RubyGems - contrast-agent - Versions diffs - 3.8.4 - Mend

contrast-agent 3.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (500) hide show

checksums.yaml +7 -0
data/.clang-format +5 -0
data/.dockerignore +10 -0
data/.gitignore +58 -0
data/.gitmodules +6 -0
data/.rspec +6 -0
data/.simplecov +4 -0
data/Gemfile +7 -0
data/LICENSE.txt +12 -0
data/Rakefile +15 -0
data/exe/contrast_service +29 -0
data/ext/build_funchook.rb +48 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.c +47 -0
data/ext/cs__assess_active_record_named/cs__active_record_named.h +10 -0
data/ext/cs__assess_active_record_named/extconf.rb +2 -0
data/ext/cs__assess_array/cs__assess_array.c +38 -0
data/ext/cs__assess_array/cs__assess_array.h +9 -0
data/ext/cs__assess_array/extconf.rb +2 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +50 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +17 -0
data/ext/cs__assess_basic_object/extconf.rb +2 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +86 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +34 -0
data/ext/cs__assess_fiber_track/extconf.rb +2 -0
data/ext/cs__assess_hash/cs__assess_hash.c +64 -0
data/ext/cs__assess_hash/cs__assess_hash.h +24 -0
data/ext/cs__assess_hash/extconf.rb +2 -0
data/ext/cs__assess_kernel/cs__assess_kernel.c +36 -0
data/ext/cs__assess_kernel/cs__assess_kernel.h +10 -0
data/ext/cs__assess_kernel/extconf.rb +2 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +47 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +18 -0
data/ext/cs__assess_marshal_module/extconf.rb +2 -0
data/ext/cs__assess_module/cs__assess_module.c +78 -0
data/ext/cs__assess_module/cs__assess_module.h +25 -0
data/ext/cs__assess_module/extconf.rb +2 -0
data/ext/cs__assess_regexp/cs__assess_regexp.c +48 -0
data/ext/cs__assess_regexp/cs__assess_regexp.h +22 -0
data/ext/cs__assess_regexp/extconf.rb +2 -0
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +63 -0
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +29 -0
data/ext/cs__assess_regexp_track/extconf.rb +2 -0
data/ext/cs__assess_string/cs__assess_string.c +38 -0
data/ext/cs__assess_string/cs__assess_string.h +19 -0
data/ext/cs__assess_string/extconf.rb +2 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +31 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +13 -0
data/ext/cs__assess_string_interpolation26/extconf.rb +2 -0
data/ext/cs__common/cs__common.c +60 -0
data/ext/cs__common/cs__common.h +28 -0
data/ext/cs__common/extconf.rb +20 -0
data/ext/cs__contrast_patch/cs__contrast_patch.c +445 -0
data/ext/cs__contrast_patch/cs__contrast_patch.h +196 -0
data/ext/cs__contrast_patch/extconf.rb +2 -0
data/ext/cs__protect_kernel/cs__protect_kernel.c +37 -0
data/ext/cs__protect_kernel/cs__protect_kernel.h +11 -0
data/ext/cs__protect_kernel/extconf.rb +2 -0
data/ext/cs__scope/cs__scope.c +96 -0
data/ext/cs__scope/cs__scope.h +33 -0
data/ext/cs__scope/extconf.rb +2 -0
data/ext/extconf_common.rb +49 -0
data/funchook/LICENSE +360 -0
data/funchook/Makefile +29 -0
data/funchook/Makefile.in +29 -0
data/funchook/README.md +121 -0
data/funchook/appveyor.yml +42 -0
data/funchook/autogen.sh +3 -0
data/funchook/autom4te.cache/output.0 +4976 -0
data/funchook/autom4te.cache/requests +78 -0
data/funchook/autom4te.cache/traces.0 +364 -0
data/funchook/config.guess +1530 -0
data/funchook/config.log +490 -0
data/funchook/config.status +1016 -0
data/funchook/config.sub +1773 -0
data/funchook/configure +4976 -0
data/funchook/configure.ac +59 -0
data/funchook/distorm/COPYING +26 -0
data/funchook/distorm/MANIFEST +25 -0
data/funchook/distorm/MANIFEST.in +4 -0
data/funchook/distorm/README.md +12 -0
data/funchook/distorm/disOps/disOps.py +795 -0
data/funchook/distorm/disOps/x86db.py +404 -0
data/funchook/distorm/disOps/x86header.py +247 -0
data/funchook/distorm/disOps/x86sets.py +1664 -0
data/funchook/distorm/examples/cs/TestdiStorm/Program.cs +79 -0
data/funchook/distorm/examples/cs/TestdiStorm/Properties/AssemblyInfo.cs +36 -0
data/funchook/distorm/examples/cs/TestdiStorm/TestdiStorm.csproj +69 -0
data/funchook/distorm/examples/cs/distorm-net.sln +26 -0
data/funchook/distorm/examples/cs/distorm-net/CodeInfo.cs +23 -0
data/funchook/distorm/examples/cs/distorm-net/DecodedInst.cs +15 -0
data/funchook/distorm/examples/cs/distorm-net/DecodedResult.cs +14 -0
data/funchook/distorm/examples/cs/distorm-net/DecomposedInst.cs +36 -0
data/funchook/distorm/examples/cs/distorm-net/DecomposedResult.cs +14 -0
data/funchook/distorm/examples/cs/distorm-net/Opcodes.cs +1268 -0
data/funchook/distorm/examples/cs/distorm-net/Opcodes.tt +37 -0
data/funchook/distorm/examples/cs/distorm-net/Operand.cs +25 -0
data/funchook/distorm/examples/cs/distorm-net/Properties/AssemblyInfo.cs +36 -0
data/funchook/distorm/examples/cs/distorm-net/diStorm3.cs +411 -0
data/funchook/distorm/examples/cs/distorm-net/distorm-net.csproj +80 -0
data/funchook/distorm/examples/cs/readme +3 -0
data/funchook/distorm/examples/ddk/README +48 -0
data/funchook/distorm/examples/ddk/distorm.ini +11 -0
data/funchook/distorm/examples/ddk/dummy.c +15 -0
data/funchook/distorm/examples/ddk/main.c +91 -0
data/funchook/distorm/examples/ddk/makefile +1 -0
