contrast-agent 3.8.4

data/lib/contrast/agent/patching/policy/patch_status.rb

@@ -0,0 +1,192 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/core_extensions/object'
+
+module Contrast
+  module Agent
+    module Patching
+      module Policy
+        # This indicates the status of the Module into which Contrast is being
+        # woven
+        class PatchStatus
+          class << self
+            # Gives the current status for the provided module, setting one if
+            # one does not exist.
+            #
+            # @param mod [Module] the Module for which the status is asked
+            # @return [Contrast::Agent::Patching::Policy::PolicyStatus]
+            def get_status mod
+              if mod.cs__const_defined?(status_key, false)
+                mod.cs__const_get(status_key, false)
+              else
+                s = new
+                mod.cs__const_set(status_key, s)
+                s
+              end
+            end
+
+            # Allows our C patches to look up the :MethodPolicy for a given
+            # Module and method
+            #
+            # @param mod [Module or Class] the entity on which the patch has
+            #   been placed
+            # @param method [Symbol] the name of the method to which the patch
+            #   applies
+            # @param is_instance_method [Boolean] is the method being patched
+            #   an instance method or not (not implying class method).
+            # @return [Contrast::Agent::Patching::Policy::MethodPolicy]
+            def info_for mod, method, is_instance_method
+              mod = mod.cs__class unless mod.cs__is_a?(Module)
+              method_key = method_name_key(method, is_instance_method)
+              # Ideally, we'll get to a point where this is all that is needed
+              ret = find_info_for_one(mod, method_key)
+              return ret if ret
+
+              # But to start, the lookup will be on the ancestor, not the
+              # calling class. We need to traverse the ancestors, included
+              # modules, and Module itself the first time a method is called in
+              # a given class. Then we save that lookup to the class
+              ret = find_info_for(mod.ancestors, method_key)
+              ret ||= find_info_for(mod.cs__singleton_class.included_modules, method_key)
+              ret ||= find_info_for(MOD_ARRAY, method_key)
+              update_holder(mod, method_key, ret) if ret
+              ret
+            end
+
+            # Allows our C patches to set the :MethodPolicy for a given
+            # Module and method
+            #
+            # @param mod [Module or Class] the entity on which the patch will
+            #   be placed
+            # @param method [Symbol] the name of the method to which the patch
+            #   applies
+            # @param method_policy [:MethodPolicy] the policy that applies to
+            #   the given mod & method
+            # @param is_instance_method [Boolean] is the method being patched
+            #   an instance method or not (not implying class method).
+            # @param cs_method [Symbol] the name to which the original method
+            #   was aliased, cached for performance reasons
+            def set_info_for mod, method, method_policy, is_instance_method, cs_method
+              mod.instance_variable_set(method_info_key, {}) unless mod.instance_variable_defined?(method_info_key)
+              holder = mod.instance_variable_get(method_info_key)
+              holder[method_name_key(method, is_instance_method)] = [method_policy, cs_method] unless holder.key?(method)
+            end
+
+            private
+
+            def method_info_key
+              :@cs__patched_method_info
+            end
+
+            # holder for each method - instance combination we've seen, done to
+            # avoid rebuilding the key on every method invocation.
+            def translated_names
+              @_translated_names ||= {}
+            end
+
+            # @param method [Symbol] the name of the method to which the patch
+            #   applies
+            # @param is_instance_method [Boolean] is the method being patched
+            #   an instance method or not (not implying class method).
+            # @return [Symbol] :"method[true|false]"
+            def method_name_key method, is_instance_method
+              translated_names[method] = [] unless translated_names.key?(method)
+              pre_built = translated_names[method]
+              idx = is_instance_method ? 0 : 1
+              pre_built[idx] = :"#{ method }#{ is_instance_method }" unless pre_built[idx]
+              pre_built[idx]
+            end
+
+            def status_key
+              :CONTRAST_PATCH_POLICY_STATUS
+            end
+
+            def update_holder mod, method, ret
+              mod.instance_variable_set(method_info_key, {}) unless mod.instance_variable_defined?(method_info_key)
+              holder = mod.instance_variable_get(method_info_key)
+              holder[method] = ret
+            end
+
+            def find_info_for candidates, method
+              candidates.each do |candidate|
+                new_ret = find_info_for_one(candidate, method)
+                return new_ret if new_ret
+              end
+              nil
+            end
+
+            def find_info_for_one mod, method
+              return unless mod.instance_variable_defined?(method_info_key)
+
+              holder = mod.instance_variable_get(method_info_key)
+              return unless holder&.key?(method)
+
+              holder[method]
+            end
+
+            MOD_ARRAY = [Module].cs__freeze
+          end
+
+          attr_reader :patch_status, :rewrite_status
+
+          def patching!
