contrast-agent 3.8.4

data/lib/contrast/agent/assess/class_reverter.rb

@@ -0,0 +1,82 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/core_extensions/module'
+cs__scoped_require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Assess
+      # This is used to revert, or undo, the patches that we've placed into
+      # modules. This is necessary for those cases where the original method
+      # was supposed to be removed, but wasn't b/c we had renamed it -- looking
+      # at you, FactoryBot
+      class ClassReverter
+        include Contrast::Components::Interface
+        access_component :logging, :scope
+
+        class << self
+          def unpatch!
+            Contrast::Agent::FeatureState.instance.uninstrument_namespaces.
+                each { |mod_sym| revert_module mod_sym }
+          end
+
+          private
+
+          def revert_module mod
+            with_contrast_scope do
+              revert_child_modules(mod, [])
+            end
+          rescue StandardError => e
+            logger.error(e, "Unable to remove patches from the module #{ mod }")
+          end
+
+          def revert_child_modules mod, reverted_modules, parent_mod = nil
+            return if parent_mod == mod
+            return if reverted_modules.include?(mod)
+
+            reverted_modules << mod
+
+            immediate_constants = mod.cs__constants(false).collect! { |k| mod.cs__const_get(k) }
+            immediate_constants.select! { |k| k.is_a?(Module) }
+            immediate_constants.flatten!
+            if immediate_constants.any?
+              immediate_constants.each do |const|
+                revert_aliases(const)
+                revert_child_modules(const, reverted_modules, mod)
+              end
+            else
+              revert_aliases(mod)
+            end
+          end
+
+          # in order to fully uninstrument classes we must use true when getting the singleton/instance methods
+          # that way if a class makes use of instance_eval for instance(defined on Kernel) we are able to revert this
+          # specific instance of that method to use the default behavior while leaving the remainder of
+          # objects using the patched behavior
+          def revert_aliases clazz
+            marker = Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START
+            instance_methods = (clazz.instance_methods(true) + clazz.private_instance_methods(true)).select { |method| method.to_s.start_with?(marker) }
+            singleton_methods = clazz.cs__singleton_class.instance_methods(true).select { |method| method.to_s.start_with?(marker) }
+            instance_methods.each { |i_method| revert_alias(clazz, i_method, instance_methods) }
+            singleton_methods.each { |s_method| revert_alias(clazz.cs__singleton_class, s_method, singleton_methods) }
+          end
+
+          def revert_alias clazz, current_method_name, methods
+            original_method_name = clazz.instance_method(current_method_name).original_name
+
+            is_private = clazz.private_method_defined?(original_method_name)
+
+            # revert aliasing only for those methods currently defined on the original
+            if is_private || clazz.method_defined?(original_method_name)
+              clazz.send(:alias_method, original_method_name, current_method_name)
+              clazz.send(:private, original_method_name) if is_private
+            end
+            clazz.send(:undef_method, current_method_name) if methods.include?(current_method_name)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/contrast_event.rb

@@ -0,0 +1,398 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/utils/prevent_serialization'
+
+module Contrast
+  module Agent
+    module Assess
+      # This class holds the data about an event in the application
+      # We'll use it to build an event that TeamServer can consume if
+      # the object to which this event belongs ends in a trigger.
+      class ContrastEvent
+        include Contrast::Utils::PreventSerialization
+
+        class << self
+          def safe_args_representation args
+            return nil unless args
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY if args.empty?
+
+            rep = []
+            args.each do |arg|
+              # We have to handle named args
+              rep <<  if arg.is_a?(Hash)
+                        safe_arg_hash_representation(arg)
+                      else
+                        arg.cs__inspect
+                      end
+            end
+            rep
+          end
+
+          def safe_arg_hash_representation hash
+            # since this is the named hash for arguments, only the value is
+            # suspect here
+            hash.transform_values(&:cs__inspect)
+          end
+
+          # if given an object that can be duped, duplicate it. otherwise just
+          # return the original object. swallow all exceptions from
+          # non-duplicable things.