data/funchook/distorm/examples/ddk/sources +10 -0
data/funchook/distorm/examples/java/Makefile +23 -0
data/funchook/distorm/examples/java/distorm/src/Main.java +43 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/CodeInfo.java +27 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedInst.java +32 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecodedResult.java +11 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedInst.java +89 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/DecomposedResult.java +11 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/OpcodeEnum.java +131 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/Opcodes.java +1123 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/Operand.java +24 -0
data/funchook/distorm/examples/java/distorm/src/diStorm3/distorm3.java +41 -0
data/funchook/distorm/examples/java/jdistorm.c +405 -0
data/funchook/distorm/examples/java/jdistorm.h +40 -0
data/funchook/distorm/examples/java/jdistorm.sln +20 -0
data/funchook/distorm/examples/java/jdistorm.vcproj +208 -0
data/funchook/distorm/examples/linux/Makefile +15 -0
data/funchook/distorm/examples/linux/main.c +181 -0
data/funchook/distorm/examples/tests/Makefile +15 -0
data/funchook/distorm/examples/tests/main.cpp +42 -0
data/funchook/distorm/examples/tests/main.py +66 -0
data/funchook/distorm/examples/tests/test_distorm3.py +1672 -0
data/funchook/distorm/examples/tests/tests.sln +20 -0
data/funchook/distorm/examples/tests/tests.vcxproj +82 -0
data/funchook/distorm/examples/tests/tests.vcxproj.filters +22 -0
data/funchook/distorm/examples/win32/disasm.sln +25 -0
data/funchook/distorm/examples/win32/disasm.vcxproj +201 -0
data/funchook/distorm/examples/win32/disasm.vcxproj.filters +14 -0
data/funchook/distorm/examples/win32/main.cpp +163 -0
data/funchook/distorm/include/distorm.h +482 -0
data/funchook/distorm/include/mnemonics.h +301 -0
data/funchook/distorm/make/linux/Makefile +28 -0
data/funchook/distorm/make/mac/Makefile +24 -0
data/funchook/distorm/make/win32/cdistorm.vcxproj +239 -0
data/funchook/distorm/make/win32/cdistorm.vcxproj.filters +80 -0
data/funchook/distorm/make/win32/distorm.sln +25 -0
data/funchook/distorm/make/win32/resource.h +14 -0
data/funchook/distorm/make/win32/resource.rc +99 -0
data/funchook/distorm/python/distorm3/__init__.py +957 -0
data/funchook/distorm/python/distorm3/sample.py +51 -0
data/funchook/distorm/setup.cfg +10 -0
data/funchook/distorm/setup.py +266 -0
data/funchook/distorm/src/config.h +169 -0
data/funchook/distorm/src/decoder.c +641 -0
data/funchook/distorm/src/decoder.h +33 -0
data/funchook/distorm/src/distorm.c +413 -0
data/funchook/distorm/src/instructions.c +597 -0
data/funchook/distorm/src/instructions.h +463 -0
data/funchook/distorm/src/insts.c +7939 -0
data/funchook/distorm/src/insts.h +64 -0
data/funchook/distorm/src/mnemonics.c +284 -0
data/funchook/distorm/src/operands.c +1290 -0
data/funchook/distorm/src/operands.h +28 -0
data/funchook/distorm/src/prefix.c +368 -0
data/funchook/distorm/src/prefix.h +64 -0
data/funchook/distorm/src/textdefs.c +172 -0
data/funchook/distorm/src/textdefs.h +57 -0
data/funchook/distorm/src/wstring.c +47 -0
data/funchook/distorm/src/wstring.h +35 -0
data/funchook/distorm/src/x86defs.h +82 -0
data/funchook/include/funchook.h +123 -0
data/funchook/install-sh +527 -0
data/funchook/src/Makefile +70 -0
data/funchook/src/Makefile.in +70 -0
data/funchook/src/__strerror.h +109 -0
data/funchook/src/config.h +101 -0
data/funchook/src/config.h.in +100 -0
data/funchook/src/decoder.o +0 -0
data/funchook/src/distorm.o +0 -0
data/funchook/src/funchook.c +440 -0
data/funchook/src/funchook.o +0 -0
data/funchook/src/funchook_internal.h +155 -0
data/funchook/src/funchook_io.c +182 -0
data/funchook/src/funchook_io.h +64 -0
data/funchook/src/funchook_io.o +0 -0
data/funchook/src/funchook_syscall.S +134 -0
data/funchook/src/funchook_syscall.o +0 -0
data/funchook/src/funchook_unix.c +480 -0
data/funchook/src/funchook_unix.o +0 -0
data/funchook/src/funchook_windows.c +397 -0
data/funchook/src/funchook_x86.c +622 -0
data/funchook/src/funchook_x86.o +0 -0
data/funchook/src/instructions.o +0 -0
data/funchook/src/insts.o +0 -0
data/funchook/src/libfunchook.so +0 -0
data/funchook/src/mnemonics.o +0 -0
data/funchook/src/operands.o +0 -0
data/funchook/src/os_func.c +115 -0
data/funchook/src/os_func.h +75 -0
data/funchook/src/os_func.o +0 -0
data/funchook/src/os_func_unix.c +94 -0
data/funchook/src/os_func_unix.o +0 -0
data/funchook/src/os_func_windows.c +32 -0
data/funchook/src/prefix.o +0 -0
data/funchook/src/printf_base.c +1688 -0
data/funchook/src/printf_base.h +46 -0
data/funchook/src/printf_base.o +0 -0
data/funchook/src/textdefs.o +0 -0
data/funchook/src/wstring.o +0 -0
data/funchook/test/Makefile +43 -0
data/funchook/test/Makefile.in +43 -0
data/funchook/test/funchook_test +0 -0
data/funchook/test/libfunchook_test.c +25 -0
data/funchook/test/libfunchook_test.so +0 -0
data/funchook/test/libfunchook_test2.c +18 -0
data/funchook/test/suffix.list +600 -0
data/funchook/test/test_main.c +430 -0
data/funchook/test/test_main.o +0 -0
data/funchook/test/x86_64_test.S +10 -0