+            @patch_status = :PATCHING
+          end
+
+          def partial_patch!
+            @patch_status = :PARTIAL
+          end
+
+          def no_patch!
+            @patch_status = :NONE
+          end
+
+          def patched!
+            @patch_status = :PATCHED
+          end
+
+          def failed_patch!
+            @patch_status = :FAILED
+          end
+
+          def patching?
+            @patch_status == :PATCHING
+          end
+
+          def patched?
+            @patch_status == :PATCHED ||
+                @patch_status == :NONE ||
+                @patch_status == :FAILED
+          end
+
+          def rewriting!
+            @rewrite_status = :REWRITING
+          end
+
+          def no_rewrite!
+            @rewrite_status = :NO_REWRITE
+          end
+
+          def rewritten!
+            @rewrite_status = :REWRITTEN
+          end
+
+          def failed_rewrite!
+            @rewrite_status = :FAILED_REWRITE
+          end
+
+          def rewriting?
+            @rewrite_status == :REWRITING
+          end
+
+          def rewritten?
+            @rewrite_status == :REWRITTEN ||
+                @rewrite_status == :NO_REWRITE ||
+                @rewrite_status == :FAILED_REWRITE
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -0,0 +1,310 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'monitor'
+
+# base
+cs__scoped_require 'contrast/agent/patching/policy/patch_status'
+cs__scoped_require 'contrast/agent/patching/policy/method_policy'
+cs__scoped_require 'contrast/agent/patching/policy/module_policy'
+cs__scoped_require 'contrast/agent/patching/policy/policy_unpatcher'
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/utils/class_util'
+cs__scoped_require 'contrast/utils/scope_util'
+
+# assess
+cs__scoped_require 'contrast/agent/assess/policy/policy'
+cs__scoped_require 'contrast/agent/assess/policy/policy_scanner'
+cs__scoped_require 'contrast/agent/assess/policy/rewriter_patch'
+cs__scoped_require 'contrast/agent/assess/policy/source_method'
+cs__scoped_require 'contrast/agent/assess/policy/trigger_method'
+
+# deadzone
+cs__scoped_require 'contrast/agent/deadzone/policy/policy'
+
+# inventory
+cs__scoped_require 'contrast/agent/inventory/policy/policy'
+
+# protect
+cs__scoped_require 'contrast/agent/protect/policy/policy'
+
+# patch
+cs__scoped_require 'contrast/agent/patching/policy/patch'
+
+# after load patched
+cs__scoped_require 'contrast/agent/patching/policy/after_load_patcher'
+
+module Contrast
+  module Agent
+    module Patching
+      module Policy
+        # This is how we patch into our customer's code. It provides a way to
+        # track which classes we need to patch into and, once we've woven,
+        # provides a map for which methods our renamed functions need to call
+        # and how.
+        module Patcher
+          extend Contrast::Utils::ScopeUtil
+          extend Contrast::Agent::Patching::Policy::AfterLoadPatcher
+
+          include Contrast::Components::Interface
+          access_component :logging, :analysis, :agent, :scope
+
+          class << self
+            # Hook to install the Contrast changes needed to allow for the
+            # instrumentation of the application - this only occurs once, during
+            # startup to catchup on everything we didn't see get loaded
+            def patch
+              logger.debug_with_time("\tPatching") do
+                catchup_after_load_patches
+                patch_methods
+                Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations
+                Contrast::Agent::Patching::Policy::PolicyUnpatcher.revert_conflicting_patches
+              end
+            end
+
+            # Hook to only monkeypatch Contrast. This will not trigger any
+            # other functions, like rewriting or scanning. Exposed for those
+            # situations, like ActiveRecord dynamically defining functions,
+            # where only a subset of the Assess changes are needed.
+            PATCH_MONITOR = Monitor.new
+
+            def patch_methods
+              PATCH_MONITOR.synchronize do
+                t = Contrast::Agent::Thread.new do
+                  synchronized_patch_methods
+                end
+                # aborting on exception makes exceptions propagate.
