RubyGems - contrast-agent - Versions diffs - 3.10.0 → 3.12.1 - Mend

contrast-agent 3.10.0 → 3.12.1

Files changed (318) hide show

checksums.yaml +4 -4
data/.flayignore +1 -0
data/.simplecov +5 -2
data/ext/build_funchook.rb +12 -7
data/ext/cs__assess_active_record_named/cs__active_record_named.c +12 -14
data/ext/cs__assess_active_record_named/cs__active_record_named.h +1 -0
data/ext/cs__assess_active_record_named/extconf.rb +3 -0
data/ext/cs__assess_array/cs__assess_array.c +5 -6
data/ext/cs__assess_array/cs__assess_array.h +1 -0
data/ext/cs__assess_array/extconf.rb +3 -0
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +13 -11
data/ext/cs__assess_basic_object/cs__assess_basic_object.h +2 -1
data/ext/cs__assess_basic_object/extconf.rb +3 -0
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -3
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -3
data/ext/cs__assess_fiber_track/extconf.rb +3 -0
data/ext/cs__assess_hash/cs__assess_hash.c +40 -17
data/ext/cs__assess_hash/cs__assess_hash.h +4 -6
data/ext/cs__assess_hash/extconf.rb +3 -0
data/ext/cs__assess_kernel/cs__assess_kernel.c +11 -9
data/ext/cs__assess_kernel/cs__assess_kernel.h +1 -0
data/ext/cs__assess_kernel/extconf.rb +3 -0
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +3 -6
data/ext/cs__assess_marshal_module/extconf.rb +3 -0
data/ext/cs__assess_module/cs__assess_module.c +16 -14
data/ext/cs__assess_module/cs__assess_module.h +3 -0
data/ext/cs__assess_module/extconf.rb +3 -0
data/ext/cs__assess_regexp/cs__assess_regexp.c +13 -9
data/ext/cs__assess_regexp/cs__assess_regexp.h +1 -0
data/ext/cs__assess_regexp/extconf.rb +3 -0
data/ext/cs__assess_string/cs__assess_string.c +5 -8
data/ext/cs__assess_string/cs__assess_string.h +2 -1
data/ext/cs__assess_string/extconf.rb +3 -0
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +2 -2
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +3 -3
data/ext/cs__assess_string_interpolation26/extconf.rb +3 -0
data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -1
data/ext/cs__assess_yield_track/extconf.rb +3 -0
data/ext/cs__common/cs__common.c +80 -1
data/ext/cs__common/cs__common.h +34 -0
data/ext/cs__common/extconf.rb +9 -8
data/ext/cs__contrast_patch/cs__contrast_patch.h +1 -6
data/ext/cs__contrast_patch/extconf.rb +3 -0
data/ext/cs__protect_kernel/cs__protect_kernel.c +23 -12
data/ext/cs__protect_kernel/cs__protect_kernel.h +1 -0
data/ext/cs__protect_kernel/extconf.rb +3 -0
data/ext/extconf_common.rb +10 -8
data/funchook/autom4te.cache/requests +45 -45
data/funchook/config.log +4 -4
data/lib/contrast.rb +1 -1
data/lib/contrast/agent.rb +32 -29
data/lib/contrast/agent/assess.rb +1 -11
data/lib/contrast/agent/assess/adjusted_span.rb +3 -1
data/lib/contrast/agent/assess/contrast_event.rb +16 -62
data/lib/contrast/agent/assess/events/event_factory.rb +25 -0
data/lib/contrast/agent/assess/events/source_event.rb +83 -0
data/lib/contrast/agent/assess/insulator.rb +0 -4
data/lib/contrast/agent/assess/policy/patcher.rb +6 -2
data/lib/contrast/agent/assess/policy/policy_node.rb +1 -8
data/lib/contrast/agent/assess/policy/policy_scanner.rb +2 -2
data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
data/lib/contrast/agent/assess/policy/propagation_method.rb +68 -33
data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -1
data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +1 -3
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +80 -0
data/lib/contrast/agent/assess/policy/propagator/select.rb +35 -22
data/lib/contrast/agent/assess/policy/propagator/split.rb +26 -6
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -0
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +37 -26
data/lib/contrast/agent/assess/policy/source_method.rb +20 -20
data/lib/contrast/agent/assess/policy/source_node.rb +0 -15
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +90 -0
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +57 -0
data/lib/contrast/agent/assess/policy/trigger_method.rb +30 -45
data/lib/contrast/agent/assess/policy/trigger_node.rb +7 -7
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -31
data/lib/contrast/agent/assess/properties.rb +5 -3
data/lib/contrast/agent/assess/rule/base.rb +1 -20
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +23 -6
