contrast-agent 3.8.4

data/lib/contrast/agent/assess/policy/propagator/remove.rb

@@ -0,0 +1,76 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the totality of the target and then those sections
+          # which have been removed from the target are removed from the
+          # tags. The target's preexisting tags are also updated by this
+          # removal.
+          class Remove < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # For the source, append its tags to the target.
+              # Once the tag is applied, remove the section that was removed by the delete.
+              # Unlike additive propagation, this currently only supports one source
+              def propagate propagation_node, preshift, target
+                source = find_source(propagation_node.sources[0], preshift)
+
+                target.cs__copy_from(source, 0, propagation_node.untags)
+
+                source_chars = source.is_a?(String) ? source.chars : source.string.chars
+                handle_removal(source_chars, target)
+              end
+
+              def handle_removal source_chars, target
+                source_idx = 0
+
+                target_chars = target.chars
+                target_idx = 0
+
+                remove_ranges = []
+                current_range = nil
+
+                # loop over the target, the result of the delete
+                # every range of characters that it differs from the source
+                # represents a section that was deleted. these sections
+                # need to have their tags updated
+                target_len = target_chars.length
+                while target_idx < target_len
+                  target_char = target_chars[target_idx]
+                  source_char = source_chars[source_idx]
+                  if target_char == source_char
+                    target_idx += 1
+                    if current_range
+                      current_range.stop = source_idx
+                      remove_ranges << current_range
+                      current_range = nil
+                    end
+                  else
+                    current_range ||= Contrast::Agent::Assess::AdjustedSpan.new(source_idx)
+                  end
+                  source_idx += 1
+                end
+
+                # once we're done looping over the target, anything left
+                # over is extra from the source that was deleted. tags
+                # applying to it need to be removed.
+                if source_idx != source_chars.length
+                  remove_ranges << Contrast::Agent::Assess::AdjustedSpan.new(
+                      source_idx,
+                      source_chars.length)
+                end
+
+                # handle deleting the removed ranges
+                target.cs__properties.delete_tags_at_ranges(remove_ranges)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/replace.rb

@@ -0,0 +1,27 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the target exactly as they are in the source. The
+          # target's preexisting tags are all removed.
+          class Replace < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # Replace means we're replacing the target w/ the source. Anything
+              # on the source should be passed to the target.
+              def propagate propagation_node, preshift, target
+                source = find_source(propagation_node.sources[0], preshift)
+                target.cs__properties.clear_tags
+                target.cs__copy_from(source, 0, propagation_node.untags)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/reverse.rb

@@ -0,0 +1,38 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the target in reverse of how they are in the source. The
+          # target's preexisting tags are unaffected beyond any merging of
+          # overlapping tags.
+          class Reverse < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              def propagate propagation_node, preshift, target
+                source = find_source(propagation_node.sources[0], preshift)
+
+                target.cs__copy_from(source, 0, propagation_node.untags)
+
+                length = target.length
+                target.cs__properties.tag_keys.each do |key|
+                  tags = target.cs__properties.fetch_tag(key)
+                  tags.each do |tag|
+                    new_end = length - tag.start_idx
+                    new_start = new_end - tag.length
+                    tag.repurpose(new_start, new_end)
+                  end
+                end
+
+                target.cs__properties.cleanup_tags
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/select.rb

@@ -0,0 +1,86 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # This class is specifically for String#select propagation
+          #
+          # Disclaimer: there may be a better way, but we're
+          # in a 'get it work' state. hopefully, we'll be in
+          # a 'get it right' state soon.
+          class Select
+            include Contrast::Components::Interface
+            access_component :logging
+
+            class << self
+              def select_tagger patcher, preshift, ret, _block
+                source = preshift.object
+                args = preshift.args
+
+                # 'gotcha'
+                # Additionally, an empty string is returned when the starting index for
+                # a character range is at the end of the string. Let's just skip that
+                # and only track a string that has length
+                return unless source.cs__tracked? && ret && !ret.empty?
+
+                source.cs__properties.events.each do |event|
+                  ret.cs__properties.events << event
+                end
+                ret.cs__properties.build_event(
+                    patcher,
+                    ret,
+                    source,
+                    ret,
+                    args)
+
+                range = determine_select_range(source, args)
+                return unless range
+
+                tags = source.cs__properties.tags_at_range(range)
+                ret.cs__properties.clear_tags
+                tags.each_pair do |key, value|
+                  ret.cs__properties.set_tags(key, value)
+                end
+                ret
+              end
+
+              private
+
+              def determine_select_range source, args
+                arg = args[0]
+                case arg
+                when Integer
+                  length = args[1] || 1
+                  # (void) negative range
+                  arg += source.length if arg.negative?
+                  Contrast::Agent::Assess::AdjustedSpan.new(arg, arg + length)
+                when String
+                  idx = source.index(arg)
+                  Contrast::Agent::Assess::AdjustedSpan.new(idx, idx + arg.length)
+                when Regexp
+                  match_data = arg.match(source)
+                  # nil has the same meaning as 0. use full match
+                  group = args[1] || 0
+                  Contrast::Agent::Assess::AdjustedSpan.new(match_data.begin(group), match_data.end(group))
+                when Range
+                  start = arg.begin
+                  finish = arg.end
+
+                  # (void) negative range
+                  start += source.length if start.negative?
+                  finish += source.length if finish.negative?
+                  finish += 1 unless arg.exclude_end?
+
+                  Contrast::Agent::Assess::AdjustedSpan.new(start, finish)
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/splat.rb

