contrast-agent 3.8.4

data/lib/contrast/agent/rewriter.rb

@@ -0,0 +1,244 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: false
+
+# intentional -- we're using a << operator here
+
+cs__scoped_require 'contrast/agent/class_reopener'
+cs__scoped_require 'contrast/agent/patching/policy/patch_status'
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/utils/ruby_ast_rewriter'
+
+module Contrast
+  module Agent
+    # Used for Ruby 2.4 & 2.5 to allow us to rewrite those methods which have
+    # interpolation in them.
+    # @deprecated Changes to this class are discouraged as this approach is
+    #   being phased out with support for those language versions.
+    class Rewriter
+      include Contrast::Components::Interface
+      access_component :logging, :scope
+
+      SELF_DEFINITION = 'def self.'.cs__freeze
+      DEFINITION = 'def '.cs__freeze
+
+      class << self
+        def rewrite_class module_data, redo_rewrite = false
+          mod = module_data.mod
+          return unless mod
+
+          status = Contrast::Agent::Patching::Policy::PatchStatus.get_status(mod)
+          return if (status.rewritten? || status.rewriting?) && !redo_rewrite
+
+          status.rewriting!
+
+          # default-initialize to nil within top-level method scope
+          # so that it's available w/in the `ensure` block
+          opener = nil
+          with_contrast_scope do
+            unless should_rewrite?(module_data)
+              status.no_rewrite!
+              return
+            end
+
+            opener = Contrast::Agent::ClassReopener.new(module_data)
+            if opener.nil? || (instance_methods.empty? && singleton_methods.empty?)
+              status.no_rewrite!
+              return
+            end
+
+            rewrite_all_methods(opener, mod, mod.public_instance_methods(false), :PUBLIC_INSTANCE)
+            rewrite_all_methods(opener, mod, mod.protected_instance_methods(false), :PROTECTED_INSTANCE)
+            rewrite_all_methods(opener, mod, mod.private_instance_methods(false), :PRIVATE_INSTANCE)
+            rewrite_all_methods(opener, mod, mod.singleton_methods(false), :SINGLETON)
+            status.rewritten!
+          end
+        rescue SyntaxError, StandardError => e
+          opener = nil
+          mod ||= module_data.mod
+          logger.debug(e, "Reopening #{ mod } threw a handled exception - skipping rewriting")
+          status ||= Contrast::Agent::Patching::Policy::PatchStatus.get_status(mod)
+          status.failed_rewrite!
+        ensure
+          with_contrast_scope do
+            opener&.commit_patches
+          end
+          logger.debug(
+              nil,
+              "Rewriting #{ module_data.name } resulted in #{ Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod).rewrite_status }")
+        end
+
+        private
+
+        def rewrite_all_methods opener, clazz, methods, type
+          methods.each do |method|
+            # Skip contrast woven methods.
+            # There should be a better way to do this
+            next if method.to_s.start_with?('cs__')
+
+            original_source_code = source_code(opener, clazz, method, type)
+            next if original_source_code.nil?
+            next if unrepeatable?(original_source_code)
+            next unless interpolations?(original_source_code)
+
+            replace_method_definition(opener, clazz, method, original_source_code, type)
+          end
+        end
+
+        def source_code opener, clazz, method_name, type
+          return unless method_exists?(clazz, method_name, type)
+
+          method_instance = method_instance(clazz, method_name, type)
+          return nil if method_instance.nil?
+
+          location = method_instance.source_location
+          return nil if location.nil?