+                t.abort_on_exception = true
+                t.priority = Thread.current.priority + 1
+                t.join
+              end
+            end
+
+            # This method is called by TracePointHook to instrument a specific class during a require
+            # or eval of dynamic class definition
+            def patch_specific_module mod
+              mod_name = mod.cs__name
+              return unless Module.cs__truly_defined?(mod_name)
+
+              load_patches_for_module(mod_name)
+
+              return unless all_module_names.any? { |name| name == mod_name }
+
+              module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
+              patch_into_module(module_data)
+              all_module_names.delete(mod_name) if status_type.get_status(mod).patched?
+            rescue StandardError => e
+              logger.error("Unable to patch into #{ mod_name }", e)
+            end
+
+            # We did it, team. We found a patcher(s) that applies to the given
+            # class (or module) and the given method. Time to do some tracking.
+            #
+            # @param mod [Module] the module in which the patch should be
+            #   placed.
+            # @param methods [Array(Symbol)] all the instance or singleton
+            #   methods in this clazz.
+            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+            #   the policy that applies to the given method_name.
+            # @return [Boolean] if patched, either by this invocation or a
+            #   previous, or not
+            def patch_method mod, methods, method_policy
+              return false unless methods&.any? # don't even build the name if there are no methods
+
+              if Contrast::Utils::ClassUtil.prepended_method?(mod, method_policy)
+                Contrast::Agent::Patching::Policy::Patch.instrument_with_prepend(mod, method_policy)
+              else
+                Contrast::Agent::Patching::Policy::Patch.instrument_with_alias(mod, methods, method_policy)
+              end
+            end
+
+            private
+
+            POLICIES = [
+              Contrast::Agent::Assess::Policy::Policy,
+              Contrast::Agent::Inventory::Policy::Policy,
+              Contrast::Agent::Protect::Policy::Policy,
+              Contrast::Agent::Deadzone::Policy::Policy
+            ].cs__freeze
+
+            def status_type
+              Contrast::Agent::Patching::Policy::PatchStatus
+            end
+
+            # Find, and return, the constant with the given name. If none
+            # exists, return nil.
+            #
+            # @param name [String] the constant whose value should be retrieved
+            # @return [Object, nil]
+            def patchable name
+              return unless Module.cs__truly_defined?(name)
+
+              Module.cs__const_get(name)
+            end
+
+            # @return [Array<String>] the names of all the Modules for which
+            #   there patches in our policies
+            def all_module_names
+              @_all_module_names ||= POLICIES.each_with_object(Set.new) { |policy, set| set.merge(policy.instance.module_names) }
+            end
+
+            # Hook to only monkeypatch Contrast. This will not trigger any
+            # other functions, like rewriting or scanning. This method should
+            # only be invoked by the patch_methods method above in order to
+            # ensure it is wrapped in a synchronize call
+            def synchronized_patch_methods
+              # logger.trace_with_time("\t\tRunning patching") do # TODO: RUBY-547
+              patched = []
+              all_module_names.each do |patchable_name|
+                patchable_mod = patchable(patchable_name)
+                next unless patchable_mod
+
+                module_data = Contrast::Agent::ModuleData.new(patchable_mod, patchable_name)
+                patch_into_module(module_data)
+                patched << patchable_name if status_type.get_status(patchable_mod).patched?
+              end
+              all_module_names.subtract(patched)
+              # end
+            end
+
+            # Given the patchers that apply to this class that may apply, patch
+            # Contrast method calls into the methods for which we have rules.
+            #
+            # @param module_data [Contrast::Agent::ModuleData] the module, and
+            #   its name, that's being patched into
+            # @param redo_patch [Boolean] a trigger to force patching
+            #   regardless of the state of the
+            #   Contrast::Agent::Patching::Policy::PatchStatus status on the
+            #   Module
+            def patch_into_module module_data, redo_patch = false
+              status = status_type.get_status(module_data.mod)
+              return if (status&.patched? || status&.patching?) && !redo_patch
+
+              # Begin patching our sources into the given clazz (or module)
+              # Any patcher that has the name of the clazz will be evaluated for
+              # patching.
+              # Find all the patchers that apply to this class, sorted by type.
+              module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.create_module_policy(module_data.name)
+
+              clazz = module_data.mod
+
+              status = status_type.get_status(clazz)
+              return if (status.patched? || status.patching?) && !redo_patch
+
+              status.patching!
