contrast-agent 3.8.4

data/lib/contrast/agent/assess/policy/propagator.rb

@@ -0,0 +1,35 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        # This is the base module for our assess propagator classes. It is
+        # intended to facilitate the patching of the application for Assess
+        # functionality. Any class under this namespace should be required
+        # here, providing a single point of require for this functionality.
+        module Propagator
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/base'
+
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/append'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/center'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/custom'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/database_write'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/insert'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/keep'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/next'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/prepend'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/remove'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/replace'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/reverse'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/select'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/splat'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/split'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/substitution'
+          cs__scoped_require 'contrast/agent/assess/policy/propagator/trim'
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/append.rb

@@ -0,0 +1,54 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the end of the target. The target's preexisting tags are
+          # unaffected beyond any merging of overlapping tags.
+          class Append < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # For the source, append its tags to the target.
+              # if the target length is greater than the source
+              # copy tags from the param to the target in chunks of param size or less
+              # if param is appended in space less than param length
+              def propagate propagation_node, preshift, target
+                sources = propagation_node.sources
+                source1 = find_source(sources[0], preshift)
+                # Some appends have two args. If they don't this is probably something
+                # obnoxious, like String.*
+                source2 = sources[1] ? find_source(sources[1], preshift) : source1
+
+                # if the object and the return are the same length just copy the tags
+                # from the object(since nothing from args was added to return)
+                if source1.length == target.length
+                  target.cs__copy_from(source1, 0, propagation_node.untags)
+                else
+                  # find original in the target, copy tags to the new position in
+                  # target
+                  original_start_index = target.index(source1)
+                  target.cs__copy_from(source1, original_start_index, propagation_node.untags)
+
+                  start = original_start_index + source1.length
+                  while start < target.length
+                    target.cs__copy_from(source2, start, propagation_node.untags)
+                    start += source2.length
+                    next unless start > target.length
+
+                    target.cs__properties.tags_at(start - source2.length).each do |tag|
+                      tag.update_end(target.length)
+                    end
+                  end
+                end
+                target.cs__properties.cleanup_tags
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/base.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # A propagator is a method which can transform data, as described by
+          # the Contrast::Agent::Assess::Policy::PropagationNode class. Each
+          # type of propagator does so differently, but always acts on a Source
+          # to pass tags from it to a Target.
+          class Base
+            class << self
+              def find_source source, preshift
+                case source
+                when Contrast::Utils::ObjectShare::OBJECT_KEY
+                  preshift.object
+                else
+                  preshift.args[source]
+                end
+              end
+
+              def tracked_value? value
+                Contrast::Utils::DuckUtils.quacks_to?(value, :cs__tracked?) && value.cs__tracked?
+              end
+
+              def propagate _propagation_node, _preshift, _target
+                raise NotImplementedError("Expected Base propagator subclass: #{ cs__class } to implement #propagate")
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/center.rb