data/funchook/test/x86_64_test.o +0 -0
data/funchook/test/x86_test.S +339 -0
data/funchook/win32/config.h +1 -0
data/funchook/win32/funchook.sln +52 -0
data/funchook/win32/funchook.vcxproj +188 -0
data/funchook/win32/funchook.vcxproj.filters +84 -0
data/funchook/win32/funchook_test.vcxproj +170 -0
data/funchook/win32/funchook_test.vcxproj.filters +22 -0
data/funchook/win32/funchook_test_dll.vcxproj +184 -0
data/funchook/win32/funchook_test_dll.vcxproj.filters +30 -0
data/funchook/win32/funchook_test_exe.def +3 -0
data/lib/contrast-agent.rb +8 -0
data/lib/contrast.rb +57 -0
data/lib/contrast/agent.rb +80 -0
data/lib/contrast/agent/assess.rb +45 -0
data/lib/contrast/agent/assess/adjusted_span.rb +25 -0
data/lib/contrast/agent/assess/class_reverter.rb +82 -0
data/lib/contrast/agent/assess/contrast_event.rb +398 -0
data/lib/contrast/agent/assess/frozen_properties.rb +41 -0
data/lib/contrast/agent/assess/insulator.rb +53 -0
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +78 -0
data/lib/contrast/agent/assess/policy/patcher.rb +85 -0
data/lib/contrast/agent/assess/policy/policy.rb +116 -0
data/lib/contrast/agent/assess/policy/policy_node.rb +289 -0
data/lib/contrast/agent/assess/policy/policy_scanner.rb +44 -0
data/lib/contrast/agent/assess/policy/preshift.rb +94 -0
data/lib/contrast/agent/assess/policy/propagation_method.rb +260 -0
data/lib/contrast/agent/assess/policy/propagation_node.rb +127 -0
data/lib/contrast/agent/assess/policy/propagator.rb +35 -0
data/lib/contrast/agent/assess/policy/propagator/append.rb +54 -0
data/lib/contrast/agent/assess/policy/propagator/base.rb +37 -0
data/lib/contrast/agent/assess/policy/propagator/center.rb +73 -0
data/lib/contrast/agent/assess/policy/propagator/custom.rb +36 -0
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +62 -0
data/lib/contrast/agent/assess/policy/propagator/insert.rb +55 -0
data/lib/contrast/agent/assess/policy/propagator/keep.rb +26 -0
data/lib/contrast/agent/assess/policy/propagator/next.rb +42 -0
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +50 -0
data/lib/contrast/agent/assess/policy/propagator/remove.rb +76 -0
data/lib/contrast/agent/assess/policy/propagator/replace.rb +27 -0
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +38 -0
data/lib/contrast/agent/assess/policy/propagator/select.rb +86 -0
data/lib/contrast/agent/assess/policy/propagator/splat.rb +60 -0
data/lib/contrast/agent/assess/policy/propagator/split.rb +49 -0
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +169 -0
data/lib/contrast/agent/assess/policy/propagator/trim.rb +81 -0
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +79 -0
data/lib/contrast/agent/assess/policy/source_method.rb +209 -0
data/lib/contrast/agent/assess/policy/source_node.rb +62 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +209 -0
data/lib/contrast/agent/assess/policy/trigger_node.rb +198 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +77 -0
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +31 -0
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +40 -0
data/lib/contrast/agent/assess/properties.rb +392 -0
data/lib/contrast/agent/assess/rule.rb +18 -0
data/lib/contrast/agent/assess/rule/base.rb +72 -0
data/lib/contrast/agent/assess/rule/csrf.rb +66 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +28 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +69 -0
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +132 -0
data/lib/contrast/agent/assess/rule/provider.rb +21 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +62 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +73 -0
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +121 -0
data/lib/contrast/agent/assess/rule/redos.rb +68 -0
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +47 -0
data/lib/contrast/agent/assess/rule/response_watcher.rb +36 -0
data/lib/contrast/agent/assess/rule/watcher.rb +36 -0
data/lib/contrast/agent/assess/tag.rb +151 -0
data/lib/contrast/agent/at_exit_hook.rb +33 -0
data/lib/contrast/agent/class_reopener.rb +195 -0
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +26 -0
data/lib/contrast/agent/deadzone/policy/policy.rb +57 -0
data/lib/contrast/agent/disable_reaction.rb +24 -0
data/lib/contrast/agent/exclusion_matcher.rb +190 -0
data/lib/contrast/agent/feature_state.rb +379 -0
data/lib/contrast/agent/inventory/policy/policy.rb +32 -0
data/lib/contrast/agent/inventory/policy/trigger_node.rb +22 -0
data/lib/contrast/agent/logger_manager.rb +116 -0
data/lib/contrast/agent/middleware.rb +352 -0
data/lib/contrast/agent/module_data.rb +16 -0
data/lib/contrast/agent/patching/policy/after_load_patch.rb +37 -0
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +58 -0
data/lib/contrast/agent/patching/policy/method_policy.rb +94 -0
data/lib/contrast/agent/patching/policy/module_policy.rb +116 -0
data/lib/contrast/agent/patching/policy/patch.rb +312 -0
data/lib/contrast/agent/patching/policy/patch_status.rb +192 -0
data/lib/contrast/agent/patching/policy/patcher.rb +310 -0
data/lib/contrast/agent/patching/policy/policy.rb +138 -0
data/lib/contrast/agent/patching/policy/policy_node.rb +80 -0
