contrast-agent 3.11.0 → 3.13.1

data/lib/contrast/agent/patching/policy/patch.rb

@@ -5,7 +5,7 @@ cs__scoped_require 'monitor'
 cs__scoped_require 'contrast/components/interface'
 
 cs__scoped_require 'contrast/agent'
-cs__scoped_require 'contrast/agent/logger'
+cs__scoped_require 'contrast/logger/log'
 cs__scoped_require 'contrast/agent/patching/policy/method_policy'
 cs__scoped_require 'contrast/agent/patching/policy/patch_status'
 cs__scoped_require 'contrast/agent/patching/policy/trigger_node'
@@ -127,6 +127,7 @@ module Contrast
             # @param args [Array<Object>] The arguments passed to the method
             #   being invoked.
             def apply_protect method_policy, method, exception, object, args
+              return unless AGENT.enabled?
               return unless PROTECT.enabled?
 
               apply_trigger_only(method_policy&.protect_node,
@@ -352,7 +353,7 @@ module Contrast
                            elsif target_module.public_instance_methods(false).include?(method_name)
                              :public
                            else
-                             raise NotImplementedError,
+                             raise NoMethodError,
                                    <<~ERR
                                      Tried to register a C-defined #{ impl } patch for \
                                      #{ target_module_name }##{ method_name }, but can't find :#{ method_name }.

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -51,11 +51,9 @@ module Contrast
             # instrumentation of the application - this only occurs once, during
             # startup to catchup on everything we didn't see get loaded
             def patch
-              logger.debug_with_time('Patching') do
-                catchup_after_load_patches
-                patch_methods
-                Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations
-              end
+              catchup_after_load_patches
+              patch_methods
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations
             end
 
             # Hook to only monkeypatch Contrast. This will not trigger any
@@ -222,13 +220,13 @@ module Contrast
             end
 
             # Includes the given module with the
-            # Contrast::CoreExtensions::Assess::AssessExtension
+            # Contrast::Extension::Assess::AssessExtension
             # @param module_data [Contrast::Agent::ModuleData] the module, and
             #   its name, that's being patched into
             def include_module module_data
               return false unless Contrast::Agent::Assess::Policy::Policy.instance.tracked_classes.include?(module_data.name)
 
-              module_data.mod.send(:include, Contrast::CoreExtensions::Assess::AssessExtension)
+              module_data.mod.send(:include, Contrast::Extension::Assess::AssessExtension)
               true
             end
 
@@ -300,10 +298,10 @@ module Contrast
 end
 
 # core extensions
-cs__scoped_require 'contrast/extensions/ruby_core/module'
-cs__scoped_require 'contrast/extensions/ruby_core/assess'
-cs__scoped_require 'contrast/extensions/ruby_core/inventory'
-cs__scoped_require 'contrast/extensions/ruby_core/protect'
-cs__scoped_require 'contrast/extensions/ruby_core/protect/kernel'
+cs__scoped_require 'contrast/extension/module'
+cs__scoped_require 'contrast/extension/assess'
+cs__scoped_require 'contrast/extension/inventory'
+cs__scoped_require 'contrast/extension/protect'
+cs__scoped_require 'contrast/extension/protect/kernel'
 
 cs__scoped_require 'cs__contrast_patch/cs__contrast_patch'

data/lib/contrast/agent/patching/policy/policy.rb

@@ -22,17 +22,17 @@ module Contrast
 
           # Indicates the folder in `resources` where this policy lives.
           def self.policy_folder
-            raise(NotImplementedError, 'specify policy_folder for patching')
+            raise(NoMethodError, 'specify policy_folder for patching')
           end
 
           # Indicates is this feature has been disabled by the configuration,
           # read at startup, and therefore can never be enabled.
           def disabled_globally?
-            raise(NotImplementedError, 'specify disabled_globally? conditions for patching')
+            raise(NoMethodError, 'specify disabled_globally? conditions for patching')
           end
 
           def node_type
-            raise(NotImplementedError, 'specify the concrete node type for this poilcy')
+            raise(NoMethodError, 'specify the concrete node type for this poilcy')
           end
 
           access_component :analysis, :logging

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -13,17 +13,17 @@ module Contrast
         # @abstract
         class PolicyNode
           include Contrast::Components::Interface
-          access_component :scope
+          access_component :analysis, :scope
 
