contrast-agent 3.13.2 → 4.1.0

data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/assess/policy/source_method'
+require 'contrast/agent/assess/policy/source_method'
 
 module Contrast
   module Agent

data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/assess/policy/source_validation/cross_site_validator'
+require 'contrast/agent/assess/policy/source_validation/cross_site_validator'
 
 module Contrast
   module Agent

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -25,24 +25,26 @@ module Contrast
               TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
               def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
-                scope = args[0]
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+                return unless properties
 
+                scope = args[0]
                 erb_template_prerender = object.instance_variable_get(:@data)
                 interpolated_inputs = []
                 handle_binding_variables(scope, erb_template_prerender, ret, interpolated_inputs)
-
                 handle_local_variables(args, erb_template_prerender, ret, interpolated_inputs)
-
+                properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
                 unless interpolated_inputs.empty?
+                  current_event = properties.event
                   interpolated_inputs.each do |input|
-                    input.cs__properties.events.each do |event|
-                      ret.cs__properties.events << event
-                    end
+                    input_properties = Contrast::Agent::Assess::Tracker.properties(input)
+                    next unless input_properties&.event
+
+                    current_event.parent_events << input_properties.event
                   end
-                  ret.cs__properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
                 end
 
-                if ret.cs__tracked?
+                if Contrast::Agent::Assess::Tracker.tracked?(ret)
                   Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, ret, erb_template_prerender, ret, interpolated_inputs)
                 end
 
@@ -52,32 +54,34 @@ module Contrast
               private
 
               def handle_binding_variables scope, erb_template_prerender, ret, interpolated_inputs
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 binding_variables = scope.instance_variables
 
                 binding_variables.each do |bound_variable_sym|
                   bound_variable_value = scope.instance_variable_get(bound_variable_sym)
 
-                  next unless bound_variable_value.cs__respond_to?(:cs__tracked?) && bound_variable_value.cs__tracked?
+                  next unless Contrast::Agent::Assess::Tracker.tracked?(bound_variable_value)
                   next unless erb_template_prerender.include?(bound_variable_sym.to_s)
 
                   start_index = ret.index(bound_variable_value)
                   next if start_index.nil?
 
-                  ret.cs__copy_from(bound_variable_value, start_index)
+                  properties.copy_from(bound_variable_value, ret, start_index)
                   interpolated_inputs << bound_variable_sym
                 end
               end
 
               def handle_local_variables args, erb_template_prerender, ret, interpolated_inputs
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 locals = args[1]
                 locals.each do |local_name, local_value|
-                  next unless local_value.cs__respond_to?(:cs__tracked?) && local_value.cs__tracked?
+                  next unless Contrast::Agent::Assess::Tracker.tracked?(local_value)
                   next unless erb_template_prerender.include?(local_name.to_s)
 
                   start_index = ret.index(local_value)
                   next if start_index.nil?
 
-                  ret.cs__copy_from(local_value, start_index)
+                  properties.copy_from(local_value, ret, start_index)
                   interpolated_inputs << local_name
                 end
               end

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/components/interface'
 
 module Contrast
   module Agent
@@ -39,7 +39,7 @@ module Contrast
               def process context, trigger_node, object, ret, *args
                 args.each do |arg|
                   next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
-                  next unless arg.cs__tracked?
+                  next unless Contrast::Agent::Assess::Tracker.tracked?(arg)
                   next unless trigger_node.violated?(arg)
 
                   Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -1,11 +1,11 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/utils/sha256_builder'
-cs__scoped_require 'contrast/agent/assess/events/event_factory'
-cs__scoped_require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/agent/assess/events/event_factory'
+require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
+require 'contrast/components/interface'
+require 'contrast/utils/object_share'
+require 'contrast/utils/sha256_builder'
 
 module Contrast
   module Agent
@@ -20,10 +20,31 @@ module Contrast
           include Contrast::Components::Interface
           access_component :analysis, :logging
 
+          # The level of TeamServer compliance our traces meet when in the
+          # abnormal condition of being dataflow rules without routes
+          MINIMUM_FINDING_VERSION = 3
           # The level of TeamServer compliance our traces meet
-          CURRENT_FINDING_VERSION = 2
+          CURRENT_FINDING_VERSION = 4
 
           class << self
+            # Append the given finding to the given context to be reported when
+            # the Context's activity is sent to the Service or, in the absence
+            # of that Context, generate an Activity and queue it manually
+            # @param finding [Contrast::Api::Dtm::Finding]
+            def report_finding finding
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                context.activity.findings << finding
+              else
+                activity = Contrast::Api::Dtm::Activity.new
+                activity.findings << finding
+
+                Contrast::Agent.messaging_queue.send_event_eventually(activity)
+              end
+              logger.debug('Finding reported',
+                           rule: finding.rule_id)
+            end
+
             # This is called from within our woven proc. It will be called as if it
             # were inline in the Rack application.
             #
@@ -66,8 +87,8 @@ module Contrast
             # This converts the source of the finding, and the events leading
             # up to it into a Finding
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -89,18 +110,17 @@ module Contrast
 