+          #
+          # we can't just check respond_to? though b/c dup exists on the
+          # base Object class
+          def safe_dup original
+            return nil unless original
+
+            begin
+              original.dup
+            rescue StandardError
+              original
+            end
+          end
+        end
+
+        attr_accessor :source_name
+        attr_reader :event_id, :source_type, :parent_ids
+
+        # We need this to track the parent id's of events to build up a flow
+        # chart of the finding
+        @atomic_id = 0
+        @atomic_mutex = Mutex.new
+        def self.next_atomic_id
+          @atomic_mutex.synchronize do
+            begin
+              @atomic_id += 1
+              # Rollover things
+            rescue StandardError
+              @atomic_id = 1
+            end
+          end
+        end
+
+        def initialize policy_node, tagged, object, ret, args, invoked = 0, source_type = nil, source_name = nil
+          @caller = caller_locations(get_call_start(policy_node, invoked), 10)
+          @policy_node = policy_node
+          @time = Contrast::Utils::Timer.now_ms
+          @thread = Thread.current.object_id
+          @source_type = source_type
+          @source_name = source_name
+
+          # These methods rely on the above being set. Don't move them!
+          @event_id = Contrast::Agent::Assess::ContrastEvent.next_atomic_id
+          @parent_ids = find_parent_ids(policy_node, object, ret, args)
+          snapshot(tagged, object, ret, args)
+        end
+
+        # Parent IDs are the event ids of all the sources of this event which
+        # were tracked prior to this event occurring
+        def find_parent_ids policy_node, object, ret, args
+          return if policy_node.is_a?(Contrast::Agent::Assess::Policy::SourceNode)
+
+          mapped = policy_node.sources.map do |source|
+            value_of_source(source, object, ret, args)
+          end
+          selected = mapped.select do |source|
+            source &&
+                Contrast::Utils::DuckUtils.quacks_to?(source, :cs__properties) &&
+                source.cs__properties.events &&
+                source.cs__properties.events.last
+          end
+          selected.map do |source|
+            source.cs__properties.events.last.event_id
+          end
+        end
+
+        def snapshot tagged, object, ret, args
+          target = @policy_node.target
+          case target
+            # If the target is nil, this rule was violated simply by a method
+            # being called. We'll save all the information, but nothing will be
+            # marked up, as nothing need be tracked
+          when nil
+            @object = object.cs__inspect
+            @args = cs__class.safe_args_representation(args)
+            @ret = ret.cs__inspect
+            # If the target is O, then we dup the O and safely represent the rest
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            @object = cs__class.safe_dup(tagged)
+            @args = cs__class.safe_args_representation(args)
+            @ret = ret.cs__inspect
+            # If the target is R, then we dup the R and safely represent the rest
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            @object = object.cs__inspect
+            @args = cs__class.safe_args_representation(args)
+            @ret = cs__class.safe_dup(tagged)
+            # If the target is P*, then we need to dup things a differently. We
+            # need to find the true target inside so that we can mark it up
+            # later, but the other args should be represented as their safe form.
+          else
+            @object = object.cs__inspect
+            @args = cs__class.safe_args_representation(args)
+            @ret = ret.cs__inspect
+            save_target_arg(target, tagged)
+          end
+        end
+
+        # I know we're creating an extra string here since we replace the safe
+        # one w/ a dup, but good enough for now. Trying not to make this too
+        # complicated. - HM 8/8/19
+        def save_target_arg target, tagged
+          if target.is_a?(Integer)
+            @args[target] = cs__class.safe_dup(tagged)
+            return
+          end
+
+          @args.each_with_index do |search, index|
+            next unless search.is_a?(Hash)
+            next unless search[target]
+
+            search[target] = cs__class.safe_dup(tagged)
+            @highlight = index
+            break
+          end
+        end
+
+        def value_of_source source, object, ret, args
+          case source
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          else
+            if source.is_a?(Integer)
+              args[source]
+            else
+              args.each do |search|
+                next unless search.is_a?(Hash)
+
+                s = search[source]
+                return s if s
+              end
+            end
+          end
+        end
+
+        # each policy_node has a certain number of levels down it calls
+        # before getting here. since we know them, we can skip
+        # right to the part of the stack we care about.
