contrast-agent 3.13.2 → 4.1.0

data/lib/contrast/agent/assess/events/event_factory.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/assess/contrast_event'
-cs__scoped_require 'contrast/agent/assess/events/source_event'
+require 'contrast/agent/assess/contrast_event'
+require 'contrast/agent/assess/events/source_event'
 
 module Contrast
   module Agent

data/lib/contrast/agent/assess/events/source_event.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/assess/contrast_event'
-cs__scoped_require 'contrast/utils/string_utils'
+require 'contrast/agent/assess/contrast_event'
+require 'contrast/utils/string_utils'
 
 module Contrast
   module Agent
@@ -21,7 +21,7 @@ module Contrast
             @request = Contrast::Agent::REQUEST_TRACKER.current&.request
           end
 
-          def find_parent_ids _policy_node, _object, _ret, _args
+          def parent_events
             nil
           end
 

data/lib/contrast/agent/assess/finalizers/freeze.rb

@@ -0,0 +1,15 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/tracker'
+
+# Our patch of the Object#freeze method, allowing any Object we track to
+# function with our Contrast::Agent::Assess::Finalizers::Hash
+class Object
+  alias_method :cs__patched_object_freeze, :freeze
+
+  def freeze
+    Contrast::Agent::Assess::Tracker.pre_freeze(self)
+    cs__patched_object_freeze
+  end
+end

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -0,0 +1,97 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/duck_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Finalizers
+        # An extension of Hash that doesn't impact GC of the object being
+        # stored by storing its ID as a Key to lookup and registering a
+        # finalizer on the object to remove its entry from the Hash immediately
+        # after it's GC'd.
+        class Hash < Hash
+          FROZEN_FINALIZED_IDS = Set.new
+
+          def []= key, obj
+            # We can't finalize frozen things, so only act on those that went
+            # through .pre_freeze
+            if key.cs__frozen?
+              return unless FROZEN_FINALIZED_IDS.include?(key.__id__)
+            else
+              ObjectSpace.define_finalizer(key, finalize(key.__id__))
+            end
+            super key.__id__, obj
+          end
+
+          def [] key
+            super key.__id__
+          end
+
+          # Something is trackable if it is not a collection and either not
+          # frozen or it was frozen after we put a finalizer on it.
+          #
+          # @param key [Object] the thing to determine if trackable
+          # @return [Boolean]
+          def trackable? key
+            # Track things in these, not them themselves.
+            return false if Contrast::Utils::DuckUtils.iterable_hash?(key)
+            return false if Contrast::Utils::DuckUtils.iterable_enumerable?(key)
+            # If it's not frozen, we can finalize/ track it.
+            return true unless key.cs__frozen?
+
+            # Otherwise, we can only track it if we've finalized it in our
+            # freeze patch.
+            FROZEN_FINALIZED_IDS.include?(key.__id__)
+          end
+
+          # Determine if the given Object is tracked, meaning it has a known
+          # set of properties and those properties are tracked.
+          #
+          # @param key [Object] the Object whose properties, by id, we want to
+          #   check for tracked status
+          # @return [Boolean]
+          def tracked? key
+            key?(key.__id__) && fetch(key.__id__, nil)&.tracked?
+          end
+
+          # Remove the given key from our frozen and properties tracking during
+          # finalization of the Object to which the given key_id pertains.
+          # NOTE: by necessity, this is the only method which takes the __id__,
+          # not the Object itself. You CANNOT pass the Object to this as a
+          # finalizer cannot hold reference to the Object being finalized; that
+          # prevents GC, which introduces a memory leak and defeats the entire
+          # purpose of this.
+          #
+          # @param key_id [Integer] the Object Identifier to clean up during
+          #   finalization.
+          def finalize key_id
+            proc do
+              FROZEN_FINALIZED_IDS.delete(key_id)
+              delete(key_id)
+            end
+          end
+
+          # Frozen things cannot be finalized. To avoid any issue here, we
+          # intercept the #freeze call and set finalizers on the Object. To
+          # ensure later we know it's been pre-finalized, we add it's __id__ to
+          # our tracking.
+          #
+          # @param key [Object] the Object on which we need to pre-define
+          #   finalizers
+          def pre_freeze key
+            return if key.cs__frozen?
+            return if FROZEN_FINALIZED_IDS.include?(key.__id__)
+
+            ObjectSpace.define_finalizer(key, finalize(key.__id__))
+
+            FROZEN_FINALIZED_IDS << key.__id__
+          rescue StandardError => _e
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/patching/policy/method_policy'
+require 'contrast/agent/patching/policy/method_policy'
 
