contrast-agent 3.13.0 → 3.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64a4e6fe5f8f75e8ab4bb911e696330a10e1a3edb95c027a03dd0b8704e23f3e
-  data.tar.gz: f031d456741cb0d955030805efd73f8cb2495ca7c927a15121c5ef88a6d86ec7
+  metadata.gz: c2172066d6736b55c6754bb6913ec9fb9962ac1b818a85b4faa7ef822bb5df97
+  data.tar.gz: 209286f4ef6ce8b688e3849a502ece6cfc914f795fae25b5cb417b3fa3998b50
 SHA512:
-  metadata.gz: e2fac539c17b2cb20ab407f6ded931316f97529073907a3f03ee7ef8774a2e18a597d5c47406e44cb86111338e7d31170399543a1778bb7154eaf618b4e03635
-  data.tar.gz: 44e2552f7ee995f73514c62b10002096fcf8f462bdbc573cceb623f9a42786c2421d16490962a9575d777a792fd9ea459d41630e2de9cf60e55c61ecc0fb8403
+  metadata.gz: e6c19a309c1d7c7e2600d2f90d5da2664c315550be00475720165dde741d821d3ceb391282831aeb8ddcbe8e86b50b48d741d5c63d85c7a92c38ef0e54b7b0cd
+  data.tar.gz: f4c1a92e5272730285b467c63768e31b1d6d7cb4266cbd6133c6de312603fcabc9c3bc814bc7f20d48fa444651fb040713ed1438b70076e9be9be396dab6603b

data/exe/contrast_service

@@ -3,19 +3,13 @@
 # frozen_string_literal: true
 
 def mac?
-  RUBY_PLATFORM.match?(/darwin/)
-end
-
-def windows?
-  RUBY_PLATFORM.match?(/cygwin|mswin|mingw|bccwin|wince|emx/)
+  RUBY_PLATFORM.include?('darwin')
 end
 
 def path
   base_path = "#{ File.dirname(__FILE__) }/.."
   if mac?
     "#{ base_path }/service_executables/mac/contrast-service"
-  elsif windows?
-    "#{ base_path }/service_executables/windows/contrast-service.exe"
   else
     "#{ base_path }/service_executables/linux/contrast-service"
   end

data/ext/cs__assess_active_record_named/cs__active_record_named.c

@@ -2,8 +2,8 @@
  * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
 
 #include "cs__active_record_named.h"
-#include <ruby.h>
 #include "../cs__common/cs__common.h"
+#include <ruby.h>
 
 VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
                                           const VALUE self) {
@@ -19,7 +19,8 @@ VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
      */
     VALUE new_body, ret;
     VALUE new_args[3];
-    new_body = rb_funcall(active_record_named, rb_sym_assess_rewrite, 3, self, argv[0], argv[1]);
+    new_body = rb_funcall(active_record_named, rb_sym_assess_rewrite, 3, self,
+                          argv[0], argv[1]);
     new_args[0] = argv[0];
     if (NIL_P(new_body)) {
         new_args[1] = argv[1];
@@ -36,10 +37,10 @@ void Init_cs__assess_active_record_named(void) {
     framework = rb_define_module_under(contrast, "Framework");
     rails = rb_define_module_under(framework, "Rails");
     rewrite = rb_define_module_under(rails, "Rewrite");
-    active_record_named = rb_define_class_under(rewrite, "ActiveRecordNamed", rb_cObject);
+    active_record_named =
+        rb_define_class_under(rewrite, "ActiveRecordNamed", rb_cObject);
     rb_sym_assess_rewrite = rb_intern("rewrite");
-    rb_sym_assess_scope   = contrast_register_patch("ActiveRecord::Scoping::Named::ClassMethods",
-                                                    "scope",
-                                                    contrast_assess_active_record_scope);
+    rb_sym_assess_scope =
+        contrast_register_patch("ActiveRecord::Scoping::Named::ClassMethods",
+                                "scope", contrast_assess_active_record_scope);
 }
-

data/ext/cs__assess_array/cs__assess_array.c

@@ -23,15 +23,16 @@ static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
     /* Finally, default to empty String. Implicit since nil.to_s is ''*/
 
