RubyGems - contrast-agent - Versions diffs - 3.8.4 - Mend

contrast-agent 3.8.4

Files changed (500) hide show

checksums.yaml +7 -0
data/.clang-format +5 -0
data/.dockerignore +10 -0
data/.gitignore +58 -0
data/.gitmodules +6 -0
data/.rspec +6 -0
data/.simplecov +4 -0
data/Gemfile +7 -0
data/LICENSE.txt +12 -0
data/Rakefile +15 -0
data/exe/contrast_service +29 -0
data/ext/build_funchook.rb +48 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.c +47 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.h +10 -0
data/ext/cs__assess_active_record_named/extconf.rb +2 -0
data/ext/cs__assess_array/cs__assess_array.c +38 -0
data/ext/cs__assess_array/cs__assess_array.h +9 -0
data/ext/cs__assess_array/extconf.rb +2 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +50 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +17 -0
data/ext/cs__assess_basic_object/extconf.rb +2 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +86 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +34 -0
data/ext/cs__assess_fiber_track/extconf.rb +2 -0
data/ext/cs__assess_hash/cs__assess_hash.c +64 -0
data/ext/cs__assess_hash/cs__assess_hash.h +24 -0
data/ext/cs__assess_hash/extconf.rb +2 -0
data/ext/cs__assess_kernel/cs__assess_kernel.c +36 -0
data/ext/cs__assess_kernel/cs__assess_kernel.h +10 -0
data/ext/cs__assess_kernel/extconf.rb +2 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +47 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +18 -0
data/ext/cs__assess_marshal_module/extconf.rb +2 -0
data/ext/cs__assess_module/cs__assess_module.c +78 -0
data/ext/cs__assess_module/cs__assess_module.h +25 -0
data/ext/cs__assess_module/extconf.rb +2 -0
data/ext/cs__assess_regexp/cs__assess_regexp.c +48 -0
data/ext/cs__assess_regexp/cs__assess_regexp.h +22 -0
data/ext/cs__assess_regexp/extconf.rb +2 -0
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +63 -0
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +29 -0
data/ext/cs__assess_regexp_track/extconf.rb +2 -0
data/ext/cs__assess_string/cs__assess_string.c +38 -0
data/ext/cs__assess_string/cs__assess_string.h +19 -0
data/ext/cs__assess_string/extconf.rb +2 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +31 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +13 -0
data/ext/cs__assess_string_interpolation26/extconf.rb +2 -0
data/ext/cs__common/cs__common.c +60 -0
data/ext/cs__common/cs__common.h +28 -0
data/ext/cs__common/extconf.rb +20 -0
data/ext/cs__contrast_patch/cs__contrast_patch.c +445 -0
data/ext/cs__contrast_patch/cs__contrast_patch.h +196 -0
data/ext/cs__contrast_patch/extconf.rb +2 -0
data/ext/cs__protect_kernel/cs__protect_kernel.c +37 -0
data/ext/cs__protect_kernel/cs__protect_kernel.h +11 -0
data/ext/cs__protect_kernel/extconf.rb +2 -0
data/ext/cs__scope/cs__scope.c +96 -0
data/ext/cs__scope/cs__scope.h +33 -0
data/ext/cs__scope/extconf.rb +2 -0
data/ext/extconf_common.rb +49 -0
data/funchook/LICENSE +360 -0
data/funchook/Makefile +29 -0
data/funchook/Makefile.in +29 -0
data/funchook/README.md +121 -0
data/funchook/appveyor.yml +42 -0
data/funchook/autogen.sh +3 -0
data/funchook/autom4te.cache/output.0 +4976 -0
data/funchook/autom4te.cache/requests +78 -0
data/funchook/autom4te.cache/traces.0 +364 -0
data/funchook/config.guess +1530 -0
data/funchook/config.log +490 -0
data/funchook/config.status +1016 -0
data/funchook/config.sub +1773 -0
data/funchook/configure +4976 -0
data/funchook/configure.ac +59 -0
data/funchook/distorm/COPYING +26 -0
data/funchook/distorm/MANIFEST +25 -0
data/funchook/distorm/MANIFEST.in +4 -0
data/funchook/distorm/README.md +12 -0
data/funchook/distorm/disOps/disOps.py +795 -0
data/funchook/distorm/disOps/x86db.py +404 -0
data/funchook/distorm/disOps/x86header.py +247 -0
data/funchook/distorm/disOps/x86sets.py +1664 -0
data/funchook/distorm/examples/cs/TestdiStorm/Program.cs +79 -0
data/funchook/distorm/examples/cs/TestdiStorm/Properties/AssemblyInfo.cs +36 -0
data/funchook/distorm/examples/cs/TestdiStorm/TestdiStorm.csproj +69 -0
data/funchook/distorm/examples/cs/distorm-net.sln +26 -0
data/funchook/distorm/examples/cs/distorm-net/CodeInfo.cs +23 -0
data/funchook/distorm/examples/cs/distorm-net/DecodedInst.cs +15 -0
data/funchook/distorm/examples/cs/distorm-net/DecodedResult.cs +14 -0
data/funchook/distorm/examples/cs/distorm-net/DecomposedInst.cs +36 -0
data/funchook/distorm/examples/cs/distorm-net/DecomposedResult.cs +14 -0
data/funchook/distorm/examples/cs/distorm-net/Opcodes.cs +1268 -0
data/funchook/distorm/examples/cs/distorm-net/Opcodes.tt +37 -0
data/funchook/distorm/examples/cs/distorm-net/Operand.cs +25 -0
data/funchook/distorm/examples/cs/distorm-net/Properties/AssemblyInfo.cs +36 -0
data/funchook/distorm/examples/cs/distorm-net/diStorm3.cs +411 -0
data/funchook/distorm/examples/cs/distorm-net/distorm-net.csproj +80 -0
data/funchook/distorm/examples/cs/readme +3 -0
data/funchook/distorm/examples/ddk/README +48 -0
data/funchook/distorm/examples/ddk/distorm.ini +11 -0
data/funchook/distorm/examples/ddk/dummy.c +15 -0
data/funchook/distorm/examples/ddk/main.c +91 -0
data/funchook/distorm/examples/ddk/makefile +1 -0