data/lib/contrast/agent/patching/policy/policy_unpatcher.rb +28 -0
data/lib/contrast/agent/patching/policy/trigger_node.rb +81 -0
data/lib/contrast/agent/protect/policy/policy.rb +37 -0
data/lib/contrast/agent/protect/policy/trigger_node.rb +23 -0
data/lib/contrast/agent/protect/rule.rb +58 -0
data/lib/contrast/agent/protect/rule/base.rb +300 -0
data/lib/contrast/agent/protect/rule/base_service.rb +88 -0
data/lib/contrast/agent/protect/rule/cmd_injection.rb +156 -0
data/lib/contrast/agent/protect/rule/csrf.rb +118 -0
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +103 -0
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +85 -0
data/lib/contrast/agent/protect/rule/default_scanner.rb +300 -0
data/lib/contrast/agent/protect/rule/deserialization.rb +193 -0
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +80 -0
data/lib/contrast/agent/protect/rule/no_sqli.rb +101 -0
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +40 -0
data/lib/contrast/agent/protect/rule/path_traversal.rb +143 -0
data/lib/contrast/agent/protect/rule/sqli.rb +101 -0
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +16 -0
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +38 -0
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +22 -0
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +19 -0
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +20 -0
data/lib/contrast/agent/protect/rule/xss.rb +24 -0
data/lib/contrast/agent/protect/rule/xxe.rb +120 -0
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +82 -0
data/lib/contrast/agent/railtie.rb +30 -0
data/lib/contrast/agent/reaction_processor.rb +47 -0
data/lib/contrast/agent/request.rb +493 -0
data/lib/contrast/agent/request_context.rb +225 -0
data/lib/contrast/agent/require_state.rb +61 -0
data/lib/contrast/agent/response.rb +215 -0
data/lib/contrast/agent/rewriter.rb +244 -0
data/lib/contrast/agent/scope.rb +28 -0
data/lib/contrast/agent/service_heartbeat.rb +37 -0
data/lib/contrast/agent/settings_state.rb +148 -0
data/lib/contrast/agent/socket_client.rb +125 -0
data/lib/contrast/agent/thread.rb +26 -0
data/lib/contrast/agent/tracepoint_hook.rb +51 -0
data/lib/contrast/agent/version.rb +8 -0
data/lib/contrast/api.rb +17 -0
data/lib/contrast/api/.gitkeep +0 -0
data/lib/contrast/api/connection_status.rb +49 -0
data/lib/contrast/api/socket.rb +43 -0
data/lib/contrast/api/speedracer.rb +206 -0
data/lib/contrast/api/tcp_socket.rb +31 -0
data/lib/contrast/api/unix_socket.rb +25 -0
data/lib/contrast/common_agent_configuration.rb +86 -0
data/lib/contrast/components/agent.rb +85 -0
data/lib/contrast/components/app_context.rb +188 -0
data/lib/contrast/components/assess.rb +67 -0
data/lib/contrast/components/config.rb +135 -0
data/lib/contrast/components/contrast_service.rb +113 -0
data/lib/contrast/components/heap_dump.rb +34 -0
data/lib/contrast/components/interface.rb +178 -0
data/lib/contrast/components/inventory.rb +23 -0
data/lib/contrast/components/logger.rb +92 -0
data/lib/contrast/components/protect.rb +38 -0
data/lib/contrast/components/sampling.rb +41 -0
data/lib/contrast/components/scope.rb +106 -0
data/lib/contrast/components/settings.rb +140 -0
data/lib/contrast/config.rb +33 -0
data/lib/contrast/config/agent_configuration.rb +24 -0
data/lib/contrast/config/application_configuration.rb +27 -0
data/lib/contrast/config/assess_configuration.rb +22 -0
data/lib/contrast/config/assess_rules_configuration.rb +18 -0
data/lib/contrast/config/base_configuration.rb +105 -0
data/lib/contrast/config/default_value.rb +16 -0
data/lib/contrast/config/exception_configuration.rb +21 -0
data/lib/contrast/config/heap_dump_configuration.rb +23 -0
data/lib/contrast/config/inventory_configuration.rb +20 -0
data/lib/contrast/config/logger_configuration.rb +20 -0
data/lib/contrast/config/protect_configuration.rb +20 -0
data/lib/contrast/config/protect_rule_configuration.rb +37 -0
data/lib/contrast/config/protect_rules_configuration.rb +30 -0
data/lib/contrast/config/root_configuration.rb +26 -0
data/lib/contrast/config/ruby_configuration.rb +39 -0
data/lib/contrast/config/sampling_configuration.rb +22 -0
data/lib/contrast/config/server_configuration.rb +23 -0
data/lib/contrast/config/service_configuration.rb +22 -0
data/lib/contrast/configuration.rb +214 -0
data/lib/contrast/core_extensions/assess.rb +51 -0
data/lib/contrast/core_extensions/assess/array.rb +58 -0
data/lib/contrast/core_extensions/assess/assess_extension.rb +145 -0
data/lib/contrast/core_extensions/assess/basic_object.rb +15 -0
data/lib/contrast/core_extensions/assess/erb.rb +42 -0
data/lib/contrast/core_extensions/assess/exec_trigger.rb +48 -0
data/lib/contrast/core_extensions/assess/fiber.rb +125 -0
data/lib/contrast/core_extensions/assess/hash.rb +22 -0
data/lib/contrast/core_extensions/assess/kernel.rb +95 -0
data/lib/contrast/core_extensions/assess/module.rb +14 -0
data/lib/contrast/core_extensions/assess/regexp.rb +206 -0
data/lib/contrast/core_extensions/assess/string.rb +75 -0
data/lib/contrast/core_extensions/assess/tilt_template_trigger.rb +73 -0
data/lib/contrast/core_extensions/delegator.rb +14 -0
data/lib/contrast/core_extensions/eval_trigger.rb +52 -0
