contrast-agent 3.8.4

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -0,0 +1,81 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # This class is specifically for String#tr(_s) propagation
+          #
+          # Disclaimer: there may be a better way, but we're
+          # in a 'get it work' state. hopefully, we'll be in
+          # a 'get it right' state soon.
+          class Trim
+            class << self
+              def tr_tagger patcher, preshift, ret, _block
+                return ret unless ret && !ret.empty?
+
+                source = preshift.object
+                args = preshift.args
+                ret.cs__copy_from(source)
+                replace_string = args[1]
+                source_chars = source.chars
+                # if the replace string is empty, then there's a bunch of deletes. this
+                # functions the same as the Removal propagation.
+                if replace_string == Contrast::Utils::ObjectShare::EMPTY_STRING
+                  Contrast::Agent::Assess::Policy::Propagator::Remove.handle_removal(source_chars, ret)
+                else
+                  remove_ranges = []
+                  ret_chars = ret.chars
+                  curr_span = nil
+                  source_chars.each_with_index do |char, idx|
+                    if ret_chars[idx] == char
+                      next unless curr_span
+
+                      curr_span.stop = idx
+                      remove_ranges << curr_span
+                      curr_span = nil
+                    else
+                      curr_span ||= Contrast::Agent::Assess::AdjustedSpan.new(idx)
+                    end
+                  end
+                  # account for the last char being different
+                  if curr_span
+                    curr_span.stop = source_chars.length
+                    remove_ranges << curr_span
+                  end
+                  ret.cs__properties.delete_tags_at_ranges(remove_ranges, false)
+                end
+
+                ret.cs__properties.build_event(
+                    patcher,
+                    ret,
+                    source,
+                    ret,
+                    args,
+                    1)
+                ret
+              end
+
+              def tr_s_tagger patcher, preshift, ret, _block
+                return unless ret && !ret.empty?
+
+                source = preshift.object
+                args = preshift.args
+                source.cs__splat_tags(ret)
+                ret.cs__properties.build_event(
+                    patcher,
+                    ret,
+                    source,
+                    ret,
+                    args)
+                ret
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/rewriter_patch.rb

@@ -0,0 +1,79 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/agent/patching/policy/patch_status'
+cs__scoped_require 'contrast/agent/module_data'
+cs__scoped_require 'contrast/agent/rewriter'
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        # This is our interface from the Patcher to the Rewriter
+        # functionality
+        #
+        # TODO: RUBY-534 remove w/ EOL of 2.5
+        module RewriterPatch
+          include Contrast::Components::Interface
+          access_component :agent, :analysis, :logging
+
+          class << self
+            def rewrite_interpolations
+              return unless ASSESS.enabled?
+              return unless AGENT.rewrite_interpolation?
+
+              logger.debug_with_time("\t\tRunning Assess interpolation rewrite") do
+                ObjectSpace.each_object(Module) do |mod|
+                  rewrite_interpolation(mod)
+                end
+              end
+            end
+
+            # Rails is being a jerk, again. It passes in a class before it is
+            # done being defined. There is a state where the files have been
+            # loaded, but the class definition is not complete, so the
+            # methods of the class are not defined despite the class existing
+            #
+            # To get around this, we have those methods tell us the class
+            # isn't ready
+            def mid_defining? mod
+              mod.instance_variable_defined?(:@cs__defining_class) &&
+                  mod.instance_variable_get(:@cs__defining_class)
+            end
+
+            def rewrite_interpolation mod, redo_rewrite = false
+              return unless ASSESS.enabled?
+              return unless AGENT.rewrite_interpolation?
+              return unless AGENT.interpolation_enabled?
+              return if mod.cs__frozen?
+              return if mod.singleton_class?
+              return if mid_defining?(mod)
+
+              status = Contrast::Agent::Patching::Policy::PatchStatus.get_status(mod)
+              return if (status&.rewritten? || status&.rewriting?) && !redo_rewrite
+
+              module_name = mod.cs__name
+              return unless module_name
+
+              if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START, Contrast::Utils::ObjectShare::ANONYMOUS_CLASS_MARKER)
+                status.no_rewrite!