data/lib/contrast/agent/assess/rule/redos.rb +4 -5
data/lib/contrast/agent/assess/tag.rb +24 -14
data/lib/contrast/agent/at_exit_hook.rb +16 -13
data/lib/contrast/agent/class_reopener.rb +23 -8
data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
data/lib/contrast/agent/disable_reaction.rb +3 -4
data/lib/contrast/agent/exclusion_matcher.rb +7 -48
data/lib/contrast/agent/inventory/policy/datastores.rb +54 -0
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/middleware.rb +101 -260
data/lib/contrast/agent/module_data.rb +2 -1
data/lib/contrast/agent/patching/policy/after_load_patch.rb +13 -3
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +59 -47
data/lib/contrast/agent/patching/policy/method_policy.rb +3 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +0 -25
data/lib/contrast/agent/patching/policy/patch.rb +97 -23
data/lib/contrast/agent/patching/policy/patcher.rb +28 -30
data/lib/contrast/agent/patching/policy/policy.rb +7 -7
data/lib/contrast/agent/patching/policy/policy_node.rb +3 -11
data/lib/contrast/agent/patching/policy/trigger_node.rb +2 -5
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +63 -0
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +52 -0
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +68 -0
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +117 -0
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +54 -0
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +129 -0
data/lib/contrast/agent/protect/policy/policy.rb +6 -6
data/lib/contrast/agent/protect/policy/rule_applicator.rb +51 -0
data/lib/contrast/agent/protect/rule.rb +0 -5
data/lib/contrast/agent/protect/rule/base.rb +19 -37
data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
data/lib/contrast/agent/protect/rule/cmd_injection.rb +12 -15
data/lib/contrast/agent/protect/rule/default_scanner.rb +0 -13
data/lib/contrast/agent/protect/rule/deserialization.rb +2 -0
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -2
data/lib/contrast/agent/protect/rule/no_sqli.rb +4 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -10
data/lib/contrast/agent/protect/rule/sqli.rb +5 -4
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -0
data/lib/contrast/agent/protect/rule/xss.rb +2 -0
data/lib/contrast/agent/protect/rule/xxe.rb +10 -4
data/lib/contrast/agent/railtie.rb +3 -8
data/lib/contrast/agent/reaction_processor.rb +5 -5
data/lib/contrast/agent/request.rb +11 -18
data/lib/contrast/agent/request_context.rb +16 -19
data/lib/contrast/agent/request_handler.rb +35 -0
data/lib/contrast/agent/response.rb +39 -86
data/lib/contrast/agent/rewriter.rb +22 -10
data/lib/contrast/agent/rule_set.rb +49 -0
data/lib/contrast/agent/scope.rb +0 -6
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/socket_client.rb +25 -19
data/lib/contrast/agent/static_analysis.rb +41 -0
data/lib/contrast/agent/thread.rb +1 -1
data/lib/contrast/agent/tracepoint_hook.rb +1 -5
data/lib/contrast/agent/version.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/decorators.rb +14 -0
data/lib/contrast/api/decorators/application_settings.rb +37 -0
data/lib/contrast/api/decorators/application_update.rb +66 -0
data/lib/contrast/api/decorators/input_analysis.rb +17 -0
data/lib/contrast/api/decorators/server_features.rb +24 -0
data/lib/contrast/api/speedracer.rb +28 -24
data/lib/contrast/api/tcp_socket.rb +0 -2
data/lib/contrast/components/agent.rb +34 -24
data/lib/contrast/components/app_context.rb +45 -38
data/lib/contrast/components/assess.rb +25 -15
data/lib/contrast/components/config.rb +7 -5
data/lib/contrast/components/contrast_service.rb +23 -71
data/lib/contrast/components/heap_dump.rb +12 -8
data/lib/contrast/components/interface.rb +15 -22
data/lib/contrast/components/inventory.rb +5 -1
data/lib/contrast/components/logger.rb +3 -68
data/lib/contrast/components/protect.rb +40 -4
data/lib/contrast/components/sampling.rb +22 -11
data/lib/contrast/components/scope.rb +2 -52
data/lib/contrast/components/settings.rb +42 -23
data/lib/contrast/config/base_configuration.rb +1 -0
data/lib/contrast/config/default_value.rb +1 -0
data/lib/contrast/config/protect_rule_configuration.rb +0 -14
data/lib/contrast/config/protect_rules_configuration.rb +0 -1
data/lib/contrast/configuration.rb +2 -2