data/lib/contrast/core_extensions/inventory.rb +22 -0
data/lib/contrast/core_extensions/inventory/datastores.rb +37 -0
data/lib/contrast/core_extensions/module.rb +42 -0
data/lib/contrast/core_extensions/object.rb +27 -0
data/lib/contrast/core_extensions/protect.rb +20 -0
data/lib/contrast/core_extensions/protect/applies_command_injection_rule.rb +70 -0
data/lib/contrast/core_extensions/protect/applies_deserialization_rule.rb +58 -0
data/lib/contrast/core_extensions/protect/applies_no_sqli_rule.rb +81 -0
data/lib/contrast/core_extensions/protect/applies_path_traversal_rule.rb +119 -0
data/lib/contrast/core_extensions/protect/applies_sqli_rule.rb +63 -0
data/lib/contrast/core_extensions/protect/applies_xxe_rule.rb +141 -0
data/lib/contrast/core_extensions/protect/kernel.rb +30 -0
data/lib/contrast/core_extensions/protect/psych.rb +7 -0
data/lib/contrast/core_extensions/thread.rb +31 -0
data/lib/contrast/internal_exception.rb +8 -0
data/lib/contrast/rails_extensions/assess/action_controller_inheritance.rb +48 -0
data/lib/contrast/rails_extensions/assess/active_record.rb +32 -0
data/lib/contrast/rails_extensions/assess/active_record_named.rb +61 -0
data/lib/contrast/rails_extensions/assess/configuration.rb +26 -0
data/lib/contrast/rails_extensions/buffer.rb +30 -0
data/lib/contrast/rails_extensions/rack.rb +45 -0
data/lib/contrast/security_exception.rb +14 -0
data/lib/contrast/sinatra_extensions/assess/cookie.rb +26 -0
data/lib/contrast/sinatra_extensions/inventory/sinatra_base.rb +59 -0
data/lib/contrast/tasks/service.rb +95 -0
data/lib/contrast/utils/assess/sampling_util.rb +96 -0
data/lib/contrast/utils/assess/tracking_util.rb +39 -0
data/lib/contrast/utils/boolean_util.rb +33 -0
data/lib/contrast/utils/cache.rb +69 -0
data/lib/contrast/utils/class_util.rb +58 -0
data/lib/contrast/utils/comment_range.rb +19 -0
data/lib/contrast/utils/data_store_util.rb +23 -0
data/lib/contrast/utils/duck_utils.rb +58 -0
data/lib/contrast/utils/env_configuration_item.rb +52 -0
data/lib/contrast/utils/environment_util.rb +152 -0
data/lib/contrast/utils/freeze_util.rb +36 -0
data/lib/contrast/utils/gemfile_reader.rb +191 -0
data/lib/contrast/utils/hash_digest.rb +148 -0
data/lib/contrast/utils/heap_dump_util.rb +113 -0
data/lib/contrast/utils/invalid_configuration_util.rb +88 -0
data/lib/contrast/utils/inventory_util.rb +126 -0
data/lib/contrast/utils/io_util.rb +61 -0
data/lib/contrast/utils/object_share.rb +117 -0
data/lib/contrast/utils/operating_environment.rb +38 -0
data/lib/contrast/utils/os.rb +49 -0
data/lib/contrast/utils/path_util.rb +151 -0
data/lib/contrast/utils/performs_logging.rb +152 -0
data/lib/contrast/utils/preflight_util.rb +13 -0
data/lib/contrast/utils/prevent_serialization.rb +52 -0
data/lib/contrast/utils/rack_assess_session_cookie.rb +104 -0
data/lib/contrast/utils/rails_assess_configuration.rb +95 -0
data/lib/contrast/utils/random_util.rb +22 -0
data/lib/contrast/utils/resource_loader.rb +23 -0
data/lib/contrast/utils/ruby_ast_rewriter.rb +74 -0
data/lib/contrast/utils/scope_util.rb +99 -0
data/lib/contrast/utils/service_response_util.rb +116 -0
data/lib/contrast/utils/service_sender_util.rb +98 -0
data/lib/contrast/utils/sha256_builder.rb +69 -0
data/lib/contrast/utils/sinatra_helper.rb +49 -0
data/lib/contrast/utils/stack_trace_utils.rb +209 -0
data/lib/contrast/utils/string_utils.rb +72 -0
data/lib/contrast/utils/tag_util.rb +139 -0
data/lib/contrast/utils/thread_tracker.rb +54 -0
data/lib/contrast/utils/timer.rb +78 -0
data/resources/assess/policy.json +1673 -0
data/resources/csrf/inject.js +44 -0
data/resources/deadzone/policy.json +55 -0
data/resources/factory-bot-spec/spec_helper.rb +30 -0
data/resources/inventory/policy.json +110 -0
data/resources/protect/policy.json +417 -0
data/resources/rubocops/kernel/catch_cop.rb +37 -0
data/resources/rubocops/kernel/require_cop.rb +37 -0
data/resources/rubocops/kernel/require_relative_cop.rb +33 -0
data/resources/rubocops/module/autoload_cop.rb +37 -0
data/resources/rubocops/module/const_defined_cop.rb +37 -0
data/resources/rubocops/module/const_get_cop.rb +37 -0
data/resources/rubocops/module/const_set_cop.rb +37 -0
data/resources/rubocops/module/constants_cop.rb +37 -0
data/resources/rubocops/module/name_cop.rb +37 -0
data/resources/rubocops/object/class_cop.rb +37 -0
data/resources/rubocops/object/freeze_cop.rb +37 -0
data/resources/rubocops/object/frozen_cop.rb +37 -0
data/resources/rubocops/object/is_a_cop.rb +37 -0
data/resources/rubocops/object/method_cop.rb +37 -0
data/resources/rubocops/object/respond_to_cop.rb +37 -0
data/resources/rubocops/object/singleton_class_cop.rb +37 -0
data/resources/rubocops/regexp/spelling_cop.rb +44 -0
data/resources/rubocops/thread/new_cop.rb +39 -0
data/resources/ruby-spec/ancestors_spec.rb +70 -0
data/resources/ruby-spec/modulo_spec.rb +831 -0
data/resources/ruby-spec/parameters_spec.rb +261 -0
data/resources/ruby-spec/ruby_spec_spec_helper.rb +35 -0
data/resources/test_marker.txt +1 -0
data/ruby-agent.gemspec +129 -0
data/service_executables/.gitkeep +0 -0
data/service_executables/VERSION +1 -0
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +945 -0

