contrast-agent 3.12.1 → 3.14.0

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb

@@ -56,7 +56,7 @@ module Contrast
             # characters are probably more likely to appear together in a
             # default placeholder than in a password. Note this is opposite of
             # the behavior in Java
-            PROPERTY_NAME_PATTERN = /^[a-z]+[\.\_][\.\_a-z]*[a-z]+$/.cs__freeze
+            PROPERTY_NAME_PATTERN = /^[a-z]+[._][._a-z]*[a-z]+$/.cs__freeze
             def probably_property_name? value
               value.match?(PROPERTY_NAME_PATTERN)
             end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/extension/module'
+require 'contrast/components/interface'
+require 'contrast/extension/module'
 
 module Contrast
   module Agent
@@ -19,7 +19,7 @@ module Contrast
           # 4) redacted_marker : the value to plug in for the obfuscated value
           module HardcodedValueRule
             include Contrast::Components::Interface
-            access_component :analysis, :app_context, :logging, :settings
+            access_component :analysis, :app_context, :logging
 
             def disabled?
               !ASSESS.enabled? || ASSESS.rule_disabled?(rule_id)
@@ -95,8 +95,6 @@ module Contrast
 
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(rule_id)
-              finding.session_id = SETTINGS.session_id
-
               finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
 
               finding.properties[SOURCE_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(class_name)
@@ -110,26 +108,10 @@ module Contrast
               activity = Contrast::Api::Dtm::Activity.new
               activity.findings << finding
 
-              # If assess is enabled, we can just send the activity
-              if APP_CONTEXT.ready?
-                build_tags(activity)
-                Contrast::Utils::ServiceSenderUtil.push_to_ready_queue activity
-                # Otherwise, if the Agent isn't ready, we have to queue the messages
-                # until we know the starting state.
-              else
-                Contrast::Utils::ServiceSenderUtil.add_to_assess_messages activity
-              end
+              Contrast::Agent.messaging_queue.send_event_eventually(activity)
             rescue StandardError => e
               logger.error('Unable to build a finding for Hardcoded Rule', e)
             end
-
-            # This seems silly to pull out, but we can ONLY call this in the case
-            # where we have a configuration. Doing otherwise results in a bad error
-            # case where we try to do other things, like logging, which behave
-            # strangely without a config
-            def build_tags activity
-              activity.finding_tags = Contrast::Utils::StringUtils.force_utf8(ASSESS.tags)
-            end
           end
         end
       end

data/lib/contrast/agent/assess/tag.rb

@@ -7,28 +7,42 @@ module Contrast
       # A Tag represents a range in a given piece of data. It is used by the
       # Agent to determine if a vulnerable dataflow has occurred.
       class Tag
-        attr_reader :length,    # length of tagged text within string
+        attr_reader :label,     # the label of this tag
+                    :length,    # length of tagged text within string
                     :start_idx, # start of range
-                    :end_idx    # end of range (calculated from start + length)
+                    :end_idx    # end of range (calculated from start + length), exclusive
 
         # Initialize a new tag
-        # length : the length of the string described with this tag
-        # start_idx : (default: 0) the starting position in the string for this tag
-        def initialize length, start_idx = 0
+        #
+        # @param label [String] the lable of the tag
+        # @param length [Integer] the length of the string described with this
+        #   tag
+        # @param start_idx [Integer] (0) the starting position in the string for
+        #   this tag
+        def initialize label, length, start_idx = 0
+          @label = label
           update_range(start_idx, start_idx + length)
         end
 
         # Return true if the tag covers the given position in the string
+        #
+        # @param idx [Integer] the index to check
+        # @return [Boolean]
         def covers? idx
           idx >= start_idx && idx < end_idx
         end
 
         # Return true if the tag is above the given position in the string
+        # @param idx [Integer] the index to check
+        # @return [Boolean]
         def above? idx
           idx < start_idx
         end
 
