym_brackets = rb_intern("[]");
+    rb_sym_build_method_name = rb_intern("build_method_name");
+    rb_sym_build_preshift = rb_intern("build_preshift");
+    rb_sym_contrast_apply_post_patch = rb_intern("apply_post_patch");
+    rb_sym_contrast_apply_pre_patch = rb_intern("apply_pre_patch");
+    rb_sym_cs_to_s = rb_intern("to_s");
+    rb_sym_custom_patch = rb_intern("requires_custom_patch?");
+    rb_sym_in_request_context = rb_intern("in_request_context?");
+    rb_sym_info_for = rb_intern("info_for");
+    rb_sym_propagation_node = rb_intern("propagation_node");
+    rb_sym_set_info_for = rb_intern("set_info_for");
+
+    rb_sym_private_method = rb_intern("private_method?");
+    rb_sym_method_name = rb_intern("method_name");
+    rb_sym_alias_method = rb_intern("alias_method");
+    rb_sym_public = rb_intern("public");
+    rb_sym_private = rb_intern("private");
+    rb_sym_instance_method = rb_intern("instance_method");
+    rb_sym_cs_singleton_class = rb_intern("cs__singleton_class");
+
+
+    rb_define_module_function(contrast_patcher(), "contrast_define_method",
+                              contrast_patch_define_method, 3);
+
+    rb_define_module_function(contrast_patcher(), "contrast_prepend_method",
+                              contrast_patch_prepend, 2);
+
+    /* patch_status = Contrast::Agent::Patching::Policy::PatchStatus */
+    patch_status = rb_define_class_under(policy, "PatchStatus", rb_cObject);
+
+    /* preshift_class = Contrast::Agent::Assess::PreShift */
+    preshift_class = rb_define_class_under(assess, "PreShift", rb_cObject);
+}