contrast-agent 3.8.4

data/lib/contrast/utils/operating_environment.rb

@@ -0,0 +1,38 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Utils
+    # A utility class to detect the environment the agent is operating within
+    class OperatingEnvironment
+      include Contrast::Components::Interface
+      access_component :logging
+
+      def self.unsupported?
+        sidekiq? || rake?
+      end
+
+      def self.sidekiq?
+        return unless defined?(Sidekiq) && Sidekiq.cs__respond_to?(:server?) && Sidekiq.server?
+
+        logger.debug(nil, "Detected the spawn of a Sidekiq process. Disabling Contrast for process #{ Process.pid }")
+        true
+      end
+
+      def self.rake?
+        return unless defined?(Rake) &&
+            Rake.cs__respond_to?(:application) &&
+            Rake.application.cs__respond_to?(:top_level_tasks)
+
+        disabled_rake_tasks = Contrast::Agent::FeatureState.instance.disabled_agent_rake_tasks
+        disabled_task = Rake.application.top_level_tasks.any? { |task| disabled_rake_tasks.include?(task) }
+        return false unless disabled_task
+
+        logger.debug(nil, "Detected startup within the rake task #{ disabled_task }. Disabling Contrast for process #{ Process.pid }")
+        true
+      end
+    end
+  end
+end

data/lib/contrast/utils/os.rb

@@ -0,0 +1,49 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # Simple utility used to make OS calls and determine state. For that state
+    # which will not change at runtime, such as the operating system, the
+    # Utility memozies to avoid multiple lookups.
+    module OS
+      class << self
+        def windows?
+          @_windows = !(/cygwin|mswin|mingw|bccwin|wince|emx/ =~ RUBY_PLATFORM).nil? if @_windows.nil?
+          @_windows
+        end
+
+        def mac?
+          @_mac ||= !(/darwin/ =~ RUBY_PLATFORM).nil? if @_mac.nil?
+          @_mac
+        end
+
+        def unix?
+          @unix ||= !windows? if @_unix.nil?
+          @unix
+        end
+
+        def linux?
+          @_linux ||= unix? && !OS.mac? if @_linux.nil?
+          @_linux
+        end
+
+        def running?
+          process = if Contrast::Utils::OS.windows?
+                      `tasklist /fi "imagename eq contrast-service.exe"`
+                    else
+                      `ps aux | grep contrast-servic[e]`
+                    end
+          process != ''
+        end
+
+        # check if service was killed and is a zombie process
+        # returns an array of zombie process PIDs as strings; empty array if there are none
+        def zombie_pids
+          zombie_pid_list = `ps aux | grep contrast-servic[e] | grep Z | awk '{print $2}'` # retrieve pid of service processes
+          zombie_pid_list.split("\n")
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/path_util.rb