data/funchook/distorm/examples/ddk/sources +10 -0
data/funchook/distorm/examples/java/Makefile +23 -0
data/funchook/distorm/examples/java/distorm/src/Main.java +43 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/CodeInfo.java +27 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedInst.java +32 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedResult.java +11 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedInst.java +89 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedResult.java +11 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/OpcodeEnum.java +131 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/Opcodes.java +1123 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/Operand.java +24 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/distorm3.java +41 -0
data/funchook/distorm/examples/java/jdistorm.c +405 -0
data/funchook/distorm/examples/java/jdistorm.h +40 -0
data/funchook/distorm/examples/java/jdistorm.sln +20 -0
data/funchook/distorm/examples/java/jdistorm.vcproj +208 -0
data/funchook/distorm/examples/linux/Makefile +15 -0
data/funchook/distorm/examples/linux/main.c +181 -0
data/funchook/distorm/examples/tests/Makefile +15 -0
data/funchook/distorm/examples/tests/main.cpp +42 -0
data/funchook/distorm/examples/tests/main.py +66 -0
data/funchook/distorm/examples/tests/test_distorm3.py +1672 -0
data/funchook/distorm/examples/tests/tests.sln +20 -0
data/funchook/distorm/examples/tests/tests.vcxproj +82 -0
data/funchook/distorm/examples/tests/tests.vcxproj.filters +22 -0
data/funchook/distorm/examples/win32/disasm.sln +25 -0
data/funchook/distorm/examples/win32/disasm.vcxproj +201 -0
data/funchook/distorm/examples/win32/disasm.vcxproj.filters +14 -0
data/funchook/distorm/examples/win32/main.cpp +163 -0
data/funchook/distorm/include/distorm.h +482 -0
data/funchook/distorm/include/mnemonics.h +301 -0
data/funchook/distorm/make/linux/Makefile +28 -0
data/funchook/distorm/make/mac/Makefile +24 -0
data/funchook/distorm/make/win32/cdistorm.vcxproj +239 -0
data/funchook/distorm/make/win32/cdistorm.vcxproj.filters +80 -0
data/funchook/distorm/make/win32/distorm.sln +25 -0
data/funchook/distorm/make/win32/resource.h +14 -0
data/funchook/distorm/make/win32/resource.rc +99 -0
data/funchook/distorm/python/distorm3/__init__.py +957 -0
data/funchook/distorm/python/distorm3/sample.py +51 -0
data/funchook/distorm/setup.cfg +10 -0
data/funchook/distorm/setup.py +266 -0
data/funchook/distorm/src/config.h +169 -0
data/funchook/distorm/src/decoder.c +641 -0
data/funchook/distorm/src/decoder.h +33 -0
data/funchook/distorm/src/distorm.c +413 -0
data/funchook/distorm/src/instructions.c +597 -0
data/funchook/distorm/src/instructions.h +463 -0
data/funchook/distorm/src/insts.c +7939 -0
data/funchook/distorm/src/insts.h +64 -0
data/funchook/distorm/src/mnemonics.c +284 -0
data/funchook/distorm/src/operands.c +1290 -0
data/funchook/distorm/src/operands.h +28 -0
data/funchook/distorm/src/prefix.c +368 -0
data/funchook/distorm/src/prefix.h +64 -0
data/funchook/distorm/src/textdefs.c +172 -0
data/funchook/distorm/src/textdefs.h +57 -0
data/funchook/distorm/src/wstring.c +47 -0
data/funchook/distorm/src/wstring.h +35 -0
data/funchook/distorm/src/x86defs.h +82 -0
data/funchook/include/funchook.h +123 -0
data/funchook/install-sh +527 -0
data/funchook/src/Makefile +70 -0
data/funchook/src/Makefile.in +70 -0
data/funchook/src/__strerror.h +109 -0
data/funchook/src/config.h +101 -0
data/funchook/src/config.h.in +100 -0
data/funchook/src/decoder.o +0 -0
data/funchook/src/distorm.o +0 -0
data/funchook/src/funchook.c +440 -0
data/funchook/src/funchook.o +0 -0
data/funchook/src/funchook_internal.h +155 -0
data/funchook/src/funchook_io.c +182 -0
data/funchook/src/funchook_io.h +64 -0
data/funchook/src/funchook_io.o +0 -0
data/funchook/src/funchook_syscall.S +134 -0
data/funchook/src/funchook_syscall.o +0 -0
data/funchook/src/funchook_unix.c +480 -0
data/funchook/src/funchook_unix.o +0 -0
data/funchook/src/funchook_windows.c +397 -0
data/funchook/src/funchook_x86.c +622 -0
data/funchook/src/funchook_x86.o +0 -0
data/funchook/src/instructions.o +0 -0
data/funchook/src/insts.o +0 -0
data/funchook/src/libfunchook.so +0 -0
data/funchook/src/mnemonics.o +0 -0
data/funchook/src/operands.o +0 -0
data/funchook/src/os_func.c +115 -0
data/funchook/src/os_func.h +75 -0
data/funchook/src/os_func.o +0 -0
data/funchook/src/os_func_unix.c +94 -0
data/funchook/src/os_func_unix.o +0 -0
data/funchook/src/os_func_windows.c +32 -0
data/funchook/src/prefix.o +0 -0
data/funchook/src/printf_base.c +1688 -0
data/funchook/src/printf_base.h +46 -0
data/funchook/src/printf_base.o +0 -0
data/funchook/src/textdefs.o +0 -0
data/funchook/src/wstring.o +0 -0
data/funchook/test/Makefile +43 -0
data/funchook/test/Makefile.in +43 -0
data/funchook/test/funchook_test +0 -0
data/funchook/test/libfunchook_test.c +25 -0
data/funchook/test/libfunchook_test.so +0 -0
data/funchook/test/libfunchook_test2.c +18 -0
data/funchook/test/suffix.list +600 -0
data/funchook/test/test_main.c +430 -0
data/funchook/test/test_main.o +0 -0
data/funchook/test/x86_64_test.S +10 -0
data/funchook/test/x86_64_test.o +0 -0
