contrast-agent 3.13.2 → 4.1.0

data/lib/contrast/config/protect_rule_configuration.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'set'
+require 'set'
 
 module Contrast
   module Config

data/lib/contrast/config/service_configuration.rb

@@ -1,11 +1,19 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/config/default_value'
+require 'contrast/config/logger_configuration'
+
 module Contrast
   module Config
     # Common Configuration settings. Those in this section pertain to the
     # communication between the Agent & the Service.
     class ServiceConfiguration < BaseConfiguration
+      # We don't set these b/c we've been asked to handle the default values of
+      # these settings differently, logging when we have to use them.
+      DEFAULT_HOST       = '127.0.0.1'
+      DEFAULT_PORT       = '30555'
+
       KEYS = {
           enable: EMPTY_VALUE,
           host: EMPTY_VALUE,

data/lib/contrast/configuration.rb

@@ -1,12 +1,12 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'yaml'
-cs__scoped_require 'fileutils'
+require 'yaml'
+require 'fileutils'
 
-cs__scoped_require 'contrast/config'
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/config'
+require 'contrast/utils/object_share'
+require 'contrast/components/interface'
 
 module Contrast
   # This is how we read in the local settings for the Agent, both ENV/ CMD line
@@ -24,8 +24,6 @@ module Contrast
     attr_reader :default_name, :root
 
     DEFAULT_YAML_PATH  = 'contrast_security.yaml'
-    DEFAULT_HOST       = '127.0.0.1'
-    DEFAULT_PORT       = '30555'
     MILLISECOND_MARKER = '_ms'
     CONVERSION = {
         'agent.service.enable' => 'agent.start_bundled_service'
@@ -37,9 +35,6 @@ module Contrast
       '/etc/contrast/',
       '/etc/'
     ].cs__freeze
-    REMOVE_FIELDS = [
-      'contrast'
-    ].cs__freeze
 
     def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH
       @default_name = default_name
@@ -53,7 +48,6 @@ module Contrast
 
       # Some in-flight rewrites to maintain backwards compatibility
       config_kv = update_prop_keys(config_kv)
-      config_kv = deprecate_fields(config_kv)
 
       @root = Contrast::Config::RootConfiguration.new(config_kv)
     end
@@ -73,6 +67,13 @@ module Contrast
       root&.cs__respond_to?(method_name) || super
     end
 
+    # Get a loggable YAML format of this configuration
+    # @return [String] the current active configuration of the Agent,
+    #   represented as a YAML string
+    def loggable
+      convert_to_hash.to_yaml
+    end
+
     protected
 
     # TODO: RUBY-546 move utility methods to auxiliary classes
@@ -80,26 +81,16 @@ module Contrast
     def load_config
       config = {}
       configuration_paths.find do |path|
-        found = File.exist?(path)
-        next unless found
+        next unless File.exist?(path)
 
-        readable = File.readable?(path)
-        unless readable
-          puts "!!! Contrast - Configuration file at #{ path } is not readable by current user"
+        unless File.readable?(path)
+          log_file_read_error(path)
           next
         end
         config = yaml_to_hash(path) || {}
         break
       end
 
-      if config.empty?
-        puts "!!! Contrast - working directory: #{ Dir.pwd }"
-        puts '!!! Contrast - valid configuration file could not be found at any of the search paths'
-        puts 'Valid configuration paths are: '
-        configuration_paths.each do |path|
-          puts(path)
-        end
-      end
       config
     end
 
@@ -109,9 +100,10 @@ module Contrast
           yaml = IO.read(path)
           yaml = ERB.new(yaml).result if defined?(ERB)
           return YAML.safe_load(yaml)
+        rescue Psych::Exception => e
+          log_yaml_parse_error(path, e)
         rescue RuntimeError => e
-          puts "ERROR: unable to load configuration from path due to #{ e }"
-          puts "ERROR: path=#{ path } pwd=#{ Dir.pwd }"
+          puts "WARN: Unable to load configuration. #{ e }; path: #{ path }, pwd: #{ Dir.pwd }"
         end
       end
 