@@ -0,0 +1,73 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the target at its middle. The target's preexisting tags
+          # are unaffected beyond any merging of overlapping tags.
+          class Center < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              def propagate propagation_node, preshift, target
+                sources = propagation_node.sources
+                source1 = find_source(sources[0], preshift)
+
+                if source1.length == target.length
+                  target.cs__copy_from(source1, 0, propagation_node.untags)
+                  target.cs__properties.cleanup_tags
+                  return
+                end
+
+                # find original in the target, copy tags to the new position in target
+                original_start_index = target[0..target.length / 2 + 1].rindex(source1)
+                original_start_index ||= 1
+                target.cs__copy_from(source1, original_start_index, propagation_node.untags)
+
+                return unless sources[1]
+
+                original_end_index = original_start_index + source1.length - 1
+                handle_incoming_tags(target, propagation_node, sources[1], preshift, original_start_index, original_end_index)
+              end
+
+              private
+
+              # If the input passed in to wrap around the existing object has
+              # tags, we have to prepend and append those tags to the centered
+              # value.
+              # @param target [Object] the thing to apply tags to.
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
+              #   the node that indicates how this propagation should be
+              #   handled.
+              # @param source_location [String] the marker to indicate where in
+              #   the preshift the source is located.
+              # @param preshift [Contrast::Agent::Assess::Preshift] the state
+              #   of the call before the method was executed.
+              # @param start_index [Integer] where the centered object starts.
+              # @param end_index [Integer] where the centered object ends.
+              def handle_incoming_tags target, propagation_node, source_location, preshift, start_index, end_index
+                source = find_source(source_location, preshift)
+                iterate_tags(target, propagation_node, source, 0, start_index)
+                iterate_tags(target, propagation_node, source, end_index, target.length)
+              end
+
+              def iterate_tags target, propagation_node, source, start, stop
+                while start < stop
+                  target.cs__copy_from(source, start, propagation_node.untags)
+                  start += source.length
+                  next unless start > stop
+
+                  target.cs__properties.tags_at(start - source.length).each do |tag|
+                    tag.update_end(stop)
+                  end
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/custom.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/core_extensions/module'
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in some complex or specific translation
+          # of tags from the source to the target. Each node with the CUSTOM
+          # action knows the class and method it should call to preform this
+          # action.
+          class Custom
+            class << self
+              def propagate propagation_node, preshift, ret, block
+                clazz = propagation_node.patch_class
+                method = propagation_node.patch_method
+
+                # We cannot flip the String to a Module at patcher creation time -
+                # the Module may not exist yet. Instead, we have to defer until the
+                # first time the patcher is used.
+                if clazz.is_a?(String)
+                  clazz = Object.cs__const_get(clazz)
+                  propagation_node.patch_class = clazz
+                end
+                clazz.send(method, propagation_node, preshift, ret, block)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -0,0 +1,62 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the target. Unlike other propagators, this actually
+          # results in new source nodes to track which columns in the database
+          # have been tainted.
+          class DatabaseWrite < Contrast::Agent::Assess::Policy::Propagator::Base
+            include Contrast::Components::Interface
+            access_component :analysis
+
+            class << self
+              def propagate propagation_node, preshift, target
+                class_type = preshift.object.cs__class
+                class_name = class_type.cs__name
+                tainted_columns = {}
+
+                known_tainted = ASSESS.tainted_columns[class_name]
+                propagation_node.sources.each do |source|
+                  arg = preshift.args[source]
+                  next unless arg.cs__respond_to?(:each_pair)
+
+                  arg.each_pair do |key, value|
+                    next unless value
+                    next if known_tainted&.include?(key)
+
+                    # TODO: RUBY-540 handle sanitization, handle nested objects
+                    Contrast::Agent::Assess::Policy::PropagationMethod.apply_tags(propagation_node, value)
+                    value.cs__properties.build_event(propagation_node, value, preshift.object, target, preshift.args)
+                    next unless tracked_value?(value)
+
+                    tainted_columns[key] = value.cs__properties.events
+                  end
+                end
+
+                return if tainted_columns.empty?
+
+                if known_tainted
+                  known_tainted.concat(tainted_columns.keys)
+                else
+                  unless class_type < Contrast::CoreExtensions::Assess::AssessExtension
+                    class_type.send(:include, Contrast::CoreExtensions::Assess::AssessExtension)
+                  end
+                  ASSESS.tainted_columns[class_name] = tainted_columns.keys
+                end
+
+                Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources class_type, tainted_columns
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/insert.rb