data/funchook/test/x86_test.S +339 -0
data/funchook/win32/config.h +1 -0
data/funchook/win32/funchook.sln +52 -0
data/funchook/win32/funchook.vcxproj +188 -0
data/funchook/win32/funchook.vcxproj.filters +84 -0
data/funchook/win32/funchook_test.vcxproj +170 -0
data/funchook/win32/funchook_test.vcxproj.filters +22 -0
data/funchook/win32/funchook_test_dll.vcxproj +184 -0
data/funchook/win32/funchook_test_dll.vcxproj.filters +30 -0
data/funchook/win32/funchook_test_exe.def +3 -0
data/lib/contrast-agent.rb +8 -0
data/lib/contrast.rb +57 -0
data/lib/contrast/agent.rb +80 -0
data/lib/contrast/agent/assess.rb +45 -0
data/lib/contrast/agent/assess/adjusted_span.rb +25 -0
data/lib/contrast/agent/assess/class_reverter.rb +82 -0
data/lib/contrast/agent/assess/contrast_event.rb +398 -0
data/lib/contrast/agent/assess/frozen_properties.rb +41 -0
data/lib/contrast/agent/assess/insulator.rb +53 -0
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +78 -0
data/lib/contrast/agent/assess/policy/patcher.rb +85 -0
data/lib/contrast/agent/assess/policy/policy.rb +116 -0
data/lib/contrast/agent/assess/policy/policy_node.rb +289 -0
data/lib/contrast/agent/assess/policy/policy_scanner.rb +44 -0
data/lib/contrast/agent/assess/policy/preshift.rb +94 -0
data/lib/contrast/agent/assess/policy/propagation_method.rb +260 -0
data/lib/contrast/agent/assess/policy/propagation_node.rb +127 -0
data/lib/contrast/agent/assess/policy/propagator.rb +35 -0
data/lib/contrast/agent/assess/policy/propagator/append.rb +54 -0
data/lib/contrast/agent/assess/policy/propagator/base.rb +37 -0
data/lib/contrast/agent/assess/policy/propagator/center.rb +73 -0
data/lib/contrast/agent/assess/policy/propagator/custom.rb +36 -0
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +62 -0
data/lib/contrast/agent/assess/policy/propagator/insert.rb +55 -0
data/lib/contrast/agent/assess/policy/propagator/keep.rb +26 -0
data/lib/contrast/agent/assess/policy/propagator/next.rb +42 -0
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +50 -0
data/lib/contrast/agent/assess/policy/propagator/remove.rb +76 -0
data/lib/contrast/agent/assess/policy/propagator/replace.rb +27 -0
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +38 -0
data/lib/contrast/agent/assess/policy/propagator/select.rb +86 -0
data/lib/contrast/agent/assess/policy/propagator/splat.rb +60 -0
data/lib/contrast/agent/assess/policy/propagator/split.rb +49 -0
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +169 -0
data/lib/contrast/agent/assess/policy/propagator/trim.rb +81 -0
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +79 -0
data/lib/contrast/agent/assess/policy/source_method.rb +209 -0
data/lib/contrast/agent/assess/policy/source_node.rb +62 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +209 -0
data/lib/contrast/agent/assess/policy/trigger_node.rb +198 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +77 -0
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +31 -0
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +40 -0
data/lib/contrast/agent/assess/properties.rb +392 -0
data/lib/contrast/agent/assess/rule.rb +18 -0
data/lib/contrast/agent/assess/rule/base.rb +72 -0
data/lib/contrast/agent/assess/rule/csrf.rb +66 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +28 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +69 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +132 -0
data/lib/contrast/agent/assess/rule/provider.rb +21 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +62 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +73 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +121 -0
data/lib/contrast/agent/assess/rule/redos.rb +68 -0
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +47 -0
data/lib/contrast/agent/assess/rule/response_watcher.rb +36 -0
data/lib/contrast/agent/assess/rule/watcher.rb +36 -0
data/lib/contrast/agent/assess/tag.rb +151 -0
data/lib/contrast/agent/at_exit_hook.rb +33 -0
data/lib/contrast/agent/class_reopener.rb +195 -0
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +26 -0
data/lib/contrast/agent/deadzone/policy/policy.rb +57 -0
data/lib/contrast/agent/disable_reaction.rb +24 -0
data/lib/contrast/agent/exclusion_matcher.rb +190 -0
data/lib/contrast/agent/feature_state.rb +379 -0
data/lib/contrast/agent/inventory/policy/policy.rb +32 -0
data/lib/contrast/agent/inventory/policy/trigger_node.rb +22 -0
data/lib/contrast/agent/logger_manager.rb +116 -0
data/lib/contrast/agent/middleware.rb +352 -0
data/lib/contrast/agent/module_data.rb +16 -0
data/lib/contrast/agent/patching/policy/after_load_patch.rb +37 -0
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +58 -0
data/lib/contrast/agent/patching/policy/method_policy.rb +94 -0
data/lib/contrast/agent/patching/policy/module_policy.rb +116 -0
data/lib/contrast/agent/patching/policy/patch.rb +312 -0
data/lib/contrast/agent/patching/policy/patch_status.rb +192 -0
data/lib/contrast/agent/patching/policy/patcher.rb +310 -0
data/lib/contrast/agent/patching/policy/policy.rb +138 -0
data/lib/contrast/agent/patching/policy/policy_node.rb +80 -0
data/lib/contrast/agent/patching/policy/policy_unpatcher.rb +28 -0
