contrast-agent 3.8.4

data/lib/contrast/utils/heap_dump_util.rb

@@ -0,0 +1,113 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'objspace'
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Utils
+    # Implementation of a heap dump util to automate generation
+    class HeapDumpUtil
+      include Contrast::Components::Interface
+      access_component :logging, :heap_dump
+
+      LOG_ERROR_DUMPS = 'Unable to generate heap dumps'
+      FILE_WRITE_FLAGS = 'w'
+
+      class << self
+        def run
+          return unless heap_dump_enabled?
+
+          log_enabled_warning
+          dir = heap_dump_control[:path]
+          Dir.mkdir(dir) unless Dir.exist?(dir)
+          return unless File.writable?(dir)
+
+          delay = heap_dump_control[:delay]
+          Contrast::Agent::Thread.new do
+            logger.info("HEAP DUMP THREAD INITIALIZED.  WAITING #{ delay } SECONDS TO BEGIN.")
+            sleep(delay)
+            capture_heap_dump
+          end
+        rescue StandardError => e
+          logger.info(LOG_ERROR_DUMPS, e)
+        end
+
+        def log_enabled_warning
+          dir    = heap_dump_control[:path]
+          window = heap_dump_control[:window]
+          count  = heap_dump_control[:count]
+          delay  = heap_dump_control[:delay]
+          clean  = heap_dump_control[:clean]
+
+          logger.info <<~WARNING
+            *****************************************************
+            ********      HEAP DUMP HAS BEEN ENABLED     ********
+            *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
+            *****************************************************
+
+            Heap dump is a debugging tool that snapshots the entire
+            state of the Ruby VM. It is an exceptionally expensive
+            process, and should only be used to debug especially
+            pernicious errors.
+
+            It will write multiple memory snaphots, which are liable
+            to be multiple gigabytes in size.
+            They will be named "[unix timestamp]-heap.dump",
+            e.g.: 1020304050-heap.dump
+
+            It will then call Ruby `exit()`.
+
+            If this is not your specific intent, you can (and should)
+            disable this option in your Contrast config file.
+
+            HEAP DUMP PARAMETERS:
+            \t[write files to this directory]             dir:     #{ dir    }
+            \t[wait this many seconds in between dumps]   window:  #{ window }
+            \t[heap dump this many times]                 count:   #{ count  }
+            \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
+            \t[perform gc pass before dump]               clean:   #{ clean  }
+
+            *****************************************************
+            ********        YOU HAVE BEEN WARNED         ********
+            *****************************************************
+          WARNING
+        end
+
+        def capture_heap_dump
+          dir    = heap_dump_control[:path]
+          window = heap_dump_control[:window]
+          count  = heap_dump_control[:count]
+          clean  = heap_dump_control[:clean]
+          logger.info(nil, 'HEAP DUMP MAIN LOOP')
+          ObjectSpace.trace_object_allocations_start
+          count.times do |i|
+            logger.info(nil, "STARTING HEAP DUMP PASS #{ i + 1 } OF #{ count }")
+            output = "#{ Time.now.to_f }-heap.dump"
+            output = File.join(dir, output)
+            begin
+              logger.info(nil, "OPENING FILE #{ dir }/#{ output } FOR HEAP DUMP")
+              file = File.new(output, FILE_WRITE_FLAGS)
+              if clean
+                logger.info(nil, 'PERFORMING GARBAGE COLLECTION BEFORE HEAP DUMP')
+                GC.start
+              end
+              ObjectSpace.dump_all(output: file)
+              logger.info(nil, "FINISHING HEAP DUMP PASS #{ i + 1 } OF #{ count }")
+            ensure
+              file.close
+            end
+            sleep(window)
+          end
+        ensure
+          ObjectSpace.trace_object_allocations_stop
+          logger.info(nil, '*****************************************************')
+          logger.info(nil, '********        HEAP DUMP HAS CONCLUDED      ********')
+          logger.info(nil, '***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
+          logger.info(nil, '*****************************************************')
+          exit # We weren't kidding!
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/invalid_configuration_util.rb