@@ -0,0 +1,60 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the totality of the target. The target's preexisting
+          # tags are unaffected beyond any merging of overlapping tags.
+          class Splat < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              def propagate propagation_node, preshift, target
+                tracked_inputs = []
+
+                propagation_node.sources.each do |source|
+                  case source
+                  when Contrast::Utils::ObjectShare::OBJECT_KEY
+                    tracked_inputs << preshift.object if preshift.object.cs__tracked?
+                  else
+                    arg = preshift.args[source]
+                    if arg.is_a?(String)
+                      tracked_inputs << arg if arg.cs__tracked?
+                    elsif Contrast::Utils::DuckUtils.quacks_like_tracked_hash?(arg)
+                      arg.each_pair do |key, value|
+                        tracked_inputs << key if tracked_value?(key)
+                        tracked_inputs << value if tracked_value?(value)
+                      end
+                    elsif Contrast::Utils::DuckUtils.quacks_like_tracked_enumerable?(arg)
+                      arg.each do |value|
+                        tracked_inputs << value if tracked_value?(value)
+                      end
+                    end
+                  end
+                end
+
+                splat_tags(tracked_inputs, target)
+                target.cs__properties.cleanup_tags
+              end
+
+              def splat_tags tracked_inputs, target
+                return if tracked_inputs.empty?
+
+                tracked_inputs.each do |input|
+                  unless input == target
+                    input.cs__properties.events.each do |event|
+                      target.cs__properties.events << event
+                    end
+                  end
+                  input.cs__splat_tags(target)
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -0,0 +1,49 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # This class is specifically for String#split & String#grapheme_clusters propagation
+          # it propagates tag ranges from a string to elements within an untracked array
+          class Split < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              def propagate propagation_node, preshift, target
+                source = find_source(propagation_node.sources[0], preshift)
+
+                separator_length = if propagation_node.method_name == :grapheme_clusters
+                                     # grapheme_clusters break the string apart based on each "user-perceived" character
+                                     0
+                                   else
+                                     # The default for String#split is to use a single whitespace
+                                     preshift&.args&.first&.to_s&.length || $FIELD_SEPARATOR&.to_s&.length || 1
+                                   end
+
+                current_index = 0
+
+                target.each do |elem|
+                  elem_length = elem.length
+                  range = Contrast::Agent::Assess::AdjustedSpan.new(current_index, current_index + elem_length)
+                  tags = source.cs__properties.tags_at_range(range)
+
+                  elem.cs__properties.clear_tags
+                  tags.each_pair do |key, value|
+                    elem.cs__properties.set_tags(key, value)
+                  end
+                  source.cs__properties.events.each do |event|
+                    elem.cs__properties.add_event(event)
+                  end
+                  elem.cs__properties.build_event(propagation_node, elem, preshift.object, target, preshift.args, 0)
+                  elem.cs__properties.add_properties(propagation_node.properties)
+                  current_index = current_index + elem_length + separator_length
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -0,0 +1,169 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # This class is specifically for String#(g)sub propagation
+          #
+          # Disclaimer: there may be a better way, but we're
+          # in a 'get it work' state. hopefully, we'll be in
+          # a 'get it right' state soon.
+          class Substitution
+            include Contrast::Components::Interface
+            access_component :logging
+
+            CAPTURE_GROUP_REGEXP = /\\[[:digit:]]/.cs__freeze
+            CAPTURE_NAME_REGEXP = /\\k<[[:alpha:]]/.cs__freeze
+
+            class << self
+              # gsub is hard. there are four versions of this method
+              # 1) pattern, replacement (my fav)
+              # 2) pattern, hash        (not bad)
+              # 3) pattern, block       (are you kidding me?)
+              # 4) pattern              (plz no)
+              #
+              # In addition, it requires things from $~ & $1-9, which
+              # are method scoped. Rather than fight that, we'll
+              # call gsub from C land using a CUSTOM patch.
+              def gsub_tagger patcher, preshift, ret, block
+                substitution_tagger(patcher, preshift, ret, !block.nil?)
+              end
+
+              def sub_tagger patcher, preshift, ret, block