           attr_accessor :class_name, :instance_method, :method_name, :method_visibility
           attr_reader :properties, :method_scope
 
           def node_class
-            raise NotImplementedError, 'specify the type of the feature for which this node patches'
+            raise NoMethodError, 'specify the type of the feature for which this node patches'
           end
 
           def feature
-            raise NotImplementedError, 'specify the name of the feature for which this node patches'
+            raise NoMethodError, 'specify the name of the feature for which this node patches'
           end
 
           def initialize policy_hash = {}

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/extensions/ruby_core/module'
+cs__scoped_require 'contrast/extension/module'
 cs__scoped_require 'contrast/agent/patching/policy/policy_node'
 
 module Contrast

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -0,0 +1,63 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/protect/rule/cmd_injection'
+cs__scoped_require 'contrast/agent/protect/policy/applies_deserialization_rule'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the Command Injection rule. It is called
+        # from our patches of the targeted methods in which command execution
+        # occurs. It is responsible for deciding if the infilter methods of the
+        # rule should be invoked.
+        # In addition, b/c of the nature of Deserialization's sand boxing
+        # function, this Module's apply methods call through to the
+        # {#apply_deserialization_command_check} method of the
+        # Deserialization applicator.
+        module AppliesCommandInjectionRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          CS__SEMICOLON = '; '
+
+          class << self
+            def invoke method, _exception, _properties, object, args
+              return unless valid_command?(args)
+
+              command = build_command(args)
+              Contrast::Agent::Protect::Policy::AppliesDeserializationRule.apply_deserialization_command_check(command)
+              return if skip_analysis?
+
+              begin
+                clazz = object.is_a?(Module) ? object : object.cs__class
+                class_name = clazz.cs__name
+                rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
+              end
+            end
+
+            protected
+
+            def name
+              Contrast::Agent::Protect::Rule::CmdInjection::NAME
+            end
+
+            private
+
+            def valid_command? command
+              command && (command.is_a?(String) || command.is_a?(Array))
+            end
+
+            def build_command command
+              return command if command.is_a?(String)
+
+              command = command.drop(1) if command.length > 1
+              command.join(CS__SEMICOLON)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb

@@ -0,0 +1,52 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/protect/rule/deserialization'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the Deserialization rule. It is called from
+        # our patches of the targeted methods in which deserialization occurs.
+        # It is responsible for deciding if the infilter methods of the rule
+        # should be invoked.
+        module AppliesDeserializationRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          class << self
+            def invoke _method, _exception, _properties, _object, args
+              return unless valid_input?(args)
+              return if skip_analysis?
+
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
+            end
+
+            def apply_deserialization_command_check command
+              return unless command
+              return if skip_analysis?
+
+              rule.check_command_scope(command)
+            end
+
+            protected
+
+            def name
+              Contrast::Agent::Protect::Rule::Deserialization::NAME
+            end
+
+            private
+
+            def valid_input? args
+              return false unless args&.any?
+
+              input = args[0]
+              input.is_a?(String)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -0,0 +1,68 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/protect/rule/no_sqli'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the NoSQL Injection rule. It is called from
+        # our patches of the targeted methods in which the execution of String
+        # based NoSQL queries occur. It is responsible for deciding if the
+        # infilter methods of the rule should be invoked.
+        module AppliesNoSqliRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          class << self
+            def invoke method, _exception, properties, _object, args
+              return unless valid_input?(args)
+              return if skip_analysis?
+
+              database = properties['database']
+              operations = args[0]
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if operations.is_a?(Array)
+                operations.each do |m|
+                  handle_operation(context, database, method, m)
+                end
+              else
+                handle_operation(context, database, method, operations)
+              end
+            end
+
+            protected
+
+            def name
+              Contrast::Agent::Protect::Rule::NoSqli::NAME
+            end
+
+            private
+
+            def valid_input? args
+              return false unless args&.any?
+
+              args[0]
+            end
+
+            def handle_operation context, database, _action, operation
+              data = extract_mongo_data(operation)
+              return unless data && !data.empty?
+
+              rule.infilter(context, database, data)
+            end
+
+            def extract_mongo_data operation
+              if operation.cs__respond_to? :selector
+                operation.selector
+              elsif operation.cs__respond_to? :documents
+                operation.documents
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -0,0 +1,117 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/protect/rule/path_traversal'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+cs__scoped_require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the Path Traversal rule. It is called from
+        # our patches of the targeted methods in which File or IO access occur.
+        # It is responsible for deciding if the infilter methods of the rule
+        # should be invoked.
+        module AppliesPathTraversalRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          class << self
+            def invoke method, _exception, properties, object, args
+              return unless args&.any?
+
+              path = args[0]
+              return unless path.is_a?(String)
+              return if skip_analysis?
+
+              action = properties['action']
+              write_marker = write?(action, *args)
+              possible_write = write_marker && possible_write(write_marker)
+              path_traversal_rule(path, possible_write, object, method)
+
+              # If the action was copy, we need to handle the write half of it.
+              # We handled read in line above.
+              return unless action == COPY
+              return unless args.length > 1
+
+              dst = args[1]
+              return unless dst.is_a?(String)
+
+              path_traversal_rule(dst, true, object, method)
+            end
+
+            protected
+
+            def name
+              Contrast::Agent::Protect::Rule::PathTraversal::NAME
+            end
+
+            private
+
+            def possible_write input
+              input.cs__respond_to?(:to_s) &&
+                  input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
+            end
+
+            READ = 'read'
+            WRITE = 'write'
+            COPY = 'copy'
+            def write? action, *args
+              return false if action == READ
+              return false if action == COPY
+              return true if action == WRITE
+
+              write_marker = args.length > 1 ? args[1] : nil
+              write_marker && possible_write(write_marker)
+            end
+
+            def path_traversal_rule path, possible_write, object, method
+              return unless applies_to?(path, possible_write)
+
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
+            rescue Contrast::SecurityException => e
+              raise e
+            rescue StandardError => e
+              logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
+            end
+
+            CS__SAFER_REL_PATHS = %w[public app log tmp].cs__freeze
+            def safer_abs_paths
+              @_safer_abs_paths ||= begin
+                pwd = ENV['PWD']
+                if pwd
+                  tmp = CS__SAFER_REL_PATHS.map { |r| "#{ pwd }/#{ r }" }
+                  gems = ENV['GEM_PATH']
+                  tmp += gems.split(Contrast::Utils::ObjectShare::COLON) if gems
+                  tmp
+                else
+                  []
+                end
+              end
+            end
+
+            def applies_to? path, possible_write = false
+              # any possible write is a potential risk
+              return true if possible_write
+
+              # any path that moves 'up' is a potential risk
+              return true if path.index(Contrast::Utils::ObjectShare::PARENT_PATH)
+
+              path = path.downcase
+              if path.start_with?(Contrast::Utils::ObjectShare::SLASH)
+                safer_abs_paths.each do |prefix|
+                  return false if path.start_with?(prefix)
+                end
+              else
+                CS__SAFER_REL_PATHS.each do |prefix|
+                  return false if path.start_with?(prefix)
+                end
+              end
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -0,0 +1,54 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/agent/protect/rule/sqli'
+cs__scoped_require 'contrast/agent/protect/policy/rule_applicator'
+
+module Contrast
+  module Agent
+    module Protect
+      module Policy
+        # This Module is how we apply the SQL Injection rule. It is called from
+        # our patches of the targeted methods in which the execution of String
+        # based SQL queries occur. It is responsible for deciding if the infilter
+        # methods of the rule should be invoked.
+        class AppliesSqliRule
+          extend Contrast::Agent::Protect::Policy::RuleApplicator
+
+          DATABASE_MYSQL =    'MySQL'
+          DATABASE_SQLITE =   'SQLite3'
+          DATABASE_PG =       'PostgreSQL'
+
+          class << self
+            def invoke _method, _exception, properties, _object, args
+              database = properties['database']
+              return unless database
+
+              index = properties[Contrast::Utils::ObjectShare::INDEX]
+              return unless valid_input?(index, args)
+              return if skip_analysis?
+
+              sql = args[index]
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
+            end
+
+            protected
+
+            def name
+              Contrast::Agent::Protect::Rule::Sqli::NAME
+            end
+
+            private
+
+            def valid_input? index, args
+              return false unless args && args.length > index
+
+              sql = args[index]
+              sql && !sql.empty?
+            end
+          end
+        end
+      end
+    end
+  end
+end