data/lib/contrast/{extensions/ruby_core → extension}/assess.rb +12 -15
data/lib/contrast/extension/assess/array.rb +77 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/assess_extension.rb +29 -24
data/lib/contrast/{extensions/ruby_core → extension}/assess/erb.rb +0 -8
data/lib/contrast/extension/assess/eval_trigger.rb +78 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/exec_trigger.rb +7 -9
data/lib/contrast/extension/assess/fiber.rb +113 -0
data/lib/contrast/extension/assess/hash.rb +39 -0
data/lib/contrast/extension/assess/kernel.rb +110 -0
data/lib/contrast/extension/assess/regexp.rb +84 -0
data/lib/contrast/{extensions/ruby_core → extension}/assess/string.rb +18 -10
data/lib/contrast/{extensions/ruby_core → extension}/delegator.rb +0 -0
data/lib/contrast/{extensions/ruby_core → extension}/inventory.rb +2 -2
data/lib/contrast/extension/kernel.rb +54 -0
data/lib/contrast/{extensions/ruby_core → extension}/module.rb +0 -0
data/lib/contrast/{extensions/ruby_core → extension}/protect.rb +2 -2
data/lib/contrast/extension/protect/kernel.rb +44 -0
data/lib/contrast/{extensions/ruby_core → extension}/protect/psych.rb +1 -1
data/lib/contrast/{extensions/ruby_core → extension}/thread.rb +0 -0
data/lib/contrast/framework/base_support.rb +32 -0
data/lib/contrast/framework/manager.rb +59 -8
data/lib/contrast/framework/platform_version.rb +1 -0
data/lib/contrast/framework/rack/patch/session_cookie.rb +126 -0
data/lib/contrast/framework/rack/patch/support.rb +24 -0
data/lib/contrast/framework/rack/support.rb +22 -0
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +43 -0
data/lib/contrast/framework/rails/patch/assess_configuration.rb +103 -0
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +31 -0
data/lib/contrast/framework/rails/patch/support.rb +67 -0
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +34 -0
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +39 -0
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +73 -0
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +33 -0
data/lib/contrast/framework/rails/support.rb +115 -0
data/lib/contrast/framework/sinatra/application_helper.rb +51 -0
data/lib/contrast/framework/sinatra/patch/base.rb +83 -0
data/lib/contrast/framework/sinatra/patch/support.rb +27 -0
data/lib/contrast/framework/sinatra/support.rb +109 -0
data/lib/contrast/framework/view_technologies_descriptor.rb +1 -0
data/lib/contrast/logger/application.rb +80 -0
data/lib/contrast/logger/log.rb +143 -0
data/lib/contrast/logger/time.rb +50 -0
data/lib/contrast/tasks/config.rb +54 -0
data/lib/contrast/tasks/service.rb +3 -13
data/lib/contrast/utils/assess/sampling_util.rb +4 -9
data/lib/contrast/utils/assess/tracking_util.rb +7 -1
data/lib/contrast/utils/boolean_util.rb +2 -2
data/lib/contrast/utils/cache.rb +0 -11
data/lib/contrast/utils/class_util.rb +21 -2
data/lib/contrast/utils/gemfile_reader.rb +7 -5
data/lib/contrast/utils/hash_digest.rb +2 -11
data/lib/contrast/utils/heap_dump_util.rb +12 -11
data/lib/contrast/utils/invalid_configuration_util.rb +4 -4
data/lib/contrast/utils/inventory_util.rb +2 -2
data/lib/contrast/utils/io_util.rb +1 -11
data/lib/contrast/utils/job_servers_running.rb +6 -4
data/lib/contrast/utils/object_share.rb +1 -28
data/lib/contrast/utils/os.rb +1 -25
data/lib/contrast/utils/service_response_util.rb +36 -60
data/lib/contrast/utils/service_sender_util.rb +84 -23
data/lib/contrast/utils/sinatra_helper.rb +0 -6
data/lib/contrast/utils/stack_trace_utils.rb +86 -182
data/lib/contrast/utils/string_utils.rb +18 -2
data/lib/contrast/utils/tag_util.rb +11 -1
data/lib/contrast/utils/thread_tracker.rb +2 -2
data/lib/contrast/utils/timer.rb +0 -40
data/resources/assess/policy.json +42 -71
data/resources/inventory/policy.json +2 -2
data/resources/protect/policy.json +15 -15
data/ruby-agent.gemspec +11 -4
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
metadata +122 -111
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
data/ext/cs__assess_regexp_track/extconf.rb +0 -2
data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
data/lib/contrast/agent/assess/rule/csrf.rb +0 -66
data/lib/contrast/agent/assess/rule/csrf/csrf_action.rb +0 -28
data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +0 -73
data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +0 -132
