contrast-agent 3.11.0 → 3.12.0

data/funchook/config.status

@@ -1,4 +1,4 @@
-#! /bin/sh
+#! /bin/bash
 # Generated by configure.
 # Run this file to recreate the current configuration.
 # Compiler output produced by configure, useful for debugging
@@ -8,7 +8,7 @@ debug=false
 ac_cs_recheck=false
 ac_cs_silent=false
 
-SHELL=${CONFIG_SHELL-/bin/sh}
+SHELL=${CONFIG_SHELL-/bin/bash}
 export SHELL
 ## -------------------- ##
 ## M4sh Initialization. ##
@@ -433,7 +433,7 @@ Copyright (C) 2012 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 
-ac_pwd='/Users/donaldpropst/Projects/ruby-agent/funchook'
+ac_pwd='/opt/atlassian/pipelines/agent/build/funchook'
 srcdir='.'
 test -n "$AWK" || AWK=awk
 # The default lists apply if the user does not specify any file.
@@ -512,10 +512,10 @@ if $ac_cs_silent; then
 fi
 
 if $ac_cs_recheck; then
-  set X /bin/sh './configure'  $ac_configure_extra_args --no-create --no-recursion
+  set X /bin/bash './configure'  $ac_configure_extra_args --no-create --no-recursion
   shift
-  $as_echo "running CONFIG_SHELL=/bin/sh $*" >&6
-  CONFIG_SHELL='/bin/sh'
+  $as_echo "running CONFIG_SHELL=/bin/bash $*" >&6
+  CONFIG_SHELL='/bin/bash'
   export CONFIG_SHELL
   exec "$@"
 fi
@@ -604,24 +604,24 @@ echo 'BEGIN {' >"$ac_tmp/subs1.awk" &&
 cat >>"$ac_tmp/subs1.awk" <<\_ACAWK &&
 S["LTLIBOBJS"]=""
 S["LIBOBJS"]=""
-S["IF_OSX"]=""
-S["IF_LINUX"]="#"
+S["IF_OSX"]="#"
+S["IF_LINUX"]=""
 S["IF_WIN32"]="#"
 S["PIC_CFLAGS"]="-fPIC"
 S["LINK_SHARED"]="$(CC) -shared"
-S["LIBFUNCHOOK_SO"]="libfunchook.dylib"
+S["LIBFUNCHOOK_SO"]="libfunchook.so"
 S["FUNCHOOK_OS"]="unix"
 S["FUNCHOOK_CPU"]="x86_64"
-S["host_os"]="darwin18.6.0"
-S["host_vendor"]="apple"
+S["host_os"]="linux-gnu"
+S["host_vendor"]="unknown"
 S["host_cpu"]="x86_64"
-S["host"]="x86_64-apple-darwin18.6.0"
-S["build_os"]="darwin18.6.0"
-S["build_vendor"]="apple"
+S["host"]="x86_64-unknown-linux-gnu"
+S["build_os"]="linux-gnu"
+S["build_vendor"]="unknown"
 S["build_cpu"]="x86_64"
-S["build"]="x86_64-apple-darwin18.6.0"
-S["EGREP"]="/usr/bin/grep -E"
-S["GREP"]="/usr/bin/grep"
+S["build"]="x86_64-unknown-linux-gnu"
+S["EGREP"]="/bin/grep -E"
+S["GREP"]="/bin/grep"
 S["CPP"]="gcc -E"
 S["OBJEXT"]="o"
 S["EXEEXT"]=""
@@ -633,10 +633,10 @@ S["CC"]="gcc"
 S["target_alias"]=""
 S["host_alias"]=""
 S["build_alias"]=""
-S["LIBS"]=""
+S["LIBS"]="-ldl"
 S["ECHO_T"]=""
-S["ECHO_N"]=""
-S["ECHO_C"]="\\c"
+S["ECHO_N"]="-n"
+S["ECHO_C"]=""
 S["DEFS"]="-DHAVE_CONFIG_H"
 S["mandir"]="${datarootdir}/man"
 S["localedir"]="${datarootdir}/locale"
@@ -649,6 +649,7 @@ S["infodir"]="${datarootdir}/info"
 S["docdir"]="${datarootdir}/doc/${PACKAGE_TARNAME}"
 S["oldincludedir"]="/usr/include"
 S["includedir"]="${prefix}/include"
+S["runstatedir"]="${localstatedir}/run"
 S["localstatedir"]="${prefix}/var"
 S["sharedstatedir"]="${prefix}/com"
 S["sysconfdir"]="${prefix}/etc"
@@ -667,7 +668,7 @@ S["PACKAGE_VERSION"]="0.1"
 S["PACKAGE_TARNAME"]="funchook"
 S["PACKAGE_NAME"]="funchook"
 S["PATH_SEPARATOR"]=":"
-S["SHELL"]="/bin/sh"
+S["SHELL"]="/bin/bash"
 _ACAWK
 cat >>"$ac_tmp/subs1.awk" <<_ACAWK &&
   for (key in S) S_is_set[key] = 1
@@ -731,8 +732,8 @@ D["_GNU_SOURCE"]=" 1"
 D["_POSIX_PTHREAD_SEMANTICS"]=" 1"
 D["_TANDEM_SOURCE"]=" 1"
 D["SIZEOF_VOIDP"]=" 8"
-D["HAVE_DECL__SYS_NERR"]=" 0"
-D["HAVE_DECL__SYS_ERRLIST"]=" 0"
+D["HAVE_DECL__SYS_NERR"]=" 1"
+D["HAVE_DECL__SYS_ERRLIST"]=" 1"
 D["HAVE_DECL_SYS_NERR"]=" 1"
 D["HAVE_DECL_SYS_ERRLIST"]=" 1"
   for (key in D) D_is_set[key] = 1

