contrast-agent 3.11.0 → 3.12.0

data/lib/contrast/agent/patching/policy/after_load_patch.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/extension/module'
 cs__scoped_require 'contrast/utils/class_util'
 
 module Contrast
@@ -9,13 +11,16 @@ module Contrast
       module Policy
         # Used to handle tracking patches that need to apply special instrumentation when a module is loaded
         class AfterLoadPatch
-          attr_reader :applied, :module_name, :instrumentation_file_path, :method_to_instrument
+          include Contrast::Components::Interface
+          access_component :scope
+          attr_reader :applied, :module_name, :instrumentation_file_path, :method_to_instrument, :instrumenting_module
 
-          def initialize module_name, instrumentation_file_path, method_to_instrument: nil
+          def initialize module_name, instrumentation_file_path, method_to_instrument: nil, instrumenting_module:
             @applied = false
             @module_name = module_name
             @method_to_instrument = method_to_instrument
             @instrumentation_file_path = instrumentation_file_path
+            @instrumenting_module = instrumenting_module
           end
 
           def applied?
@@ -55,6 +60,10 @@ module Contrast
 
           def instrument!
             cs__scoped_require instrumentation_file_path
+            if instrumenting_module
+              mod = Module.cs__const_get(instrumenting_module)
+              with_contrast_scope { mod.instrument } if mod
+            end
             @applied = true
           end
 

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -3,6 +3,7 @@
 
 cs__scoped_require 'contrast/components/interface'
 cs__scoped_require 'contrast/agent/patching/policy/after_load_patch'
+cs__scoped_require 'contrast/framework/manager'
 
 module Contrast
   module Agent
@@ -14,84 +15,78 @@ module Contrast
           include Contrast::Components::Interface
           access_component :agent, :logging
 
-          AFTER_LOAD_PATCHES = Set.new([
-                                         Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                             'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
-                                             'contrast/extensions/framework/rails/active_record_time_zone_inherited',
-                                             method_to_instrument: :inherited),
-                                         Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                             'ActionController::Railties::Helper::ClassMethods',
-                                             'contrast/extensions/framework/rails/action_controller_railties_helper_inherited',
-                                             method_to_instrument: :inherited),
-                                         Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                             'ActiveRecord::Scoping::Named::ClassMethods',
-                                             'contrast/extensions/framework/rails/active_record_named'),
-                                         Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                             'ActiveRecord::AttributeMethods::Read::ClassMethods',
-                                             'contrast/extensions/framework/rails/active_record'),
-                                         Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                             'Sinatra::Base',
-                                             'contrast/extensions/framework/sinatra/base'),
-                                         Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                             'Rails::Application::Configuration',
-                                             'contrast/extensions/framework/rails/configuration',
-                                             method_to_instrument: :session_store),
-                                         Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                             'Rack::Request',
-                                             'contrast/extensions/framework/rack/request'),
-                                         Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                             'Rack::Response',
-                                             'contrast/extensions/framework/rack/response'),
-                                         Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                             'ActionController::Live::Buffer',
-                                             'contrast/extensions/framework/rails/buffer'),
-                                         Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                             'Rack::Session::Cookie',
-                                             'contrast/extensions/framework/rack/cookie')
-                                       ])
-
           # After initialization run a catchup check to instrument any already loaded modules we care about
           def catchup_after_load_patches
+            apply_require_patches!
             apply_direct_patches!
-            applied = []
-            AFTER_LOAD_PATCHES.each do |after_load_patch|
-              next unless after_load_patch.target_defined?
-              next if AGENT.skip_instrumentation?(after_load_patch.module_name)
-
-              logger.trace(
-                  'Catching up on already loaded afterload patch - applying instrumentation',
-                  module: after_load_patch.module_name)
-              after_load_patch.instrument!
-              applied << after_load_patch
-            end
-            AFTER_LOAD_PATCHES.subtract(applied)
+            apply_load_patches!
           end
 
+          private
+
           # These patches need to be applied directly, not from our policy, so
           # do so and do so only once. This should be the new standard so that
           # there are no require time side effects of loading our core
           # extensions.
           def apply_direct_patches!
             @_apply_direct_patches ||= begin
-                                    Contrast::CoreExtensions::Assess::FiberPropagator.instrument_fiber_track
-                                    Contrast::CoreExtensions::Assess::HashPropagator.instrument_hash_track
-                                    Contrast::CoreExtensions::Assess::RegexpPropagator.instrument_regexp_track
-                                    Contrast::CoreExtensions::Assess::StringPropagator.instrument_string
-                                    Contrast::CoreExtensions::Assess::StringPropagator.instrument_string_interpolation
+                                    Contrast::Extension::Assess::ArrayPropagator.instrument_array_track
+                                    Contrast::Extension::Assess::EvalTrigger.instrument_basic_object_track
+                                    Contrast::Extension::Assess::EvalTrigger.instrument_module_track
+                                    Contrast::Extension::Assess::FiberPropagator.instrument_fiber_track
+                                    Contrast::Extension::Assess::HashPropagator.instrument_hash_track
+                                    Contrast::Extension::Assess::KernelPropagator.instrument_kernel_track
+                                    Contrast::Extension::Assess::RegexpPropagator.instrument_regexp_track
+                                    Contrast::Extension::Assess::StringPropagator.instrument_string
+                                    Contrast::Extension::Assess::StringPropagator.instrument_string_interpolation
+
+                                    Contrast::Extension::Protect::Kernel.instrument
                                     true
                                   end
           end
 