data/lib/contrast/agent/assess/rule/response_scanning_rule.rb +0 -47
data/lib/contrast/agent/assess/rule/response_watcher.rb +0 -36
data/lib/contrast/agent/assess/rule/watcher.rb +0 -36
data/lib/contrast/agent/feature_state.rb +0 -376
data/lib/contrast/agent/logger_manager.rb +0 -116
data/lib/contrast/agent/protect/rule/csrf.rb +0 -118
data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +0 -103
data/lib/contrast/agent/protect/rule/csrf/csrf_token_injector.rb +0 -85
data/lib/contrast/agent/settings_state.rb +0 -152
data/lib/contrast/delegators.rb +0 -9
data/lib/contrast/delegators/application_update.rb +0 -32
data/lib/contrast/extensions/framework/rack/cookie.rb +0 -24
data/lib/contrast/extensions/framework/rack/request.rb +0 -24
data/lib/contrast/extensions/framework/rack/response.rb +0 -23
data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb +0 -20
data/lib/contrast/extensions/framework/rails/active_record.rb +0 -26
data/lib/contrast/extensions/framework/rails/active_record_named.rb +0 -53
data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb +0 -21
data/lib/contrast/extensions/framework/rails/buffer.rb +0 -28
data/lib/contrast/extensions/framework/rails/configuration.rb +0 -27
data/lib/contrast/extensions/framework/sinatra/base.rb +0 -59
data/lib/contrast/extensions/ruby_core/assess/array.rb +0 -59
data/lib/contrast/extensions/ruby_core/assess/basic_object.rb +0 -15
data/lib/contrast/extensions/ruby_core/assess/fiber.rb +0 -124
data/lib/contrast/extensions/ruby_core/assess/hash.rb +0 -22
data/lib/contrast/extensions/ruby_core/assess/kernel.rb +0 -95
data/lib/contrast/extensions/ruby_core/assess/module.rb +0 -14
data/lib/contrast/extensions/ruby_core/assess/regexp.rb +0 -206
data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +0 -73
data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +0 -40
data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -52
data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +0 -37
data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +0 -72
data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +0 -60
data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +0 -83
data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +0 -123
data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +0 -65
data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +0 -143
data/lib/contrast/extensions/ruby_core/protect/kernel.rb +0 -30
data/lib/contrast/framework/rails_support.rb +0 -88
data/lib/contrast/framework/sinatra_application_helper.rb +0 -49
data/lib/contrast/framework/sinatra_support.rb +0 -94
data/lib/contrast/utils/comment_range.rb +0 -19
data/lib/contrast/utils/data_store_util.rb +0 -23
data/lib/contrast/utils/environment_util.rb +0 -81
data/lib/contrast/utils/performs_logging.rb +0 -152
data/lib/contrast/utils/rack_assess_session_cookie.rb +0 -104
data/lib/contrast/utils/rails_assess_configuration.rb +0 -95
data/lib/contrast/utils/random_util.rb +0 -22
data/resources/csrf/inject.js +0 -44
data/resources/factory-bot-spec/spec_helper.rb +0 -30
data/resources/rubocops/kernel/catch_cop.rb +0 -37
data/resources/rubocops/kernel/require_cop.rb +0 -37
data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
data/resources/rubocops/module/autoload_cop.rb +0 -37
data/resources/rubocops/module/const_defined_cop.rb +0 -37
data/resources/rubocops/module/const_get_cop.rb +0 -37
data/resources/rubocops/module/const_set_cop.rb +0 -37
data/resources/rubocops/module/constants_cop.rb +0 -37
data/resources/rubocops/module/name_cop.rb +0 -37
data/resources/rubocops/object/class_cop.rb +0 -37
data/resources/rubocops/object/freeze_cop.rb +0 -37
data/resources/rubocops/object/frozen_cop.rb +0 -37
data/resources/rubocops/object/is_a_cop.rb +0 -37
data/resources/rubocops/object/method_cop.rb +0 -37
data/resources/rubocops/object/respond_to_cop.rb +0 -37
data/resources/rubocops/object/singleton_class_cop.rb +0 -37
data/resources/rubocops/regexp/spelling_cop.rb +0 -44
data/resources/rubocops/thread/new_cop.rb +0 -39
data/resources/ruby-spec/ancestors_spec.rb +0 -70
data/resources/ruby-spec/modulo_spec.rb +0 -831
data/resources/ruby-spec/parameters_spec.rb +0 -261
data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35