data/lib/contrast/agent/patching/policy/trigger_node.rb +81 -0
data/lib/contrast/agent/protect/policy/policy.rb +37 -0
data/lib/contrast/agent/protect/policy/trigger_node.rb +23 -0
data/lib/contrast/agent/protect/rule.rb +58 -0
data/lib/contrast/agent/protect/rule/base.rb +300 -0
data/lib/contrast/agent/protect/rule/base_service.rb +88 -0
data/lib/contrast/agent/protect/rule/cmd_injection.rb +156 -0
data/lib/contrast/agent/protect/rule/csrf.rb +118 -0
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +103 -0
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +85 -0
data/lib/contrast/agent/protect/rule/default_scanner.rb +300 -0
data/lib/contrast/agent/protect/rule/deserialization.rb +193 -0
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +80 -0
data/lib/contrast/agent/protect/rule/no_sqli.rb +101 -0
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +40 -0
data/lib/contrast/agent/protect/rule/path_traversal.rb +143 -0
data/lib/contrast/agent/protect/rule/sqli.rb +101 -0
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +16 -0
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +38 -0
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +22 -0
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +19 -0
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +20 -0
data/lib/contrast/agent/protect/rule/xss.rb +24 -0
data/lib/contrast/agent/protect/rule/xxe.rb +120 -0
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +82 -0
data/lib/contrast/agent/railtie.rb +30 -0
data/lib/contrast/agent/reaction_processor.rb +47 -0
data/lib/contrast/agent/request.rb +493 -0
data/lib/contrast/agent/request_context.rb +225 -0
data/lib/contrast/agent/require_state.rb +61 -0
data/lib/contrast/agent/response.rb +215 -0
data/lib/contrast/agent/rewriter.rb +244 -0
data/lib/contrast/agent/scope.rb +28 -0
data/lib/contrast/agent/service_heartbeat.rb +37 -0
data/lib/contrast/agent/settings_state.rb +148 -0
data/lib/contrast/agent/socket_client.rb +125 -0
data/lib/contrast/agent/thread.rb +26 -0
data/lib/contrast/agent/tracepoint_hook.rb +51 -0
data/lib/contrast/agent/version.rb +8 -0
data/lib/contrast/api.rb +17 -0
data/lib/contrast/api/.gitkeep +0 -0
data/lib/contrast/api/connection_status.rb +49 -0
data/lib/contrast/api/socket.rb +43 -0
data/lib/contrast/api/speedracer.rb +206 -0
data/lib/contrast/api/tcp_socket.rb +31 -0
data/lib/contrast/api/unix_socket.rb +25 -0
data/lib/contrast/common_agent_configuration.rb +86 -0
data/lib/contrast/components/agent.rb +85 -0
data/lib/contrast/components/app_context.rb +188 -0
data/lib/contrast/components/assess.rb +67 -0
data/lib/contrast/components/config.rb +135 -0
data/lib/contrast/components/contrast_service.rb +113 -0
data/lib/contrast/components/heap_dump.rb +34 -0
data/lib/contrast/components/interface.rb +178 -0
data/lib/contrast/components/inventory.rb +23 -0
data/lib/contrast/components/logger.rb +92 -0
data/lib/contrast/components/protect.rb +38 -0
data/lib/contrast/components/sampling.rb +41 -0
data/lib/contrast/components/scope.rb +106 -0
data/lib/contrast/components/settings.rb +140 -0
data/lib/contrast/config.rb +33 -0
data/lib/contrast/config/agent_configuration.rb +24 -0
data/lib/contrast/config/application_configuration.rb +27 -0
data/lib/contrast/config/assess_configuration.rb +22 -0
data/lib/contrast/config/assess_rules_configuration.rb +18 -0
data/lib/contrast/config/base_configuration.rb +105 -0
data/lib/contrast/config/default_value.rb +16 -0
data/lib/contrast/config/exception_configuration.rb +21 -0
data/lib/contrast/config/heap_dump_configuration.rb +23 -0
data/lib/contrast/config/inventory_configuration.rb +20 -0
data/lib/contrast/config/logger_configuration.rb +20 -0
data/lib/contrast/config/protect_configuration.rb +20 -0
data/lib/contrast/config/protect_rule_configuration.rb +37 -0
data/lib/contrast/config/protect_rules_configuration.rb +30 -0
data/lib/contrast/config/root_configuration.rb +26 -0
data/lib/contrast/config/ruby_configuration.rb +39 -0
data/lib/contrast/config/sampling_configuration.rb +22 -0
data/lib/contrast/config/server_configuration.rb +23 -0
data/lib/contrast/config/service_configuration.rb +22 -0
data/lib/contrast/configuration.rb +214 -0
data/lib/contrast/core_extensions/assess.rb +51 -0
data/lib/contrast/core_extensions/assess/array.rb +58 -0
data/lib/contrast/core_extensions/assess/assess_extension.rb +145 -0
data/lib/contrast/core_extensions/assess/basic_object.rb +15 -0
data/lib/contrast/core_extensions/assess/erb.rb +42 -0
data/lib/contrast/core_extensions/assess/exec_trigger.rb +48 -0
data/lib/contrast/core_extensions/assess/fiber.rb +125 -0
data/lib/contrast/core_extensions/assess/hash.rb +22 -0
data/lib/contrast/core_extensions/assess/kernel.rb +95 -0
data/lib/contrast/core_extensions/assess/module.rb +14 -0
data/lib/contrast/core_extensions/assess/regexp.rb +206 -0
data/lib/contrast/core_extensions/assess/string.rb +75 -0
data/lib/contrast/core_extensions/assess/tilt_template_trigger.rb +73 -0
data/lib/contrast/core_extensions/delegator.rb +14 -0
data/lib/contrast/core_extensions/eval_trigger.rb +52 -0