@@ -122,29 +114,20 @@ module Contrast
     # files to match the new agreed upon standard configuration
     # names, so that one file works for all agents
     def update_prop_keys config
-      converted = false
       CONVERSION.each_pair do |old_method, new_method|
         # See if the old value was set and needs to be translated
         deprecated_keys = old_method.split('.')
-
         old_value = config
         deprecated_keys.each do |key|
           old_value = old_value[key]
           break if old_value.nil?
         end
+        next if old_value.nil? # have to account for literal false
 
-        next if old_value.nil?
-
-        converted = true
-
-        puts "The deprecated property #{ old_method } is being set."
-        puts "Please update your config to use the property #{ new_method } instead."
-
+        log_deprecated_property(old_method, new_method)
         new_keys = new_method.split('.')
-
         # We changed the seconds values into ms values. Multiply them accordingly
         old_value = old_value.to_i * 1000 if new_method.end_with?(MILLISECOND_MARKER)
-
         new_value = config
         end_idx = new_keys.length - 1
         new_keys.each_with_index do |new_key, index|
@@ -161,21 +144,6 @@ module Contrast
       config
     end
 
-    def deprecate_fields hash
-      REMOVE_FIELDS.each do |field|
-        path = field.split('.')
-        active_path = hash
-        path.each_with_index do |delete_path, index|
-          if index == path.length - 1 && active_path
-            active_path.delete(delete_path)
-          elsif active_path
-            active_path = active_path[delete_path]
-          end
-        end
-      end
-      hash
-    end
-
     # Base paths to check for the contrast configuration file, sorted by
     # reverse order of precedence (first is most important).
     def configuration_paths
@@ -208,5 +176,78 @@ module Contrast
       end
       new_hash
     end
+
+    private
+
+    # We cannot use all access components at this point, unfortunately, as they
+    # may not have been initialized. Instead, we need to access the logger
+    # directly.
+    def logger
+      @_logger ||= (Contrast::Logger::Log.instance.logger if defined?(Contrast::Logger::Log))
+    end
+
+    # When we fail to parse a configuration because it is misformatted, log an
+    # appropriate message based on the Agent Onboarding specification
+    def log_yaml_parse_error path, exception
+      hash = {
+          path: path,
+          pwd: Dir.pwd
+      }
+      if exception.is_a?(Psych::SyntaxError)
+        hash[:context] = exception.context
+        hash[:column] = exception.column
+        hash[:line] = exception.line
+        hash[:offset] = exception.offset
+        hash[:problem] = exception.problem
+      end
+
+      if logger
+        logger.warn('YAML validator found an error', hash)
+      else
+        puts "CONTRAST - WARN: YAML validator found an error. #{ hash.inspect }"
+      end
+    end
+
+    def log_file_read_error path
+      if logger
+        logger.warn('Configuration file is not readable by current user', path: path)
+      else
+        puts "CONTRAST - WARN: Configuration file is not readable by current user; path: #{ path }"
+      end
+    end
+
+    def log_deprecated_property old_method, new_method
+      if logger
+        logger.warn('Deprecated property in use', old_method: old_method, new_method: new_method)
+      else
+        puts "CONTRAST - WARN: Deprecated property in use; old_method: #{ old_method }, new_method: #{ new_method }"
+      end
+    end
+
+    # Convert this entire configuration into a hash, walking down the entries
+    # in the thing to convert and setting them in the given hash. For now, this
+    # logs every possible key, whether set or not. If we want to change that
+    # behavior, we can skip adding keys to the hash if the value is nil, blank,
+    # or Contrast::Config::DefaultValue depending on desired behavior
+    #
+    # @param hash [Hash] the hash to populate
+    # @param convert [Contrast::Config::BaseConfiguration, Object] the level of
+    #   configuration from which to convert. Note that at least one top level
+    #   Contrast::Config::BaseConfiguration is required for anything to be set
+    #   in the hash
+    # @return [Hash, Object] the leaf of each
+    #   Contrast::Config::BaseConfiguration will be returned in the N > 0 steps
+    #   the Hash will be returned at the end of the 0 level
+    def convert_to_hash convert = root, hash = {}
+      case convert
+      when Contrast::Config::BaseConfiguration
+        convert.cs__class::KEYS.each_key do |key|
+          hash[key] = convert_to_hash(convert.send(key), {})
+        end
+        hash
+      else
+        convert
+      end
+    end
   end
 end

