contrast-agent 3.13.1 → 4.0.0

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -1,22 +1,22 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/extension/module'
+require 'contrast/agent/assess/policy/trigger_method'
+require 'contrast/components/interface'
+require 'contrast/extension/module'
 
 module Contrast
   module Agent
     module Assess
       module Rule
         module Provider
-          # Hardcoded rules detect if any secret value has been written directly into the
-          # sourcecode of the application. To use this base class, a provider must
-          # implement four methods
+          # Hardcoded rules detect if any secret value has been written
+          # directly into the sourcecode of the application. To use this base
+          # class, a provider must implement three methods:
           # 1) name_passes? : does the constant name match a given value set
-          # 2) value_type_passes? : does the type of the value of the constant match the
-          #    type given
-          # 3) value_passes? : does the value of the constant match a given value set
-          # 4) redacted_marker : the value to plug in for the obfuscated value
+          # 2) value_node_passes? : does the value of the constant match a
+          #    given value set
+          # 3) redacted_marker : the value to plug in for the obfuscated value
           module HardcodedValueRule
             include Contrast::Components::Interface
             access_component :analysis, :app_context, :logging
@@ -25,6 +25,7 @@ module Contrast
               !ASSESS.enabled? || ASSESS.rule_disabled?(rule_id)
             end
 
+            # TODO: RUBY-1014 - remove `#analyze`
             COMMON_CONSTANTS = %i[
               CONTRAST_ASSESS_POLICY_STATUS
               VERSION
@@ -69,10 +70,31 @@ module Contrast
                 # if it looks like a placeholder / pointer to a config, skip it
                 next unless value_passes?(value)
 
-                report_finding(clazz, constant_string)
+                build_finding(clazz, constant_string)
               end
             end
 
+            # Parse the file pertaining to the given TracePoint to walk its AST
+            # to determine if a Constant is hardcoded. For our purposes, this
+            # hard coding means directly set rather than as an interpolated
+            # String or through a method call.
+            #
+            # Note: This is a top layer check, we make no assertions about what
+            # the methods or interpolations do. Their presence, even if only
+            # calling a hardcoded thing, causes this check to not report.
+            #
+            # @param trace_point [TracePoint] the TracePoint event created on
+            #   the :end of a Module being loaded
+            # @param ast [RubyVM::AbstractSyntaxTree::Node] the abstract syntax
+            #   tree of the Module defined in the TracePoint end event
+            def parse trace_point, ast
+              return if disabled?
+
+              parse_ast(trace_point.self, ast)
+            rescue StandardError => e
+              logger.error('Unable to parse AST for hardcoded keys', e, module: trace_point.self)
+            end
+
             # Constants can be variable or classes defined in the given
             # class. We ONLY want the variables, which should be defined in
             # the MACRO_CASE (upper case & underscore format)
@@ -90,7 +112,57 @@ module Contrast
 
             private
 
-            def report_finding clazz, constant_string
+            # @param mod [Module] the module to which this AST pertains
+            # @param ast [RubyVM::AbstractSyntaxTree::Node, Object] a node
+            #   within the AST, which may be a leaf, so any Object
+            def parse_ast mod, ast
+              return unless ast.cs__is_a?(RubyVM::AbstractSyntaxTree::Node)
+              return unless ast.cs__respond_to?(:children)
+
+              children = ast.children
+              return unless children.any?
+
+              ast.children.each do |child|
+                parse_ast(mod, child)
+              end
+
+              # https://www.rubydoc.info/gems/ruby-internal/Node/CDECL
+              return unless ast.type == :CDECL
+
+              # The CDECL Node has two children, the first being the Constant
+              # name as a symbol, the second as the value to assign to that
+              # constant
+              children = ast.children
+              name = children[0].to_s
+              # If that constant name doesn't pass our checks, move on.
+              return unless name_passes?(name)
+
+              value = children[1]
+              # The assignment node could be a direct value or a call of some
+              # sort. We leave it to each rule to properly handle these nodes.
+              return unless value_node_passes?(value)
+
+              build_finding(mod, name)
+            end
+
+            # Constants can be set as frozen directly. We need to account for
+            # this change as it means the Node given to the :CDECL call will be
+            # a :CALL, not a constant.
+            #
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean] is this a freeze call or not
+            def freeze_call? value_node
+              return false unless value_node.type == :CALL
+
+              children = value_node.children
+              return false unless children
+              return false unless children.length >= 2
+
+              children[1] == :freeze
+            end
+
+            def build_finding clazz, constant_string
               class_name = clazz.cs__name
 