data/lib/contrast/core_extensions/inventory.rb +22 -0
data/lib/contrast/core_extensions/inventory/datastores.rb +37 -0
data/lib/contrast/core_extensions/module.rb +42 -0
data/lib/contrast/core_extensions/object.rb +27 -0
data/lib/contrast/core_extensions/protect.rb +20 -0
data/lib/contrast/core_extensions/protect/applies_command_injection_rule.rb +70 -0
data/lib/contrast/core_extensions/protect/applies_deserialization_rule.rb +58 -0
data/lib/contrast/core_extensions/protect/applies_no_sqli_rule.rb +81 -0
data/lib/contrast/core_extensions/protect/applies_path_traversal_rule.rb +119 -0
data/lib/contrast/core_extensions/protect/applies_sqli_rule.rb +63 -0
data/lib/contrast/core_extensions/protect/applies_xxe_rule.rb +141 -0
data/lib/contrast/core_extensions/protect/kernel.rb +30 -0
data/lib/contrast/core_extensions/protect/psych.rb +7 -0
data/lib/contrast/core_extensions/thread.rb +31 -0
data/lib/contrast/internal_exception.rb +8 -0
data/lib/contrast/rails_extensions/assess/action_controller_inheritance.rb +48 -0
data/lib/contrast/rails_extensions/assess/active_record.rb +32 -0
data/lib/contrast/rails_extensions/assess/active_record_named.rb +61 -0
data/lib/contrast/rails_extensions/assess/configuration.rb +26 -0
data/lib/contrast/rails_extensions/buffer.rb +30 -0
data/lib/contrast/rails_extensions/rack.rb +45 -0
data/lib/contrast/security_exception.rb +14 -0
data/lib/contrast/sinatra_extensions/assess/cookie.rb +26 -0
data/lib/contrast/sinatra_extensions/inventory/sinatra_base.rb +59 -0
data/lib/contrast/tasks/service.rb +95 -0
data/lib/contrast/utils/assess/sampling_util.rb +96 -0
data/lib/contrast/utils/assess/tracking_util.rb +39 -0
data/lib/contrast/utils/boolean_util.rb +33 -0
data/lib/contrast/utils/cache.rb +69 -0
data/lib/contrast/utils/class_util.rb +58 -0
data/lib/contrast/utils/comment_range.rb +19 -0
data/lib/contrast/utils/data_store_util.rb +23 -0
data/lib/contrast/utils/duck_utils.rb +58 -0
data/lib/contrast/utils/env_configuration_item.rb +52 -0
data/lib/contrast/utils/environment_util.rb +152 -0
data/lib/contrast/utils/freeze_util.rb +36 -0
data/lib/contrast/utils/gemfile_reader.rb +191 -0
data/lib/contrast/utils/hash_digest.rb +148 -0
data/lib/contrast/utils/heap_dump_util.rb +113 -0
data/lib/contrast/utils/invalid_configuration_util.rb +88 -0
data/lib/contrast/utils/inventory_util.rb +126 -0
data/lib/contrast/utils/io_util.rb +61 -0
data/lib/contrast/utils/object_share.rb +117 -0
data/lib/contrast/utils/operating_environment.rb +38 -0
data/lib/contrast/utils/os.rb +49 -0
data/lib/contrast/utils/path_util.rb +151 -0
data/lib/contrast/utils/performs_logging.rb +152 -0
data/lib/contrast/utils/preflight_util.rb +13 -0
data/lib/contrast/utils/prevent_serialization.rb +52 -0
data/lib/contrast/utils/rack_assess_session_cookie.rb +104 -0
data/lib/contrast/utils/rails_assess_configuration.rb +95 -0
data/lib/contrast/utils/random_util.rb +22 -0
data/lib/contrast/utils/resource_loader.rb +23 -0
data/lib/contrast/utils/ruby_ast_rewriter.rb +74 -0
data/lib/contrast/utils/scope_util.rb +99 -0
data/lib/contrast/utils/service_response_util.rb +116 -0
data/lib/contrast/utils/service_sender_util.rb +98 -0
data/lib/contrast/utils/sha256_builder.rb +69 -0
data/lib/contrast/utils/sinatra_helper.rb +49 -0
data/lib/contrast/utils/stack_trace_utils.rb +209 -0
data/lib/contrast/utils/string_utils.rb +72 -0
data/lib/contrast/utils/tag_util.rb +139 -0
data/lib/contrast/utils/thread_tracker.rb +54 -0
data/lib/contrast/utils/timer.rb +78 -0
data/resources/assess/policy.json +1673 -0
data/resources/csrf/inject.js +44 -0
data/resources/deadzone/policy.json +55 -0
data/resources/factory-bot-spec/spec_helper.rb +30 -0
data/resources/inventory/policy.json +110 -0
data/resources/protect/policy.json +417 -0
data/resources/rubocops/kernel/catch_cop.rb +37 -0
data/resources/rubocops/kernel/require_cop.rb +37 -0
data/resources/rubocops/kernel/require_relative_cop.rb +33 -0
data/resources/rubocops/module/autoload_cop.rb +37 -0
data/resources/rubocops/module/const_defined_cop.rb +37 -0
data/resources/rubocops/module/const_get_cop.rb +37 -0
data/resources/rubocops/module/const_set_cop.rb +37 -0
data/resources/rubocops/module/constants_cop.rb +37 -0
data/resources/rubocops/module/name_cop.rb +37 -0
data/resources/rubocops/object/class_cop.rb +37 -0
data/resources/rubocops/object/freeze_cop.rb +37 -0
data/resources/rubocops/object/frozen_cop.rb +37 -0
data/resources/rubocops/object/is_a_cop.rb +37 -0
data/resources/rubocops/object/method_cop.rb +37 -0
data/resources/rubocops/object/respond_to_cop.rb +37 -0
data/resources/rubocops/object/singleton_class_cop.rb +37 -0
data/resources/rubocops/regexp/spelling_cop.rb +44 -0
data/resources/rubocops/thread/new_cop.rb +39 -0
data/resources/ruby-spec/ancestors_spec.rb +70 -0
data/resources/ruby-spec/modulo_spec.rb +831 -0
data/resources/ruby-spec/parameters_spec.rb +261 -0
data/resources/ruby-spec/ruby_spec_spec_helper.rb +35 -0
data/resources/test_marker.txt +1 -0
data/ruby-agent.gemspec +129 -0
data/service_executables/.gitkeep +0 -0
data/service_executables/VERSION +1 -0
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +945 -0