-        # Return the range that this tag covers
+        # Return the range that this tag covers, from start (inclusive) to
+        # end (exclusive).
+        #
+        # @return [Range]
         def range
           start_idx...end_idx
         end
@@ -38,10 +52,11 @@ module Contrast
         end
 
         # Return if a given tag overlaps this one
-        def overlaps? other
-          return true if @start_idx <  other.start_idx && @end_idx >= other.start_idx  # we start below other & end in it
-          return true if @start_idx >= other.start_idx && @end_idx <= other.end_idx    # we start and end in other
-          return true if @start_idx <= other.end_idx   && @end_idx >  other.end_idx    # we start in other & end above it
+        def overlaps? start_idx, end_idx
+          return true if @start_idx <  start_idx && @end_idx >= start_idx  # we start below range & end in it
+          return true if @start_idx >= start_idx && @end_idx <= end_idx    # we start and end in range
+
+          @start_idx <= end_idx && @end_idx > end_idx                      # we start in range & end above it
         end
 
         def shift idx
@@ -71,7 +86,7 @@ module Contrast
         # Returns true if the other tag was merged into
         # this tag
         def merge other
-          return unless overlaps?(other)
+          return unless overlaps?(other.start_idx, other.end_idx)
 
           start = other.start_idx < @start_idx ? other.start_idx : @start_idx
           finish = other.end_idx > @end_idx ? other.end_idx : @end_idx
@@ -86,7 +101,7 @@ module Contrast
           new_start_idx = start >= 0 ? start : 0
           # If a tag were to go negative, cut off the negative portion from length
           new_length = start >= 0 ? length : (length + start)
-          Contrast::Agent::Assess::Tag.new(new_length, new_start_idx)
+          Contrast::Agent::Assess::Tag.new(label, new_length, new_start_idx)
         end
 
         def str_val

data/lib/contrast/agent/at_exit_hook.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/components/interface'
 
 module Contrast
   module Agent
@@ -29,7 +29,9 @@ module Contrast
                      process_pp_id: Process.ppid)
 
         context = Contrast::Agent::REQUEST_TRACKER.current
-        Contrast::Utils::ServiceSenderUtil.send_event_immediately(context.activity) if context
+        return unless context
+
+        Contrast::Agent.messaging_queue.send_event_immediately(context.activity)
       end
     end
   end

data/lib/contrast/agent/class_reopener.rb

@@ -1,10 +1,10 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'ripper'
-cs__scoped_require 'contrast/extension/module'
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/logger/log'
+require 'ripper'
+require 'contrast/extension/module'
+require 'contrast/components/interface'
+require 'contrast/logger/log'
 
 # This method is left purposefully at the top level namespace. Moving it
 # elsewhere will break functionality as it executes evaluations against the
@@ -164,9 +164,10 @@ module Contrast
           next unless defined
 
           current = current ? current.cs__const_get(chunk) : Module.cs__const_get(chunk)
-          if current.is_a?(Class)
+          case current
+          when Class
             name_space << [chunk, Class]
-          elsif current.is_a?(Module)
+          when Module
             name_space << [chunk, Module]
           end
         end

data/lib/contrast/agent/deadzone/policy/deadzone_node.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/patching/policy/policy_node'
+require 'contrast/agent/patching/policy/policy_node'
 
 module Contrast
   module Agent

data/lib/contrast/agent/deadzone/policy/policy.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/deadzone/policy/deadzone_node'
-cs__scoped_require 'contrast/agent/patching/policy/policy'
+require 'contrast/agent/deadzone/policy/deadzone_node'
+require 'contrast/agent/patching/policy/policy'
 
 module Contrast
   module Agent

data/lib/contrast/agent/disable_reaction.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/components/interface'
 
 module Contrast
   module Agent

data/lib/contrast/agent/exclusion_matcher.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/components/interface'
 
 module Contrast
   module Agent
@@ -92,7 +92,7 @@ module Contrast
       end
 
       def code?
-        @exclusion.type == :CODE
+        @exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::CODE
       end
 
       def name
@@ -100,7 +100,7 @@ module Contrast
       end
 
       def match_all?
-        @exclusion.match_strategy == :ALL
+        @exclusion.urls.nil? || @exclusion.urls.empty?
       end
 