data/funchook/configure

@@ -665,6 +665,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -735,6 +736,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -987,6 +989,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1124,7 +1135,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1277,6 +1288,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]

data/funchook/src/Makefile

@@ -7,11 +7,11 @@ VPATH = $(DISTORM3_DIR)/src:$(top_srcdir)/include
 
 CC = gcc
 CFLAGS = -g -O2 -Wall -fvisibility=hidden -fPIC -g -I. -I$(top_srcdir)/include -I$(DISTORM3_DIR)/include
-LIBS = 
+LIBS = -ldl
 LINK_SHARED = $(CC) -shared
 
 #LIBS += -lpsapi
-LDFLAGS += -install_name @rpath/libfunchook.dylib
+#LDFLAGS += -install_name @rpath/libfunchook.dylib
 
 FUNCHOOK_OBJS = \
 	os_func.o \
@@ -22,8 +22,8 @@ FUNCHOOK_OBJS = \
 	funchook_x86.o \
 	funchook_unix.o
 
-#FUNCHOOK_OBJS += funchook_syscall.o
 FUNCHOOK_OBJS += funchook_syscall.o
+#FUNCHOOK_OBJS += funchook_syscall.o
 
 DISTORM3_OBJS = \
 	mnemonics.o \
@@ -43,13 +43,13 @@ HEADERS = \
 
 OBJS = $(FUNCHOOK_OBJS) $(DISTORM3_OBJS)
 
-all: libfunchook.dylib
+all: libfunchook.so
 
 check:
 	cd ../test && $(MAKE) check
 
-libfunchook.dylib: $(OBJS)
-	$(LINK_SHARED) $(LDFLAGS) -o libfunchook.dylib $(OBJS) $(LIBS)
+libfunchook.so: $(OBJS)
+	$(LINK_SHARED) $(LDFLAGS) -o libfunchook.so $(OBJS) $(LIBS)
 
 funchook.o: funchook.c $(HEADERS)
 funchook_linux.o: funchook_linux.c $(HEADERS)
@@ -64,7 +64,7 @@ insts.o: insts.c
 	$(CC) $(CFLAGS) -c -o $@ $< -Wno-missing-braces
 
 clean:
-	$(RM) libfunchook.dylib $(OBJS)
+	$(RM) libfunchook.so $(OBJS)
 
 Makefile config.h: $(srcdir)/Makefile.in $(srcdir)/config.h.in $(top_builddir)/config.status
 	cd $(top_builddir) && ./config.status

data/funchook/src/config.h

@@ -11,11 +11,11 @@
 
 /* Define to 1 if you have the declaration of `_sys_errlist', and to 0 if you
    don't. */
-#define HAVE_DECL__SYS_ERRLIST 0
+#define HAVE_DECL__SYS_ERRLIST 1
 
 /* Define to 1 if you have the declaration of `_sys_nerr', and to 0 if you
    don't. */
-#define HAVE_DECL__SYS_NERR 0
+#define HAVE_DECL__SYS_NERR 1
 
