contrast-agent 3.11.0 → 3.12.0

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -0,0 +1,90 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Trigger
+          # This acts a trigger to handle the special cases of the Tilt
+          # library gem. Reflected XSS data may come into the trigger methods
+          # from these classes.
+          class ReflectedXss
+            class << self
+              NODE_HASH = {
+                  'class_name' => 'Tilt::Template',
+                  'instance_method' => true,
+                  'method_name' => 'render',
+                  'method_visibility' => 'public',
+                  'action' => 'CUSTOM',
+                  'source' => 'O,P0',
+                  'target' => 'R',
+                  'patch_class' => 'Contrast::Agent::Assess::Policy::Trigger::ReflectedXss',
+                  'patch_method' => 'xss_tilt_trigger'
+              }.cs__freeze
+              TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
+
+              def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
+                scope = args[0]
+
+                erb_template_prerender = object.instance_variable_get(:@data)
+                interpolated_inputs = []
+                handle_binding_variables(scope, erb_template_prerender, ret, interpolated_inputs)
+
+                handle_local_variables(args, erb_template_prerender, ret, interpolated_inputs)
+
+                unless interpolated_inputs.empty?
+                  interpolated_inputs.each do |input|
+                    input.cs__properties.events.each do |event|
+                      ret.cs__properties.events << event
+                    end
+                  end
+                  ret.cs__properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
+                end
+
+                if ret.cs__tracked?
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, ret, erb_template_prerender, ret, interpolated_inputs)
+                end
+
+                ret
+              end
+
+              private
+
+              def handle_binding_variables scope, erb_template_prerender, ret, interpolated_inputs
+                binding_variables = scope.instance_variables
+
+                binding_variables.each do |bound_variable_sym|
+                  bound_variable_value = scope.instance_variable_get(bound_variable_sym)
+
+                  next unless bound_variable_value.cs__respond_to?(:cs__tracked?) && bound_variable_value.cs__tracked?
+                  next unless erb_template_prerender.include?(bound_variable_sym.to_s)
+
+                  start_index = ret.index(bound_variable_value)
+                  next if start_index.nil?
+
+                  ret.cs__copy_from(bound_variable_value, start_index)
+                  interpolated_inputs << bound_variable_sym
+                end
+              end
+
+              def handle_local_variables args, erb_template_prerender, ret, interpolated_inputs
+                locals = args[1]
+                locals.each do |local_name, local_value|
+                  next unless local_value.cs__respond_to?(:cs__tracked?) && local_value.cs__tracked?
+                  next unless erb_template_prerender.include?(local_name.to_s)
+
+                  start_index = ret.index(local_value)
+                  next if start_index.nil?
+
+                  ret.cs__copy_from(local_value, start_index)
+                  interpolated_inputs << local_name
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -0,0 +1,57 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Trigger
+          # This acts a trigger to handle the special cases of the XPath
+          # library gem and the Oga gem. Untrusted data may come into the
+          # trigger methods from these classes as an array or hash,
+          # respectively. Since untrusted user input comes into these triggers
+          # as a splat argument or an options hash, we need to iterate through
+          # these objects to see if we were tracking on any of them and report
+          # a finding if so.
+          class Xpath
+            include Contrast::Components::Interface
+
+            class << self
+              def xpath_expression_trigger context, trigger_node, _source, object, ret, *args
+                return ret unless args
+
+                process(context, trigger_node, object, ret, *args)
+              end
+
+              def xpath_oga_trigger context, trigger_node, _source, object, ret, *args
+                return ret unless args
+
+                # convert the options arg in Oga::XML::CharacterNode#initialize into an
+                # array of its values so we can check if any are unsafe
+                args = args.first.values if args.first.cs__is_a?(Hash)
+                process(context, trigger_node, object, ret, *args)
+              end
+
+              private
+
+              def process context, trigger_node, object, ret, *args
+                args.each do |arg|
+                  next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
+                  next unless arg.cs__tracked?
+                  next unless trigger_node.violated?(arg)
+
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
+                      context, trigger_node, arg, object, ret, args)
+                end
+
+                ret
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -18,7 +18,7 @@ module Contrast
         # it was not, a Finding report is issued to the Service
         module TriggerMethod
           include Contrast::Components::Interface
-          access_component :analysis, :logging
+          access_component :analysis, :logging, :settings
 
           # The level of TeamServer compliance our traces meet
           CURRENT_FINDING_VERSION = 2
@@ -89,7 +89,7 @@ module Contrast
 