       # Determine if the given rule is excluded by this exclusion.

data/lib/contrast/agent/inventory/policy/datastores.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/utils/inventory_util'
+require 'contrast/components/interface'
+require 'contrast/utils/inventory_util'
 
 module Contrast
   module Agent
@@ -40,7 +40,6 @@ module Contrast
               context = Contrast::Agent::REQUEST_TRACKER.current
               return unless context&.activity
 
-              context.activity.technologies[data_store] = true
               context.activity.query_count += 1
               return unless context.activity.query_count == 1
 

data/lib/contrast/agent/inventory/policy/policy.rb

@@ -1,11 +1,11 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/inventory/policy/trigger_node'
-cs__scoped_require 'contrast/agent/patching/policy/policy'
+require 'contrast/agent/inventory/policy/trigger_node'
+require 'contrast/agent/patching/policy/policy'
 
 # classes required by patches in the policy
-cs__scoped_require 'contrast/agent/inventory/policy/datastores'
+require 'contrast/agent/inventory/policy/datastores'
 
 module Contrast
   module Agent

data/lib/contrast/agent/inventory/policy/trigger_node.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/patching/policy/trigger_node'
+require 'contrast/agent/patching/policy/trigger_node'
 
 module Contrast
   module Agent

data/lib/contrast/agent/middleware.rb

@@ -1,22 +1,19 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'ipaddr'
-cs__scoped_require 'json'
-cs__scoped_require 'rack'
-
-cs__scoped_require 'contrast/security_exception'
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/agent/service_heartbeat'
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/utils/heap_dump_util'
-cs__scoped_require 'contrast/agent/request_handler'
-cs__scoped_require 'contrast/agent/static_analysis'
-
-cs__scoped_require 'contrast/utils/timer'
-cs__scoped_require 'contrast/utils/freeze_util'
-cs__scoped_require 'contrast/utils/service_sender_util'
-cs__scoped_require 'contrast/utils/service_response_util'
+require 'ipaddr'
+require 'json'
+require 'rack'
+
+require 'contrast/security_exception'
+require 'contrast/utils/object_share'
+require 'contrast/components/interface'
+require 'contrast/utils/heap_dump_util'
+require 'contrast/agent/request_handler'
+require 'contrast/agent/static_analysis'
+
+require 'contrast/utils/timer'
+require 'contrast/utils/freeze_util'
 
 module Contrast
   module Agent
@@ -60,7 +57,7 @@ module Contrast
       #   instrumentation going forward
       def agent_startup_routine
         logger.debug_with_time('middleware: starting service') do
-          run_service_threads
+          Contrast::Agent.thread_watcher.ensure_running?
         end
 
         logger.debug_with_time('middleware: instrument shared libraries and patch') do
@@ -110,6 +107,7 @@ module Contrast
       # available globally so that it can be accessed from anywhere. A RequestHandler object is made
       # for each request, which handles prefilter and postfilter operations.
       def call_with_agent env
+        Contrast::Agent.thread_watcher.ensure_running?
         return unless AGENT.enabled?
 
         framework_request = Contrast::Agent.framework_manager.retrieve_request(env)
@@ -118,32 +116,33 @@ module Contrast
 
         # make the context available for the lifecycle of this request
         Contrast::Agent::REQUEST_TRACKER.lifespan(context) do
+          logger.request_start
           request_handler = Contrast::Agent::RequestHandler.new(context)
 