@@ -0,0 +1,151 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/utils/class_util'
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Utils
+    # Utility methods for finding routes within frameworks
+    class PathUtil
+      include Contrast::Components::Interface
+      access_component :logging
+
+      COVERAGE_LIMIT = 500 # CONTRAST-25730: Arbitrary coverage limit imposed by TeamServer
+
+      class << self
+        # find the routes in the application. since each framework maintains the
+        # routes slightly differently, we'll only support those that we've explicitly
+        # implemented (Rails & Sinatra currently)
+        #
+        # this method always returns an array, even if it's empty
+        def find_routes
+          if defined?(Rails)
+            find_rails_routes
+          elsif defined?(Sinatra)
+            find_sinatra_routes
+          else
+            Contrast::Utils::ObjectShare::EMPTY_ARRAY
+          end
+        rescue StandardError
+          Contrast::Utils::ObjectShare::EMPTY_ARRAY
+        end
+
+        # Given the Contrast Request object, determine the current Coverage route,
+        # returning a RouteCoverage object
+        def get_route request
+          get_rails_route(request) if defined?(Rails)
+        rescue StandardError => e
+          logger.error(e, 'Unable to generate route from request')
+          nil
+        end
+
+        def find_rails_routes
+          routes = []
+          count = 0
+          Rails.application.routes.routes.each do |route|
+            routes << rails_route_to_coverage(route)
+            count += 1
+            return routes if count > COVERAGE_LIMIT
+          end
+          routes
+        end
+
+        def get_rails_route request
+          return unless Rails.cs__respond_to?(:application)
+
+          # returns array of arrays [[match_data, path_parameters, route]], sorted by
+          # precedence
+          # match_data: ActionDispatch::Journey::Path::Pattern::MatchData
+          # path_parameters: hash of various things
+          # route: ActionDispatch::Journey::Route
+          full_routes = Rails.application.routes.router.send(:find_routes, request.rack_request)
+          return if full_routes.empty?
+
+          full_route = full_routes[0] # [match_data, path_parameters, route]
+          return unless full_route
+
+          route = full_route[2]       # route w/ highest precedence
+          return unless route
+
+          rails_route_to_coverage(route)
+        end
+
+        # Convert ActionDispatch::Journey::Route to Contrast::Api::Dtm::RouteCoverage
+        def rails_route_to_coverage route
+          route_coverage = Contrast::Api::Dtm::RouteCoverage.new
+          route_coverage.route = "#{ route.defaults[:controller] }##{ route.defaults[:action] }"
+
+          verb = source_or_string(route.verb)
+          route_coverage.verb = Contrast::Utils::StringUtils.force_utf8(verb)
+
+          url = source_or_string(route.path.spec)
+          route_coverage.url = Contrast::Utils::StringUtils.force_utf8(url)
+          route_coverage
+        end
+
+        def source_or_string obj
+          if obj.cs__is_a?(Regexp)
+            obj.source
+          elsif obj.cs__respond_to?(:safe_string)
+            obj.safe_string
+          else
+            obj.to_s
+          end
+        end
+
+        # Iterate over every class that extends Sinatra::Base, pull out its routes
+        # (array of arrays with Mustermann::Sinatra as [][0]) and convert them into
+        # Contrast::Api::Dtm::RouteCoverage
+        def find_sinatra_routes
+          routes = []
+          controllers = sinatra_controllers
+          controllers.each do |clazz|
+            class_routes = sinatra_class_routes(clazz)
+            next unless class_routes
+
+            class_routes.each_pair do |method, list|
+              # item: [ Mustermann::Sinatra, [], Proc]
+              list.each do |item|
+                routes << sinatra_route_to_coverage(clazz, method, item[0])
+                return routes if routes.length > COVERAGE_LIMIT
+              end
+            end
+          end
+          routes
+        end
+
+        def sinatra_controllers
+          return [] unless defined?(Sinatra) && defined?(Sinatra::Base)
+
+          Contrast::Utils::ClassUtil.ancestors_of(Sinatra::Base)
+        end
+
+        def sinatra_class_routes controller
+          controller.instance_variable_get(:@routes)
+        rescue StandardError
+          logger.debug(nil, "#{ clazz } has no routes instance")
+          nil
+        end
+
+        # Invoked directly on Sinatra::Base#call!
+        def get_sinatra_route clazz, method, pattern
+          sinatra_route_to_coverage(clazz, method, pattern)
+        end
+
+        # given clazz, method, and Mustermann::Sinatra, build a
+        # Contrast::Api::Dtm::RouteCoverage
+        def sinatra_route_to_coverage clazz, method, pattern
+          safe_pattern = source_or_string(pattern)
+
+          route_coverage = Contrast::Api::Dtm::RouteCoverage.new
+          route_coverage.route = "#{ clazz }##{ method } #{ safe_pattern }"
+          route_coverage.verb = Contrast::Utils::StringUtils.force_utf8(method)
+          route_coverage.url = Contrast::Utils::StringUtils.force_utf8(safe_pattern)
+          route_coverage
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/performs_logging.rb