               finding = Contrast::Api::Dtm::Finding.new
@@ -104,13 +176,10 @@ module Contrast
               hash = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.protobuf_safe_string(hash)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
-
-              activity = Contrast::Api::Dtm::Activity.new
-              activity.findings << finding
-
-              Contrast::Agent.messaging_queue.send_event_eventually(activity)
+              Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
             rescue StandardError => e
               logger.error('Unable to build a finding for Hardcoded Rule', e)
+              nil
             end
           end
         end

data/lib/contrast/agent/assess/tag.rb

@@ -14,7 +14,7 @@ module Contrast
 
         # Initialize a new tag
         #
-        # @param label [String] the lable of the tag
+        # @param label [String] the label of the tag
         # @param length [Integer] the length of the string described with this
         #   tag
         # @param start_idx [Integer] (0) the starting position in the string for

data/lib/contrast/agent/assess/tracker.rb

@@ -0,0 +1,66 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/finalizers/hash'
+
+module Contrast
+  module Agent
+    module Assess
+      # How we track the Assess properties attached to objects
+      #
+      # Finalized objects should run through this class as the Finalizers
+      # have tightly coupled dependencies on each other.
+      class Tracker
+        PROPERTIES_HASH = Contrast::Agent::Assess::Finalizers::Hash.new
+
+        class << self
+          def properties source
+            return unless trackable?(source)
+
+            PROPERTIES_HASH[source] ||= Contrast::Agent::Assess::Properties.new
+          end
+
+          def trackable? source
+            PROPERTIES_HASH.trackable?(source)
+          end
+
+          def tracked? source
+            PROPERTIES_HASH.tracked?(source)
+          end
+
+          def pre_freeze source
+            PROPERTIES_HASH.pre_freeze(source)
+          end
+
+          # Copy the properties from one object to the next, assuming the
+          # target does not already have its own properties.
+          #
+          # @param source [Object] the instance from which to copy properties
+          # @param target [Object] the instance to which to copy properties
+          def copy source, target
+            PROPERTIES_HASH[target] ||= properties(source).dup
+          end
+
+          # Duplicate the given object, returning the duplicate after copying
+          # the properties of the original and storing them as the properties
+          # of the duplicate.
+          #
+          # @param source [Object] the thing to duplicate
+          # @return [Object] the duplicate of the original, or the original if
+          #   it does not respond to duplication
+          def duplicate source
+            return source unless source
+
+            duplicate = source.dup
+            PROPERTIES_HASH[duplicate] ||= PROPERTIES_HASH[source].dup
+            duplicate
+          rescue StandardError
+            source
+          end
+        end
+      end
+    end
+  end
+end
+
+require 'contrast/agent/assess/finalizers/freeze'

data/lib/contrast/agent/at_exit_hook.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/components/interface'
 
 module Contrast
   module Agent
@@ -11,11 +11,11 @@ module Contrast
       access_component :logging
       def self.exit_hook
         @_exit_hook ||= begin
-                          at_exit do
-                            on_exit
-                          end
-                          true
-                        end
+          at_exit do
+            on_exit
+          end
+          true
+        end
       end
 
       # Actions to take when a process exits. Typically called from our

data/lib/contrast/agent/class_reopener.rb

@@ -1,10 +1,10 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'ripper'
-cs__scoped_require 'contrast/extension/module'
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/logger/log'
+require 'ripper'
+require 'contrast/extension/module'
+require 'contrast/components/interface'
+require 'contrast/logger/log'
 
 # This method is left purposefully at the top level namespace. Moving it
 # elsewhere will break functionality as it executes evaluations against the
@@ -37,7 +37,7 @@ module Contrast
     #   being phased out with support for those language versions.
     class ClassReopener
       include Contrast::Components::Interface
-      access_component :logging
+      access_component :logging, :scope
 
       END_NEW_LINE = "end\n"
       PROTECTED_WITH_NEW_LINE = "protected\n"
@@ -101,11 +101,13 @@ module Contrast
       # Evaluate the patches that have been staged for this class, replacing
       # the method definitions with those our rewrite.
       def commit_patches
-        return unless staged_changes?
+        with_contrast_scope do
+          return unless staged_changes?
 