+                return
+
+              end
+              module_data = Contrast::Agent::ModuleData.new(mod, module_name)
+              logger.debug_with_time("\t\t\tRewriting #{ module_name }") do
+                Contrast::Agent::Rewriter.rewrite_class(module_data, redo_rewrite)
+              end
+            rescue StandardError => e
+              logger.error(
+                  e,
+                  "Unable to patch assess into the module #{ mod }")
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -0,0 +1,209 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+# This class is responsible for the origination of traces. A Source is any method
+# that returns an untrusted value. In general, these sources are request methods
+# as the request object is user controlled.
+#
+# Going forward, we may add in Dynamic sources (determined at runtime) based on
+# database configs or other variables (used for Stored XSS or other persisted
+# vulnerability detection rules)
+cs__scoped_require 'set'
+
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/utils/sha256_builder'
+cs__scoped_require 'contrast/agent/assess/adjusted_span'
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        # This class controls the actions we take on Sources, as determined by
+        # our Assess policy. It indicates what actions we should take in order
+        # to mark data as User Input and treat it as untrusted, starting the
+        # dataflows used in Assess vulnerability detection.
+        module SourceMethod
+          include Contrast::Components::Interface
+          access_component :logging, :analysis
+
+          def self.determine_target source_node, object, ret, args
+            source_target = source_node.targets[0]
+            case source_target
+            when Contrast::Utils::ObjectShare::RETURN_KEY
+              ret
+            when Contrast::Utils::ObjectShare::OBJECT_KEY
+              object
+            else
+              if source_target.is_a?(Integer)
+                args[source_target]
+                # If this isn't an index param, it's a named one. R.I.P.
+              else
+                arg = nil
+                args.each do |search|
+                  next unless search.is_a?(Hash)
+
+                  arg = search[source_target]
+                  break if arg
+                end
+                arg
+              end
+            end
+          end
+
+          # This is called from within our woven proc. It will be called as if it
+          # were inline in the Rack application.
+          def self.source_patchers method_policy, object, ret, args
+            return if method_policy.source_node.nil?
+
+            current_context = Contrast::Agent::REQUEST_TRACKER.current
+            return unless current_context&.analyze_request? && ASSESS.enabled?
+
+            replaced_return = nil
+            source_node = method_policy.source_node
+
+            target = determine_target(source_node, object, ret, args)
+
+            # We don't propagate to frozen things that haven't been tracked
+            # before. By definition, something that is a source has not
+            # previously been tracked; therefore, we can break out early.
+            if target.cs__frozen?
+              # That being said, we don't have enough context to know if we
+              # can make this assumption and still function, so we'll allow for
+              # source tracking of frozen things by a common config setting.
+              #
+              # Rails' StrongParameters make a case for this to be default
+              # behavior
+              return replaced_return unless ASSESS.track_frozen_sources?
+
+              # If we're tracking the frozen target, we need to unfreeze
+              # (dup) it to track and then freeze that result. For
+              # simplicities sake, we ONLY do this if the return is the
+              # target (I don't want to have to deal with unfreezing self)
+              return replaced_return unless source_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+              restore_frozen_state = true
+              ret = Contrast::Utils::FreezeUtil.unfreeze_dup(ret)
+              target = ret
+            end
+
+            SourceMethod.cs__apply_source(current_context, source_node, target, object, ret, *args)
+
+            ret.cs__freeze if restore_frozen_state
+            ret
+          end
+
+          # This is our method that actually taints the object our source_node
+          # targets.
+          def self.cs__apply_source context, source_node, target, object, ret, *args
+            return unless context
+
+            source_node_source = source_node.sources[0]
+            source_name = case source_node_source
+                          when nil
+                            nil
+                          when Contrast::Utils::ObjectShare::RETURN_KEY
+                            ret
+                          when Contrast::Utils::ObjectShare::OBJECT_KEY
+                            self
+                          else
+                            args[source_node_source]
+                          end
+            _cs__apply_source context, source_node, target, object, ret, source_node.type, source_name, 0, *args
+          end
+
+          # I lied above. We had to figure out what the target of the source was.
+          # Now that we know, we'll actually tag it.
+          def self._cs__apply_source context, source_node, target, object, ret, source_type, source_name = nil, invoked = 0, *args
+            return unless context && source_node && target
+
+            # We know we only work on certain things.