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
-              finding.version = CURRENT_FINDING_VERSION
-
               build_from_source(finding, source)
               trigger_event = Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
               finding.events << trigger_event
               build_hash(finding, source)
               finding.routes << context.route if context.route
-              context.activity.findings << finding
+              finding.version = determine_compliance_version(finding)
               logger.trace('Finding created',
                            node_id: trigger_node.id,
                            source_id: source.__id__,
                            rule: trigger_node.rule_id)
+              report_finding(finding)
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
             end
@@ -110,8 +130,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -179,8 +199,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Regexp based rules.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -199,8 +219,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Dataflow based rules.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -211,8 +231,8 @@ module Contrast
             def apply_dataflow_rule context, trigger_node, source, object, ret, *args
               return unless source
 
-              if Contrast::Utils::DuckUtils.quacks_to?(source, :cs__properties)
-                return unless source.cs__tracked?
+              if Contrast::Agent::Assess::Tracker.trackable?(source)
+                return unless Contrast::Agent::Assess::Tracker.tracked?(source)
                 return unless trigger_node.violated?(source)
 
                 build_finding(context, trigger_node, source, object, ret, *args)
@@ -226,30 +246,27 @@ module Contrast
                   apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
                 end
               else
-                logger.warn('Trigger source is of unknown type. Unable to inspect.',
-                            node_id: trigger_node.id,
-                            source_id: source.__id__,
-                            source_type: source.cs__class.to_s)
+                logger.debug('Trigger source is untrackable. Unable to inspect.',
+                             node_id: trigger_node.id,
+                             source_id: source.__id__,
+                             source_type: source.cs__class.to_s,
+                             frozen: source.cs__frozen?)
                 logger.trace(source.to_s[0..99])
               end
             end
 
             def build_from_source finding, source
               return unless source
-              return unless Contrast::Utils::DuckUtils.quacks_to?(
-                  source,
-                  :cs__properties)
-              return unless source.cs__properties
+              return unless Contrast::Agent::Assess::Tracker.trackable?(source)
 
-              # events could technically be nil, but we would have failed
-              # the rule check before getting here. not worth the nil check
-              source.cs__properties.events.each do |event|
-                finding.events << event.to_dtm_event
-              end
+              properties = Contrast::Agent::Assess::Tracker.properties(source)
+              return unless properties
+
+              build_events finding, properties.event if properties.event
 
               # Google::Protobuf::Map doesn't support merge!, so we have to do this
               # long form
-              source_props = source.cs__properties.properties
+              source_props = properties.properties
               return unless source_props
 
               source_props.each_pair do |key, value|
@@ -258,11 +275,42 @@ module Contrast
               end
             end
 
+            def build_events finding, event
+              return unless event
+
+              event.parent_events&.each do |parent_event|
+                build_events(finding, parent_event)
+              end
+              # events could technically be nil, but we would have failed
+              # the rule check before getting here. not worth the nil check
+              finding.events << event.to_dtm_event
+            end
+
             def build_hash finding, source
               hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
             end
+
+            # Because our APIs are not versioned, TeamServer relies on a field,
+            # version, to tell it what, if any, validation it can preform on
+            # the findings we send it. Examine the finding and determine the
+            # level to which it conforms.
+            #
+            # @param finding [Contrast::Api::Dtm::Finding]
+            # @return [int] the version of compliance
+            def determine_compliance_version finding
+              return MINIMUM_FINDING_VERSION unless finding
+              # as routes are the only variable between findings, in the case
+              # where we couldn't determine one, any finding with a route is at
+              # maximum compliance
+              return CURRENT_FINDING_VERSION if finding.routes.any?
+              # any finding without events is not of a dataflow type and
+              # therefore at maximum compliance
+              return CURRENT_FINDING_VERSION unless finding.events.any?
+
+              MINIMUM_FINDING_VERSION
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -1,9 +1,9 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/assess/policy/trigger/reflected_xss'
-cs__scoped_require 'contrast/agent/assess/policy/trigger/xpath'
-cs__scoped_require 'contrast/api/decorators/trace_taint_range_tags'
+require 'contrast/agent/assess/policy/trigger/reflected_xss'
+require 'contrast/agent/assess/policy/trigger/xpath'
+require 'contrast/api/decorators/trace_taint_range_tags'
 
