contrast-agent 3.8.4

data/lib/contrast/utils/service_sender_util.rb

@@ -0,0 +1,98 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Utils
+    # This module keeps a background thread, initialized at startup, running. This thread is
+    # responsible for pulling a message off the queue, sending that message to SpeedRacer, and
+    # processing the response returned back from SpeedRacer. When we didn't know our config
+    # values, we may have queued assess messages to send later. This thread is also
+    # responsible for checking to see if we are now ready to send any of these assess messages
+    # to SpeedRacer.
+    module ServiceSenderUtil
+      include Contrast::Components::Interface
+      access_component :contrast_service, :logging, :analysis, :agent
+
+      class << self
+        attr_reader :assess_messages, :ready_messages_queue
+
+        def push_to_ready_queue msg
+          # Since a message may try to be pushed before sending_thread starts up, we need to initialize
+          # the queue on first message sent
+          @ready_messages_queue ||= Queue.new
+          ready_messages_queue.push msg
+        end
+
+        def sending_thread
+          # in case we got here before a message attempted to be sent, let's make sure these are initialized
+          @ready_messages_queue ||= Queue.new
+          @assess_messages ||= []
+
+          @_sender_thread ||= Contrast::Agent::Thread.new do
+            loop do
+              check_assess_queue if assess_messages # don't bother checking if assess queue is already cleared
+              # if ready messages queue is empty, calling thread is suspended until a message is pushed onto queue
+              msg = ready_messages_queue.pop
+              begin
+                response = Contrast::Agent::FeatureState.instance.client.send_to_speedracer msg
+                Contrast::Utils::ServiceResponseUtil.process_response(response) if response
+              rescue StandardError => e
+                logger.error(e, 'Could not send message to service from service sender thread.')
+              end
+            end
+          end
+          logger.debug(nil, 'Started background sending thread.')
+        end
+        alias_method :start, :sending_thread
+
+        def stop
+          Thread.kill(@_sender_thread) if @_sender_thread&.alive?
+        end
+
+        def add_to_assess_messages msg
+          # This list holds messages containing assess findings. We currently
+          # do not know if the agent is running in assess, so until we do then
+          # we must keep the messages stored here.
+          @assess_messages ||= []
+          assess_messages << msg
+        end
+
+        private
+
+        def check_assess_queue
+          return unless AGENT.ready?
+
+          if ASSESS.enabled?
+            assess_messages.each do |msg|
+              update_queued_finding msg
+              ready_messages_queue.push msg # this message is ready to be sent to SR
+            end
+          end
+          @assess_messages = nil # clear out queue, we no longer need it
+        end
+
+        # When we queued up findings, we didn't have access to a configuration
+        # object. As such, we have to make decisions now for those findings.
+        def update_queued_finding msg
+          # Findings only exist in activity messages
+          return unless msg.is_a?(Contrast::Api::Dtm::Activity)
+
+          # So set their tags
+          msg.finding_tags = Contrast::Utils::StringUtils.force_utf8(ASSESS.tags)
+
+          # and see if they're even enabled
+          check = msg.findings.dup
+          check.each do |finding|
+            msg.findings.delete(finding) if ASSESS.rule_disabled?(finding.rule_id)
+          end
+
+          msg.findings.each do |finding|
+            finding.session_id = Contrast::Agent::FeatureState.instance.current_session_id
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/sha256_builder.rb