 module Contrast
   module Agent
@@ -110,16 +110,23 @@ module Contrast
               dynamic_source.method_name = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.instance_method = source_node.instance_method?
               dynamic_source.target = Contrast::Utils::StringUtils.force_utf8(source_node.target_string)
-              properties.events.each do |event|
-                dynamic_source.events << event.to_dtm_event
-              end
               dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.properties[READ_COLUMN] = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.properties[WRITE_QUERY_TIME] = Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
               url = current_context.request.normalized_uri
               dynamic_source.properties[WRITE_QUERY_URL] = Contrast::Utils::StringUtils.force_utf8(url)
+              append_events(dynamic_source, properties.event)
               dynamic_source
             end
+
+            def append_events dynamic_source, event
+              return unless event
+
+              event.parent_events&.each do |parent_event|
+                append_events(dynamic_source, parent_event)
+              end
+              dynamic_source.events << event.to_dtm_event
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -1,11 +1,11 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/assess/policy/policy'
-cs__scoped_require 'contrast/agent/patching/policy/patcher'
-cs__scoped_require 'contrast/agent/patching/policy/method_policy'
-cs__scoped_require 'contrast/agent/patching/policy/module_policy'
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/agent/assess/policy/policy'
+require 'contrast/agent/patching/policy/patcher'
+require 'contrast/agent/patching/policy/method_policy'
+require 'contrast/agent/patching/policy/module_policy'
+require 'contrast/components/interface'
 
 module Contrast
   module Agent
@@ -37,7 +37,7 @@ module Contrast
               return unless ASSESS.enabled?
               return if in_contrast_scope?
 
-              with_contrast_scope { patcher.patch_specific_module(mod) }
+              patcher.patch_specific_module(mod)
             rescue StandardError => e
               logger.warn(
                   'Unable to patch assess during eval',

data/lib/contrast/agent/assess/policy/policy.rb

@@ -1,15 +1,15 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'json'
-cs__scoped_require 'contrast/agent/assess/rule/provider/hardcoded_value_rule'
-cs__scoped_require 'contrast/agent/assess/rule/provider/hardcoded_key'
-cs__scoped_require 'contrast/agent/assess/rule/provider/hardcoded_password'
-cs__scoped_require 'contrast/agent/assess/policy/policy_node'
-cs__scoped_require 'contrast/agent/assess/policy/source_node'
-cs__scoped_require 'contrast/agent/assess/policy/propagation_node'
-cs__scoped_require 'contrast/agent/assess/policy/trigger_node'
-cs__scoped_require 'contrast/agent/patching/policy/policy'
+require 'json'
+require 'contrast/agent/assess/rule/provider/hardcoded_value_rule'
+require 'contrast/agent/assess/rule/provider/hardcoded_key'
+require 'contrast/agent/assess/rule/provider/hardcoded_password'
+require 'contrast/agent/assess/policy/policy_node'
+require 'contrast/agent/assess/policy/source_node'
+require 'contrast/agent/assess/policy/propagation_node'
+require 'contrast/agent/assess/policy/trigger_node'
+require 'contrast/agent/patching/policy/policy'
 
 module Contrast
   module Agent
@@ -72,8 +72,6 @@ module Contrast
                 add_node(trigger_node)
               end
             end
-
-            tracked_classes.concat(policy_data[TRACKED_CLASSES_KEY])
           end
 