-          logger.debug_with_time('HTTP request cycle') do
-            # prefilter sequence
-            with_contrast_scope do
-              context.service_extract_request
-              request_handler.ruleset.prefilter
-            end
+          # prefilter sequence
+          with_contrast_scope do
+            context.service_extract_request
+            request_handler.ruleset.prefilter
+          end
+
+          response = application_code(env) # pass request down the Rack chain with original env
 
-            response = application_code(env) # pass request down the Rack chain with original env
-
-            # postfilter sequence
-            with_contrast_scope do
-              context.extract_after(response) # update context with final response information
-
-              if Contrast::Agent.framework_manager.streaming?(env)
-                context.reset_activity
-                request_handler.stream_safe_postfilter
-              else
-                request_handler.ruleset.postfilter
-                # return response stored in the context in case any postfilter rules updated the response data
-                response = context.response&.rack_response || response
-                request_handler.send_activity_messages
-              end
+          # postfilter sequence
+          with_contrast_scope do
+            context.extract_after(response) # update context with final response information
+
+            if Contrast::Agent.framework_manager.streaming?(env)
+              context.reset_activity
+              request_handler.stream_safe_postfilter
+            else
+              request_handler.ruleset.postfilter
+              # return response stored in the context in case any postfilter rules updated the response data
+              response = context.response&.rack_response || response
+              request_handler.send_activity_messages
             end
           end
+        ensure
+          logger.request_end
         end
 
         response
@@ -176,16 +175,6 @@ module Contrast
           raise exception
         end
       end
-
-      # TODO: RUBY-920
-      # Move this somewhere that controls our threads, ensuring they're
-      # recreated on Fork
-      #
-      # Rspec stubs over these methods for simplicity's sake in testing
-      def run_service_threads
-        Contrast::Utils::ServiceSenderUtil.start
-        Contrast::Agent::ServiceHeartbeat.new.start
-      end
     end
   end
 end

data/lib/contrast/agent/patching/policy/after_load_patch.rb

@@ -1,9 +1,9 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/extension/module'
-cs__scoped_require 'contrast/utils/class_util'
+require 'contrast/components/interface'
+require 'contrast/extension/module'
+require 'contrast/utils/class_util'
 
 module Contrast
   module Agent
@@ -59,7 +59,7 @@ module Contrast
           end
 
           def instrument!
-            cs__scoped_require instrumentation_file_path
+            require instrumentation_file_path
             if instrumenting_module
               mod = Module.cs__const_get(instrumenting_module)
               with_contrast_scope { mod.instrument } if mod

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -1,9 +1,9 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/agent/patching/policy/after_load_patch'
-cs__scoped_require 'contrast/framework/manager'
+require 'contrast/agent/patching/policy/after_load_patch'
+require 'contrast/components/interface'
+require 'contrast/framework/manager'
 
 module Contrast
   module Agent
@@ -36,6 +36,7 @@ module Contrast
                                     Contrast::Extension::Assess::FiberPropagator.instrument_fiber_track
                                     Contrast::Extension::Assess::HashPropagator.instrument_hash_track
                                     Contrast::Extension::Assess::KernelPropagator.instrument_kernel_track
+                                    Contrast::Extension::Assess::MarshalPropagator.instrument_marshal_load
                                     Contrast::Extension::Assess::RegexpPropagator.instrument_regexp_track
                                     Contrast::Extension::Assess::StringPropagator.instrument_string
                                     Contrast::Extension::Assess::StringPropagator.instrument_string_interpolation
@@ -64,8 +65,8 @@ module Contrast
           # handling
           def apply_require_patches!
             @_apply_require_patches ||= begin
-                                          cs__scoped_require 'contrast/extension/thread'
-                                          cs__scoped_require 'contrast/extension/kernel'
+                                          require 'contrast/extension/thread'
+                                          require 'contrast/extension/kernel'
                                           true
                                         rescue LoadError, StandardError => e
                                           logger.error('failed instrumenting apply_require_patches!', e)