@@ -0,0 +1,69 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'singleton'
+cs__scoped_require 'contrast/utils/object_share'
+
+module Contrast
+  module Utils
+    # Utility methods for building and caching hashes from strings
+    class Sha256Builder
+      include Singleton
+
+      def initialize
+        @sha256_cache = {}
+        @gem_hash_cache = {}
+      end
+
+      # Return a list of "source" files. Ignore metadata files as well as files
+      # in the spec, test or exe directories. Could potentially miss important
+      # files but good enough for the time being.
+      PATHS = '{lib,bin,ext}/**/*.{rb,c,h,c++,cpp,java,rs}'
+      def files path
+        if Dir.exist?(path)
+          Dir.glob(File.join(path, PATHS))
+        else
+          []
+        end
+      end
+
+      # Generate a SHA256 hash of the combined source code of this Gem
+      def sha256 path
+        return nil unless path
+        return nil unless File.exist?(path) && !File.directory?(path)
+
+        @sha256_cache[path] ||= Digest::SHA256.file(path).to_s
+      end
+
+      def build_from_spec spec
+        name = spec.file_name.to_s
+        cached = @gem_hash_cache[name]
+        return cached if cached
+
+        gem_path = File.join(cache_dir(spec), name)
+        hash = sha256(gem_path)
+
+        @gem_hash_cache[name] = hash
+        hash
+      end
+
+      def cache_dir spec
+        gems_dir = spec.gems_dir
+        parent_dir = File.dirname(gems_dir)
+        File.join(parent_dir, Contrast::Utils::ObjectShare::CACHE)
+      end
+
+      def self.files path
+        instance.files(path)
+      end
+
+      def self.sha256 path
+        instance.sha256(path)
+      end
+
+      def self.build_from_spec spec
+        instance.build_from_spec(spec)
+      end
+    end
+  end
+end

data/lib/contrast/utils/sinatra_helper.rb

@@ -0,0 +1,49 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # This module is to help perform sometimes necessary tasks specific to Sinatra
+    module SinatraHelper
+      SINATRA_VIEWS = [
+        ['public/stylesheets', '*.scss', %w[SASS]],
+        ['views', '*.html', %w[HTML5]],
+        ['views', '*.html.erb', %w[HTML5 ERB]],
+        ['views', '*.html.haml', %w[HTML5 HAML]],
+        ['public', '*.html', %w[HTML5]]
+      ].cs__freeze
+
+      def self.app_class
+        @_app_class ||= begin
+          return nil unless defined?(Sinatra) && defined?(Sinatra::Base)
+
+          sinatra_layers = ObjectSpace.each_object(Sinatra::Base).to_a
+          result_layer = sinatra_layers.find { |layer| layer.app.nil? }
+          result_layer
+        end
+      end
+
+      def self.scannable_view_dirs
+        @_scannable_view_dirs ||= begin
+          views = SINATRA_VIEWS.dup
+          views << [view_directory, '*.erb', %w[HTML5 ERB]] if view_directory
+          views << [view_directory, '*.haml', %w[HTML5 HAML]] if view_directory
+          views << [public_directory, '*.html', %w[HTML5]] if public_directory
+          views
+        end
+      end
+
+      def self.view_directory
+        @_view_directory ||= begin
+          app_class&.settings&.views
+        end
+      end
+
+      def self.public_directory
+        @_public_directory ||= begin
+          app_class&.settings&.public_dir
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/stack_trace_utils.rb