           # Providers is a term that we're taking from Java until we come up with

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/patching/policy/policy_node'
-cs__scoped_require 'contrast/api/decorators/trace_taint_range_tags'
+require 'contrast/agent/patching/policy/policy_node'
+require 'contrast/api/decorators/trace_taint_range_tags'
 
 module Contrast
   module Agent
@@ -157,19 +157,24 @@ module Contrast
           # Everything else (propagation nodes) are Source2Target
           def build_action
             @event_action ||= begin
-              source = source_string
-              target = target_string
-              if source.nil?
+              case node_class
+              when Contrast::Agent::Assess::Policy::SourceNode::SOURCE
                 :CREATION
-              elsif target.nil?
+              when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER
                 :TRIGGER
               else
-                # TeamServer can't handle the multi-source or multi-target
-                # values. Give it some help by changing them to 'A'
-                source = ALL_TYPE if source.include?(Contrast::Utils::ObjectShare::COMMA)
-                target = ALL_TYPE if target.include?(Contrast::Utils::ObjectShare::COMMA)
-                str = source[0] + TO_MARKER + target[0]
-                str.to_sym
+                if source_string.nil?
+                  :CREATION
+                elsif target_string.nil?
+                  :TRIGGER
+                else
+                  # TeamServer can't handle the multi-source or multi-target
+                  # values. Give it some help by changing them to 'A'
+                  source = source_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : source_string
+                  target = target_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : target_string
+                  str = source[0] + TO_MARKER + target[0]
+                  str.to_sym
+                end
               end
             end
             @event_action

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -1,9 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/extension/assess/assess_extension'
+require 'contrast/components/interface'
+require 'contrast/utils/object_share'
 
 module Contrast
   module Agent
@@ -18,18 +17,35 @@ module Contrast
           access_component :analysis
 
           class << self
+            # Use the given trace_point, built from an :end event, to determine
+            # where the loaded code lives and scan that code for policy
+            # violations.
+            #
+            # @param trace_point [TracePoint] the TracePoint generated by an
+            #   :end event at the end of a Module definition.
             def scan trace_point
               return unless ASSESS.enabled?
               return unless ASSESS.require_scan?
 
+              provider_values = policy.providers.values
+              return if provider_values.all?(&:disabled?)
+
               return unless trace_point.path
               return if trace_point.path.start_with?(Gem.dir)
 
               mod = trace_point.self
               return if mod.cs__frozen? || mod.singleton_class?
 
-              policy.providers.each_value do |provider|
-                provider.analyze mod
+              # TODO: RUBY-1014 - remove non-AST approach
+              if RUBY_VERSION >= '2.6.0'
+                ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
+                provider_values.each do |provider|
+                  provider.parse(trace_point, ast)
+                end
+              else
+                provider_values.each do |provider|
+                  provider.analyze(mod)
+                end
               end
             end
 

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/components/interface'
 
 module Contrast
   module Agent
@@ -69,23 +69,29 @@ module Contrast
           end
 
           def append_object_details preshift, initializing, object
-            preshift.object = can_dup?(initializing, object) ? object.dup : object
-            preshift.object.cs__copy_from(object) if object.cs__frozen? && Contrast::Utils::DuckUtils.quacks_to?(preshift.object, :cs__copy_from)
+            can = can_dup?(initializing, object)
+            preshift.object = can ? object.dup : object
             preshift.object_length = if Contrast::Utils::DuckUtils.quacks_to?(preshift.object, :length)
                                        object.length
                                      else
                                        0
                                      end
+            return unless can
+            return unless Contrast::Agent::Assess::Tracker.tracked?(object)
+
+            Contrast::Agent::Assess::Tracker.copy(object, preshift.object)
           end
 
           def append_arg_details preshift, args
             preshift.args = args.dup
-            preshift.args.each_with_index do |arg, index|
-              next unless args[index].cs__frozen? && Contrast::Utils::DuckUtils.quacks_to?(arg, :cs__copy_from)
+            preshift.args.each_with_index do |preshift_arg, index|
+              original_arg = args[index]
+              next if preshift_arg.__id__ == original_arg.__id__
+              next unless Contrast::Agent::Assess::Tracker.tracked?(original_arg)
 