data/lib/contrast/agent/patching/policy/patcher.rb CHANGED

@@ -44,18 +44,16 @@ module Contrast
           extend Contrast::Agent::Patching::Policy::AfterLoadPatcher
           include Contrast::Components::Interface
-          access_component :logging, :analysis, :agent, :scope
+          access_component :agent, :analysis, :logging, :scope
           class << self
             # Hook to install the Contrast changes needed to allow for the
             # instrumentation of the application - this only occurs once, during
             # startup to catchup on everything we didn't see get loaded
             def patch
-              logger.debug_with_time("\tPatching") do
-                catchup_after_load_patches
-                patch_methods
-                Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations
-              end
+              catchup_after_load_patches
+              patch_methods
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations
             end
             # Hook to only monkeypatch Contrast. This will not trigger any
@@ -91,7 +89,7 @@ module Contrast
               patch_into_module(module_data)
               all_module_names.delete(mod_name) if status_type.get_status(mod).patched?
             rescue StandardError => e
-              logger.error("Unable to patch into #{ mod_name }", e)
+              logger.error('Unable to patch module', e, module: mod_name)
             end
             # We did it, team. We found a patcher(s) that applies to the given
@@ -150,20 +148,20 @@ module Contrast
             # only be invoked by the patch_methods method above in order to
             # ensure it is wrapped in a synchronize call
             def synchronized_patch_methods
-              # logger.trace_with_time("\t\tRunning patching") do # TODO: RUBY-547
-              patched = []
-              all_module_names.each do |patchable_name|
-                next if AGENT.skip_instrumentation?(patchable_name)
+              logger.trace_with_time('Running patching') do
+                patched = []
+                all_module_names.each do |patchable_name|
+                  next if AGENT.skip_instrumentation?(patchable_name)
-                patchable_mod = patchable(patchable_name)
-                next unless patchable_mod
+                  patchable_mod = patchable(patchable_name)
+                  next unless patchable_mod
-                module_data = Contrast::Agent::ModuleData.new(patchable_mod, patchable_name)
-                patch_into_module(module_data)
-                patched << patchable_name if status_type.get_status(patchable_mod).patched?
+                  module_data = Contrast::Agent::ModuleData.new(patchable_mod, patchable_name)
+                  patch_into_module(module_data)
+                  patched << patchable_name if status_type.get_status(patchable_mod).patched?
+                end
+                all_module_names.subtract(patched)
               end
-              all_module_names.subtract(patched)
-              # end
             end
             # Given the patchers that apply to this class that may apply, patch
@@ -187,9 +185,6 @@ module Contrast
               clazz = module_data.mod
-              status = status_type.get_status(clazz)
-              return if (status.patched? || status.patching?) && !redo_patch
               status.patching!
               patched = include_module(module_data)
@@ -216,19 +211,22 @@ module Contrast
             rescue StandardError => e
               status ||= status_type.get_status(module_data.mod)
               status.failed_patch!
-              logger.warn(e, "Unable to patch into #{ module_data.name }")
+              logger.warn('Patching failed', e, module: module_data.name)
             ensure