 /* Define to 1 if you have the <inttypes.h> header file. */
 #define HAVE_INTTYPES_H 1

data/funchook/test/Makefile

@@ -14,7 +14,7 @@ DLLTOOL = $(firstword $(CC:gcc=dlltool))
 SO_OBJS = $(srcdir)/libfunchook_test.c $(srcdir)/libfunchook_test2.c
 #LDFLAGS += -Wl,--out-implib,funchook_test.lib
 #FUNCHOOK_TEST_LIB = funchook_test_exe.lib
-LDFLAGS += -Wl,-undefined,dynamic_lookup
+#LDFLAGS += -Wl,-undefined,dynamic_lookup
 
 VPATH = ../src
 
@@ -24,7 +24,7 @@ test: funchook_test$(EXEEXT)
 	# cmp -s $(top_builddir)/src/funchook.dll funchook.dll || cp $(top_builddir)/src/funchook.dll funchook.dll
 	./funchook_test$(EXEEXT)
 
-funchook_test$(EXEEXT): $(OBJS) libfunchook.dylib libfunchook_test.so
+funchook_test$(EXEEXT): $(OBJS) libfunchook.so libfunchook_test.so
 	$(CC) -o funchook_test$(EXEEXT) $(OBJS) $(LIBS)
 
 libfunchook_test.so: $(SO_OBJS) $(FUNCHOOK_TEST_LIB)

data/lib/contrast.rb

@@ -51,7 +51,6 @@ cs__scoped_require 'contrast/internal_exception'
 
 # shared utils
 cs__scoped_require 'contrast/utils/timer'
-cs__scoped_require 'contrast/utils/random_util'
 cs__scoped_require 'contrast/utils/preflight_util'
 
 cs__scoped_require 'contrast/utils/assess/sampling_util'

data/lib/contrast/agent.rb

@@ -3,12 +3,11 @@
 
 cs__scoped_require 'English'
 
-# Config interface, also cruft around logger interfaces etc.
-# this comes early bc legacy.
-cs__scoped_require 'contrast/agent/feature_state'
-
 # This must precede other Contrast C extensions
 cs__scoped_require 'cs__common/cs__common'
+# This must precede any patching we do as we log patches and we shouldn't cause
+# requires to happen during that process.
+cs__scoped_require 'contrast/components/logger'
 
 # defining instrumentation, this must precede core extensions
 # because they need to register their patches
@@ -16,12 +15,12 @@ cs__scoped_require 'contrast/agent/patching/policy/patcher'
 cs__scoped_require 'contrast/agent/patching/policy/patch'
 
 # core extensions
-cs__scoped_require 'contrast/extensions/ruby_core/assess'
-cs__scoped_require 'contrast/extensions/ruby_core/delegator'
-cs__scoped_require 'contrast/extensions/ruby_core/inventory'
-cs__scoped_require 'contrast/extensions/ruby_core/module'
-cs__scoped_require 'contrast/extensions/ruby_core/protect'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/kernel'
+cs__scoped_require 'contrast/extension/assess'
+cs__scoped_require 'contrast/extension/delegator'
+cs__scoped_require 'contrast/extension/inventory'
+cs__scoped_require 'contrast/extension/module'
+cs__scoped_require 'contrast/extension/protect'
+cs__scoped_require 'contrast/extension/protect/kernel'
 
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/utils/boolean_util'
@@ -74,17 +73,6 @@ cs__scoped_require 'contrast/agent/request_context'
 
 cs__scoped_require 'contrast/agent/assess'
 
-# Unconditional early-framework patches.
-# These happen regardless of analysis mode, & should be lightweight.
-cs__scoped_require 'contrast/utils/rack_assess_session_cookie'
-cs__scoped_require 'contrast/utils/rails_assess_configuration'
-
-# In Rails, session configuration occurs extremely early & only once.
-# If we defer our patching of the rails session configuration too long
-# (i.e., where we normally patch) we will miss the configuration
-# and will never be able to report session misconfiguration rules.
-cs__scoped_require 'contrast/extensions/framework/rails/configuration' if defined?(Rails)
-
 # protect rules
 cs__scoped_require 'contrast/agent/protect/rule'
 
@@ -93,4 +81,13 @@ cs__scoped_require 'contrast/utils/gemfile_reader'
 