@@ -0,0 +1,88 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: false
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Utils
+    # This utility allows us to report invalid configurations detected in
+    # customer applications, as determined by Configuration Rules at runtime.
+    module InvalidConfigurationUtil
+      include Contrast::Components::Interface
+      access_component :agent, :analysis, :contrast_service, :logging
+
+      CS__PATH = 'path'.cs__freeze
+      CS__SESSION_ID = 'sessionId'.cs__freeze
+      CS__SNIPPET = 'snippet'.cs__freeze
+
+      # Build and report a finding for the given rule
+      #
+      # @param rule_id [String] the rule that was violated by the configuration
+      # @param user_provided_options [Hash] the configuration value(s) which
+      #   violated the rule
+      # @param call_location [Thread::Backtrace::Location] the location where
+      #   the bad configuration was set
+      def cs__report_finding rule_id, user_provided_options, call_location
+        finding = Contrast::Api::Dtm::Finding.new
+        finding.rule_id = rule_id
+        path = call_location.path
+        # just get the file name, not the full path
+        path = path.split(Contrast::Utils::ObjectShare::SLASH).last
+        session_id = user_provided_options[:key].to_s if user_provided_options
+
+        finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
+        finding.properties[CS__SESSION_ID] = Contrast::Utils::StringUtils.force_utf8(session_id)
+        finding.properties[CS__PATH] = Contrast::Utils::StringUtils.force_utf8(path)
+        file_path = call_location.absolute_path
+        snippet = file_snippet(file_path, call_location)
+        finding.properties[CS__SNIPPET] = Contrast::Utils::StringUtils.force_utf8(snippet)
+
+        hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
+        finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
+        finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
+
+        activity = Contrast::Api::Dtm::Activity.new
+        activity.findings << finding
+
+        # If assess is enabled, we can just send the activity
+        if ASSESS.enabled?
+          build_tags(activity)
+          CONTRAST_SERVICE.queue_message activity
+        # Otherwise, if the Agent isn't ready, we have to queue the messages
+        # until we know the starting state.
+        else
+          Contrast::Utils::ServiceSenderUtil.add_to_assess_messages activity
+        end
+      rescue StandardError => e
+        logger.error(e, "Unable to build a finding for #{ rule_id }")
+      end
+
+      private
+
+      # This seems silly to pull out, but we can ONLY call this in the case
+      # where we have a configuration. Doing otherwise results in a bad error
+      # case where we try to do other things, like logging, which behave
+      # strangely without a config
+      def build_tags activity
+        activity.finding_tags = Contrast::Utils::StringUtils.force_utf8(ASSESS.tags)
+      end
+
+      def file_snippet file_path, call_location
+        idx = call_location&.lineno
+        if file_path && idx && File.exist?(file_path)
+          idx = idx > 5 ? idx - 5 : 0
+          snippet = ''
+          File.foreach(file_path).with_index do |line, line_num|
+            next unless line_num >= idx
+            break if line_num > idx + 10
+
+            snippet << line
+            snippet << Contrast::Utils::ObjectShare::NEW_LINE
+          end
+          return snippet
+        end
+        call_location&.label&.dup
+      end
+    end
+  end
+end