     result = rb_funcall2(ary, rb_sym_assess_array_join, argc, argv);
-    result = rb_funcall(array_propagator, rb_sym_assess_track_array_join, 3, ary, sep, result);
+    result = rb_funcall(array_propagator, rb_sym_assess_track_array_join, 3,
+                        ary, sep, result);
 
     return result;
 }
 
 void Init_cs__assess_array(void) {
-    array_propagator = rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
+    array_propagator =
+        rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
     rb_sym_assess_track_array_join = rb_intern("cs__track_join");
-    rb_sym_assess_array_join = contrast_register_patch("Array",
-                                                       "join",
-                                                       contrast_assess_array_join);
+    rb_sym_assess_array_join =
+        contrast_register_patch("Array", "join", contrast_assess_array_join);
 }

data/ext/cs__assess_basic_object/cs__assess_basic_object.c

@@ -7,7 +7,8 @@
 
 void contrast_assess_instance_eval_trigger_check(VALUE self, VALUE source,
                                                  VALUE ret) {
-    rb_funcall(basic_eval_trigger, instance_trigger_check_method, 3, self, source, ret);
+    rb_funcall(basic_eval_trigger, instance_trigger_check_method, 3, self,
+               source, ret);
 }
 
 VALUE
@@ -36,7 +37,8 @@ contrast_assess_basic_object_instance_eval(const int argc, const VALUE *argv,
 }
 
 void Init_cs__assess_basic_object(void) {
-    basic_eval_trigger = rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
+    basic_eval_trigger =
+        rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
     instance_trigger_check_method = rb_intern("instance_eval_trigger_check");
 
     /* We don't keep a reference to the underlying method.
@@ -45,8 +47,6 @@ void Init_cs__assess_basic_object(void) {
      * but if someone else patched BasicObject#instance_eval,
      * IDK if this is intentional... noting it.  -ajm
      */
-    contrast_register_patch("BasicObject",
-                            "instance_eval",
+    contrast_register_patch("BasicObject", "instance_eval",
                             contrast_assess_basic_object_instance_eval);
-
 }

data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c

@@ -73,7 +73,8 @@ int install_fiber_hooks() {
 }
 
 void Init_cs__assess_fiber_track(void) {
-    fiber_propagator = rb_define_class_under(core_assess, "FiberPropagator", rb_cObject);
+    fiber_propagator =
+        rb_define_class_under(core_assess, "FiberPropagator", rb_cObject);
     track_rb_fiber_new = rb_intern("track_rb_fiber_new");
     track_rb_fiber_yield = rb_intern("track_rb_fiber_yield");
     rb_sym_next = rb_intern("next");

data/ext/cs__assess_hash/cs__assess_hash.c

@@ -12,23 +12,24 @@
  * This method instruments that unique bracket-construction style
  * of initializing a hash.
  */
-static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *argv,
-                                              const VALUE hash) {
+static VALUE contrast_assess_hash_bracket_constructor(const int argc,
+                                                      VALUE *argv,
+                                                      const VALUE hash) {
     VALUE result;
 
     /* Array of Arrays: Hash[ [ [key, value], ... ] ]   -> new_hash */
     if (RB_TYPE_P(argv[0], T_ARRAY)) {
         int i;
         for (i = 0; i < argc; i++) {
-            argv[i] =
-                rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
+            argv[i] = rb_funcall(hash_propagator,
+                                 rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
         }
         /* Hash[ key, value, ... ]         -> new_hash */
     } else if (argc > 1) {
         int i;
         for (i = 0; i < argc; i += 2) {
-            argv[i] =
-                rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
+            argv[i] = rb_funcall(hash_propagator,
+                                 rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
         }
     }
 