@@ -0,0 +1,152 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Utils
+    # This utility allows us wrap our calls to logging, allowing runtime
+    # determination as to whether or not an event should be logged, based upon
+    # the Logging Configuration as specified in Common Configuration.
+    module PerformsLogging
+      include Contrast::Components::Interface
+
+      COULDNT_INIT_CONFIG = '!!! Contrast could not initialize agent from config, flushing loq queue to TARGET !!!'
+      FLUSHING_LOG_QUEUE  = '!!! Contrast exited before logger could initialize, flushing log queue to TARGET !!!'
+
+      TARGET = STDOUT
+
+      # idiom for propagating class methods
+      def self.included base
+        base.send :include, InstanceMethods
+        base.extend ClassMethods
+      end
+
+      # Grouping to allow for these methods to be included into another Module
+      # on include of the PerformsLogging Module. They'll function as instance
+      # methods in that Module.
+      module InstanceMethods #:nodoc:
+        @_log_mutex = Mutex.new
+        @_log_queue = []
+
+        protected
+
+        def init_log_queueing
+          # Queue log messages & defer logging until logger gets initialized.
+          # (Logger depends on config, so logging config errors implies
+          # circular dependencies.)
+          at_exit do
+            # Ideally we flush the queue when we detect agent init is impossible,
+            # if worse comes to worse we do it here.
+            if @_log_queue
+              lq = @_log_queue
+              if lq&.any?
+                TARGET.puts '!!! Contrast exited before logger could initialize, flushing log queue to TARGET !!!'
+                while (message = lq.pop)
+                  TARGET.puts "[#{ message[2].upcase }]\t#{ message[1] }"
+                end
+              end
+            end
+          end
+        end
+
+        def abort_log_queues
+          TARGET.puts COULDNT_INIT_CONFIG
+          if @_log_queue
+            TARGET.puts FLUSHING_LOG_QUEUE
+            while (message = @_log_queue.pop)
+              TARGET.puts "[#{ message[2].upcase }]\t#{ message[1] }"
+            end
+          end
+          @_log_queue = nil
+          @_log_mutex = nil
+        end
+
+        def flush_log_queues
+          return unless @_log_queue
+
+          # Monkeypatch this class so that the next call to #instance flushes the log queue.
+          # (Flushing the log queue within #initialize
+          # causes a deadlock, as singleton classes' #initialize
+          # gets wrapped within a mutex, and our logger will
+          # try to reference the singleton instance.)
+          self.class.class_eval do
+            class << self
+              alias_method :__instance_original, :instance
+              def instance
+                @_log_mutex.synchronize do
+                  # Restore old #instance method.
+                  class_eval do
+                    class << self
+                      def instance
+                        __instance_original
+                      end
+                    end
+                  end
+                  # Flush log queue.
+                  if @_log_queue
+                    while (message = @_log_queue.pop)
+                      log_with_level(*message, skip_queue: true)
+                    end
+                  end
+                  @_log_queue = nil
+                end
+                @_log_mutex = nil
+                __instance_original
+              end
+            end
+          end
+        end
+      end
+
+      module ClassMethods #:nodoc:
+        def log_error msg, exception = nil
+          log_with_level exception, msg, :error
+        end
+
+        def log_warn msg, exception = nil
+          log_with_level exception, msg, :warn
+        end
+
+        def log_info msg, exception = nil
+          log_with_level exception, msg, :info
+        end
+
+        def log_debug msg, exception = nil
+          log_with_level exception, msg, :debug
+        end
+
+        def debug_with_time msg
+          a = Contrast::Utils::Timer.now_ms
+          ret = yield if block_given?
+          z = Contrast::Utils::Timer.now_ms
+          log_with_level(nil, "#{ msg }: pid=#{ Process.pid }, elapsed=#{ z - a }ms", :debug)
+          ret
+        end
+
+        def log_with_level exception, msg, level, skip_queue: false
+          # Log messages are queued until the logger is initialized.
+          # If agent init fails, flush the log to TARGET.
+          if (lq = @_log_queue) && !skip_queue
+            lq.push [exception, msg, level]
+            return nil
+          end
+
+          if exception&.respond_to?(:message)
+            tmp = msg.nil? ? exception.message.to_s : "#{ exception.class.name }: #{ msg }: #{ exception.message }"
+            logger.send(level, tmp)
+
+            exception.backtrace.first(10).each { |line| logger.debug(line) } if logger.debug? && exception.cs__respond_to?(:backtrace) && exception.backtrace
+          elsif msg.to_s != Contrast::Utils::ObjectShare::EMPTY_STRING
+            logger.send(level, msg.to_s)
+          end
+
+          nil # ensure no return value
+        rescue StandardError
+          nil # NOOP
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/preflight_util.rb

@@ -0,0 +1,13 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # Utility for generating preflight message token
+    class PreflightUtil
+      def self.create_preflight finding
+        "#{ finding.rule_id },#{ finding.hash_code }"
+      end
+    end
+  end
+end

data/lib/contrast/utils/prevent_serialization.rb

@@ -0,0 +1,52 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # DO NOT REMOVE THIS!
+    #
+    # Marshal is pretty cool. It does a lot of things well. What it doesn't
+    # mess around with though is StringIO. And what we don't want to do is
+    # serialize ourselves out with Marshal#dump.
+    #
+    # Unfortunately, we have to mess around w/ that. To isolate our things from
+    # user dumped Strings (and so that we can marshal findings), we have
+    # decided to make this class not marshalled.
+    module PreventMarshalSerialization
+      def marshal_dump
+        nil
+      end
+
+      def marshal_load *_args
+        nil
+      end
+    end
+
+    # DO NOT REMOVE THIS!
+    #
+    # Psych/YAML is also pretty cool. But it doesn't mess with anonymous
+    # classes. In order to make things we extend serializable, we need to make
+    # sure we play nice.
+    module PreventPsychSerialization
+      def encode_with *_args
+        nil
+      end
+
+      def init_with *_args
+        nil
+      end
+    end
+
+    # DO NOT REMOVE THIS!
+    #
+    # This module is used to prevent deserialization of our classes, not b/c
+    # we're trying to be sneaky, but b/c there is a high probability that the
+    # events we're capturing have non-serializable data in them and b/c we
+    # can't be sure the serialized data will be used in an application running
+    # Contrast.
+    module PreventSerialization
+      include PreventMarshalSerialization
+      include PreventPsychSerialization
+    end
+  end
+end