data/lib/contrast/config/sampling_configuration.rb ADDED

@@ -0,0 +1,22 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Config
+    # Common Configuration settings. Those in this section pertain to the
+    # sampling functionality of the Agent.
+    class SamplingConfiguration < BaseConfiguration
+      KEYS = {
+          enable: EMPTY_VALUE,
+          baseline: EMPTY_VALUE,
+          request_frequency: EMPTY_VALUE,
+          response_frequency: EMPTY_VALUE,
+          window_ms: EMPTY_VALUE
+      }.cs__freeze
+      def initialize hsh
+        super(hsh, KEYS)
+      end
+    end
+  end
+end

data/lib/contrast/config/server_configuration.rb ADDED

@@ -0,0 +1,23 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Config
+    # Common Configuration settings. Those in this section pertain to the
+    # server identification functionality of the Agent.
+    class ServerConfiguration < BaseConfiguration
+      KEYS = {
+          name: EMPTY_VALUE,
+          path: EMPTY_VALUE,
+          type: EMPTY_VALUE,
+          tags: EMPTY_VALUE,
+          environment: EMPTY_VALUE,
+          version: EMPTY_VALUE
+      }.cs__freeze
+      def initialize hsh
+        super(hsh, KEYS)
+      end
+    end
+  end
+end

data/lib/contrast/config/service_configuration.rb ADDED

@@ -0,0 +1,22 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Config
+    # Common Configuration settings. Those in this section pertain to the
+    # communication between the Agent & the Service.
+    class ServiceConfiguration < BaseConfiguration
+      KEYS = {
+          enable: EMPTY_VALUE,
+          host: EMPTY_VALUE,
+          port: EMPTY_VALUE,
+          socket: EMPTY_VALUE,
+          logger: Contrast::Config::LoggerConfiguration
+      }.cs__freeze
+      def initialize hsh
+        super(hsh, KEYS)
+      end
+    end
+  end
+end

data/lib/contrast/configuration.rb ADDED

@@ -0,0 +1,214 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'yaml'
+cs__scoped_require 'fileutils'
+cs__scoped_require 'contrast/config'
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/components/interface'
+module Contrast
+  # This is how we read in the local settings for the Agent, both ENV/ CMD line
+  # and from properties files, in order to determine which settings, if any,
+  # the user has overridden.
+  class Configuration
+    extend Forwardable
+    include Contrast::Components::Interface
+    access_component :scope
+    def_delegator :root, :assign_value_to_path_array
+    attr_reader :default_name, :root
+    DEFAULT_YAML_PATH  = 'contrast_security.yaml'
+    DEFAULT_HOST       = '127.0.0.1'
+    DEFAULT_PORT       = '30555'
+    MILLISECOND_MARKER = '_ms'
+    CONVERSION = {
+        'agent.service.enable' => 'agent.start_bundled_service'
+    }.cs__freeze
+    CONFIG_BASE_PATHS = [
+      '',
+      'config/',
+      '/etc/contrast/ruby/',
+      '/etc/contrast/',
+      '/etc/'
+    ].cs__freeze
+    REMOVE_FIELDS = [
+      'contrast'
+    ].cs__freeze
+    def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH
+      @default_name = default_name
+      # Load config_kv from file
+      config_kv = deep_stringify_all_keys(load_config)
+      # Overlay CLI options - they take precedence over config file
+      cli_options = deep_stringify_all_keys(cli_options)
+      config_kv = deep_merge(cli_options, config_kv) if cli_options
+      # Some in-flight rewrites to maintain backwards compatibility
+      config_kv = update_prop_keys(config_kv)
+      config_kv = deprecate_fields(config_kv)
+      @root = Contrast::Config::RootConfiguration.new(config_kv)
+    end
+    # Because we call this method to determine the need for scoping, it itself
+    # must be executed inside a Contrast scope. Failure to do so could result
+    # in an infinite loop on the to_sym method used later.
+    def method_missing symbol, *args
+      with_contrast_scope do
+        begin
+          root.public_send(symbol, *args)
+        rescue NoMethodError => _e
+          super
+        end
+      end
+    end
+    def respond_to_missing? method_name, *args
+      root&.cs__respond_to?(method_name) || super
+    end
+    protected
+    # TODO: RUBY-546 move utility methods to auxiliary classes
+    def load_config
+      config = {}
+      configuration_paths.find do |path|
+        found = File.exist?(path)
+        next unless found
+        readable = File.readable?(path)
+        unless readable
+          puts "!!! Contrast - Configuration file at #{ path } is not readable by current user"
+          next
+        end
+        config = yaml_to_hash(path)
+        break
+      end
+      if config.empty?
+        puts "!!! Contrast - working directory: #{ Dir.pwd }"
+        puts '!!! Contrast - configuration file could not be found at any of the search paths'
+        puts 'Valid configuration paths are: '
+        configuration_paths.each do |path|
+          puts(path)
+        end
+      end
+      config
+    end
+    def yaml_to_hash path
+      if path && File.readable?(path)
+        begin
+          yaml = IO.read(path)
+          yaml = ERB.new(yaml).result if defined?(ERB)
+          return YAML.safe_load(yaml)
+        rescue RuntimeError => e
+          puts "ERROR: unable to load configuration from path due to #{ e }"
+          puts "ERROR: path=#{ path } pwd=#{ Dir.pwd }"
+        end
+      end
+      {}
+    end
+    # We're updating properties loaded from the configuration
+    # files to match the new agreed upon standard configuration
+    # names, so that one file works for all agents
+    def update_prop_keys config
+      converted = false
+      CONVERSION.each_pair do |old_method, new_method|
+        # See if the old value was set and needs to be translated
+        deprecated_keys = old_method.split('.')
+        old_value = config
+        deprecated_keys.each do |key|
+          old_value = old_value[key]
+          break if old_value.nil?
+        end
+        next if old_value.nil?
+        converted = true
+        puts "The deprecated property #{ old_method } is being set."
+        puts "Please update your config to use the property #{ new_method } instead."
+        new_keys = new_method.split('.')
+        # We changed the seconds values into ms values. Multiply them accordingly
+        old_value = old_value.to_i * 1000 if new_method.end_with?(MILLISECOND_MARKER)
+        new_value = config
+        end_idx = new_keys.length - 1
+        new_keys.each_with_index do |new_key, index|
+          if index == end_idx
+            new_value[new_key] = old_value if new_value[new_key].nil?
+          else
+            new_value = {} if new_value.nil?
+            new_value[new_key] = {} if new_value[new_key].nil?
+            new_value = new_value[new_key]
+          end
+        end
+      end
+      config
+    end
+    def deprecate_fields hash
+      REMOVE_FIELDS.each do |field|
+        path = field.split('.')
+        active_path = hash
+        path.each_with_index do |delete_path, index|
+          if index == path.length - 1 && active_path
+            active_path.delete(delete_path)
+          elsif active_path
+            active_path = active_path[delete_path]
+          end
+        end
+      end
+      hash
+    end
+    # Base paths to check for the contrast configuration file, sorted by
+    # reverse order of precedence (first is most important).
+    def configuration_paths
+      @_configuration_paths ||= begin
+        basename = default_name.split('.').first
+        names = %w[yml yaml].map { |suffix| "#{ basename }.#{ suffix }" }
+        paths = []
+        paths << ENV['CONTRAST_CONFIG_PATH']     if ENV['CONTRAST_CONFIG_PATH']
+        paths << ENV['CONTRAST_SECURITY_CONFIG'] if ENV['CONTRAST_SECURITY_CONFIG']
+        tmp = CONFIG_BASE_PATHS.product(names)
+        paths += tmp.map!(&:join)
+        paths
+      end
+    end
+    def deep_merge cli_config, file_config
+      cli_config.merge(file_config) do |_key, cli_value, file_value|
+        cli_value.is_a?(Hash) && file_value.is_a?(Hash) ? deep_merge(cli_value, file_value) : cli_value
+      end
+    end
+    def deep_stringify_all_keys hash
+      return if hash.nil?
+      new_hash = {}
+      hash.each do |key, value|
+        new_hash[key.to_s] = value.is_a?(Hash) ? deep_stringify_all_keys(value) : value
+      end
+      new_hash
+    end
+  end
+end