@@ -36,7 +37,8 @@ static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *arg
      * String keys
      * # Hash[ object ]                  -> new_hash
      */
-    result = rb_funcall2(hash, rb_sym_assess_hash_bracket_constructor, argc, argv);
+    result =
+        rb_funcall2(hash, rb_sym_assess_hash_bracket_constructor, argc, argv);
 
     return result;
 }
@@ -61,8 +63,9 @@ static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
      * We haven't revisited this approach since we started more extensively
      * hooking public C functions.)
      */
-    if(argc > 0) {
-        argv[0] = rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[0]);
+    if (argc > 0) {
+        argv[0] = rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze,
+                             1, argv[0]);
     }
     /* This is the underlying assignment, w/ our instrumented key. */
     result = rb_funcall2(hash, rb_sym_assess_hash_bracket_equals, argc, argv);
@@ -71,17 +74,15 @@ static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
 }
 
 void Init_cs__assess_hash(void) {
-    hash_propagator = rb_define_class_under(core_assess, "HashPropagator", rb_cObject);
+    hash_propagator =
+        rb_define_class_under(core_assess, "HashPropagator", rb_cObject);
     rb_sym_assess_hash_dup_and_freeze = rb_intern("cs__duplicate_and_freeze");
 
     VALUE hash_class = rb_define_class("Hash", rb_cObject);
 
-    rb_sym_assess_hash_bracket_constructor = contrast_register_singleton_patch("Hash",
-                                                                               "[]",
-                                                                               contrast_assess_hash_bracket_constructor);
-
-    rb_sym_assess_hash_bracket_equals = contrast_register_patch("Hash",
-                                                                "[]=",
-                                                                contrast_assess_hash_bracket_set);
+    rb_sym_assess_hash_bracket_constructor = contrast_register_singleton_patch(
+        "Hash", "[]", contrast_assess_hash_bracket_constructor);
 
+    rb_sym_assess_hash_bracket_equals = contrast_register_patch(
+        "Hash", "[]=", contrast_assess_hash_bracket_set);
 }

data/ext/cs__assess_hash/cs__assess_hash.h

@@ -13,7 +13,8 @@ static VALUE hash_propagator;
  * ahead of time should avoid this, similar to the behavior of the -@ Strings
  * -HM
  */
-static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *argv,
+static VALUE contrast_assess_hash_bracket_constructor(const int argc,
+                                                      VALUE *argv,
                                                       const VALUE hash);
 
 static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,

data/ext/cs__assess_kernel/cs__assess_kernel.c

@@ -18,8 +18,9 @@ contrast_patched_kernel_exec(const int argc, const VALUE *argv,
         rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
     }
 
-    /* maybe this should be rb_funcall2.  this works right now because *argv == argv[0].
-     * exec shouldn't ever be called with != 1 argc, so not a huge problem */
+    /* maybe this should be rb_funcall2.  this works right now because *argv ==
+     * argv[0]. exec shouldn't ever be called with != 1 argc, so not a huge
+     * problem */
     return rb_funcall(self, rb_sym_assess_kernel_exec, argc, *argv);
 }
 
@@ -27,12 +28,10 @@ void Init_cs__assess_kernel(void) {
     kernel_propagator = rb_define_module_under(core_assess, "KernelPropagator");
     exec_apply_trigger = rb_intern("apply_trigger");
 
-    rb_sym_assess_kernel_exec = contrast_register_patch("Kernel",
-                                                        "exec",
-                                                        contrast_patched_kernel_exec);
+    rb_sym_assess_kernel_exec =
+        contrast_register_patch("Kernel", "exec", contrast_patched_kernel_exec);
 
     /* should return the same value as above */
-    rb_sym_assess_kernel_exec = contrast_register_singleton_patch("Kernel",
-                                                                  "exec",
-                                                                  contrast_patched_kernel_exec);
+    rb_sym_assess_kernel_exec = contrast_register_singleton_patch(
+        "Kernel", "exec", contrast_patched_kernel_exec);
 }

data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c

@@ -9,26 +9,24 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
                                                  const VALUE *argv) {
     VALUE result;
     VALUE source_string;
-
     result = rb_call_super(argc, argv);
 
     if (argc >= 1) {
         source_string = argv[0];
 
-        if (rb_respond_to(source_string, rb_sym_cs_tracked)) {
-            VALUE tracked = rb_funcall(source_string, rb_sym_cs_tracked, 0);
+        VALUE tracked =
+            rb_funcall(properties_hash, rb_sym_hash_tracked, 1, source_string);
 