data/lib/contrast/extension/assess.rb

@@ -12,37 +12,36 @@ module Contrast
     #   therein.
     #   Removing it requires a C refactor to handle the namespace.
     module Assess
-      cs__scoped_require 'contrast/agent/patching/policy/patcher'
+      require 'contrast/agent/patching/policy/patcher'
 
-      cs__scoped_require 'contrast/utils/tag_util'
+      require 'contrast/utils/tag_util'
 
       # provider rules - have to come before policy
-      cs__scoped_require 'contrast/agent/assess/rule/provider'
+      require 'contrast/agent/assess/rule/provider'
 
       # tagging / dataflow
-      cs__scoped_require 'contrast/agent/assess/policy/policy_node'
-      cs__scoped_require 'contrast/agent/assess/policy/source_node'
-      cs__scoped_require 'contrast/agent/assess/policy/source_method'
-      cs__scoped_require 'contrast/agent/assess/policy/propagation_node'
-      cs__scoped_require 'contrast/agent/assess/policy/propagation_method'
-      cs__scoped_require 'contrast/agent/assess/policy/trigger_node'
-      cs__scoped_require 'contrast/agent/assess/policy/trigger_method'
-      cs__scoped_require 'contrast/agent/assess/policy/policy'
-      cs__scoped_require 'contrast/agent/assess/policy/patcher'
+      require 'contrast/agent/assess/policy/policy_node'
+      require 'contrast/agent/assess/policy/source_node'
+      require 'contrast/agent/assess/policy/source_method'
+      require 'contrast/agent/assess/policy/propagation_node'
+      require 'contrast/agent/assess/policy/propagation_method'
+      require 'contrast/agent/assess/policy/trigger_node'
+      require 'contrast/agent/assess/policy/trigger_method'
+      require 'contrast/agent/assess/policy/policy'
+      require 'contrast/agent/assess/policy/patcher'
 
-      # classes that don't play nice w/ our standard propagation
-      cs__scoped_require 'contrast/extension/assess/assess_extension'
       # this needs to come first b/c array and others work on strings and
       # expect them to be trackable
-      cs__scoped_require 'contrast/extension/assess/string'
+      require 'contrast/extension/assess/string'
 
-      cs__scoped_require 'contrast/extension/assess/array'
-      cs__scoped_require 'contrast/extension/assess/erb'
-      cs__scoped_require 'contrast/extension/assess/eval_trigger'
-      cs__scoped_require 'contrast/extension/assess/fiber'
-      cs__scoped_require 'contrast/extension/assess/hash'
-      cs__scoped_require 'contrast/extension/assess/kernel'
-      cs__scoped_require 'contrast/extension/assess/regexp'
+      require 'contrast/extension/assess/array'
+      require 'contrast/extension/assess/erb'
+      require 'contrast/extension/assess/eval_trigger'
+      require 'contrast/extension/assess/fiber'
+      require 'contrast/extension/assess/hash'
+      require 'contrast/extension/assess/kernel'
+      require 'contrast/extension/assess/regexp'
+      require 'contrast/extension/assess/marshal'
     end
   end
 end

data/lib/contrast/extension/assess/array.rb

@@ -1,9 +1,9 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/patching/policy/patch'
-cs__scoped_require 'contrast/agent/patching/policy/patcher'
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/agent/patching/policy/patch'
+require 'contrast/agent/patching/policy/patcher'
+require 'contrast/components/interface'
 
 module Contrast
   module Extension
@@ -35,37 +35,44 @@ module Contrast
           # operation happens in C, we have to do it here rather than rely on the
           # patch of our String append or concat methods.
           def cs__track_join ary, separator, ret
-            return unless ary
+            return ret unless ary
             return ret if Contrast::Agent::Patching::Policy::Patch.skip_assess_analysis?
 