data/lib/contrast/core_extensions/assess.rb ADDED

@@ -0,0 +1,51 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module CoreExtensions
+    # Our top level Protect namespace in the Core Extensions section of our
+    # code. These patches are those that are invoked directly from a patched
+    # Class.
+    #
+    # @deprecated This is one of our earliest designs and is not nearly as
+    #   relevant given the move to C based patching and the lessons learned
+    #   therein.
+    module Assess
+      cs__scoped_require 'contrast/agent/patching/policy/patcher'
+      cs__scoped_require 'contrast/utils/tag_util'
+      # provider rules - have to come before policy
+      cs__scoped_require 'contrast/agent/assess/rule/provider'
+      # tagging / dataflow
+      cs__scoped_require 'contrast/agent/assess/adjusted_span'
+      cs__scoped_require 'contrast/agent/assess/policy/policy_node'
+      cs__scoped_require 'contrast/agent/assess/policy/source_node'
+      cs__scoped_require 'contrast/agent/assess/policy/source_method'
+      cs__scoped_require 'contrast/agent/assess/policy/propagation_node'
+      cs__scoped_require 'contrast/agent/assess/policy/propagation_method'
+      cs__scoped_require 'contrast/agent/assess/policy/trigger_node'
+      cs__scoped_require 'contrast/agent/assess/policy/trigger_method'
+      cs__scoped_require 'contrast/agent/assess/policy/policy'
+      cs__scoped_require 'contrast/agent/assess/policy/patcher'
+      # classes that don't play nice w/ our standard propagation
+      cs__scoped_require 'contrast/agent/assess/frozen_properties'
+      cs__scoped_require 'contrast/core_extensions/assess/assess_extension'
+      # this needs to come first b/c array and others work on strings and
+      # expect them to be trackable
+      cs__scoped_require 'contrast/core_extensions/assess/string'
+      cs__scoped_require 'contrast/core_extensions/assess/array'
+      cs__scoped_require 'contrast/core_extensions/assess/erb'
+      cs__scoped_require 'contrast/core_extensions/assess/fiber'
+      cs__scoped_require 'contrast/core_extensions/assess/hash'
+      cs__scoped_require 'contrast/core_extensions/assess/kernel'
+      cs__scoped_require 'contrast/core_extensions/assess/regexp'
+      cs__scoped_require 'contrast/core_extensions/assess/module'
+      cs__scoped_require 'contrast/core_extensions/assess/basic_object'
+      cs__scoped_require 'contrast/core_extensions/assess/tilt_template_trigger'
+    end
+  end
+end