-            if (tracked == Qtrue) {
-                VALUE skip = rb_funcall(contrast_patcher(),
-                                        rb_sym_skip_assess_analysis, 0);
+        if (tracked == Qtrue) {
+            VALUE skip =
+                rb_funcall(contrast_patcher(), rb_sym_skip_assess_analysis, 0);
 
-                if (skip == Qfalse) {
-                    VALUE scope =
-                        rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
-                    rb_funcall(marshal_module, rb_sym_assess_load_trigger_check,
-                               2, source_string, result);
-                    rb_funcall(contrast_patcher(), rb_sym_exit_scope, 1, scope);
-                }
+            if (skip == Qfalse) {
+                VALUE scope =
+                    rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
+                rb_funcall(marshal_module, rb_sym_assess_load_trigger_check, 2,
+                           source_string, result);
+                rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
             }
         }
     }
@@ -36,9 +34,13 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
 }
 
 void Init_cs__assess_marshal_module(void) {
+    // Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
+    VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
+    properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
+    marshal_module =
+        rb_define_class_under(core_assess, "MarshalPropagator", rb_cObject);
     rb_sym_assess_load_trigger_check = rb_intern("cs__load_trigger_check");
 
-    contrast_register_singleton_prepend_patch("Marshal",
-                                              "load",
-                                              &contrast_assess_marshal_module_load);
+    contrast_register_singleton_prepend_patch(
+        "Marshal", "load", &contrast_assess_marshal_module_load);
 }

data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h

@@ -3,6 +3,7 @@
 static VALUE marshal_module;
 
 static VALUE rb_sym_assess_load_trigger_check;
+static VALUE properties_hash;
 
 /*
  * Rails is a jerk. In Rails 5, they decided to do away with the alias chaining

data/ext/cs__assess_module/cs__assess_module.c

@@ -21,7 +21,8 @@ void contrast_assess_eval_trigger_check(VALUE module, VALUE source, VALUE ret) {
         /* If this method ever throws an exception, the scope-leave
          * needs to be moved within a rescue call.
          */
-        rb_funcall(module_eval_trigger, trigger_check_method, 4, module, source, ret, method);
+        rb_funcall(module_eval_trigger, trigger_check_method, 4, module, source,
+                   ret, method);
     }
 
     rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
@@ -57,7 +58,8 @@ contrast_assess_module_module_eval(const int argc, const VALUE *argv,
 }
 
 void Init_cs__assess_module(void) {
-    module_eval_trigger = rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
+    module_eval_trigger =
+        rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
     trigger_check_method = rb_intern("eval_trigger_check");
 
     rb_sym_assess_patch_eval = rb_intern("patch_assess_on_eval");
@@ -69,11 +71,9 @@ void Init_cs__assess_module(void) {
      * See similar comments in basic_object C ext patch.
      */
 
-    contrast_register_patch("Module",
-                            "class_eval",
+    contrast_register_patch("Module", "class_eval",
                             contrast_assess_module_class_eval);
 
-    contrast_register_patch("Module",
-                            "module_eval",
+    contrast_register_patch("Module", "module_eval",
                             contrast_assess_module_module_eval);
 }

data/ext/cs__assess_regexp/cs__assess_regexp.c

@@ -29,7 +29,8 @@ static VALUE contrast_assess_regexp_equal_squiggle(const int argc,
 }
 
 void Init_cs__assess_regexp(void) {
-    regexp_propagator = rb_define_class_under(core_assess, "RegexpPropagator", rb_cObject);
+    regexp_propagator =
+        rb_define_class_under(core_assess, "RegexpPropagator", rb_cObject);
     rb_sym_assess_track_regexp = rb_intern("track_equal_squiggle");
 
     /* These are the keys we use to define our hash of
@@ -46,7 +47,6 @@ void Init_cs__assess_regexp(void) {
     rb_sym_back_ref = ID2SYM(rb_intern("back_ref"));
     rb_global_variable(&rb_sym_back_ref);
 