@@ -0,0 +1,55 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the target at the point of insertion. The target's
+          # preexisting tags are shifted to account for this insertion.
+          class Insert < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # For the source, append its tags to the target.
+              # Once the tag is applied, shift it to the location of the insert
+              # Unlike additive propagation, this currently only supports one source
+              # We assume that insert changes the preshift target
+              def propagate propagation_node, preshift, target
+                source = find_source(propagation_node.sources[0], preshift)
+
+                patcher_target = propagation_node.targets[0]
+                preshift_target = case patcher_target
+                                  when Contrast::Utils::ObjectShare::OBJECT_KEY
+                                    preshift.object
+                                  else
+                                    preshift.args[int]
+                                  end
+
+                # Find the first difference between the source to which
+                # we inserted and the result. That is the insertion
+                # point on which all tags need to be adjusted
+                # If the insertion point is the end of the string, preshift length is returned
+                # https://stackoverflow.com/questions/31714522/find-the-first-differing-character-between-two-strings-in-ruby
+                insert_point = (0...preshift_target.length).find { |i| preshift_target[i] != target[i] } || preshift_target.length
+                # Depending what's inserted, we might be wrong. For instance, inserting 'foo'
+                # into 'asdfasdf' could result in 'asdfoofasdf'. we'd be off by one b/c of the 'f'
+                insert_point = target.rindex(source, insert_point)
+
+                overflow = Contrast::Agent::Assess::AdjustedSpan.new(
+                    insert_point,
+                    insert_point + source.length)
+
+                # handle shifting the inserted range
+                target.cs__properties.shift_tags([overflow])
+
+                target.cs__copy_from(source, insert_point, propagation_node.untags)
+                target.cs__properties.cleanup_tags
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/keep.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the target exactly as is. The target's preexisting tags
+          # are unaffected beyond any merging of overlapping tags.
+          class Keep < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # Keep means the tags just pass from the source to the target
+              # as is.
+              def propagate propagation_node, preshift, target
+                source = find_source(propagation_node.sources[0], preshift)
+                target.cs__copy_from(source, 0, propagation_node.untags)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/next.rb

@@ -0,0 +1,42 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the target. In those cases where overflow occurred,
+          # the overflow is tagged the same as the character which preceded it.
+          # The target's preexisting tags are shifted to account for this.
+          class Next < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # String has some silly methods like next. Basically, this flips a
+              # character in a predictable manner
+              def propagate propagation_node, preshift, target
+                source = find_source(propagation_node.sources[0], preshift)
+
+                target.cs__copy_from(source, 0, propagation_node.untags)
+
+                # this means the char that was shifted overflowed and created new
+                # chars (i.e 'z' "wraps" to create 'aa' )
+                unless target.length == source.length
+                  target.cs__copy_from(source, 0, propagation_node.untags)
+
+                  first_difference = (0...source.length).find { |i| source[i] != target[i] } || source.length
+
+                  target.cs__properties.tags_at(first_difference).each do |tag|
+                    tag.shift_end(target.length - source.length)
+                  end
+                end
+
+                target.cs__properties.cleanup_tags
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/prepend.rb

@@ -0,0 +1,50 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the beginning of the target. The target's preexisting
+          # tags are shifted to account for this.
+          class Prepend < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # For the source, prepend its tags to the target. It's basically the
+              # opposite of append. :-P
+              def propagate propagation_node, preshift, target
+                sources = propagation_node.sources
+                source1 = find_source(sources[0], preshift)
+
+                source2 = sources[1] ? find_source(sources[1], preshift) : source1
+
+                original_start_index = target.rindex(source1) || 0
+                # if the object and the return are the same length just copy the
+                # tags from the object(since nothing from args was added to
+                # return)
+                if source1.length == target.length
+                  target.cs__copy_from(source1, 0, propagation_node.untags)
+                else
+                  # find original in the target, copy tags to the new position in target
+                  target.cs__copy_from(source1, original_start_index, propagation_node.untags)
+                  start = 0
+                  while start < original_start_index
+                    target.cs__copy_from(source2, start, propagation_node.untags)
+                    start += source2.length
+                    next unless start > original_start_index
+
+                    target.cs__properties.tags_at(start - source2.length).each do |tag|
+                      tag.update_end(original_start_index)
+                    end
+                  end
+                end
+                target.cs__properties.cleanup_tags
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end