data/lib/contrast/core_extensions/assess/basic_object.rb ADDED

@@ -0,0 +1,15 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/core_extensions/eval_trigger'
+cs__scoped_require 'contrast/agent/patching/policy/patcher'
+# Our patch into the BasicObject class, allowing us to track calls to the eval
+# method
+class BasicObject
+  class << self
+    include Contrast::CoreExtensions::Assess::EvalTrigger
+  end
+end
+cs__scoped_require 'cs__assess_basic_object/cs__assess_basic_object'

data/lib/contrast/core_extensions/assess/erb.rb ADDED

@@ -0,0 +1,42 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+# This module is used to track propagation through ERB template rendering
+module ERBPropagator
+  class << self
+    include Contrast::Components::Interface
+    access_component :logging
+    def result_tagger patcher, preshift, ret, _block
+      return unless preshift.args.length >= 1
+      logger.debug('ERBPropagator - running propagation')
+      used_binding = preshift.args[0]
+      binding_variable_set = used_binding.local_variables
+      erb_pre_result = preshift.object.src
+      binding_variable_set.each do |bound_var_symbol|
+        bound_variable_value = used_binding.local_variable_get(bound_var_symbol)
+        next unless bound_variable_value.cs__respond_to?(:cs__tracked?) && bound_variable_value.cs__tracked?
+        next unless erb_pre_result.include?(bound_var_symbol.to_s)
+        start_index = ret.index(bound_variable_value)
+        next if start_index.nil?
+        logger.debug('ERBPropagator - found bound_variable in erb template result')
+        ret.cs__copy_from(bound_variable_value, start_index)
+      end
+      ret.cs__properties.build_event(
+          patcher,
+          ret,
+          preshift.object,
+          ret,
+          preshift.args,
+          1)
+      logger.debug('ERBPropgator - Finished erb result propagation')
+      ret
+    end
+  end
+end

data/lib/contrast/core_extensions/assess/exec_trigger.rb ADDED

@@ -0,0 +1,48 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+module Contrast
+  module CoreExtensions
+    module Assess
+      # This Module allows us to track calls to the Kernel#exec method, which
+      # violates the design of most methods we track in that we have to apply
+      # the trigger at the start in order to account for the process hand off.
+      module ExecTrigger
+        include Contrast::Components::Interface
+        access_component :contrast_service
+        def apply_trigger source
+          current_context = Contrast::Agent::REQUEST_TRACKER.current
+          return unless current_context
+          # Since we know this is the source of the trigger, we can do some
+          # optimization here and return when it is not tracked
+          return unless Contrast::Utils::Assess::TrackingUtil.tracked?(source)
+          # source might not be all the args passed in, but it is the one we care
+          # about. we could pass in all the args in the last param here if it
+          # becomes an issue in rendering on TS
+          Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
+              current_context,
+              trigger_node,
+              source,
+              self,
+              '',
+              1,
+              source)
+          # Exec replaces the current process, if we occur in a forked process our appendage of this finding will not make it to TS
+          CONTRAST_SERVICE.send_message(current_context.activity)
+        end
+        private
+        def trigger_node
+          @_trigger_node ||= begin
+            Contrast::Agent::Assess::Policy::Policy.instance.find_node('cmd-injection', 'Kernel', :exec, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/core_extensions/assess/fiber.rb ADDED

@@ -0,0 +1,125 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'fiber'
+# In order to instrument some difficult methods like String#gsub, as it
+# returns an enumerator, we need to instrument methods on Fiber.
+# Specifically, we instrument 'rb_fiber_yield' and 'rb_fiber_new' in
+# order to track what happens within Enumerator#next.
+# TODO: RUBY-531 move these out of Fiber class
+class Fiber
+  include Contrast::CoreExtensions::Assess::AssessExtension
+  include Contrast::Components::Interface
+  access_component :analysis, :scope
+  FIBER_NEW_NODE_HASH = {
+      'class_name' => 'Fiber',
+      'instance_method' => true,
+      'method_visibility' => 'public',
+      'method_name' => 'c_new', # TODO: Why do we patch new here and not initalize? Historically, new has been problematic.
+      'action' => 'CUSTOM',
+      'source' => 'O',
+      'target' => 'R',
+      'patch_class' => 'NOOP',
+      'patch_method' => 'track_rb_fiber_new'
+  }.cs__freeze
+  FIBER_NEW_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(FIBER_NEW_NODE_HASH)
+  private_constant :FIBER_NEW_NODE_HASH
+  private_constant :FIBER_NEW_NODE
+  FIBER_YIELD_NODE_HASH = {
+      'class_name' => 'Fiber',
+      'instance_method' => true,
+      'method_visibility' => 'public',
+      'method_name' => 'c_yield',
+      'action' => 'CUSTOM',
+      'source' => 'O',
+      'target' => 'R',
+      'patch_class' => 'NOOP',
+      'patch_method' => 'track_rb_fiber_yield'
+  }.cs__freeze
+  FIBER_YIELD_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(FIBER_YIELD_NODE_HASH)
+  private_constant :FIBER_YIELD_NODE_HASH
+  private_constant :FIBER_YIELD_NODE
+  class << self
+    def track_rb_fiber_yield fiber, _method, results
+      # results will be nil if StopIteration was raised,
+      # otherwise an Array of the yielded arguments
+      return if results.nil?
+      return unless ASSESS.enabled?
+      with_contrast_scope do
+        results.each do |result|
+          next unless Contrast::Utils::DuckUtils.quacks_like_cs_patched?(result)
+          next if result.cs__frozen?
+          cs__splat_tags(result, fiber)
+          result.cs__properties.build_event(
+              FIBER_YIELD_NODE,
+              result,
+              fiber,
+              result,
+              [])
+        end
+      end
+    end
+    def track_rb_fiber_new fiber, _enum, _enum_method, underlying, _underlying_method
+      return unless Contrast::Utils::DuckUtils.quacks_like_cs_patched?(underlying)
+      return unless underlying.is_a?(String) && !underlying.empty?
+      return unless ASSESS.enabled?
+      with_contrast_scope do
+        cs__splat_tags(fiber, underlying)
+        fiber.cs__properties.build_event(
+            FIBER_NEW_NODE,
+            fiber,
+            underlying,
+            fiber,
+            [])
+      end
+    end
+    def instrument_fiber_track
+      @_instrument_fiber_variables ||= begin
+          cs__scoped_require 'cs__assess_fiber_track/cs__assess_fiber_track'
+          true
+        end
+    rescue StandardError => e
+      logger.error(e, 'Error loading fiber track patch')
+      false
+    end
+    # Some propagation occurred, but we're not sure what the
+    # exact transformation was. To be safe, we just explode
+    # all the tags from the source to the return.
+    #
+    # If the return already had that tag, the existing tag
+    # range is recycled to save us an object.
+    def cs__splat_tags ret, source = self
+      source.cs__properties.tag_keys.each do |key|
+        length = Contrast::Utils::StringUtils.ret_length(ret)
+        existing = ret.cs__properties.fetch_tag(key)
+        # if the tag already exists, drop all but the first range
+        # then change that range to cover the entire return
+        if existing&.any?
+          existing.drop(existing.length - 1)
+          range = existing[0]
+          range.repurpose(0, length)
+        else
+          span = Contrast::Agent::Assess::AdjustedSpan.new(0, length)
+          ret.cs__properties.add_tag(key, span)
+        end
+      end
+    end
+  end
+end
+Fiber.instrument_fiber_track