@@ -0,0 +1,209 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/utils/object_share'
+cs__scoped_require 'contrast/api'
+
+module Contrast
+  module Utils
+    # Utilities for converting ruby stack trace into DTMs
+    class StackTraceUtils
+      CONTRAST_MARKER = 'contrast/core_extensions'
+      MONKEYPATCH_MARKER = 'cs__'
+
+      # TODO: RUBY-532
+      CLASSNAME_CACHE = Contrast::Utils::Cache.new
+
+      # need lib here to separate from specs
+      AGENT_CLASS_MARKERS = %w[
+        /lib/contrast/
+      ].cs__freeze
+
+      def self.custom_code_context?
+        stack = Kernel.caller(0, 15)
+        i = 0
+        while i < stack.length
+          stack_element = stack[i]
+          if stack_element.include?('contrast')
+            # Noop
+          elsif stack_element.include?('gems')
+            return false
+          else
+            return true
+          end
+          i += 1
+        end
+      end
+
+      def self.build(
+          skip: 0,
+          depth: 10,
+          ignore: false,
+          ignore_strings: AGENT_CLASS_MARKERS,
+          class_lookup: false,
+          rasp_element: true)
+
+        stack = caller(skip.to_i, depth.to_i)
+        return [] unless stack
+
+        stack = reject_caller_entries(stack, ignore_strings) if ignore
+        stack.map! do |entry|
+          element = rasp_or_assess(rasp_element)
+          element = fill_element(element, entry, class_lookup)
+          element
+        end
+        stack.compact!
+        stack
+      end
+
+      def self.reject_caller_entries stack, ignore_strings
+        return stack unless ignore_strings&.any?
+
+        stack.reject do |entry|
+          ignore_strings.any? { |marker| entry.include?(marker) } ||
+              entry.include?(MONKEYPATCH_MARKER)
+        end
+      end
+
+      def self.rasp_or_assess rasp_element
+        if rasp_element
+          Contrast::Api::Dtm::StackTraceElement.new
+        else
+          Contrast::Api::Dtm::TraceStack.new
+        end
+      end
+
+      def self.to_dtm_stack stack_locations: nil, rasp_element: true
+        return [] unless stack_locations
+
+        stack_locations = reject_locations(stack_locations)
+        stack_locations.map! do |caller_location|
+          element = rasp_or_assess(rasp_element)
+          element = fill_loc_element(element, caller_location)
+          element
+        end
+        stack_locations.compact!
+        stack_locations
+      end
+
+      def self.reject_locations stack_locations
+        stack_locations.reject do |entry|
+          class_path = entry.path
+          method = entry.label
+          AGENT_CLASS_MARKERS.any? { |marker| class_path.include?(marker) } ||
+              method.include?(MONKEYPATCH_MARKER)
+        end
+      end
+
+      # "/.rvm/rubies/ruby-1.9.3-p551/lib/ruby/1.9.1/irb/workspace.rb:80:in `eval'"
+      def self.fill_element element, str, class_lookup
+        return element if str.nil? || str.strip.empty?
+
+        path, line, method = str.split(':')
+        element.line_number = line.to_i
+        file_name = filename_from_path(path)
+        element.file_name = Contrast::Utils::StringUtils.force_utf8(file_name)
+        declaring_class = best_classname(path, element.file_name) if class_lookup
+        element.declaring_class = Contrast::Utils::StringUtils.force_utf8(declaring_class)
+        method_name = find_method_name(method)
+        element.method_name = Contrast::Utils::StringUtils.force_utf8(method_name)
+        element
+      rescue StandardError
+        # NOOP
+        nil
+      end
+
+      def self.best_classname path, file
+        name = first_class(path)
+        name || look_like_classname(file)
+      end
+
+      # "/.rvm/rubies/ruby-1.9.3-p551/lib/ruby/1.9.1/irb/workspace.rb:80:in `eval'"
+      def self.fill_loc_element element, caller_location
+        return element unless caller_location
+
+        lineno = caller_location.lineno
+        element.line_number = lineno.to_i
+        path = caller_location.path
+        path = Contrast::Utils::StringUtils.force_utf8(path)
+        file_name = filename_from_path(path)
+        element.file_name = Contrast::Utils::StringUtils.force_utf8(file_name)
+        element.declaring_class = path
+        label = caller_location.label
+        element.method_name = Contrast::Utils::StringUtils.force_utf8(label)
+        element
+      rescue StandardError
+        # NOOP
+        nil
+      end
+
+      def self.filename_from_path path
+        file_idx = path.rindex(Contrast::Utils::ObjectShare::SLASH)
+        if file_idx
+          txt_idx = file_idx + 1
+          path[txt_idx, path.length - txt_idx]
+        else
+          path
+        end
+      end
+
+      # Bit of a HACK: Given a path to a file, assume that the first line in the
+      # form `class Name` is the class that was loaded. True most of the time.
+      #
+      # Using regexp here is expensive b/c it creates a ton of new Strings. We're
+      # trying to avoid that, so our guess is a little more clumsy, but should
+      # still work.
+      #
+      # Note: Might need to tune end marker to include /n
+      # based on: /\s*class\s+([_[:alpha:]][_[:alnum:]]*)/m
+      CLASS_MARKER = ' class '
+      CLASS_END_MARKER = Contrast::Utils::ObjectShare::NEW_LINE
+      def self.first_class path
+        return nil if path.nil? || path.empty?
+
+        name = CLASSNAME_CACHE[path]
+        return name if name
+
+        text = File.read(path)
+        name = parse_string(text, CLASS_MARKER, CLASS_END_MARKER)
+        CLASSNAME_CACHE[path] = name if name
+        name
+      end
+
+      RB_MARKER = '.rb'
+      # Convert a file to look like a classname
+      # If the file ends w/ '.rb', trim that off
+      # If the file doesn't start with a capital letter,
+      # capitalize it
+      def self.look_like_classname file
+        file = file.to_s
+        file[0].capitalize + (file.end_with?(RB_MARKER) ? file.slice(1..-4) : file.slice(1..-1))
+      end
+
+      # Using regexp here is expensive b/c it creates a ton of new Strings. We're
+      # trying to avoid that, so our guess is a little more clumsy, but should
+      # still work.
+      #
+      # Note: Might need to tune end marker to include /n
+      # based on: /[`]([^']*)[']/
+      METHOD_MARKER = Contrast::Utils::ObjectShare::TICK
+      METHOD_END_MARKER = Contrast::Utils::ObjectShare::COMMA
+      def self.find_method_name method
+        parse_string(method, METHOD_MARKER, METHOD_END_MARKER)
+      end
+
+      def self.parse_string string, start_marker, end_marker
+        return nil unless string
+
+        start_idx = string.index(start_marker)
+        return nil unless start_idx
+
+        start_idx += start_marker.length # account for marker length
+        end_idx = string.index(end_marker, start_idx)
+        end_idx ||= string.length
+        len = end_idx - start_idx
+        string[start_idx, len]
+      end
+    end
+  end
+end