+          def apply_load_patches!
+            after_load_patches.each do |after_load_patch|
+              next unless after_load_patch.target_defined?
+              next if AGENT.skip_instrumentation?(after_load_patch.module_name)
+
+              logger.trace(
+                  'Catching up on already loaded afterload patch - applying instrumentation',
+                  module: after_load_patch.module_name)
+              after_load_patch.instrument!
+            end
+            after_load_patches.delete_if(&:applied?)
+          end
+
+          # These patches need to be applied directly, not from our policy, and
+          # are applied as a result of requiring the file as they alias methods
+          # directly, allowing us to control things like scope and exception
+          # handling
+          def apply_require_patches!
+            @_apply_require_patches ||= begin
+                                          cs__scoped_require 'contrast/extension/thread'
+                                          cs__scoped_require 'contrast/extension/kernel'
+                                          true
+                                        rescue LoadError, StandardError => e
+                                          logger.error('failed instrumenting apply_require_patches!', e)
+                                          false
+                                        end
+          end
+
+          def after_load_patches
+            @_after_load_patches ||= Contrast::Agent.framework_manager.find_after_load_patches
+          end
+
           # Use for any checks after we've initialized
           def load_patches_for_module module_name
-            return if AFTER_LOAD_PATCHES.empty?
+            return if after_load_patches.empty?
 
-            patch = AFTER_LOAD_PATCHES.find { |after_load_patch| after_load_patch.applies?(module_name) }
+            patch = after_load_patches.find { |after_load_patch| after_load_patch.applies?(module_name) }
             return unless patch
 
             logger.trace('Detected loading of afterload patch - applying instrumentation', module: module_name)
             patch.instrument!
-            AFTER_LOAD_PATCHES.subtract([patch]) if patch.applied?
+            after_load_patches.delete_if(&:applied?)
           end
         end
       end

data/lib/contrast/agent/patching/policy/patch.rb

@@ -5,7 +5,7 @@ cs__scoped_require 'monitor'
 cs__scoped_require 'contrast/components/interface'
 
 cs__scoped_require 'contrast/agent'
-cs__scoped_require 'contrast/agent/logger'
+cs__scoped_require 'contrast/logger/log'
 cs__scoped_require 'contrast/agent/patching/policy/method_policy'
 cs__scoped_require 'contrast/agent/patching/policy/patch_status'
 cs__scoped_require 'contrast/agent/patching/policy/trigger_node'
@@ -127,6 +127,7 @@ module Contrast
             # @param args [Array<Object>] The arguments passed to the method
             #   being invoked.
             def apply_protect method_policy, method, exception, object, args
+              return unless AGENT.enabled?
               return unless PROTECT.enabled?
 
               apply_trigger_only(method_policy&.protect_node,

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -51,11 +51,9 @@ module Contrast
             # instrumentation of the application - this only occurs once, during
             # startup to catchup on everything we didn't see get loaded
             def patch
-              logger.debug_with_time('Patching') do
-                catchup_after_load_patches
-                patch_methods
-                Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations
-              end
+              catchup_after_load_patches
+              patch_methods
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations
             end
 
             # Hook to only monkeypatch Contrast. This will not trigger any
@@ -222,13 +220,13 @@ module Contrast
             end
 
             # Includes the given module with the
-            # Contrast::CoreExtensions::Assess::AssessExtension
+            # Contrast::Extension::Assess::AssessExtension
             # @param module_data [Contrast::Agent::ModuleData] the module, and
             #   its name, that's being patched into
             def include_module module_data
               return false unless Contrast::Agent::Assess::Policy::Policy.instance.tracked_classes.include?(module_data.name)
 
-              module_data.mod.send(:include, Contrast::CoreExtensions::Assess::AssessExtension)
+              module_data.mod.send(:include, Contrast::Extension::Assess::AssessExtension)
               true
             end
 