+          return nil if location.empty? || location[0].empty? || location[0].include?('eval')
+          return nil if opener.written_from_location?(location)
+
+          opener.source_code(location, method_name)
+        rescue SyntaxError
+          logger.debug(nil, "SyntaxError: Can't parse method source from #{ clazz }##{ method_name }")
+        rescue StandardError => e
+          if defined?(MethodSource) && defined?(MethodSource::SourceNotFoundError)
+            logger.debug(nil, "SourceNotFoundError: Can't parse method source from #{ clazz }##{ method_name }")
+          else
+            logger.debug(e, "Method source lookup of #{ clazz }##{ method_name } failed")
+          end
+        end
+
+        def method_exists? clazz, method_name, type
+          case type
+          when :SINGLETON
+            clazz.cs__singleton_class.public_method_defined?(method_name)
+          when :PUBLIC_INSTANCE
+            clazz.public_method_defined?(method_name)
+          when :PROTECTED_INSTANCE
+            clazz.protected_method_defined?(method_name)
+          when :PRIVATE_INSTANCE
+            clazz.private_method_defined?(method_name)
+          end
+        end
+
+        def method_instance clazz, method_name, type
+          case type
+          when :SINGLETON
+            clazz.singleton_method(method_name)
+          else
+            clazz.instance_method(method_name)
+          end
+        end
+
+        def replace_method_definition opener, clazz, method, original_source_code, type
+          new_method_source = rewrite_method(original_source_code)
+          return unless valid_code?(new_method_source)
+
+          case type
+          when :SINGLETON
+            opener.public_singleton_methods << new_method_source
+          when :PUBLIC_INSTANCE
+            opener.public_instance_methods << new_method_source
+          when :PROTECTED_INSTANCE
+            opener.protected_instance_methods << new_method_source
+          when :PRIVATE_INSTANCE
+            opener.private_instance_methods << new_method_source
+          end
+        rescue StandardError => e
+          logger.debug(e, "Error in rewriter class_eval for of #{ clazz }##{ method }")
+        end
+
+        def rewrite_method original_source_code
+          new_code = rewrite(original_source_code)
+          new_code = remove_self_definition(new_code)
+          new_code
+        end
+
+        def rewrite source
+          @rewriter ||= Contrast::Utils::RubyAstRewriter.new
+          @rewriter.rewrite(source)
+        end
+
+        def remove_self_definition new_code
+          new_code.gsub(SELF_DEFINITION, DEFINITION)
+        end
+
+        # attempt to generate an AST for the rewritten code, if one can be generated we can assume it is at least valid ruby
+        # if it returns nil that means that the AST was unable to build due to an error and we should use the original source code
+        def valid_code? new_content
+          !Ripper.sexp(new_content).nil?
+        end
+
+        def interpolations? method_source
+          method_source.match?(/^.*".*#(\$\w+|@\w+|@@\w+|\{.*\}).*".*$/)
+        end
+
+        # These functions cannot be repeated -- when doing replace things, we
+        # should comment these lines out.
+        # cannot repeat class foo <
+        #                         bar
+        UNREPEATABLE_FUNCTIONS = /(^|\s)(class\s*\W.*<|included(\s+do|\s*{))/.cs__freeze
+
+        # these methods dynamically create functions. replacing them in rails
+        # resulted in a lot of undefined_ errors. i know we'll have to figure
+        # out how to support them, but baby steps
+        UNREPEATABLE_ACCESSOR_FUNCTIONS =
+          /(^|\s)((cattr_accessor|cattr_reader|cattr_writer|attr_reader|attr_writer|attr_accessor|mattr_accessor|mattr_reader|mattr_writer|public) )/.cs__freeze
+        # evals are scary and terrify me. we shouldn't rewrite them if we don't
+        # have to
+        POTENTIALLY_UNREPEATABLE_FUNCTIONS =
+          /(class_eval|instance_eval|method_eval|eval|module_eval|define_method|define_method_attribute|require_dependency|instance_predicate)/.cs__freeze
+        # Binding a Constant, ie starting with ::, affects the lookup of that
+        # Constant. Since we're effectively moving the file in which it would
+        # be declared, we cannot repeat this lookup, so we cannot replace this
+        # file
+        BOUND_CONSTANTS = /(^|\s)::\w/.cs__freeze
+
+        DISABLE_FUNCTIONS_REGEXP = /(^|\s)((undef|include|extend|alias|alias_method|require|require_relative|send) )/.cs__freeze
+        def unrepeatable? original_source_code
+          (original_source_code.index('__dir__') ||
+            original_source_code.index('File.dirname') ||
+            original_source_code.index('__FILE__') ||
+            original_source_code.match?(UNREPEATABLE_FUNCTIONS) ||
+            original_source_code.match?(UNREPEATABLE_ACCESSOR_FUNCTIONS) ||
+            original_source_code.match?(POTENTIALLY_UNREPEATABLE_FUNCTIONS) ||
+            original_source_code.match?(BOUND_CONSTANTS) ||
+            original_source_code.match?(DISABLE_FUNCTIONS_REGEXP))
+        end
+
+        UNTOUCHABLE_MODULES = %w[
+          AbstractController
+          ActionCable ActionController ActionDispatch ActionMailer ActionPack ActionView
+          ActiveModel ActiveRecord ActiveSupport
+          Brakeman
+          Contrast
+          Debase
+          Debugger
+          Erubis
+          GraphQL
+          NewRelic
+          Pry
+          Puma
+          PhusionPassenger
+          Rails::Application Rails::Engine Rails::Railtie
+          Rake
+          RSpec
+          Warden
+          WEBrick
+        ].cs__freeze
+        def should_rewrite? module_data
+          clazz = module_data.mod
+          name = module_data.name
+          return false unless clazz
+
+          # Name can be nil for anonymous modules. We won't work on them.