+            # Skip if this isn't one of them
+            if Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
+
+              # don't apply second source -- probably needs tuning later if we
+              # use more than 'UNTRUSTED' in our sources
+              return if target.cs__tracked? || target.cs__frozen?
+
+              # otherwise for each tag this source_node applies, create a tag range
+              # on the target object
+              # I realize this looping is counter-intuitive from the above
+              # message, that's why we're revisiting.
+              source_node.tags.each do |tag|
+                length = Contrast::Utils::StringUtils.ret_length(target)
+                target.cs__properties.add_tag(tag, Contrast::Agent::Assess::AdjustedSpan.new(0, length))
+                target.cs__properties.add_properties(source_node.properties)
+                logger.debug(nil, "Source #{ source_node.id } detected: #{ target.__id__ } tagged with #{ tag }")
+              end
+
+              # make a representation of this method that TeamServer can render
+              target.cs__properties.build_event(source_node, target, object, ret, args, invoked, source_type, source_name)
+
+              # While we don't taint hashes themselves, we may taint the things
+              # they hold. Let's pass their keys and values back to ourselves and
+              # try again
+            elsif Contrast::Utils::DuckUtils.quacks_like_tracked_hash?(target)
+              source_key_type = invoked.zero? ? key_type(source_type) : source_type
+              invoked += 1
+              to_replace = []
+              target.each_pair do |key, value|
+                # We only do this for Strings b/c of the way Hash lookup works.
+                # To replace another object would break hash lookup and,
+                # therefore, the application
+                if ASSESS.track_frozen_sources? &&
+                      key.is_a?(String) &&
+                      Contrast::Utils::DuckUtils.quacks_to?(target, :delete)
+                  key = Contrast::Utils::FreezeUtil.unfreeze_dup(key)
+                  to_replace << key
+                end
+                _cs__apply_source(context, source_node, key, object, ret, source_key_type, key, invoked, *args)
+                _cs__apply_source(context, source_node, value, object, ret, source_type, key, invoked, *args)
+              end
+
+              # Hash is designed to keep one instance of the string key in it.
+              # We need to remove the existing one and replace it with our new
+              # tracked one.
+              to_replace.each do |key|
+                key.cs__freeze
+                value = target[key]
+                target.delete(key)
+                target[key] = value
+              end
+              # While we don't taint arrays themselves, we may taint the things
+              # they hold. Let's pass their keys and values back to ourselves and
+              # try again
+            elsif Contrast::Utils::DuckUtils.quacks_like_tracked_enumerable?(target)
+              invoked += 1
+              target.each { |value| _cs__apply_source(context, source_node, value, object, ret, source_type, source_name, invoked, *args) }
+            end
+          rescue StandardError => e
+            logger.warn(e, "Unable to apply source for source_node #{ source_node.id }")
+          end
+
+          # Silly helper method so that TeamServer can properly mark up
+          # the source of this trace, if this source ends up in a trigger
+          PARAMETER_TYPE     = 'PARAMETER'
+          PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
+          HEADER_TYPE        = 'HEADER'
+          HEADER_KEY_TYPE    = 'HEADER_KEY'
+          COOKIE_TYPE        = 'COOKIE'
+          COOKIE_KEY_TYPE    = 'COOKIE_KEY'
+
+          def self.key_type source_type
+            case source_type
+            when PARAMETER_TYPE
+              PARAMETER_KEY_TYPE
+            when HEADER_TYPE
+              HEADER_KEY_TYPE
+            when COOKIE_TYPE
+              COOKIE_KEY_TYPE
+            else
+              source_type
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/source_node.rb

@@ -0,0 +1,62 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        # This class functions to translate our policy.json into an actionable
+        # Ruby object, allowing for dynamic patching over hardcoded patching,
+        # specifically for those methods which result in the source of
+        # untrusted data (indicate points in the application where user
+        # controlled input is accessed).