data/lib/contrast/core_extensions/assess/array.rb ADDED

@@ -0,0 +1,58 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/agent/patching/policy/patcher'
+cs__scoped_require 'contrast/components/interface'
+# This is our patch of the Array class required to handle propagation
+# Disclaimer: there may be a better way, but we're in a 'get it work' state.
+# Hopefully, we'll be in a 'get it right' state soon.
+class Array
+  include Contrast::Components::Interface
+  access_component :scope
+  ARRAY_JOIN_HASH = {
+      'class_name' => 'Array',
+      'instance_method' => true,
+      'method_visibility' => 'public',
+      'method_name' => 'join',
+      'action' => 'CUSTOM',
+      'source' => 'O',
+      'target' => 'R',
+      'patch_class' => 'NOOP',
+      'patch_method' => '__cs_track_join'
+  }.cs__freeze
+  ARRAY_JOIN_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(ARRAY_JOIN_HASH)
+  # When you call join, they use an internal thing, so there's no good way to get at the thing being returned.
+  # Multiple Strings are appended with the #join method. Because that
+  # operation happens in C, we have to do it here rather than rely on the
+  # patch of our String append or concat methods.
+  def __cs_track_join separator, ret
+    return ret if Contrast::Agent::Patching::Policy::Patcher.skip_assess_analysis?
+    with_contrast_scope do
+      shift = 0
+      separator_length = separator.nil? ? 0 : separator.to_s.length
+      each do |obj|
+        if obj # skip nil here
+          ret.cs__copy_from(obj, shift)
+          shift += obj.to_s.length
+        end
+        shift += separator_length
+      end
+      return ret unless ret.cs__tracked?
+      ret.cs__properties.cleanup_tags
+      ret.cs__properties.build_event(
+          ARRAY_JOIN_NODE,
+          ret,
+          self,
+          ret,
+          [separator])
+      ret
+    end
+  end
+end
+cs__scoped_require 'cs__assess_array/cs__assess_array'

data/lib/contrast/core_extensions/assess/assess_extension.rb ADDED

@@ -0,0 +1,145 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/agent/assess/properties'
+cs__scoped_require 'contrast/agent/assess/frozen_properties'
+cs__scoped_require 'contrast/agent/assess/insulator'
+module Contrast
+  module CoreExtensions
+    module Assess
+      # This module is responsible for maintaining the data we need to
+      # construct a trace event for the object in which it is included. Rather
+      # than have this code all over the place, any class that wants to use
+      # dataflow features should be sent
+      # 'include Contrast::CoreExtensions::Assess::AssessExtension'
+      module AssessExtension
+        include Contrast::Utils::ScopeUtil
+        # Lazily build properties object. Only objects that have been tracked
+        # will have the @_cs__properties, but all will respond to the
+        # cs__properties method call. You should only call this method if you
+        # either intend to start tracking an object or you have already checked
+        # cs__tracked? and it is true.
+        def cs__properties
+          # If this object was tracked before being frozen, it'll have
+          # mutable properties we need inside of the insulator @_cs__properties
+          if cs__frozen?
+            if instance_variable_defined?(:@_cs__properties)
+              @_cs__properties.properties
+            else
+              Contrast::Agent::Assess::Insulator.generate_frozen.properties
+            end
+          else
+            @_cs__properties ||= Contrast::Agent::Assess::Insulator.generate
+            @_cs__properties.properties
+          end
+        end
+        def cs__properties?
+          instance_variable_defined?(:@_cs__properties)
+        end
+        # This is a way to check if we are already tracking an object without
+        # adding tracking to it. If the object already has been tracked we will
+        # return the tracking state of its properties. If the object hasn't
+        # already been tracked we will return false without starting to track
+        # it
+        def cs__tracked?
+          cs__properties? && cs__properties.tracked?
+        end
+        def cs__reset_properties
+          return unless cs__properties?
+          @_cs__properties = nil
+        end
+        # copy tags and info from object to self if object support methods
+        # obj: the object from which to copy tags and events
+        # shift: how far to shift the tags, negative moves left
+        # skip_tags: array of tags to skip copying
+        def cs__copy_from obj, shift = 0, skip_tags = nil
+          return if obj.equal?(self)
+          return unless Contrast::Utils::DuckUtils.quacks_to?(obj,
+                                                              :cs__tracked?)
+          return unless obj.cs__tracked?
+          return if cs__properties == Contrast::Agent::Assess::Insulator.generate_frozen.properties
+          # This was fun to find...
+          # the clone and dup methods don't apply to instance variables in the
+          # cloned/ duped thing, so the arrays in the properties were the same.
+          # The most infinite of infinite loops ensued.
+          # DO NOT TAKE THIS OUT!
+          cs__reset_properties if obj.cs__properties == cs__properties
+          obj.cs__properties.events.each do |event|
+            cs__properties.events << event
+          end
+          obj.cs__properties.tag_keys.each do |key|
+            next if skip_tags&.include?(key)
+            new_tags = []
+            value = obj.cs__properties.fetch_tag(key)
+            value.each do |tag|
+              new_tags << tag.copy_modified(shift)
+            end
+            existing = cs__properties.fetch_tag(key)
+            if existing
+              existing.concat(new_tags)
+            else
+              cs__properties.set_tags(key, new_tags)
+            end
+          end
+        end
+        # Some propagation occurred, but we're not sure what the
+        # exact transformation was. To be safe, we just explode
+        # all the tags from the source to the return.
+        #
+        # If the return already had that tag, the existing tag
+        # range is recycled to save us an object.
+        def cs__splat_tags ret, source = self
+          return unless Contrast::Utils::DuckUtils.quacks_to?(
+              ret,
+              :cs__tracked?)
+          splat_source = Contrast::Utils::DuckUtils.quacks_to?(
+              source,
+              :cs__tracked?)
+          splat_source &&= source.cs__tracked?
+          if splat_source
+            length = Contrast::Utils::StringUtils.ret_length(ret)
+            source.cs__properties.tag_keys.each do |key|
+              existing = ret.cs__properties.fetch_tag(key)
+              # if the tag already exists, drop all but the first range
+              # then change that range to cover the entire return
+              if existing
+                existing.drop(existing.length - 1)
+                range = existing[0]
+                range.repurpose(0, length)
+              else
+                span = Contrast::Agent::Assess::AdjustedSpan.new(0, length)
+                ret.cs__properties.add_tag(key, span)
+              end
+            end
+          end
+          return unless ret.cs__tracked?
+          length ||= Contrast::Utils::StringUtils.ret_length(ret)
+          ret.cs__properties.tag_keys.each do |key|
+            next unless key
+            existing = ret.cs__properties.fetch_tag(key)
+            next unless existing
+            existing.each do |range|
+              range.update_end(length) if range.end_idx > length
+            end
+          end
+        end
+      end
+    end
+  end
+end