-        content = build_content
-        valid = Ripper.sexp(content)
-        unbound_eval(class_name, content) if !!valid && !class_name.empty?
+          content = build_content
+          valid = Ripper.sexp(content)
+          unbound_eval(class_name, content) if !!valid && !class_name.empty?
+        end
       end
 
       # Find the sourcecode of the method at the given location and return it
@@ -164,9 +166,10 @@ module Contrast
           next unless defined
 
           current = current ? current.cs__const_get(chunk) : Module.cs__const_get(chunk)
-          if current.is_a?(Class)
+          case current
+          when Class
             name_space << [chunk, Class]
-          elsif current.is_a?(Module)
+          when Module
             name_space << [chunk, Module]
           end
         end

data/lib/contrast/agent/deadzone/policy/deadzone_node.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/patching/policy/policy_node'
+require 'contrast/agent/patching/policy/policy_node'
 
 module Contrast
   module Agent

data/lib/contrast/agent/deadzone/policy/policy.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/deadzone/policy/deadzone_node'
-cs__scoped_require 'contrast/agent/patching/policy/policy'
+require 'contrast/agent/deadzone/policy/deadzone_node'
+require 'contrast/agent/patching/policy/policy'
 
 module Contrast
   module Agent

data/lib/contrast/agent/disable_reaction.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/components/interface'
 
 module Contrast
   module Agent

data/lib/contrast/agent/exclusion_matcher.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/components/interface'
 
 module Contrast
   module Agent

data/lib/contrast/agent/inventory.rb

@@ -0,0 +1,15 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    # Namespace used for inventory behavior
+    module Inventory
+    end
+  end
+end
+
+require 'contrast/agent/inventory/dependencies'
+require 'contrast/agent/inventory/gemfile_digest_cache'
+require 'contrast/agent/inventory/dependency_usage_analysis'
+require 'contrast/agent/inventory/dependency_analysis'

data/lib/contrast/agent/inventory/dependencies.rb

@@ -0,0 +1,50 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Inventory
+      # this module is included in classes that need access to the applications dependencies
+      module Dependencies
+        CONTRAST_AGENT = 'contrast-agent'
+
+        # the #clone is necessary here, as a require in another thread could
+        # potentially result in adding a key to the loaded_specs hash during
+        # iteration.  (as in RUBY-330)
+        # this takes care of filtering out contrast-only dependencies
+        def loaded_specs
+          specs = Gem.loaded_specs.clone
+          specs.delete_if { |name, _v| contrast?(name) }
+        end
+
+        private
+
+        def contrast_gems
+          @_contrast_gems ||= find_contrast_gems
+        end
+
+        def contrast? name
+          contrast_gems.include?(name)
+        end
+
+        # Go through all dependents, given as a pair from the DependencyList: `dependency`
+        # is the dependency itself, filled with all its specs. `dependents` is the array of reverse
+        # dependencies for the aforementioned dependency. If the dependency is also in contrast_dep_set,
+        # then contrast depends on it. If its array of dependents is 1, then contrast is the
+        # only dependency in that list. Since only contrast depends on it, we should ignore it.
+        def find_contrast_gems
+          ignore = Set.new([CONTRAST_AGENT])
+          contrast_specs = Gem::DependencyList.from_specs.specs.find do |dependency|
+            dependency.name == CONTRAST_AGENT
+          end
+          contrast_dep_set = contrast_specs.dependencies.map(&:name).to_set
+
+          Gem::DependencyList.from_specs.spec_predecessors.each_pair do |dependency, dependents|
+            ignore.add(dependency.name) if contrast_dep_set.include?(dependency.name) && dependents.length == 1
+          end
+          ignore
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/inventory/dependency_analysis.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/inventory/dependencies'
+require 'contrast/components/interface'
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Inventory
+      # Used to collect dependencies of the application for reporting
+      class DependencyAnalysis
+        include Singleton
+        include Contrast::Agent::Inventory::Dependencies
+        include Contrast::Components::Interface
+
+        access_component :analysis
+
+        # Report the dependencies of this application
+        #
+        # @return [Array<Contrast::Api::Dtm::Library>] protobuf form of the
+        #   Gem::Specification that have been loaded for this application.
+        def library_pb_list
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless INVENTORY.enabled?
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless INVENTORY.analyze_libraries?
+
+          loaded_specs.each_with_object([]) do |(_name, spec), reported_lib_list|
+            next unless spec
+            next unless (digest = Contrast::Utils::Sha256Builder.instance.build_from_spec(spec))
+
+            reported_lib_list << Contrast::Api::Dtm::Library.build(digest, spec)
+          end
+        end
+      end
+    end
+  end
+end