+        class SourceNode < PolicyNode
+          attr_accessor :type
+
+          DB_SOURCE_TYPE = 'TAINTED_DATABASE'
+          def self.build_dynamic_source _id, dynamic_source
+            dynamic_source_hash = {
+                JSON_CLASS_NAME => dynamic_source.class_name,
+                JSON_METHOD_NAME => dynamic_source.method_name,
+                JSON_INSTANCE_METHOD => dynamic_source.instance_method,
+                JSON_TYPE => DB_SOURCE_TYPE,
+                JSON_METHOD_VISIBILITY => 'public',
+                JSON_TARGET => dynamic_source.target,
+                JSON_PROPERTIES => dynamic_source.properties
+            }
+            Contrast::Agent::Assess::Policy::SourceNode.new(dynamic_source_hash)
+          end
+
+          JSON_TYPE = 'type'
+          JSON_SOURCE_NAME = 'source_name'
+          SOURCE_TAG = 'UNTRUSTED'
+          def initialize source_hash = {}
+            super(source_hash)
+            @type = source_hash[JSON_TYPE]
+            @tags << SOURCE_TAG
+          end
+
+          SOURCE = 'Source'
+          def node_class
+            SOURCE
+          end
+
+          # This is confusing. Sources are Creation action but
+          # Propagation type. Oh and also Type refers to input type,
+          # like parameter, so we have to call this node_type. :-/
+          def node_type
+            :TYPE_PROPAGATION
+          end
+
+          # Standard validation + TS trace version two rules:
+          # Must have source and type
+          def validate
+            super
+            raise(ArgumentError, "Source #{ id } did not have a proper target. Unable to create.") unless targets&.any?
+            raise(ArgumentError, "Source #{ id } did not have a proper type. Unable to create.") unless type
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -0,0 +1,209 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/utils/sha256_builder'
+cs__scoped_require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        # A trigger method is one which can perform a dangerous action, as
+        # described by the Contrast::Agent::Assess::Policy::TriggerNode class.
+        # Each such method will call to this module just after invocation in
+        # order to determine if the call was done safely. In those cases where
+        # it was not, a Finding report is issued to the Service
+        module TriggerMethod
+          include Contrast::Components::Interface
+          access_component :logging, :analysis
+
+          # The level of TeamServer compliance our traces meet
+          CURRENT_FINDING_VERSION = 2
+
+          def self.settings
+            Contrast::Agent::FeatureState.instance
+          end
+
+          def self.apply_trigger_rule trigger_node, object, ret, args
+            return if trigger_node.nil?
+
+            current_context = Contrast::Agent::REQUEST_TRACKER.current
+            return unless current_context&.analyze_request? && ASSESS.enabled?
+
+            if trigger_node.sources&.any?
+              trigger_node.sources.each do |marker|
+                source = determine_source(marker, object, ret, args)
+                TriggerMethod.cs__apply_trigger(current_context,
+                                                trigger_node,
+                                                source,
+                                                object,
+                                                ret,
+                                                1,
+                                                *args)
+              end
+            else
+              TriggerMethod.cs__apply_trigger(current_context,
+                                              trigger_node,
+                                              nil,
+                                              object,
+                                              ret,
+                                              1,
+                                              *args)
+            end
+          end
+
+          def self.cs__apply_trigger context, trigger_node, source, object, ret, invoked, *args
+            return unless context && trigger_node
+            return if trigger_node.rule_disabled?
+            return if trigger_node.dataflow? && source.nil?
+
+            invoked += 1
+            if trigger_node.regexp_rule?
+              apply_regexp_rule(context, trigger_node, source, object, ret, invoked, *args)
+            elsif trigger_node.custom_trigger?
+              trigger_node.apply_custom_trigger(context, trigger_node, source, object, ret, invoked, *args)
+            elsif trigger_node.dataflow?
+              apply_dataflow_rule(context, trigger_node, source, object, ret, invoked, *args)
+            else # trigger rule - just calling the method is dangerous
+              build_finding(context, trigger_node, source, object, ret, invoked, *args)
+            end
+          rescue StandardError => e
+            logger.warn(e, 'Unable to apply trigger.')
+          end
+
+          # Given the marker from the trigger_node (the pointer indicating the entity
+          # from which the taint originated), return the entity on which this
+          # trigger needs to operate.
+          #
+          # In an effort to speed up this lookup, we've changed the marker for
+          # parameters to be implicit - if it is not a return or an object, it
+          # must be a parameter, which we can reference either by index or by
+          # name.