data/lib/contrast/utils/inventory_util.rb

@@ -0,0 +1,126 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/utils/timer'
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/utils/gemfile_reader'
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Utils
+    # Utilities for getting inventory information from the application
+    class InventoryUtil
+      include Contrast::Components::Interface
+      access_component :logging
+
+      # TeamServer only accepts certain values for ArchitectureComponents.
+      # DO NOT CHANGE THIS!
+      AC_TYPE_DB = 'db'
+      # TeamServer only accepts certain values for FlowMap Services.
+      # DO NOT CHANGE THIS
+      DATABASE = 'Database'
+      ADAPTER = 'adapter'
+      HOST = 'host'
+      PORT = 'port'
+      DATABASE_LOWER = 'database'
+      DEFAULT = 'default'
+      LOCALHOST = 'localhost'
+
+      def self.inventory_class class_path
+        Contrast::Utils::GemfileReader.instance.map_class(class_path)
+      rescue StandardError => e
+        logger.error(e, "Unable to inventory #{ class_path }")
+      end
+
+      def self.active_record_config
+        return @_active_record_config if instance_variable_defined?(:@_active_record_config)
+
+        @_active_record_config = ActiveRecord::Base.connection_config rescue nil # rubocop:disable Style/RescueModifier
+      end
+
+      def self.append_db_config activity_or_update, hash_or_str = Contrast::Utils::InventoryUtil.active_record_config
+        arr = build_from_db_config(hash_or_str)
+        return unless arr&.any?
+
+        activity_or_update.technologies[DATABASE] = true
+        arr.each do |a|
+          next unless a
+
+          if activity_or_update.is_a?(Contrast::Api::Dtm::Activity)
+            activity_or_update.architectures << a
+          else
+            activity_or_update.components << a
+          end
+          next if a.vendor.empty?
+
+          activity_or_update.technologies[a.vendor] = true
+        end
+      rescue StandardError => e
+        logger.error(e, 'Unable to append db config')
+        nil
+      end
+
+      def self.build_from_db_config hash_or_str
+        return unless hash_or_str
+
+        if hash_or_str.is_a?(Hash)
+          build_from_db_hash(hash_or_str)
+        else
+          build_from_db_string(hash_or_str.to_s)
+        end
+      end
+
+      def self.build_from_db_hash hash
+        ac = Contrast::Api::Dtm::ArchitectureComponent.new
+        ac.vendor = hash[:adapter] || hash[ADAPTER] || Contrast::Utils::ObjectShare::EMPTY_STRING
+        ac.remote_host = host_from_hash(hash)
+        ac.remote_port = port_from_hash(hash)
+        ac.type = AC_TYPE_DB
+        ac.url = hash[:database] || hash[DATABASE_LOWER] || DEFAULT
+        [ac]
+      end
+
+      def self.host_from_hash hash
+        hash[:host] || hash[HOST] || Contrast::Utils::ObjectShare::EMPTY_STRING
+      end
+
+      def self.port_from_hash hash
+        p = hash[:port] || hash[PORT] || Contrast::Utils::ObjectShare::EMPTY_STRING
+        p.to_i
+      end
+
+      # Examples:
+      # mongodb://[user:pass@]host1[:port1][,host2[:port2],[,hostN[:portN]]][/[database][?options]]
+      # postgresql://scott:tiger@localhost/mydatabase
+      # mysql+mysqlconnector://scott:tiger@localhost/foo
+      def self.build_from_db_string str
+        adapter, hosts, database = split_connection_str(str)
+        acs = []
+        hosts.split(Contrast::Utils::ObjectShare::COMMA).map do |s|
+          host, port = s.split(Contrast::Utils::ObjectShare::COLON)
+
+          ac = Contrast::Api::Dtm::ArchitectureComponent.new
+          ac.vendor = Contrast::Utils::StringUtils.force_utf8(adapter)
+          ac.remote_host = Contrast::Utils::StringUtils.force_utf8(host)
+          ac.remote_port = port.to_i
+          ac.type = AC_TYPE_DB
+          ac.url = Contrast::Utils::StringUtils.force_utf8(database)
+          acs << ac
+        end
+        acs
+      end
+
+      def self.split_connection_str str
+        adapter, str = str.split(Contrast::Utils::ObjectShare::COLON_SLASH_SLASH)
+        _auth, str = str.split(Contrast::Utils::ObjectShare::AT)
+        # Not currently used
+        # user, pass = auth.split(Contrast::Utils::ObjectShare::COLON)
+        hosts, db_and_options = str.split(Contrast::Utils::ObjectShare::SLASH)
+        hosts << LOCALHOST if hosts.empty?
+        database, _options = db_and_options.split(Contrast::Utils::ObjectShare::QUESTION_MARK)
+
+        [adapter, hosts, database]
+      end
+    end
+  end
+end

data/lib/contrast/utils/io_util.rb

@@ -0,0 +1,61 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Utils
+    # Util for information about an IO
+    class IOUtil
+      include Contrast::Components::Interface
+
+      access_component :logging
+
+      # StringIO is a valid path because it logs directly to a string buffer
+      def self.write_permission? path
+        return false if path.nil?
+        return true if path.is_a?(StringIO)
+        return File.writable?(path) if File.exist?(path)
+
+        dir_name = File.dirname(File.absolute_path(path))
+        File.writable?(dir_name)
+      end
+
+      # We're only going to call rewind on things that we believe are safe to
+      # call it on. This method white lists those cases and returns false in
+      # all others.
+      def self.should_rewind? potential_io
+        return true if potential_io.is_a?(StringIO)
+        return false unless io?(potential_io)
+
+        should_rewind_io?(potential_io)
+      rescue StandardError => e
+        logger.debug(e, "Encountered an issue inspecting instance of #{ potential_io } - continuing without rewind")
+        false
+      end
+
+      # IO cannot be used with streams such as pipes, ttys, and sockets.
+      def self.should_rewind_io? io
+        return false if io.tty?
+
+        status = io.stat
+        return false unless status
+        return false if status.pipe?
+        return false if status.socket?
+
+        true
+      end
+
+      # A class is IO if it is a decedent or delegate of IO
+      def self.io? object
+        return true if object.is_a?(IO)
+
+        # DelegateClass, which is a Delegator, defines __getobj__ as a way to
+        # get the object that the class wraps around (delegates to)
+        return false unless object.is_a?(Delegator)
+
+        object.__getobj__.is_a?(IO)
+      end
+    end
+  end
+end