data/lib/contrast/utils/string_utils.rb

@@ -0,0 +1,72 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # Utilities for encoding and normalizing strings
+    class StringUtils
+      UTF8 = 'utf-8'
+      HTTP_PREFIX = 'HTTP-'
+
+      # Convenience method. We assume that we're working on Strings or tags
+      # String representations of things. To that end, we'll to_s anything
+      # that comes in before returning its length.
+      #
+      # But don't worry though, String.to_s just returns self. teehee
+      def self.ret_length string
+        string.nil? ? 0 : string.to_s.length
+      end
+
+      # Protobuf has a very strict typing. Nil is not a String and will throw
+      # an exception if you try to set it. Use this to be safe.
+      # Uses the object share to avoid creating several new strings per request
+      def self.protobuf_safe_string string
+        string.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : string.to_s
+      end
+
+      # Truncate a string to 255 characters max length
+      def self.truncate str, default = Contrast::Utils::ObjectShare::EMPTY_STRING
+        return default if str.nil?
+
+        str.to_s[0..255]
+      end
+
+      def self.force_utf8 str, logger = nil
+        return Contrast::Utils::ObjectShare::EMPTY_STRING unless str
+
+        str = str.to_s
+        if str.encoding == Encoding::UTF_8
+          str = str.encode(UTF8, invalid: :replace, undef: :replace) unless str.valid_encoding?
+        else
+          str = str.encode(UTF8, str.encoding, invalid: :replace, undef: :replace)
+        end
+        str.to_s
+      rescue StandardError => e
+        # We were unable to switch the String to a UTF-8 format.
+        # Return non-nil so as not to throw an exception later when trying
+        # to do regexp or other compares on the String
+        logger&.debug "Unable to change '#{ str }' to valid UTF-8: #{ e.message }"
+
+        Contrast::Utils::ObjectShare::EMPTY_STRING
+      end
+
+      # Given a string return a normalized version of that string.
+      # Keys are memoized so that the normalization process doesn't need
+      # to happen every time.
+      def self.normalized_key str
+        return nil unless str
+
+        str = str.to_s
+        @_normalized_keys ||= {}
+        if @_normalized_keys.key?(str)
+          @_normalized_keys[str]
+        else
+          up = str.upcase.strip
+          up = up.gsub(/[_-]/, '-')
+          up = up[5..-1] if up.start_with?(HTTP_PREFIX)
+          @_normalized_keys[str] = up
+        end
+      end
+    end
+  end
+end