+              patched = include_module(module_data)
+
+              counts = 0
+              # Monkey patch any methods in this class that have matching nodes in the policy
+              unless module_policy.empty?
+                instance_methods = all_instance_methods(clazz, true)
+                singleton_methods = clazz.singleton_methods(false)
+                counts += patch_into_methods(clazz, instance_methods, module_policy, true)
+                counts += patch_into_methods(clazz, singleton_methods, module_policy, false)
+                counts = module_policy.num_expected_patches if adjust_for_prepend(clazz)
+                patched = true
+              end
+
+              if patched
+                if module_policy.num_expected_patches == counts
+                  status.patched!
+                else
+                  status.partial_patch!
+                end
+              else
+                status.no_patch!
+              end
+            rescue StandardError => e
+              status ||= status_type.get_status(module_data.mod)
+              status.failed_patch!
+              logger.warn(e, "Unable to patch into #{ module_data.name }")
+            ensure
+              logger.debug(nil, "Patching #{ module_data.name } resulted in #{ status_type.get_status(module_data.mod).patch_status }")
+            end
+
+            # Includes the given module with the
+            # Contrast::CoreExtensions::Assess::AssessExtension
+            # @param module_data [Contrast::Agent::ModuleData] the module, and
+            #   its name, that's being patched into
+            def include_module module_data
+              return false unless Contrast::Agent::Assess::Policy::Policy.instance.tracked_classes.include?(module_data.name)
+
+              module_data.mod.send(:include, Contrast::CoreExtensions::Assess::AssessExtension)
+              true
+            end
+
+            # Get all of the instance methods on the given module, excluding
+            # those from super classes. this list will always include the
+            # initialize method
+            #
+            # @param mod [Module] The module from which to retrieve instance
+            #   methods.
+            # @param private [Boolean] Indicate if the query should include
+            #   private, as well as public, instance methods
+            # @return [Array<Symbol>]
+            def all_instance_methods mod, private = false
+              instance_methods = mod.instance_methods(false)
+              # C magic rb_define_global_function creates private instance
+              # methods. We need to instrument those dudes
+              # https://www.thecodingforums.com/threads/object-private_instance_methods-kernel-singleton_methods.843013/
+              instance_methods.concat(mod.private_instance_methods(false)) if private
+              # initialize is an exception to the inheritance rule.
+              instance_methods << :initialize unless instance_methods.include?(:initialize)
+              instance_methods
+            end
+
+            # We've found the patchers that apply to this class (or module). Now we'll
+            # filter on the given method.
+            #
+            # @param mod [Module] The module from which to retrieve instance
+            #   methods.
+            # @param methods [Array<Symbol>] The names of all the methods in
+            #   in this module
+            # @param module_policy [Contrast::Agent::Patching::Policy::ModulePolicy]
+            #   All the patchers that apply to this class, sorted by type.
+            # @param is_instance_method [Boolean] Indicates if these methods
+            #   are the instance or singleton methods for this module.
+            # @return [Integer] number of methods patched
+            def patch_into_methods mod, methods, module_policy, is_instance_method
+              count = 0
+              methods.each do |method|
+                method_policy = Contrast::Agent::Patching::Policy::MethodPolicy.build_method_policy(method, module_policy, is_instance_method)
+                next if method_policy.empty?
+
+                patched = patch_method(mod, methods, method_policy)
+                count += 1 if patched
+              end
+              count
+            end
+
+            # CGI falls pray to the weirdness that is the history of a
+            # previously included Module being prepended - the class that has
+            # already included the Module does not learn about the prepend and
+            # it has to be reapplied.
+            # TODO: RUBY-620 should remove the need for this
+            #
+            # @param mod[Module] the Module for which a prepend action needs to
+            #   be accounted
+            # @return [Boolean] if an adjustment was made or not
+            def adjust_for_prepend mod
+              return false unless mod.cs__name == 'CGI::Util'
+
+              CGI.include(CGI::Util)
+              CGI.extend(CGI::Util)
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+# core extensions
+cs__scoped_require 'contrast/core_extensions/module'
+cs__scoped_require 'contrast/core_extensions/assess'
+cs__scoped_require 'contrast/core_extensions/inventory'
+cs__scoped_require 'contrast/core_extensions/protect'
+cs__scoped_require 'contrast/core_extensions/protect/kernel'
+
+cs__scoped_require 'cs__contrast_patch/cs__contrast_patch'