data/lib/contrast/utils/object_share.rb

@@ -0,0 +1,117 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+# rubocop:disable  Object/Freeze
+module Contrast
+  module Utils
+    # A utility class where a series of commonly used Strings and other
+    # commonly used objects can be store and frozen to prevent unnecessary
+    # duplication.
+    class ObjectShare
+      # Strings
+      AND =           '&'
+      OR =            '||'
+      PIPE =          '|'
+      ASTERISK =      '*'
+      BACK_SLASH =    '\\'
+      EMPTY_STRING =  ''
+      COLON =         ':'
+      COMMA =         ','
+      DASH =          '-'
+      DOUBLE_QUOTE =  '"'
+      EQUALS =        '='
+      EXCLAMATION =   '!'
+      HTTP_SCORE =    'HTTP_'
+      HTTP_START =    'http:'
+      HTTPS_START =   'https:'
+      NEW_LINE =      "\n"
+      NIL_STRING =    'nil'
+      PERIOD =        '.'
+      PLUS_SIGN =     '+'
+      POUND_SIGN = HASH_CHAR = '#'
+      QUESTION_MARK = '?'
+      RETURN =        "\r"
+      SEMICOLON =     ';'
+      SINGLE_QUOTE =  '\''
+      SLASH =         '/'
+      SPACE =         ' '
+      UNDERSCORE =    '_'
+      DOUBLE_UNDERSCORE = '__'
+      AT =            '@'
+      LEFT_ANGLE =    '<'
+      RIGHT_ANGLE =   '>'
+      LEFT_BRACKET =   '['
+      RIGHT_BRACKET =  ']'
+      LEFT_PAREN =     '('
+      RIGHT_PAREN =    ')'
+      COLON_SLASH_SLASH = '://'
+      TICK =           '`'
+      BACK_TICK =      '`'
+      LEFT_CURLY =     '{'
+      RIGHT_CURLY =    '}'
+      DOLLAR_SIGN =    '$'
+      CARROT =         '^'
+      PERCENT =        '%'
+      LETTER_Q =       'Q'
+      OR_STRING =      'or'
+
+      DOUBLE_QUOTE_ESCAPED = '&quot;'
+
+      READ_FLAG =     'r'
+      WRITE_FLAG =    'w'
+      READ_WRITE_FLAG = 'rw'
+
+      PARENT_PATH =   '..'
+
+      RUBY = 'Ruby'
+      CACHE = 'cache'
+      GEM_SUFFIX = '.gem'
+
+      CONTRAST_METHOD_START = 'cs__'
+      CONTRAST_PATCHED_METHOD_START = 'cs__patched_'
+      CONTRAST_MODULE_START = 'Contrast::'
+      ANONYMOUS_CLASS_MARKER = '#<'
+      DOUBLE_COLON = '::'
+
+      EMPTY_ARRAY = [].freeze
+      EMPTY_HASH = {}.freeze
+      EMPTY_TRIPLE = [EMPTY_STRING, EMPTY_STRING, EMPTY_STRING].freeze
+
+      # RegExps
+      DIGIT_REGEXP =       /[[:digit:]]/.freeze
+      WHITE_SPACE_REGEXP = /\s/.freeze
+      NOT_WHITE_SPACE_REGEXP = /[^\s]/.freeze
+      WINDOWS_REGEXP = /cygwin|mswin|mingw|bccwin|wince|emx/.freeze
+
+      # Messages
+      OVERRIDE_MESSAGE = 'A security filter prevented original response from being returned.'
+
+      # Configs
+      TRUE = 'true'
+      FALSE = 'false'
+
+      CLASS = 'Class'
+      MODULE = 'Module'
+
+      BRACKET_INTERPOLATION_START = '#{'
+
+      OBJECT_KEY = 'O'
+      PARAMETER_KEY = 'P'
+      RETURN_KEY = 'R'
+      UNKNOWN = 'unknown'
+
+      INDEX = 'index'
+
+      VERSION_2_5_0 = '2.5.0'
+      VERSION_2_4_2 = '2.4.2'
+      VERSION_2_4_1 = '2.4.1'
+      VERSION_2_4_0 = '2.4.0'
+      VERSION_2_3_5 = '2.3.5'
+      VERSION_2_3_4 = '2.3.4'
+      VERSION_2_3_0 = '2.3.0'
+      VERSION_2_0_4 = '2.0.4'
+      VERSION_2_0_0 = '2.0.0'
+    end
+  end
+end
+# rubocop:enable  Object/Freeze