 module Contrast
   module Agent
@@ -100,16 +100,17 @@ module Contrast
             # if the source isn't tracked, there can't be a violation
             # this condition may not hold true forever, but for now it's
             # a nice optimization
-            return false unless source.cs__tracked?
+            return false unless Contrast::Agent::Assess::Tracker.tracked?(source)
 
+            properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = find_ranges_by_all_tags(Contrast::Utils::StringUtils.ret_length(source), source.cs__properties, required_tags)
+            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 
             # find the ranges that are exempt from the rule
             # (validated, sanitized, etc)
-            secure_ranges = find_ranges_by_any_tag(source.cs__properties, disallowed_tags)
+            secure_ranges = ranges_with_any_tag(properties, disallowed_tags)
             # if there are vulnerable ranges and no secure, report
             return true if secure_ranges.empty?
 
@@ -178,68 +179,62 @@ module Contrast
           # @param length [Integer] the length of the object which may have the
           #   given tags -- used as the maximum index to search for all of the
           #   tags.
-          # @param cs__properties [Contrast::Agent::Assess::Properties] the
+          # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
-          # @param tags [Set<String>] the list of tags on which to match
+          # @param required_tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def find_ranges_by_all_tags length, cs__properties, tags
-            # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless cs__properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
-
-            # :zap: faster to treat all as any if there's only one tag
-            return find_ranges_by_any_tag(cs__properties, tags) if tags.length == 1
+          def ranges_with_all_tags length, properties, required_tags
+            # if there are no tags, not required tags, or the tags don't have
+            # all the required tags, we can just return here.
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags.all? { |tag| properties.tag_keys.include?(tag) }
 
             ranges = []
-            # TODO: RUBY-946 clean this up, perhaps with
-            #   tags.each { |tag| applicable << cs__properties.fetch_tag(tag) }
-            #   return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless applicable.length == tags.length
-            #   ...
+            chunking = false
             # find all the indicies on the source that have all the given tags
             (0..length).each do |idx|
-              tags_at = cs__properties.tags_at(idx)
-              ranges << idx if tags.all? do |tag|
-                found = false
-                tags_at.each do |tag_at|
-                  found = tag_at.label == tag
-                  break if found
-                end
-                found
+              tags_at = properties.tags_at(idx).to_a
+              # only those that have all the required tags in the tags_at
+              # satisfy the requirement
+              satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
+              # if this range matches all the required tags and we're already
+              # chunking, meaning the previous range matched, do nothing
+              next if satisfied && chunking
+
+              # if we are satisfied and we were not chunking, this represents
+              # the start of the next range, so create a new entry.
+              if satisfied
+                ranges << Contrast::Agent::Assess::Tag.new('required', 0, idx)
+                chunking = true
+              # if we are chunking and not satisfied, this represents the end
+              # of the range, meaning the last index is what satisfied the
+              # range. Because the range is exclusive end, we can just use this
+              # index.
+              elsif chunking
+                ranges[-1]&.update_end(idx)
+                chunking = false
               end
             end
-            # break early if no indicies satisfy all the tags
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY if ranges.empty?
-
-            # chunk all the adjacent ranges
-            chunked = ranges.chunk_while { |i, j| i + 1 == j }
-            tag_ranges = []
-            # and convert them into Tags
-            chunked.each do |join|
-              start = join[0]
-              stop = join[-1]
-              # add the 1 to account for end index being exclusive
-              tag_length = stop - start + 1
-              tag_ranges = Contrast::Utils::TagUtil.ordered_merge(tag_ranges, Tag.new(tag_length, start))
-            end
-            tag_ranges
+            ranges
           end
 
           # Find the ranges that satisfy any of the given tags.
           #
-          # @param cs__properties [Contrast::Agent::Assess::Properties] the
+          # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
           # @param tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def find_ranges_by_any_tag cs__properties, tags
+          def ranges_with_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless cs__properties.tracked?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
 
             ranges = []
             tags.each do |desired|
-              found = cs__properties.fetch_tag(desired)
+              found = properties.fetch_tag(desired)
               next unless found
 
               # we need to dup here so that we don't change the tags if target is