             with_contrast_scope do
+              properties = Contrast::Agent::Assess::Tracker.properties(ret)
+              return ret unless properties
+
               shift = 0
               separator_length = separator.nil? ? 0 : separator.to_s.length
+              parent_events = []
               ary.each do |obj|
                 if obj # skip nil here
-                  ret.cs__copy_from(obj, shift)
+                  properties.copy_from(obj, ret, shift)
                   shift += obj.to_s.length
+                  parent_event = Contrast::Agent::Assess::Tracker.properties(obj)&.event
+                  parent_events << parent_event if parent_event
                 end
                 shift += separator_length
               end
-              return ret unless ret.cs__tracked?
+              return ret unless Contrast::Agent::Assess::Tracker.tracked?(ret)
 
-              ret.cs__properties.cleanup_tags
-              ret.cs__properties.build_event(
+              properties.cleanup_tags
+              properties.build_event(
                   ARRAY_JOIN_NODE,
                   ret,
                   ary,
                   ret,
                   [separator])
+              properties.event.instance_variable_set(:@_parent_events, parent_events)
               ret
             end
           end
 
           def instrument_array_track
             @_instrument_array_track ||= begin
-                                           cs__scoped_require 'cs__assess_array/cs__assess_array'
-                                           true
-                                         end
+              require 'cs__assess_array/cs__assess_array'
+              true
+            end
           rescue StandardError, LoadError => e
             logger.error('Error loading assess track patch', e)
             false

data/lib/contrast/extension/assess/erb.rb

@@ -7,27 +7,35 @@ module ERBPropagator
     def result_tagger patcher, preshift, ret, _block
       return unless preshift.args.length >= 1
 
+      properties = Contrast::Agent::Assess::Tracker.properties(ret)
+      return unless properties
+
       used_binding = preshift.args[0]
       binding_variable_set = used_binding.local_variables
 
       erb_pre_result = preshift.object.src
+      parent_events = []
       binding_variable_set.each do |bound_var_symbol|
         bound_variable_value = used_binding.local_variable_get(bound_var_symbol)
-        next unless bound_variable_value.cs__respond_to?(:cs__tracked?) && bound_variable_value.cs__tracked?
+        next unless Contrast::Agent::Assess::Tracker.tracked?(bound_variable_value)
         next unless erb_pre_result.include?(bound_var_symbol.to_s)
 
         start_index = ret.index(bound_variable_value)
         next if start_index.nil?
 
-        ret.cs__copy_from(bound_variable_value, start_index)
+        properties.copy_from(bound_variable_value, ret, start_index)
+        parent_event = Contrast::Agent::Assess::Tracker.properties(bound_variable_value)&.event
+        parent_events << parent_event if parent_event
       end
-      ret.cs__properties.build_event(
+      properties.build_event(
           patcher,
           ret,
           preshift.object,
           ret,
           preshift.args,
           1)
+      properties.event.instance_variable_set(:@_parent_events, parent_events)
+
       ret
     end
   end

data/lib/contrast/extension/assess/eval_trigger.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/components/interface'
 
 module Contrast
   module Extension
@@ -45,9 +45,9 @@ module Contrast
 
           def instrument_basic_object_track
             @_instrument_basic_object_track ||= begin
-                                               cs__scoped_require 'cs__assess_basic_object/cs__assess_basic_object'
-                                               true
-                                             end
+              require 'cs__assess_basic_object/cs__assess_basic_object'
+              true
+            end
           rescue StandardError, LoadError => e
             logger.error('Error loading basic object track patch', e)
             false
@@ -55,9 +55,9 @@ module Contrast
 
           def instrument_module_track
             @_instrument_module_track ||= begin
-                                               cs__scoped_require 'cs__assess_module/cs__assess_module'
-                                               true
-                                             end
+              require 'cs__assess_module/cs__assess_module'
+              true
+            end
           rescue StandardError, LoadError => e
             logger.error('Error loading module track patch', e)
             false