-              logger.debug(nil, "Patching #{ module_data.name } resulted in #{ status_type.get_status(module_data.mod).patch_status }")
+              logger.trace('Patching complete',
+                           module: module_data.name,
+                           result: Contrast::Agent::Patching::Policy::PatchStatus.get_status(
+                               module_data.mod).patch_status)
             end
             # Includes the given module with the
-            # Contrast::CoreExtensions::Assess::AssessExtension
+            # Contrast::Extension::Assess::AssessExtension
             # @param module_data [Contrast::Agent::ModuleData] the module, and
             #   its name, that's being patched into
             def include_module module_data
               return false unless Contrast::Agent::Assess::Policy::Policy.instance.tracked_classes.include?(module_data.name)
-              module_data.mod.send(:include, Contrast::CoreExtensions::Assess::AssessExtension)
+              module_data.mod.send(:include, Contrast::Extension::Assess::AssessExtension)
               true
             end
@@ -300,10 +298,10 @@ module Contrast
 end
 # core extensions
-cs__scoped_require 'contrast/extensions/ruby_core/module'
-cs__scoped_require 'contrast/extensions/ruby_core/assess'
-cs__scoped_require 'contrast/extensions/ruby_core/inventory'
-cs__scoped_require 'contrast/extensions/ruby_core/protect'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/kernel'
+cs__scoped_require 'contrast/extension/module'
+cs__scoped_require 'contrast/extension/assess'
+cs__scoped_require 'contrast/extension/inventory'
+cs__scoped_require 'contrast/extension/protect'
+cs__scoped_require 'contrast/extension/protect/kernel'
 cs__scoped_require 'cs__contrast_patch/cs__contrast_patch'

data/lib/contrast/agent/patching/policy/policy.rb CHANGED

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 cs__scoped_require 'json'
+cs__scoped_require 'singleton'
 cs__scoped_require 'contrast'
 cs__scoped_require 'contrast/components/interface'
 cs__scoped_require 'contrast/agent/patching/policy/module_policy'
@@ -33,10 +35,9 @@ module Contrast
             raise(NotImplementedError, 'specify the concrete node type for this poilcy')
           end
-          access_component :logging, :analysis
+          access_component :analysis, :logging
-          attr_accessor :providers, :tracked_classes
-          attr_reader :sources, :propagators, :triggers, :patched_names
+          attr_reader :sources, :propagators, :triggers, :providers, :tracked_classes
           SOURCES_KEY =          'sources'
           PROPAGATION_KEY =      'propagators'
@@ -54,7 +55,6 @@ module Contrast
             @triggers = []
             @providers = {}
             @tracked_classes = []
-            @patched_names = Set.new
             json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
             from_hash_string(json)
@@ -85,14 +85,14 @@ module Contrast
           def add_node node, node_type = :trigger
             unless node
-              logger.error(nil, 'Node was nil when adding node to policy')
+              logger.error('Node was nil when adding node to policy')
               return
             end
             begin
               node.validate
             rescue ArgumentError => e
-              logger.error(e, e.message)
+              logger.error('Node failed validation', e)
               return
             end
@@ -107,7 +107,7 @@ module Contrast
               module_names << node.class_name
               @sources << node
             else
-              logger.error(nil, "Invalid node_type: #{ node_type } provided when adding node to policy")
+              logger.error('Invalid node_type provided when adding node to policy', node_type: node_type)
             end
           end