data/lib/contrast/core_extensions/assess/hash.rb ADDED

@@ -0,0 +1,22 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+# This Class provides us with a way to invoke Hash propagation for those
+# methods which are too complex to fit into one of the standard
+# Contrast::Agent::Assess::Policy::Propagator molds.
+class Hash
+  def self.cs__duplicate_and_freeze object
+    return object unless object.is_a?(String) && !object.cs__frozen?
+    return object unless object.cs__tracked?
+    object.dup.cs__freeze
+  rescue StandardError
+    logger.error("Unable to track dataflow through array for #{ object }")
+  end
+  def cs__bracket_set *args
+    Hash.cs__duplicate_and_freeze(args[0])
+  end
+end
+cs__scoped_require 'cs__assess_hash/cs__assess_hash'

data/lib/contrast/core_extensions/assess/kernel.rb ADDED

@@ -0,0 +1,95 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/core_extensions/assess/exec_trigger'
+# This module provides us with a way to invoke Kernel propagation for those
+# methods which are too complex to fit into one of the standard
+# Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
+# Kernel Module or exposing our methods there.
+module KernelPropagator
+  class << self
+    include Contrast::Components::Interface
+    include Contrast::CoreExtensions::Assess::ExecTrigger
+    access_component :logging
+    # We're 'tracking' sprintf now, meaning if anything is tracked on the way
+    # in, the entire result will be tracked out. We're going to take this
+    # approach for now b/c it's fast and easy. I don't super love it, and by
+    # that I mean I hate it.
+    #
+    # To actually track this, we'd have to find the index of the new things
+    # being added, then remove the tags at the range of the format marker,
+    # which is some arbitrary length thing, and add the new tags from the
+    # inserted string, shifted down by the length of the aforementioned
+    # marker.
+    #
+    # marker is in the format %[flags][width][.precision]type, type being a
+    # single character. We could regexp this with %.+[bBdiouxXeEfgGaAcps%]
+    #
+    # also, b/c Ruby hates us, there are things called absolute markers,
+    # (digit)$, that go in the flags section. These cannot be mixed w/ the
+    # order assumed type
+    #
+    # oh, and there's also %<name>type and %{name}... b/c of course there is
+    # -HM
+    def sprintf_tagger patcher, preshift, ret, _block
+      format_string = preshift.args[0]
+      args = preshift.args[1]
+      track_sprintf(ret, format_string, args)
+      ret.cs__properties.build_event(
+          patcher,
+          ret,
+          preshift.object,
+          ret,
+          preshift.args,
+          1)
+      ret
+    end
+    def track_sprintf result, format_string, args
+      tracked_inputs = []
+      tracked_inputs << format_string if format_string.cs__tracked?
+      if args.is_a?(String)
+        tracked_inputs << args if args.cs__tracked?
+      elsif args.is_a?(Hash)
+        args.each_value do |value|
+          next unless Contrast::Utils::DuckUtils.quacks_to?(
+              value,
+              :cs__tracked?)
+          next unless value.cs__tracked?
+          tracked_inputs << value
+        end
+      elsif args.is_a?(Array)
+        args.each do |value|
+          next unless Contrast::Utils::DuckUtils.quacks_to?(value, :cs__tracked?)
+          next unless value.cs__tracked?
+          tracked_inputs << value
+        end
+      end
+      return result if tracked_inputs.empty?
+      tracked_inputs.each do |input|
+        input.cs__properties.events.each do |event|
+          result.cs__properties.events << event
+        end
+        input.cs__splat_tags(result)
+      end
+      result
+    rescue StandardError => e
+      logger.error(
+          e,
+          'Unable to track dataflow through sprintf')
+      result
+    end
+  end
+end
+cs__scoped_require 'cs__assess_kernel/cs__assess_kernel'

data/lib/contrast/core_extensions/assess/module.rb ADDED

@@ -0,0 +1,14 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/core_extensions/eval_trigger'
+# Our patch into the Module class, allowing us to track calls to the eval
+# method
+class Module
+  class << self
+    include Contrast::CoreExtensions::Assess::EvalTrigger
+  end
+end
+cs__scoped_require 'cs__assess_module/cs__assess_module'