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
-              finding.session_id = Contrast::Agent::FeatureState.instance.current_session_id
+              finding.session_id = SETTINGS.session_id
               finding.version = CURRENT_FINDING_VERSION
 
               build_from_source(finding, source)
@@ -109,10 +109,6 @@ module Contrast
 
             private
 
-            def settings
-              Contrast::Agent::FeatureState.instance
-            end
-
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #
@@ -140,7 +136,7 @@ module Contrast
                 build_finding(context, trigger_node, source, object, ret, *args)
               end
             rescue StandardError => e
-              logger.warn('Unable to apply trigger', e, node_id: trigger_ndoe.id)
+              logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
             end
 
             # Given the marker from the trigger_node (the pointer indicating

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -1,6 +1,9 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/assess/policy/trigger/reflected_xss'
+cs__scoped_require 'contrast/agent/assess/policy/trigger/xpath'
+
 module Contrast
   module Agent
     module Assess
@@ -64,7 +67,7 @@ module Contrast
           end
 
           def rule_disabled?
-            Contrast::Agent::FeatureState.instance.assess_disabled_rules.include?(rule_id)
+            ASSESS.rule_disabled?(rule_id)
           end
 
           # Indicate if this is a dataflow based trigger, meaning it has a proper

data/lib/contrast/agent/assess/rule/base.rb

@@ -46,21 +46,6 @@ module Contrast
               ex.assess_rule?(name)
             end
           end
-
-          def send_report finding
-            finding.rule_id = name
-            finding.hash_code = generate_hash(finding)
-            finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
-            finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
-            finding.tags = ASSESS.tags.to_s
-
-            current_context = Contrast::Agent::REQUEST_TRACKER.current
-            current_context.activity.findings << finding
-          end
-
-          def generate_hash finding
-            Contrast::Utils::HashDigest.generate_trigger_hash(finding)
-          end
         end
       end
     end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/extensions/ruby_core/module'
+cs__scoped_require 'contrast/extension/module'
 
 module Contrast
   module Agent
@@ -19,7 +19,7 @@ module Contrast
           # 4) redacted_marker : the value to plug in for the obfuscated value
           module HardcodedValueRule
             include Contrast::Components::Interface
-            access_component :analysis, :contrast_service, :logging
+            access_component :analysis, :app_context, :logging, :settings
 
             def disabled?
               !ASSESS.enabled? || ASSESS.rule_disabled?(rule_id)
@@ -88,12 +88,14 @@ module Contrast
             # The constant name
             SOURCE_KEY = 'source'
 
+            private
+
             def report_finding clazz, constant_string
               class_name = clazz.cs__name
 
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(rule_id)
-              finding.session_id = Contrast::Agent::FeatureState.instance.current_session_id
+              finding.session_id = SETTINGS.session_id
 
               finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
 
@@ -106,13 +108,28 @@ module Contrast
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
 
               activity = Contrast::Api::Dtm::Activity.new
-              activity.finding_tags = Contrast::Utils::StringUtils.protobuf_safe_string(ASSESS.tags)
               activity.findings << finding
 
-              CONTRAST_SERVICE.queue_message activity
+              # If assess is enabled, we can just send the activity
+              if APP_CONTEXT.ready?
+                build_tags(activity)
+                Contrast::Utils::ServiceSenderUtil.push_to_ready_queue activity
+                # Otherwise, if the Agent isn't ready, we have to queue the messages
+                # until we know the starting state.
+              else
+                Contrast::Utils::ServiceSenderUtil.add_to_assess_messages activity
+              end
             rescue StandardError => e
               logger.error('Unable to build a finding for Hardcoded Rule', e)
             end
+
+            # This seems silly to pull out, but we can ONLY call this in the case
+            # where we have a configuration. Doing otherwise results in a bad error
+            # case where we try to do other things, like logging, which behave
+            # strangely without a config
+            def build_tags activity
+              activity.finding_tags = Contrast::Utils::StringUtils.force_utf8(ASSESS.tags)
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/redos.rb

@@ -54,7 +54,6 @@ module Contrast
               # will have the same functional characteristics as the original.
               # Regexp#inspect gives you a "more nicely formatted" version than #to_s.
               # Regexp#source will give you the original source.
-              # TODO RUBY-683, would we ever get a hit on one but not the other?
 