-              arg.cs__copy_from(args[index])
+              Contrast::Agent::Assess::Tracker.copy(original_arg, preshift_arg)
             end
-            preshift.arg_lengths = preshift.args.map { |arg| Contrast::Utils::DuckUtils.quacks_to?(arg, :length) ? arg.length : 0 }
+            preshift.arg_lengths = preshift.args.map { |preshift_arg| Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0 }
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -1,27 +1,24 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-# This class is responsible for the continuation of traces. A Propagator is any
-# method that transforms an untrusted value. In general, these methods work on
-# the String class or a holder of Strings
-cs__scoped_require 'set'
+require 'set'
 
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/utils/sha256_builder'
-
-cs__scoped_require 'contrast/agent/assess/policy/propagator'
-
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/agent/assess/policy/propagator'
+require 'contrast/components/interface'
+require 'contrast/utils/object_share'
+require 'contrast/utils/sha256_builder'
 
 module Contrast
   module Agent
     module Assess
       module Policy
-        # This module contains the logic for determining how to propagate tags
-        # and events from a source to a target
+        # This class is responsible for the continuation of traces. A
+        # Propagator is any method that transforms an untrusted value. In
+        # general, these methods work on the String class or a holder of
+        # Strings
         module PropagationMethod
           include Contrast::Components::Interface
-          access_component :logging
+          access_component :analysis, :logging
 
           APPEND_ACTION = 'APPEND'
           CENTER_ACTION = 'CENTER'
@@ -127,15 +124,16 @@ module Contrast
                 Contrast::Agent::Assess::Policy::Propagator::Custom.propagate(propagation_node, preshift, ret, block)
               elsif propagation_node.action == SPLIT_ACTION
                 Contrast::Agent::Assess::Policy::Propagator::Split.propagate(propagation_node, preshift, target)
-              elsif Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
-                handle_cs_properties_propagation(propagation_node, preshift, target, object, ret, args, block)
               elsif Contrast::Utils::DuckUtils.iterable_hash?(target)
                 handle_hash_propagation(propagation_node, preshift, target, object, ret, args, block)
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
                 handle_enumerable_propagation(propagation_node, preshift, target, object, ret, args, block)
+              else
+                handle_cs_properties_propagation(propagation_node, preshift, target, object, ret, args, block)
               end
             rescue StandardError => e
               logger.warn('Unable to apply propagation', e, node_id: propagation_node.id)
+              nil
             end
 
             # Custom actions tend to be the more complex of our propagations.
@@ -174,15 +172,7 @@ module Contrast
             # If the source of this patcher is not tracked, there's no need to do
             # anything. A copy of nothing is still nothing.
             def can_propagate? propagation_node, preshift, target
-              # We cannot propagate to things that do not have cs__properties.
-              return false unless Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
-
-              # We cannot propagate to frozen things that have not been
-              # previously tracked. We probably shouldn't propagate to frozen
-              # things at all, as they're supposed to be immutable, but third
-              # parties do jenky things, so allow it as long as it is safe to do.
-              return false if target.cs__properties == Contrast::Agent::Assess::Insulator.generate_frozen.properties &&
-                  propagation_node.targets[0] != Contrast::Utils::ObjectShare::RETURN_KEY
+              return false unless appropriate_target?(propagation_node, target)
               return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
               return false unless preshift
 