@@ -300,10 +298,10 @@ module Contrast
 end
 
 # core extensions
-cs__scoped_require 'contrast/extensions/ruby_core/module'
-cs__scoped_require 'contrast/extensions/ruby_core/assess'
-cs__scoped_require 'contrast/extensions/ruby_core/inventory'
-cs__scoped_require 'contrast/extensions/ruby_core/protect'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/kernel'
+cs__scoped_require 'contrast/extension/module'
+cs__scoped_require 'contrast/extension/assess'
+cs__scoped_require 'contrast/extension/inventory'
+cs__scoped_require 'contrast/extension/protect'
+cs__scoped_require 'contrast/extension/protect/kernel'
 
 cs__scoped_require 'cs__contrast_patch/cs__contrast_patch'

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -13,7 +13,7 @@ module Contrast
         # @abstract
         class PolicyNode
           include Contrast::Components::Interface
-          access_component :scope
+          access_component :analysis, :scope
 
           attr_accessor :class_name, :instance_method, :method_name, :method_visibility
           attr_reader :properties, :method_scope

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/extensions/ruby_core/module'
+cs__scoped_require 'contrast/extension/module'
 cs__scoped_require 'contrast/agent/patching/policy/policy_node'
 
 module Contrast

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -0,0 +1,63 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/protect/rule/cmd_injection'
+cs__scoped_require 'contrast/agent/protect/policy/applies_deserialization_rule'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the Command Injection rule. It is called
+        # from our patches of the targeted methods in which command execution
+        # occurs. It is responsible for deciding if the infilter methods of the
+        # rule should be invoked.
+        # In addition, b/c of the nature of Deserialization's sand boxing
+        # function, this Module's apply methods call through to the
+        # {#apply_deserialization_command_check} method of the
+        # Deserialization applicator.
+        module AppliesCommandInjectionRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          CS__SEMICOLON = '; '
+
+          class << self
+            def invoke method, _exception, _properties, object, args
+              return unless valid_command?(args)
+
+              command = build_command(args)
+              Contrast::Agent::Protect::Policy::AppliesDeserializationRule.apply_deserialization_command_check(command)
+              return if skip_analysis?
+
+              begin
+                clazz = object.is_a?(Module) ? object : object.cs__class
+                class_name = clazz.cs__name
+                rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
+              end
+            end
+
+            protected
+
+            def name
+              Contrast::Agent::Protect::Rule::CmdInjection::NAME
+            end
+
+            private
+
+            def valid_command? command
+              command && (command.is_a?(String) || command.is_a?(Array))
+            end
+
+            def build_command command
+              return command if command.is_a?(String)
+
+              command = command.drop(1) if command.length > 1
+              command.join(CS__SEMICOLON)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb

@@ -0,0 +1,52 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/protect/rule/deserialization'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the Deserialization rule. It is called from
+        # our patches of the targeted methods in which deserialization occurs.
+        # It is responsible for deciding if the infilter methods of the rule
+        # should be invoked.
+        module AppliesDeserializationRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          class << self
+            def invoke _method, _exception, _properties, _object, args
+              return unless valid_input?(args)
+              return if skip_analysis?
+
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
+            end
+
+            def apply_deserialization_command_check command
+              return unless command
+              return if skip_analysis?
+
+              rule.check_command_scope(command)
+            end
+
+            protected
+
+            def name
+              Contrast::Agent::Protect::Rule::Deserialization::NAME
+            end
+
+            private
+
+            def valid_input? args
+              return false unless args&.any?
+
+              input = args[0]
+              input.is_a?(String)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -0,0 +1,68 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/protect/rule/no_sqli'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the NoSQL Injection rule. It is called from
+        # our patches of the targeted methods in which the execution of String
+        # based NoSQL queries occur. It is responsible for deciding if the
+        # infilter methods of the rule should be invoked.
+        module AppliesNoSqliRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          class << self
+            def invoke method, _exception, properties, _object, args
+              return unless valid_input?(args)
+              return if skip_analysis?
+
+              database = properties['database']
+              operations = args[0]
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if operations.is_a?(Array)
+                operations.each do |m|
+                  handle_operation(context, database, method, m)
+                end
+              else
+                handle_operation(context, database, method, operations)
+              end
+            end
+
+            protected
+
+            def name
+              Contrast::Agent::Protect::Rule::NoSqli::NAME
+            end
+
+            private
+
+            def valid_input? args
+              return false unless args&.any?
+
+              args[0]
+            end
+
+            def handle_operation context, database, _action, operation
+              data = extract_mongo_data(operation)
+              return unless data && !data.empty?
+
+              rule.infilter(context, database, data)
+            end
+
+            def extract_mongo_data operation
+              if operation.cs__respond_to? :selector
+                operation.selector
+              elsif operation.cs__respond_to? :documents
+                operation.documents
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end