data/lib/contrast/agent/patching/policy/policy_node.rb CHANGED

@@ -13,10 +13,10 @@ module Contrast
         # @abstract
         class PolicyNode
           include Contrast::Components::Interface
-          access_component :scope
+          access_component :analysis, :scope
-          attr_accessor :class_name, :instance_method, :method_name, :method_scope, :method_visibility
-          attr_reader :properties
+          attr_accessor :class_name, :instance_method, :method_name, :method_visibility
+          attr_reader :properties, :method_scope
           def node_class
             raise NotImplementedError, 'specify the type of the feature for which this node patches'
@@ -60,14 +60,6 @@ module Contrast
             instance_method
           end
-          def private?
-            @method_visibility == :private
-          end
-          def public?
-            @method_visibility == :public
-          end
           private
           # Convert strings to symbols here, once, to avoid doing so on every

data/lib/contrast/agent/patching/policy/trigger_node.rb CHANGED

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-cs__scoped_require 'contrast/extensions/ruby_core/module'
+cs__scoped_require 'contrast/extension/module'
 cs__scoped_require 'contrast/agent/patching/policy/policy_node'
 module Contrast
@@ -15,16 +15,13 @@ module Contrast
         # input attempted to or did do damage).
         class TriggerNode < PolicyNode
           JSON_NAME = 'name'
-          JSON_NODES = 'nodes'
           JSON_APPLICATOR = 'applicator'
           JSON_APPLICATOR_METHOD = 'applicator_method'
           JSON_REQUIRED_PROPS = 'required_properties'
           JSON_OPTIONAL_PROPS = 'optional_properties'
-          JSON_SCOPE = 'scope'
           JSON_ON_EXCEPTION = 'on_exception'
-          attr_reader :rule_id
-          attr_accessor :applicator_method, :applicator, :on_exception, :required_properties, :optional_properties
+          attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties, :rule_id
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb ADDED

@@ -0,0 +1,63 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/agent/protect/rule/cmd_injection'
+cs__scoped_require 'contrast/agent/protect/policy/applies_deserialization_rule'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the Command Injection rule. It is called
+        # from our patches of the targeted methods in which command execution
+        # occurs. It is responsible for deciding if the infilter methods of the
+        # rule should be invoked.
+        # In addition, b/c of the nature of Deserialization's sand boxing
+        # function, this Module's apply methods call through to the
+        # {#apply_deserialization_command_check} method of the
+        # Deserialization applicator.
+        module AppliesCommandInjectionRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+          CS__SEMICOLON = '; '
+          class << self
+            def invoke method, _exception, _properties, object, args
+              return unless valid_command?(args)
+              command = build_command(args)
+              Contrast::Agent::Protect::Policy::AppliesDeserializationRule.apply_deserialization_command_check(command)
+              return if skip_analysis?
+              begin
+                clazz = object.is_a?(Module) ? object : object.cs__class
+                class_name = clazz.cs__name
+                rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
+              end
+            end
+            protected
+            def name
+              Contrast::Agent::Protect::Rule::CmdInjection::NAME
+            end
+            private
+            def valid_command? command
+              command && (command.is_a?(String) || command.is_a?(Array))
+            end
+            def build_command command
+              return command if command.is_a?(String)
+              command = command.drop(1) if command.length > 1
+              command.join(CS__SEMICOLON)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb ADDED

@@ -0,0 +1,52 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/agent/protect/rule/deserialization'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the Deserialization rule. It is called from
+        # our patches of the targeted methods in which deserialization occurs.
+        # It is responsible for deciding if the infilter methods of the rule
+        # should be invoked.
+        module AppliesDeserializationRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+          class << self
+            def invoke _method, _exception, _properties, _object, args
+              return unless valid_input?(args)
+              return if skip_analysis?
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
+            end
+            def apply_deserialization_command_check command
+              return unless command
+              return if skip_analysis?
+              rule.check_command_scope(command)
+            end
+            protected
+            def name
+              Contrast::Agent::Protect::Rule::Deserialization::NAME
+            end
+            private
+            def valid_input? args
+              return false unless args&.any?
+              input = args[0]
+              input.is_a?(String)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb ADDED