-    rb_sym_assess_regexp_equal_squiggle = contrast_register_patch("Regexp",
-                                                                  "=~",
-                                                                  contrast_assess_regexp_equal_squiggle);
+    rb_sym_assess_regexp_equal_squiggle = contrast_register_patch(
+        "Regexp", "=~", contrast_assess_regexp_equal_squiggle);
 }

data/ext/cs__assess_string/cs__assess_string.c

@@ -5,21 +5,31 @@
 #include "../cs__common/cs__common.h"
 #include <ruby.h>
 
+static VALUE contrast_assess_string_freeze(const int argc, VALUE *argv,
+                                           const VALUE obj) {
+    if (!OBJ_FROZEN(obj)) {
+        rb_funcall(properties_hash, rb_sym_pre_freeze, 1, obj);
+    }
+    return rb_funcall(obj, rb_sym_assess_string_freeze, 0);
+}
+
 static VALUE contrast_assess_string_uminus(const int argc, VALUE *argv,
-                                              const VALUE obj) {
-    VALUE dup, tracked;
+                                           const VALUE obj) {
     if (!OBJ_FROZEN(obj)) {
-        tracked = rb_funcall(obj, rb_sym_cs_tracked, 0);
-        if (RTEST(tracked)) {
-            /*
-             * If the object is not frozen and the object is tracked, we cheat.
-             * We dup and then freeze to replicate the behavior of str_uminus in
-             * string.c, but we ignore any other monkey patches on String#-@
-             */
-            dup = rb_funcall(obj, rb_sym_dup, 0);
-            rb_funcall(dup, rb_sym_freeze, 0);
-            return dup;
-        }
+        /* We're doing something intentionally different here. Ruby, for -@,
+         * attempts to de-duplicate the String and use an "interned" copy of
+         * the String. We cannot allow that to happen for a couple reasons:
+         * - prior to Ruby 2.7, this would cause us to track ALL instances of
+         *   that interned copy.
+         * - 2.7 and later, this action is actually missed because of a change
+         *   to the str_uminus method in Ruby, which dups the String in a way
+         *   that we cannot see.
+         * B/c we cannot track this in 2.7, rather than having a version check
+         * and two approaches, we'll instead directly call the #freeze method,
+         * so the end result is that this String itself is frozen and never
+         * deduplicated.
+         */
+        return contrast_assess_string_freeze(argc, argv, obj);
     }
     /* in all other cases, preserve monkey patching and c call */
     return rb_funcall(obj, rb_sym_assess_string_uminus, 0);
@@ -28,8 +38,13 @@ static VALUE contrast_assess_string_uminus(const int argc, VALUE *argv,
 void Init_cs__assess_string(void) {
     rb_sym_dup = rb_intern("dup");
     rb_sym_freeze = rb_intern("freeze");
+    rb_sym_pre_freeze = rb_intern("pre_freeze");
+    // Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
+    VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
+    properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
 
-    rb_sym_assess_string_uminus = contrast_register_patch("String",
-                                                          "-@",
-                                                          &contrast_assess_string_uminus);
+    rb_sym_assess_string_uminus =
+        contrast_register_patch("String", "-@", &contrast_assess_string_uminus);
+    rb_sym_assess_string_freeze = contrast_register_patch(
+        "String", "freeze", &contrast_assess_string_freeze);
 }

data/ext/cs__assess_string/cs__assess_string.h

@@ -1,8 +1,13 @@
 #include <ruby.h>
 
 static VALUE rb_sym_assess_string_uminus;
+static VALUE rb_sym_assess_string_freeze;
+// Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
+static VALUE properties_hash;
 static VALUE rb_sym_dup;
 static VALUE rb_sym_freeze;
+static VALUE rb_sym_pre_freeze;
+static VALUE properties_hash;
 
 /*
  * The String#-@ method calls to the str_uminus method in String.C. This method
@@ -15,6 +20,6 @@ static VALUE rb_sym_freeze;
  * -HM
  */
 static VALUE contrast_assess_string_uminus(const int argc, VALUE *argv,
-                                              const VALUE obj);
+                                           const VALUE obj);
 
 void Init_cs__assess_string(void);