+                substitution_tagger(patcher, preshift, ret, !block.nil?, false)
+              end
+
+              private
+
+              def substitution_tagger patcher, preshift, ret, block, global = true
+                return ret unless ret
+
+                begin
+                  source = preshift.object
+                  self_tracked = Contrast::Utils::DuckUtils.quacks_to?(source, :cs__tracked?) &&
+                      source.cs__tracked?
+                  args = preshift.args[1]
+                  incoming_tracked = args && determine_tracked(args)
+                  return ret unless self_tracked || incoming_tracked
+
+                  if block
+                    block_sub(self_tracked, source, ret)
+                  elsif args.is_a?(String)
+                    string_sub(self_tracked, preshift, ret, args, incoming_tracked, global)
+                  elsif args.is_a?(Hash)
+                    hash_sub(self_tracked, source, ret)
+                  else # Enumerator, only for gsub
+                    pattern_gsub(preshift, ret)
+                  end
+                  string_build_event(patcher, preshift, ret)
+                rescue StandardError => e
+                  logger.error('Unable to apply gsub propagator', e)
+                end
+                ret
+              end
+
+              def determine_tracked args
+                # if there's no arg, it can't be tracked
+                return false unless args
+
+                # if it's a string, just ask if it's tracked
+                if args.is_a?(String)
+                  Contrast::Utils::DuckUtils.quacks_to?(args, :cs__tracked?) && args.cs__tracked?
+                  # if it's a hash, ask if it has a tracked string
+                elsif args.is_a?(Hash)
+                  args.values.any? { |value| value.is_a?(String) && Contrast::Utils::DuckUtils.quacks_to?(value, :cs__tracked?) && value.cs__tracked? }
+                  # this should never happen
+                else
+                  false
+                end
+              end
+
+              def string_sub self_tracked, preshift, ret, incoming, incoming_tracked, global
+                pattern = preshift.args[0]
+                source = preshift.object
+
+                # We can't efficiently find the places that things were
+                # copied from regexp / captures. Trading accuracy for
+                # performance
+                if incoming.match?(CAPTURE_GROUP_REGEXP) || incoming.match?(CAPTURE_NAME_REGEXP)
+                  source.cs__splat_tags(ret) if self_tracked
+                  return
+                end
+
+                # if it's just a straight insert, that we can do
+                # Copy the tags from us to the return
+                ret.cs__copy_from(source)
+                # Figure out where inserts occurred
+                last_idx = 0
+                ranges = []
+                # For each insert, move the tag ranges
+                while last_idx
+                  idx = source.index(pattern, last_idx)
+                  break unless idx
+
+                  last_idx = idx ? idx + 1 : nil
+                  start_index = idx
+                  end_index = idx + incoming.length
+                  ranges << Contrast::Agent::Assess::AdjustedSpan.new(start_index, end_index)
+                  break unless global
+                end
+                ret.cs__properties.delete_tags_at_ranges(ranges)
+                ret.cs__properties.shift_tags(ranges)
+                return unless incoming_tracked
+
+                tags = incoming.cs__properties.tag_keys
+                ranges.each do |range|
+                  tags.each do |tag|
+                    ret.cs__properties.add_tag(tag, range)
+                  end
+                end
+              end
+
+              def block_sub self_tracked, source, ret
+                source.cs__splat_tags(ret) if self_tracked
+              end
+
+              def hash_sub self_tracked, source, ret
+                source.cs__splat_tags(ret) if self_tracked
+              end
+
+              def pattern_gsub preshift, ret
+                return unless ret
+
+                source = preshift.object
+                source.cs__properties.tag_keys.each do |key|
+                  span = Contrast::Agent::Assess::AdjustedSpan.new(0, 1)
+                  ret.cs__properties.add_tag(key, span)
+                end
+              end
+
+              def string_build_event patcher, preshift, ret
+                return unless Contrast::Utils::DuckUtils.quacks_to?(ret, :cs__tracked?) && ret.cs__tracked?
+
+                args = preshift.args
+                if args.length > 1
+                  arg = args[1]
+                  if Contrast::Utils::DuckUtils.quacks_to?(arg, :cs__properties)
+                    arg.cs__properties.events.each do |event|
+                      ret.cs__properties.events << event
+                    end
+                  end
+                end
+                ret.cs__properties.build_event(
+                    patcher,
+                    ret,
+                    preshift.object,
+                    ret,
+                    args,
+                    2)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end