+          return false unless name
+          return false if name == Contrast::Utils::ObjectShare::CLASS
+          return false if name == Contrast::Utils::ObjectShare::MODULE
+
+          # We've ran into issues rewriting these Modules. Ideally, we'll solve
+          # the issues and this check will go away
+          UNTOUCHABLE_MODULES.none? { |untouchable| name.include?(untouchable) }
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/scope.rb

@@ -0,0 +1,28 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+# Scope lets us disable Contrast for certain code calls. We need to do this so
+# that we don't propagate through our own code.
+#
+# Think logging: If you have
+# something like "The source was '" + source + "'", and source is tracked,
+# you'll trigger propagation with the + method. This in turn would cause
+# propagation if you log there "The target ''" + target + "' was propagated'"
+# Which would then cause another propagation with the '+' method, forever.
+#
+# Instead, we should say "If I'm already doing Contrast things, don't track
+# this"
+#
+# NOTE: DO NOT DO ANYTHING IN THIS CLASS THAT COULD RESULT IN A MONKEY PATCHED
+# ACTION. WE CAN'T ENTER SCOPE BEFORE WE HAVE A SCOPE! YOU HAVE BEEN WARNED!!!
+module Contrast
+  module Agent
+    class Scope
+      # At first, all scopes are 0, meaning we're not in Contrast land
+      # NOTE: DO NOT DO ANYTHING IN THIS CLASS THAT COULD RESULT IN A MONKEY
+      # PATCHED ACTION. WE CAN'T ENTER SCOPE BEFORE WE HAVE A SCOPE! YOU HAVE
+      # BEEN WARNED!!! (again)
+    end
+  end
+end
+cs__scoped_require 'cs__scope/cs__scope'

data/lib/contrast/agent/service_heartbeat.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    # The ServiceHeartbeat functions to keep the Contrast Service alive and
+    # ensure that it maintains this Agent's ApplicationContext.
+    class ServiceHeartbeat
+      include Contrast::Components::Interface
+      access_component :contrast_service, :logging
+
+      # Spec recommends 30 seconds, we're going with 15.
+      REFRESH_INTERVAL_SEC = 15
+
+      def updater_thread
+        @_updater_thread ||= Contrast::Agent::Thread.new do
+          logger.debug(nil, 'Starting heartbeat thread.')
+          loop do
+            begin
+              logger.debug(nil, 'Sending Heartbeat...')
+              # TODO: RUBY-672: Change noop to poll messages
+              CONTRAST_SERVICE.queue_message(Contrast::Api::Dtm::Noop.new)
+            end
+            sleep REFRESH_INTERVAL_SEC
+          end
+        end
+      end
+      alias_method :start, :updater_thread
+
+      def stop
+        Thread.kill(@_updater_thread) if @_updater_thread&.alive?
+      end
+    end
+  end
+end

data/lib/contrast/agent/settings_state.rb

@@ -0,0 +1,148 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'securerandom'
+cs__scoped_require 'set'
+
+cs__scoped_require 'contrast/utils/assess/sampling_util'
+cs__scoped_require 'contrast/utils/assess/tracking_util'
+cs__scoped_require 'contrast/utils/environment_util'
+cs__scoped_require 'contrast/utils/env_configuration_item'
+cs__scoped_require 'contrast/utils/gemfile_reader'
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/utils/performs_logging'
+cs__scoped_require 'contrast/utils/string_utils'
+cs__scoped_require 'contrast/agent/reaction_processor'
+cs__scoped_require 'contrast/agent/require_state'
+cs__scoped_require 'contrast/agent/assess/policy/patcher'
+cs__scoped_require 'contrast/agent/patching/policy/patcher'
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    # This class functions as a way to query the Agent for its current
+    # configuration without having to expose other sections of code to the
+    # decision tree needed to make that determination.