               # Use #match? because it doesn't fill out global variables
               # in the way match or =~ do.

data/lib/contrast/agent/at_exit_hook.rb

@@ -8,7 +8,7 @@ module Contrast
     # This module adds an at_exit hook for us to send messages that may be lost at process exit
     module AtExitHook
       include Contrast::Components::Interface
-      access_component :contrast_service, :logging
+      access_component :logging
       def self.exit_hook
         @_exit_hook ||= begin
                           at_exit do
@@ -29,7 +29,7 @@ module Contrast
                      process_pp_id: Process.ppid)
 
         context = Contrast::Agent::REQUEST_TRACKER.current
-        CONTRAST_SERVICE.send_message(context.activity) if context
+        Contrast::Utils::ServiceSenderUtil.send_event_immediately(context.activity) if context
       end
     end
   end

data/lib/contrast/agent/class_reopener.rb

@@ -2,25 +2,30 @@
 # frozen_string_literal: true
 
 cs__scoped_require 'ripper'
-cs__scoped_require 'contrast/extensions/ruby_core/module'
+cs__scoped_require 'contrast/extension/module'
 cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/logger/log'
 
 # This method is left purposefully at the top level namespace. Moving it
 # elsewhere will break functionality as it executes evaluations against the
 # namespace from which it is called -- ie putting it in Contrast would make all
 # changes it intends for Foo happen to Contrast::Foo instead
 #
-# @param class_name [String] the name of the class in which the eval will
+# @param _class_name [String] the name of the class in which the eval will
 #   redefine functionality
 # @param content [String] the String content that will function as the code in
 #   the given class
-def unbound_eval class_name, content
+def unbound_eval _class_name, content
   # Yuck, this is a top-level method that has to break encapsulation
   # in order to access scoping!
   Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.enter_contrast_scope!
   eval(content) # rubocop:disable Security/Eval
 rescue Exception # rubocop:disable Lint/RescueException
-  Contrast::Agent::SettingsState.log_error("Unable to perform unbound eval of new content for #{ class_name }.")
+  # We can't use components here, so we have to access the log directly. I hate
+  # it, but we'll have to deal with it until we remove 2.5 support.
+  Contrast::Logger::Log.instance.logger.error('Unable to perform unbound eval of new content', module: class_name)
+  # And we need to return nil here, not the value from the logger.
+  nil
 ensure
   Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.exit_contrast_scope!
 end

data/lib/contrast/agent/exclusion_matcher.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/api/decorators/exclusion.rb'
 
 module Contrast
   module Agent

data/lib/contrast/agent/inventory/policy/datastores.rb

@@ -0,0 +1,54 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/utils/inventory_util'
+
+module Contrast
+  module Agent
+    module Inventory
+      module Policy
+        # This Module is how we apply the Data Store detection required for the
+        # FlowMap feature. It is called from our patches of the targeted methods
+        # in which database operations occur. It is responsible for deciding if
+        # the given invocation is worth reporting or not.
+        module DataStores
+          class << self
+            include Contrast::Components::Interface
+
+            access_component :analysis, :logging
+            # The key used in policy.json to indicate the database type to
+            # report.
+            DATA_STORE_MARKER = 'data_store'
+
+            def report_data_store _method, _exception, properties, object, _args
+              return unless INVENTORY.enabled?
+
+              marker = properties[DATA_STORE_MARKER]
+              return unless marker
+
+              file_report(marker)
+            rescue StandardError => e
+              logger.error('Error reporting database call', e, object: object)
+            end
+
+            private
+
+            def file_report data_store
+              return unless data_store
+
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              return unless context&.activity
+
+              context.activity.technologies[data_store] = true
+              context.activity.query_count += 1
+              return unless context.activity.query_count == 1
+
+              Contrast::Utils::InventoryUtil.append_db_config(context.activity)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/inventory/policy/policy.rb

@@ -5,7 +5,7 @@ cs__scoped_require 'contrast/agent/inventory/policy/trigger_node'
 cs__scoped_require 'contrast/agent/patching/policy/policy'
 
 # classes required by patches in the policy
-cs__scoped_require 'contrast/extensions/ruby_core/inventory/datastores'
+cs__scoped_require 'contrast/agent/inventory/policy/datastores'
 
 module Contrast
   module Agent

data/lib/contrast/agent/middleware.rb

@@ -26,49 +26,45 @@ module Contrast
     # as it goes through the middleware stack inside of #call.
     class Middleware
       include Contrast::Components::Interface
-      access_component :agent, :logging, :scope
+      access_component :agent, :config, :logging, :scope, :settings
 