data/lib/contrast/core_extensions/assess/regexp.rb ADDED

@@ -0,0 +1,206 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+# Monkeypatch Ruby Regexp with Contrast Security tagging support
+class Regexp
+  include Contrast::Components::Interface
+  include Contrast::CoreExtensions::Assess::AssessExtension
+  access_component :analysis, :logging, :scope
+  def cs__regexp_tagger info_hash
+    return unless ASSESS.enabled?
+    # Because we have a special case for this propagation,
+    # it falls out of regular scoping. As such, any patch to the `=~` method
+    # that goes through normal channels, like that for the redos rule,
+    # will force this to be in a scope of 1 (instead of the normal 0).
+    # As such, a scope of 1 here indicates that,
+    # so we know that we're in the top level call for this method.
+    # normal patch [-alias-]> special case patch [-alias-]> original method
+    # TODO:  RUBY-686
+    return if scope_for_current_ec.instance_variable_get(:@contrast_scope) > 1
+    with_contrast_scope do
+      result = info_hash[:result]
+      return unless result
+      string = info_hash[:string] || nil
+      return unless string
+      regexp = info_hash[:regexp]
+      return unless (Contrast::Utils::DuckUtils.quacks_to?(string, :cs__tracked?) && string.cs__tracked?) ||
+          (Contrast::Utils::DuckUtils.quacks_to?(regexp, :cs__tracked?) && regexp.cs__tracked?)
+      Regexp.cs__splat_tags(info_hash[:back_ref], string)
+      Regexp.cs__build_event(ARRAY_NODE, info_hash[:back_ref], result, [string])
+    end
+  end
+  REGEXP_EQUAL_SQUIGGLE_HASH = {
+      'id' => 'regexp_100',
+      'class_name' => 'Regexp',
+      'instance_method' => true,
+      'method_visibility' => 'public',
+      'method_name' => '=~',
+      'source' => 'P0',
+      'target' => 'R',
+      'action' => 'KEEP'
+  }.cs__freeze
+  ARRAY_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(REGEXP_EQUAL_SQUIGGLE_HASH)
+  private_constant :REGEXP_EQUAL_SQUIGGLE_HASH
+  private_constant :ARRAY_NODE
+  REGEXP_MATCH_HASH = {
+      'id' => 'regexp_101',
+      'class_name' => 'Regexp',
+      'instance_method' => true,
+      'method_visibility' => 'public',
+      'method_name' => 'match',
+      'source' => 'P0',
+      'target' => 'R',
+      'action' => 'SPLAT'
+  }.cs__freeze
+  MATCH_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(REGEXP_MATCH_HASH)
+  private_constant :REGEXP_MATCH_HASH
+  private_constant :MATCH_NODE
+  POST_HASH = {
+      'class_name' => 'MatchData',
+      'instance_method' => true,
+      'method_visibility' => 'public',
+      'method_name' => 'post_match',
+      'source' => 'O',
+      'target' => 'R',
+      'action' => 'REMOVE'
+  }.cs__freeze
+  POST_WEAVER = Contrast::Agent::Assess::Policy::PropagationNode.new(POST_HASH)
+  private_constant :POST_HASH
+  private_constant :POST_WEAVER
+  PRE_HASH = {
+      'class_name' => 'MatchData',
+      'instance_method' => true,
+      'method_visibility' => 'public',
+      'method_name' => 'pre_match',
+      'source' => 'O',
+      'target' => 'R',
+      'action' => 'SPLAT'
+  }.cs__freeze
+  PRE_WEAVER = Contrast::Agent::Assess::Policy::PropagationNode.new(PRE_HASH)
+  private_constant :PRE_HASH
+  private_constant :PRE_WEAVER
+  LAST_PAREN_HASH = {
+      'class_name' => 'MatchData',
+      'instance_method' => true,
+      'method_visibility' => 'public',
+      'method_name' => 'last_paren',
+      'source' => 'O',
+      'target' => 'R',
+      'action' => 'SPLAT'
+  }.cs__freeze
+  LAST_PAREN_WEAVER = Contrast::Agent::Assess::Policy::PropagationNode.new(LAST_PAREN_HASH)
+  private_constant :LAST_PAREN_HASH
+  private_constant :LAST_PAREN_WEAVER
+  NTH_HASH = {
+      'class_name' => 'MatchData',
+      'instance_method' => true,
+      'method_visibility' => 'public',
+      'method_name' => 'nth_match',
+      'source' => 'O',
+      'target' => 'R',
+      'action' => 'SPLAT'
+  }.cs__freeze
+  NTH_WEAVER = Contrast::Agent::Assess::Policy::PropagationNode.new(NTH_HASH)
+  private_constant :NTH_HASH
+  private_constant :NTH_WEAVER
+  class << self
+    def track_rb_pre_match backref, target
+      track_rb_c(PRE_WEAVER, backref, target)
+    end
+    def track_rb_post_match backref, target
+      track_rb_c(POST_WEAVER, backref, target)
+    end
+    def track_rb_reg_match_last backref, target
+      track_rb_c(LAST_PAREN_WEAVER, backref, target)
+    end
+    def track_rb_n_match backref, target
+      track_rb_c(NTH_WEAVER, backref, target)
+    end
+    # Some propagation occurred, but we're not sure what the
+    # exact transformation was. To be safe, we just explode
+    # all the tags from the source to the return.
+    #
+    # If the return already had that tag, the existing tag
+    # range is recycled to save us an object.
+    def cs__splat_tags ret, source = self
+      source.cs__properties.tag_keys.each do |key|
+        length = Contrast::Utils::StringUtils.ret_length(ret)
+        existing = ret.cs__properties.fetch_tag(key)
+        # if the tag already exists, drop all but the first range
+        # then change that range to cover the entire return
+        if existing&.any?
+          existing.drop(existing.length - 1)
+          range = existing[0]
+          range.repurpose(0, length)
+        else
+          span = Contrast::Agent::Assess::AdjustedSpan.new(0, length)
+          ret.cs__properties.add_tag(key, span)
+        end
+      end
+    end
+    def cs__build_event node, target, ret, args
+      return unless Contrast::Utils::DuckUtils.quacks_to?(target, :cs__tracked?)
+      return unless target.cs__tracked?
+      target.cs__properties.build_event(
+          node,
+          target,
+          self,
+          ret,
+          args)
+    end
+    def instrument_regexp_track
+      @_instrument_regexp_variables ||= begin
+          cs__scoped_require 'cs__assess_regexp_track/cs__assess_regexp_track'
+          true
+        end
+    rescue StandardError => e
+      logger.error(e, 'Error loading regexp track patch')
+      false
+    end
+    private
+    def track_rb_c weaver, backref, target
+      return target unless ASSESS.enabled?
+      return target unless backref&.respond_to?(:cs__properties)
+      return target unless target.is_a?(String) && !target.empty?
+      with_contrast_scope do
+        cs__splat_tags(target, backref)
+        target.cs__properties.build_event(
+            weaver,
+            target,
+            self,
+            target,
+            [])
+        target
+      end
+    end
+  end
+end
+cs__scoped_require 'cs__assess_regexp/cs__assess_regexp'
+Regexp.instrument_regexp_track