@@ -0,0 +1,68 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/agent/protect/rule/no_sqli'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the NoSQL Injection rule. It is called from
+        # our patches of the targeted methods in which the execution of String
+        # based NoSQL queries occur. It is responsible for deciding if the
+        # infilter methods of the rule should be invoked.
+        module AppliesNoSqliRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+          class << self
+            def invoke method, _exception, properties, _object, args
+              return unless valid_input?(args)
+              return if skip_analysis?
+              database = properties['database']
+              operations = args[0]
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if operations.is_a?(Array)
+                operations.each do |m|
+                  handle_operation(context, database, method, m)
+                end
+              else
+                handle_operation(context, database, method, operations)
+              end
+            end
+            protected
+            def name
+              Contrast::Agent::Protect::Rule::NoSqli::NAME
+            end
+            private
+            def valid_input? args
+              return false unless args&.any?
+              args[0]
+            end
+            def handle_operation context, database, _action, operation
+              data = extract_mongo_data(operation)
+              return unless data && !data.empty?
+              rule.infilter(context, database, data)
+            end
+            def extract_mongo_data operation
+              if operation.cs__respond_to? :selector
+                operation.selector
+              elsif operation.cs__respond_to? :documents
+                operation.documents
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb ADDED

@@ -0,0 +1,117 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/agent/protect/rule/path_traversal'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+cs__scoped_require 'contrast/utils/object_share'
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the Path Traversal rule. It is called from
+        # our patches of the targeted methods in which File or IO access occur.
+        # It is responsible for deciding if the infilter methods of the rule
+        # should be invoked.
+        module AppliesPathTraversalRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+          class << self
+            def invoke method, _exception, properties, object, args
+              return unless args&.any?
+              path = args[0]
+              return unless path.is_a?(String)
+              return if skip_analysis?
+              action = properties['action']
+              write_marker = write?(action, *args)
+              possible_write = write_marker && possible_write(write_marker)
+              path_traversal_rule(path, possible_write, object, method)
+              # If the action was copy, we need to handle the write half of it.
+              # We handled read in line above.
+              return unless action == COPY
+              return unless args.length > 1
+              dst = args[1]
+              return unless dst.is_a?(String)
+              path_traversal_rule(dst, true, object, method)
+            end
+            protected
+            def name
+              Contrast::Agent::Protect::Rule::PathTraversal::NAME
+            end
+            private
+            def possible_write input
+              input.cs__respond_to?(:to_s) &&
+                  input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
+            end
+            READ = 'read'
+            WRITE = 'write'
+            COPY = 'copy'
+            def write? action, *args
+              return false if action == READ
+              return false if action == COPY
+              return true if action == WRITE
+              write_marker = args.length > 1 ? args[1] : nil
+              write_marker && possible_write(write_marker)
+            end
+            def path_traversal_rule path, possible_write, object, method
+              return unless applies_to?(path, possible_write)
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
+            rescue Contrast::SecurityException => e
+              raise e
+            rescue StandardError => e
+              logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
+            end
+            CS__SAFER_REL_PATHS = %w[public app log tmp].cs__freeze
+            def safer_abs_paths
+              @_safer_abs_paths ||= begin
+                pwd = ENV['PWD']
+                if pwd
+                  tmp = CS__SAFER_REL_PATHS.map { |r| "#{ pwd }/#{ r }" }
+                  gems = ENV['GEM_PATH']
+                  tmp += gems.split(Contrast::Utils::ObjectShare::COLON) if gems
+                  tmp
+                else
+                  []
+                end
+              end
+            end
+            def applies_to? path, possible_write = false
+              # any possible write is a potential risk
+              return true if possible_write
+              # any path that moves 'up' is a potential risk
+              return true if path.index(Contrast::Utils::ObjectShare::PARENT_PATH)
+              path = path.downcase
+              if path.start_with?(Contrast::Utils::ObjectShare::SLASH)
+                safer_abs_paths.each do |prefix|
+                  return false if path.start_with?(prefix)
+                end
+              else
+                CS__SAFER_REL_PATHS.each do |prefix|
+                  return false if path.start_with?(prefix)
+                end
+              end
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end