       attr_reader :app
 
       # Allows the Agent to function as a middleware. We perform all our one-time whole-app routines in here
-      # since we're only going to be initialized a single time. Our initializatoin order is:
-      # - log environment, configuration, and all libraries
-      # - start the service sending thread, responsible for sending and processing messages
-      # - start the heartbeat thread, which triggers service startup
-      # - start instrumenting libraries and do a 'catchup' patch for everything we didn't see get loaded
-      # - enable TracePoint, which handles all class loads and required instrumentation going forward
+      # since we're only going to be initialized a single time. Our initialization order is:
+      # - capture the application
+      # - setup the Agent
+      # - startup the Agent
       #
       # @param app [Rack::Application] the application to be instrumented
       # @param _legacy_param [nil] was a flag we no longer need, but Sinatra may call it
-
       def initialize app, _legacy_param = nil
-        @app = app # THIS MUST BE FIRST AND ALWAYS SET!
-        # TODO: RUBY-545 nomenclature here needs to be updated.
-        #   enabled/initialized are really only reflective of whether we were able to parse the config,
-        #   which is the bare minimum for the agent to do anything.
+        @app = app  # THIS MUST BE FIRST AND ALWAYS SET!
+        setup_agent # THIS MUST BE SECOND AND ALWAYS CALLED!
         unless AGENT.enabled?
           logger.error(
-              'Contrast middleware initializer detected an early-stage setup failure (likely config parse). Disabling.')
+              'The Agent was unable to initialize before the application middleware was initialized. Disabling permanently.')
           AGENT.disable! # ensure the agent is disabled (probably redundant)
           return
         end
         agent_startup_routine
       end
 
+      # Startup the Agent as part of the initialization process:
+      # - start the service sending thread, responsible for sending and
+      #   processing messages
+      # - start the heartbeat thread, which triggers service startup
+      # - start instrumenting libraries and do a 'catchup' patch for everything
+      #   we didn't see get loaded
+      # - enable TracePoint, which handles all class loads and required
+      #   instrumentation going forward
       def agent_startup_routine
-        logger.debug_with_time('middleware: log environment') do
-          settings.log_environment
-          settings.log_configuration
-          settings.log_specific_libraries
-          settings.log_all_libraries
-        end
-
         logger.debug_with_time('middleware: starting service') do
           run_service_threads
         end
 
         logger.debug_with_time('middleware: instrument shared libraries and patch') do
-          instrument_and_patch
+          Contrast::Agent::Patching::Policy::Patcher.patch
         end
 
         AGENT.enable_tracepoint
@@ -96,10 +92,26 @@ module Contrast
 
       private
 
+      def setup_agent
+        SETTINGS.reset_state
+
+        if CONFIG.invalid?
+          AGENT.disable!
+          logger.error('!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!')
+        elsif CONFIG.disabled?
+          AGENT.disable!
+          logger.warn('Contrast disabled by configuration. Continuing without instrumentation.')
+        else
+          AGENT.enable!
+        end
+      end
+
       # This is where we process each request we intercept as a middleware. We make the request context
       # available globally so that it can be accessed from anywhere. A RequestHandler object is made
       # for each request, which handles prefilter and postfilter operations.
       def call_with_agent env
+        return unless AGENT.enabled?
+
         framework_request = Contrast::Agent.framework_manager.retrieve_request(env)
         context = Contrast::Agent::RequestContext.new(framework_request)
         response = nil
@@ -155,7 +167,7 @@ module Contrast
         if exception.is_a?(Contrast::SecurityException) ||
               exception.message&.include?(SECURITY_EXCEPTION_MARKER)
 
-          exception_control = settings.exception_control
+          exception_control = AGENT.exception_control
           raise exception unless exception_control[:enable]
 
           [exception_control[:status], {}, [exception_control[:message]]]
@@ -165,23 +177,15 @@ module Contrast
         end
       end
 
-      def settings
-        Contrast::Agent::FeatureState.instance
-      end
-
+      # TODO: RUBY-920
+      # Move this somewhere that controls our threads, ensuring they're
+      # recreated on Fork
+      #
       # Rspec stubs over these methods for simplicity's sake in testing
       def run_service_threads
         Contrast::Utils::ServiceSenderUtil.start
         Contrast::Agent::ServiceHeartbeat.new.start
       end
-
-      # All this method chain does anymore is load the Thread patch that
-      # propagates request contexts.  That can go away RUBY-700.
-      SHARED_LIBRARIES = %w[contrast/extensions/ruby_core/thread].cs__freeze
-      def instrument_and_patch
-        SHARED_LIBRARIES.each { |lib| settings.instrument(lib) }
-        Contrast::Agent::Patching::Policy::Patcher.patch
-      end
     end
   end
 end