+          def self.determine_source marker, object, ret, args
+            case marker
+            when Contrast::Utils::ObjectShare::RETURN_KEY
+              ret
+            when Contrast::Utils::ObjectShare::OBJECT_KEY
+              object
+            else # 'P'
+              if marker.is_a?(Integer)
+                args[marker]
+              else
+                arg = nil
+                args.each do |search|
+                  next unless search.is_a?(Hash)
+
+                  arg = search[marker]
+                  break if arg
+                end
+                arg
+              end
+            end
+          end
+
+          def self.apply_regexp_rule context, trigger_node, source, object, ret, invoked, *args
+            return unless source.is_a?(String)
+            return if trigger_node.good_value && source.match?(trigger_node.good_value)
+            return if trigger_node.bad_value && source !~ trigger_node.bad_value
+
+            invoked += 1
+            build_finding(context, trigger_node, source, object, ret, invoked, *args)
+          end
+
+          def self.apply_dataflow_rule context, trigger_node, source, object, ret, invoked, *args
+            return unless source
+
+            invoked += 1
+            if Contrast::Utils::DuckUtils.quacks_to?(source, :cs__properties)
+              return unless source.cs__tracked?
+              return unless trigger_node.violated?(source)
+
+              build_finding(context, trigger_node, source, object, ret, invoked, *args)
+            elsif Contrast::Utils::DuckUtils.quacks_like_tracked_hash?(source)
+              invoked += 2 # the each & the block
+              source.each_pair do |key, value|
+                apply_dataflow_rule(context, trigger_node, key, object, ret, invoked, *args)
+                apply_dataflow_rule(context, trigger_node, value, object, ret, invoked, *args)
+              end
+            elsif Contrast::Utils::DuckUtils.quacks_like_tracked_enumerable?(source)
+              invoked += 2 # the each & the block
+              source.each do |value|
+                apply_dataflow_rule(context, trigger_node, value, object, ret, invoked, *args)
+              end
+            else
+              logger.warn(
+                  nil,
+                  "Target is a #{ source.cs__class.name } -- not sure how to inspect: #{ trigger_node.inspect }")
+              logger.debug(nil, source.to_s[0..99])
+            end
+          end
+
+          def self.build_finding context, trigger_node, source, object, ret, invoked, *args
+            return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
+
+            request = context.request
+            env = request.env
+            return if defined?(ActionController::Live) &&
+                env &&
+                env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live)
+
+            finding = Contrast::Api::Dtm::Finding.new
+            finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
+            finding.session_id = Contrast::Agent::FeatureState.instance.current_session_id
+            finding.version = CURRENT_FINDING_VERSION
+
+            build_from_source(finding, source)
+            trigger_event = Contrast::Agent::Assess::ContrastEvent.new(trigger_node, source, object, ret, args, invoked + 1).to_dtm_event
+            finding.events << trigger_event
+            build_hash(finding, source)
+            build_tags(context)
+            finding.routes << context.route if context.route
+            context.activity.findings << finding
+            logger.debug(nil, "Trigger #{ trigger_node.id } detected: #{ source.__id__ } triggered #{ trigger_node.rule_id }")
+          rescue StandardError => e
+            logger.error(e, "Unable to build a finding for #{ trigger_node.id }")
+          end
+
+          def self.build_from_source finding, source
+            return unless source
+            return unless Contrast::Utils::DuckUtils.quacks_to?(
+                source,
+                :cs__properties)
+            return unless source.cs__properties
+
+            # events could technically be nil, but we would have failed
+            # the rule check before getting here. not worth the nil check
+            source.cs__properties.events.each do |event|
+              finding.events << event.to_dtm_event
+            end
+
+            # Google::Protobuf::Map doesn't support merge!, so we have to do this
+            # long form
+            source_props = source.cs__properties.properties
+            return unless source_props
+
+            source_props.each_pair do |key, value|
+              key = Contrast::Utils::StringUtils.force_utf8(key)
+              finding.properties[key] = Contrast::Utils::StringUtils.force_utf8(value)
+            end
+          end
+
+          def self.build_hash finding, source
+            hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source)
+            finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
+            finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
+          end
+
+          def self.build_tags context
+            return unless ASSESS.tags
+
+            context.activity.finding_tags = Contrast::Utils::StringUtils.force_utf8(ASSESS.tags)
+          end
+        end
+      end
+    end
+  end
+end