 # rack event monitoring
 cs__scoped_require 'contrast/agent/middleware'
-cs__scoped_require 'contrast/agent/railtie' if defined?(Rails) && Rails::VERSION::MAJOR.to_i >= 3
+
+# TODO: RUBY-919
+# Refactor to use Contrast::Framework::Manager
+# Contrast::Framework::Manager.before_load_patches!
+if defined?(::Rails)
+  cs__scoped_require 'contrast/framework/rails/patch/support'
+  cs__scoped_require 'contrast/framework/rails/patch/rails_application_configuration'
+  Contrast::Framework::Rails::Patch::RailsApplicationConfiguration.instrument
+  cs__scoped_require 'contrast/agent/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
+end

data/lib/contrast/agent/assess.rb

@@ -17,19 +17,10 @@ module Contrast
       # Rules - generic
       cs__scoped_require 'contrast/agent/assess/rule'
       cs__scoped_require 'contrast/agent/assess/rule/base'
-      cs__scoped_require 'contrast/agent/assess/rule/response_scanning_rule'
-      cs__scoped_require 'contrast/agent/assess/rule/watcher'
-      cs__scoped_require 'contrast/agent/assess/rule/response_watcher'
 
       # Dynamic Sources
       cs__scoped_require 'contrast/agent/assess/policy/dynamic_source_factory'
 
-      # Rule: CSRF
-      cs__scoped_require 'contrast/agent/assess/rule/csrf'
-      cs__scoped_require 'contrast/agent/assess/rule/csrf/csrf_applicator'
-      cs__scoped_require 'contrast/agent/assess/rule/csrf/csrf_action'
-      cs__scoped_require 'contrast/agent/assess/rule/csrf/csrf_watcher'
-
       # Rule: REDOS
       cs__scoped_require 'contrast/agent/assess/rule/redos'
 

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -35,6 +35,7 @@ module Contrast
             # pass us execution flow once a new method has been made available.
             def patch_assess_on_eval mod
               return unless ASSESS.enabled?
+              return if in_contrast_scope?
 
               with_contrast_scope { patcher.patch_specific_module(mod) }
             rescue StandardError => e

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -166,7 +166,7 @@ module Contrast
                 # values. Give it some help by changing them to 'A'
                 source = ALL_TYPE if source.include?(Contrast::Utils::ObjectShare::COMMA)
                 target = ALL_TYPE if target.include?(Contrast::Utils::ObjectShare::COMMA)
-                str = source[0] + TO_MARKER + target[0] # TODO: RUBY-139 PERF -- save in the patcher
+                str = source[0] + TO_MARKER + target[0]
                 str.to_sym
               end
             end

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -3,7 +3,7 @@
 
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/extensions/ruby_core/assess/assess_extension'
+cs__scoped_require 'contrast/extension/assess/assess_extension'
 
 module Contrast
   module Agent

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -28,6 +28,7 @@ module Contrast
           INSERT_ACTION = 'INSERT'
           KEEP_ACTION = 'KEEP'
           NEXT_ACTION = 'NEXT'
+          NOOP_ACTION = 'NOOP'
           PREPEND_ACTION = 'PREPEND'
           REPLACE_ACTION = 'REPLACE'
           REMOVE_ACTION = 'REMOVE'
@@ -84,6 +85,7 @@ module Contrast
                 INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
                 KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
                 NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
+                NOOP_ACTION => nil,
                 PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
                 REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
                 REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
@@ -241,6 +243,7 @@ module Contrast
             end
 
             def handle_cs_properties_propagation propagation_node, preshift, target, object, ret, args, _block
+              return if propagation_node.action == NOOP_ACTION
               return unless can_propagate?(propagation_node, preshift, target)
 
               # propagate all the tags from the sources to the target

data/lib/contrast/agent/assess/policy/propagator/custom.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/extensions/ruby_core/module'
+cs__scoped_require 'contrast/extension/module'
 
 module Contrast
   module Agent

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -45,9 +45,7 @@ module Contrast
                 if known_tainted
                   known_tainted.concat(tainted_columns.keys)
                 else
-                  unless class_type < Contrast::CoreExtensions::Assess::AssessExtension
-                    class_type.send(:include, Contrast::CoreExtensions::Assess::AssessExtension)
-                  end
+                  class_type.send(:include, Contrast::Extension::Assess::AssessExtension) unless class_type < Contrast::Extension::Assess::AssessExtension
                   ASSESS.tainted_columns[class_name] = tainted_columns.keys
                 end