+        #
+        # Note: if our callstack changes, this number has to change
+        def get_call_start policy_node, invoked
+          # TODO: RUBY-440 audit these numbers to get stacktraces to render
+          #   properly
+          base = case policy_node
+                 when Contrast::Agent::Assess::Policy::SourceNode
+                   6
+                 when Contrast::Agent::Assess::Policy::PropagationNode
+                   7
+                 when Contrast::Agent::Assess::Policy::TriggerNode
+                   7
+                 else
+                   2
+                 end
+          base + invoked
+        end
+
+        # Convert this event into a DTM that TeamServer can consume
+        def to_dtm_event
+          event = Contrast::Api::Dtm::TraceEvent.new
+
+          # Figure out what the target of this event was. It's a little
+          # annoying for us since P can be named (thanks, Ruby) where
+          # as for everyone else it is idx based.
+          taint_target = determine_taint_target(event)
+
+          event.type = @policy_node.node_type
+          event.action = @policy_node.build_action
+          event.timestamp_ms = @time.to_i
+          event.thread = Contrast::Utils::StringUtils.force_utf8(@thread)
+          truncate_obj = Contrast::Utils::ObjectShare::OBJECT_KEY != taint_target
+          event.object = build_event_object(@object, truncate_obj)
+          truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
+          event.ret = build_event_object(@ret, truncate_ret)
+          built_args = build_event_args(taint_target)
+          built_args.each do |arg|
+            event.args << arg
+          end
+          taint_ranges = find_taint_ranges(@object, @args, @ret, taint_target)
+          taint_ranges.each do |range|
+            event.taint_ranges << range
+          end
+
+          # We delayed doing this as long as possible b/c it's expensive
+          stack = Contrast::Utils::StackTraceUtils.to_dtm_stack(
+              stack_locations: @caller,
+              rasp_element: false)
+          stack.each do |frame|
+            event.stack << frame
+          end
+
+          event.field_name = Contrast::Utils::StringUtils.force_utf8(source_name)
+
+          event_source_dtm = build_event_source_dtm
+          event.event_sources << event_source_dtm if event_source_dtm
+
+          event.object_id = event_id.to_i
+          @parent_ids&.each do |id|
+            parent = Contrast::Api::Dtm::ParentObjectId.new
+            parent.id = id.to_i
+            event.parent_object_ids << parent
+          end
+
+          # not to be confused w/ the partial signature
+          build_complete_signature(event)
+
+          event
+        end
+
+        def forced_source_type
+          @_forced_source_type ||= Contrast::Utils::StringUtils.force_utf8(source_type)
+        end
+
+        def forced_source_name
+          @_forced_source_name ||= Contrast::Utils::StringUtils.force_utf8(source_name)
+        end
+
+        # Probably only for source events, but we'll go
+        # with source_type instead. java & .net support source_type
+        # in propagation events, so we'll future proof this
+        def build_event_source_dtm
+          # You can have a source w/o a name, but not w/o a type
+          return unless source_type
+
+          dtm = Contrast::Api::Dtm::TraceEventSource.new
+          dtm.type = forced_source_type
+          dtm.name = forced_source_name
+          dtm
+        end
+
+        # We're not going to build the signature string here, b/c we have all
+        # the composite pieces of it. Instead, we're going to let TeamServer
+        # render this for us.
+        def build_complete_signature event
+          signature = Contrast::Api::Dtm::TraceEventSignature.new
+          event.signature = signature
+          return_type = @ret ? @ret.cs__class.name : Contrast::Utils::ObjectShare::NIL_STRING
+          signature.return_type = Contrast::Utils::StringUtils.force_utf8(return_type)
+          signature.class_name = Contrast::Utils::StringUtils.force_utf8(@policy_node.class_name)
+          signature.method_name = Contrast::Utils::StringUtils.force_utf8(@policy_node.method_name)
+          if @args
+            @args&.each do |arg|
+              arg_type = arg ? arg.cs__class.name : Contrast::Utils::ObjectShare::NIL_STRING
+              signature.arg_types << Contrast::Utils::StringUtils.force_utf8(arg_type)
+            end
+          end
+          signature.constructor = @policy_node.method_name == :new
+          # if there's a ret, then this method isn't nil. not 100% full proof since you can
+          # return nil, but this is the best we've got currently.
+          signature.void_method = @ret.nil?