@@ -197,13 +187,32 @@ module Contrast
               false
             end
 
+            # We cannot propagate to frozen things that have not been updated
+            # to work with our property tracking, unless they're duplicable and
+            # the return.
+            # We probably shouldn't propagate to frozen things at all, as
+            # they're supposed to be immutable, but third parties do jenky
+            # things, so allow it as long as it is safe to do.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
+            #   the node that governs this propagation event.
+            # @param target [Object] the Target to which to propagate.
+            # @return [Boolean] if the target can be propagated to
+            def appropriate_target? propagation_node, target
+              # special handle Returns b/c we can do unfreezing magic during propagation
+              return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+              Contrast::Agent::Assess::Tracker.trackable?(target)
+            end
+
             # If this patcher has tags, apply them to the entire target
             def apply_tags propagation_node, target
               return unless propagation_node.tags
 
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
               length = Contrast::Utils::StringUtils.ret_length(target)
               propagation_node.tags.each do |tag|
-                target.cs__properties.add_tag(tag, 0...length)
+                properties.add_tag(tag, 0...length)
               end
             end
 
@@ -211,8 +220,11 @@ module Contrast
             def apply_untags propagation_node, target
               return unless propagation_node.untags
 
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
+              return unless properties
+
               propagation_node.untags.each do |tag|
-                target.cs__properties.delete_tags(tag)
+                properties.delete_tags(tag)
               end
             end
 
@@ -226,6 +238,15 @@ module Contrast
               true
             end
 
+            # Safely duplicate the target, or return nil
+            #
+            # @param target [Object] the thing to check for duplication
+            def safe_dup target
+              target.dup
+            rescue StandardError => _e
+              nil
+            end
+
             def handle_hash_propagation propagation_node, preshift, target, object, ret, args, block
               target.each_pair do |key, value|
                 apply_propagator(propagation_node, preshift, key, object, ret, args, block)
@@ -245,31 +266,33 @@ module Contrast
               return if propagation_node.action == NOOP_ACTION
               return unless can_propagate?(propagation_node, preshift, target)
 
-              # propagate all the tags from the sources to the target
               propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil)
               unless propagation_class
                 logger.warn(
-                    'Unknown propgation action receieved. Unable to propagate.',
+                    'Unknown propagation action received. Unable to propagate.',
                     node_id: propagation_node.id,
                     action: propagation_node.action)
-                return ret
+                return
               end
-
               restore_frozen_state = false
-              if target.cs__frozen?
-                return ret unless propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+              if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
+                return unless ASSESS.track_frozen_sources?
+                return unless propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+                dup = safe_dup(ret)
+                return unless dup
 
                 restore_frozen_state = true
-                ret = Contrast::Utils::FreezeUtil.unfreeze_dup(target)
+                ret = dup
                 target = ret
+                Contrast::Agent::Assess::Tracker.pre_freeze(ret)
+                ret.cs__freeze
+                # double check that we were able to finalize the replaced return
+                return unless Contrast::Agent::Assess::Tracker.trackable?(target)
               end
-              return if target.cs__properties == Contrast::Agent::Assess::Insulator.generate_frozen.properties
-
               propagation_class.propagate(propagation_node, preshift, target)
-
               # Once we've propagated, attempt to tag the target if there is a tag(s) to be applied
               apply_tags(propagation_node, target)
-
               # Even though we skipped propagating tags from the source if they
               # were included in untags, the target may have already had some on
               # it. Let's go ahead and remove them.
@@ -277,16 +300,13 @@ module Contrast
               # both and there should never be a propagator that has a tag in
               # its untag.
               apply_untags(propagation_node, target)
-
-              target.cs__properties.add_properties(propagation_node.properties)
-
-              target.cs__properties.build_event(propagation_node, target, object, ret, args)
-
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
+              properties.add_properties(propagation_node.properties)
+              properties.build_event(propagation_node, target, object, ret, args)
               logger.trace('Propagation detected',
                            node_id: propagation_node.id,
                            target_id: target.__id__)
-              ret.cs__freeze if restore_frozen_state
-              ret
+              restore_frozen_state ? ret : nil
             end
           end
         end