+    # It should not be accessed directly, but should instead be inherited from
+    #
+    # @abstract Use the methods in FeatureState to access this data
+    class SettingsState
+      include Contrast::Utils::PerformsLogging
+      include Contrast::Components::Interface
+
+      INVALID_CONFIG = '!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!'
+
+      access_component :agent, :analysis, :settings, :config, :contrast_service
+
+      MODE_WHITELIST = %i[NO_ACTION BLOCK_AT_PERIMETER MONITOR BLOCK].cs__freeze
+
+      # These are components.
+      attr_accessor :last_update,
+                    :log_file,
+                    :log_level
+
+      # These represent process-level attributes,
+      # not directly related to Contrast function itself.
+      attr_reader :pid,
+                  :ppid
+
+      def initialize
+        @instrumentation_mutex = Mutex.new
+        @instrumented_packages = {}
+
+        # Last we heard from the Contrast Service
+        @last_update = nil
+
+        # keep track of which process instantiated this instance
+        @pid  = Process.pid.to_i
+        @ppid = Process.ppid.to_i
+
+        init_log_queueing
+
+        check_config
+
+        flush_log_queues
+      end
+
+      def check_config
+        SETTINGS.reset_state
+
+        if CONFIG.invalid?
+          AGENT.disable!
+          self.class.log_error(INVALID_CONFIG)
+          abort_log_queues
+          elseif CONFIG.disabled?
+          AGENT.disable!
+          self.class.log_warn(LOG_CONFIGURATION_DISABLED)
+        else
+          AGENT.enable!
+        end
+      end
+
+      # workaround to mixed use of class/instance
+      def self.logger
+        instance.logger
+      end
+
+      def logger
+        logger_manager.current
+      end
+
+      def logger_manager
+        (@_logger_manager ||= Contrast::Agent::LoggerManager.new.tap(&:update))
+      end
+
+      def assess_rule name
+        ASSESS.rule name
+      end
+
+      def instrument package
+        return if @instrumented_packages[package] # double check is intentional
+
+        @instrumentation_mutex.synchronize do
+          return if @instrumented_packages[package]
+
+          @instrumented_packages[package] = true
+        end
+
+        self.class.debug_with_time("instrumenting #{ package }") do
+          cs__scoped_require(package)
+        end
+      rescue LoadError, StandardError => e
+        @instrumented_packages[package] = false
+        self.class.log_error("[e.class: #{ e.class }] unable to instrument: #{ package }", e)
+      end
+
+      def protect_rule name
+        PROTECT.rule name
+      end
+
+      def send_inventory_message
+        return unless INVENTORY.enabled?
+
+        msg = Contrast::Api::Dtm::ApplicationUpdate.new
+        msg.platform = Contrast::Api::Dtm::Platform.new
+        msg.platform.major, msg.platform.minor, msg.platform.build = *Contrast::Utils::EnvironmentUtil.platform
+
+        Contrast::Utils::EnvironmentUtil.add_library_to_app_update(msg, protobuf_format(CONFIG.root.inventory.tags))
+        Contrast::Utils::EnvironmentUtil.scan_views(msg)
+        Contrast::Utils::EnvironmentUtil.scan_routes(msg)
+        Contrast::Utils::InventoryUtil.append_db_config(msg)
+
+        CONTRAST_SERVICE.queue_message msg
+      end
+
+      def present? str
+        Contrast::Utils::EnvironmentUtil.present?(str)
+      end
+
+      # CONTRAST-35326, move this responsibility toward the protobuf object
+      def protobuf_format param, truncate: true
+        param = param&.to_s
+        param = Contrast::Utils::StringUtils.force_utf8(param)
+        param = Contrast::Utils::StringUtils.truncate(param) if truncate
+        param
+      end
+    end
+  end
+end