+          # 8 is STATIC in Java... we have to placate them for now
+          # it has been requested that flags be removed since it isn't used
+          signature.flags = 8 unless @policy_node.instance_method?
+        end
+
+        # Wrapper around build_event_object for the args array. Handles
+        # tainting the correct argument.
+        def build_event_args taint_target
+          event_args = []
+          @args.each_index do |idx|
+            truncate_arg = taint_target != idx
+            event_arg = build_event_object(@args[idx], truncate_arg)
+            event_args << event_arg
+          end
+          event_args
+        end
+
+        # Build the event object. We were originally going to include taint on
+        # each one, but TS doesn't accept / use that, so it is a waste of time.
+        #
+        # We'll truncate any object that isn't important to the taint ranges of
+        # this event, so that we don't murder TeamServer by, for instance,
+        # hypothetically sending the entire rendered HTML page >_>  <_<  >_>
+        ELLIPSIS = '...'
+        UNTRUNCATED_PORTION_LENGTH = 25
+        TRUNCATION_LENGTH = (UNTRUNCATED_PORTION_LENGTH * 2) + 3 # ELLIPSIS length
+        def build_event_object object, truncate
+          event_object = Contrast::Api::Dtm::TraceEventObject.new
+          obj_string = Contrast::Utils::StringUtils.force_utf8(object)
+          if truncate && Contrast::Utils::StringUtils.ret_length(obj_string) > TRUNCATION_LENGTH
+            tmp = []
+            tmp << obj_string[0, UNTRUNCATED_PORTION_LENGTH]
+            tmp << ELLIPSIS
+            tmp << obj_string[
+                obj_string.length - UNTRUNCATED_PORTION_LENGTH,
+                UNTRUNCATED_PORTION_LENGTH]
+            obj_string = tmp.join
+          end
+          event_object.value = Base64.encode64(obj_string)
+          event_object.tracked = Contrast::Utils::Assess::TrackingUtil.tracked?(object)
+          event_object
+        end
+
+        # We have to do a little work to figure out what our TS appropriate
+        # target is. To break this down, the logic is as follows:
+        # 1) If my policy_node has a target, work on targets. Else, work on sources.
+        #    Per TS law, each policy_node must have at least a source or a target.
+        #    The only type of policy_node w/o targets is a Trigger, but that may
+        #    change.
+        # 2) If I have a highlight, it means that I have a P target that is
+        #    not in integer form (it was a named / keyword type for which I had
+        #    to find the index). I need to address this so that TS can process
+        #    it.
+        # 3) I'll set the event's source and target to TS values.
+        # 4) Return the highlight or the first source/target as the taint
+        #    target.
+        def determine_taint_target event
+          if @policy_node&.targets&.any?
+            event.source = @policy_node.source_string if @policy_node.source_string
+            event.target = if @highlight
+                             "P#{ @highlight }"
+                           else
+                             @policy_node.target_string
+                           end
+            @highlight || @policy_node.targets[0]
+          elsif @policy_node&.sources&.any?
+            event.source = if @highlight
+                             "P#{ @highlight }"
+                           else
+                             @policy_node.source_string
+                           end
+            event.target = @policy_node.target_string if @policy_node.target_string
+            @highlight || @policy_node.sources[0]
+          end
+        end
+
+        # TeamServer only supports one object's taint ranges at a time.
+        # We'll find the taint ranges for the target and return those
+        def find_taint_ranges object, args, ret, taint_target
+          # If there's no taint_target, this isn't a dataflow trace, but a
+          # trigger one
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless taint_target
+
+          properties = case taint_target
+                       when Contrast::Utils::ObjectShare::OBJECT_KEY
+                         object.cs__properties
+                       when Contrast::Utils::ObjectShare::RETURN_KEY
+                         ret.cs__properties
+                       else
+                         target = args[taint_target]
+                         if target.is_a?(Hash)
+                           if @policy_node&.targets&.any?
+                             target[@policy_node.targets[0]].cs__properties
+                           else
+                             target[@policy_node.sources[0]].cs__properties
+                           end
+                         else
+                           target.cs__properties
+                         end
+                       end
+
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
+
+          properties.tags_to_dtm
+        end
+      end
+    end
+  end
+end