contrast-agent 3.13.2 → 4.1.0

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -38,7 +38,8 @@ module Contrast
               finish = match.begin(:path)
               finish ||= url.length
 
-              args[0].cs__properties.any_tags_between?(start, finish)
+              properties = Contrast::Agent::Assess::Tracker.properties(args[0])
+              properties.any_tags_between?(start, finish)
             end
           end
         end

data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/assess/policy/trigger_validation/ssrf_validator'
-cs__scoped_require 'contrast/agent/assess/policy/trigger_validation/xss_validator'
+require 'contrast/agent/assess/policy/trigger_validation/ssrf_validator'
+require 'contrast/agent/assess/policy/trigger_validation/xss_validator'
 
 module Contrast
   module Agent

data/lib/contrast/agent/assess/properties.rb

@@ -1,11 +1,12 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'set'
-cs__scoped_require 'base64'
-cs__scoped_require 'contrast/utils/prevent_serialization'
-cs__scoped_require 'contrast/agent/assess/property/evented'
-cs__scoped_require 'contrast/agent/assess/property/tagged'
+require 'base64'
+require 'set'
+require 'contrast/agent/assess/property/evented'
+require 'contrast/agent/assess/property/tagged'
+require 'contrast/agent/assess/property/updated'
+require 'contrast/utils/prevent_serialization'
 
 module Contrast
   module Agent
@@ -20,6 +21,9 @@ module Contrast
         include Contrast::Utils::PreventSerialization
         include Contrast::Agent::Assess::Property::Evented
         include Contrast::Agent::Assess::Property::Tagged
+        include Contrast::Agent::Assess::Property::Updated
+
+        attr_accessor :dupped_from
 
         # CONTRAST-36937
         # Creating these on Properties is expensive. We want to delay this for
@@ -39,6 +43,12 @@ module Contrast
 
           properties[name] = value
         end
+
+        def dup
+          ret = super
+          ret.dupped_from = __id__
+          ret
+        end
       end
     end
   end

data/lib/contrast/agent/assess/property/evented.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/assess/events/event_factory'
-cs__scoped_require 'contrast/agent/assess/events/source_event'
+require 'contrast/agent/assess/events/event_factory'
+require 'contrast/agent/assess/events/source_event'
 
 module Contrast
   module Agent
@@ -10,23 +10,11 @@ module Contrast
       module Property
         # This module serves to hold the functionality required for the
         # management of our dataflow events.
+        #
+        # @attr_reader event [Contrast::Agent::Assess::ContrastEvent] the
+        #   latest event to track
         module Evented
-          # The events for this object.
-          #
-          # @return [Array<Contrast::Agent::Assess::ContrastEvent>]
-          def events
-            @_events ||= []
-          end
-
-          # Add an event to these properties. It will be used to build
-          # a trace if this object ends up in a trigger.
-          #
-          # @param event [Contrast::Agent::Assess::ContrastEvent] the latest
-          #   event to track
-          def add_event event
-            events << event
-            self
-          end
+          attr_accessor :event
 
           # Create a new event and add it to the event set.
           #
@@ -43,8 +31,7 @@ module Contrast
           #   the key used to accessed if from a map or nil if a type like
           #   BODY
           def build_event policy_node, tagged, object, ret, args, source_type = nil, source_name = nil
-            event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
-            add_event(event)
+            @event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
             report_sources(tagged, event)
           end
 

data/lib/contrast/agent/assess/property/tagged.rb

@@ -1,10 +1,10 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/agent/assess/tag'
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/utils/string_utils'
-cs__scoped_require 'contrast/utils/tag_util'
+require 'contrast/agent/assess/tag'
+require 'contrast/utils/object_share'
+require 'contrast/utils/string_utils'
+require 'contrast/utils/tag_util'
 
 module Contrast
   module Agent
@@ -162,15 +162,21 @@ module Contrast
           end
 
           # We'll use this as a helper method to retrieve tags from the hash.
-          # Because the hash auto-populates an empty array when we try to access
-          # a tag in it, we cannot use the [] method without side effect. To get
-          # around this, we'll use a fetch work around.
+          # Because the hash auto-populates an empty array when we try to
+          # access a tag in it, we cannot use the [] method without side
+          # effect. To get around this, we'll use a fetch work around.
+          #
+          # @param label [Symbol] the label to look up
+          # @return [Array<Contrast::Agent::Assess::Tag>] all the tags with
+          #   that label
           def fetch_tag label
             tags.fetch(label, nil) if tracked?
           end
 
           # Convert the tags of this object into the TraceTaintRange required
           # to be sent to the service
+          #
+          # @return [Array<Contrast::Api::Dtm::TraceTaintRange>]
           def tags_to_dtm
             Contrast::Api::Dtm::TraceTaintRange.build_for_event(tags)
           end

data/lib/contrast/agent/assess/property/updated.rb

@@ -0,0 +1,131 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/duck_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Property
+        # This module serves to hold the functionality required for the
+        # update of properties as they go through dataflow.
+        module Updated
+          # copy tags and info from source's properties to self
+          # @param source [Object] the object from which existing properties
+          #   should be copied.
+          # @param owner [Object] the object to which these properties apply.
+          # @param shift [Integer] (0) how far to shift the tags during copy,
+          #   useful for insert and append operations.
+          # @param skip_tags [Set<String>] (nil) the tags to not copy over,
+          #   useful for propagation events that have 'untags'.
+          def copy_from source, owner, shift = 0, skip_tags = nil
+            return if owner.equal?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+
+            original = Contrast::Agent::Assess::Tracker.properties(source)
+            return unless original
+
+            adjust_duplicate(original)
+            original.tag_keys.each do |key|
+              next if skip_tags&.include?(key)
+
+              existing = tags[key]
+              had_existing = existing.any?
+              value = original.fetch_tag(key)
+              value.each do |tag|
+                existing << tag.copy_modified(shift)
+              end
+              Contrast::Utils::TagUtil.size_aware_merge(owner, existing) if had_existing
+            end
+          end
+
+          # Some propagation occurred, but we're not sure what the
+          # exact transformation was. To be safe, we just explode
+          # all the tags from the source to the return.
+          #
+          # If the return already had that tag, the existing tag
+          # range is recycled to save us an object.
+          #
+          # @param source [Object] the object from which existing properties
+          #   should be copied.
+          # @param owner [Object] the object to which these properties apply.
+          def splat_from source, owner
+            splat_length = Contrast::Utils::StringUtils.ret_length(owner)
+            return if splat_length.zero?
+
+            splat_from_ret(splat_length)
+            splat_from_source(source, splat_length)
+            cleanup_tags
+          end
+
+          private
+
+          # Because of how our tracking works now, sometimes the Source and
+          # Target are the same, but their IDs in our map will be different due
+          # to PreShift duplication. To account for this, we have to ensure that
+          # the Object we're copying from does not have the same Properties
+          # that the Object we're copying to does. If they are the same, wipe the
+          # Target so that the copy method can update events and ranges as
+          # necessary.
+          # DO NOT TAKE THIS OUT!
+          def adjust_duplicate original
+            reset_properties if original == self
+            reset_properties if original.__id__ == dupped_from
+            reset_properties if original.dupped_from == __id__
+          end
+
+          # Wipe out the instance variables on this Properties instance,
+          # allowing them to be rebuilt.
+          def reset_properties
+            @_tags = nil
+            @_events = nil
+            @_properties = nil
+          end
+
+          # Splat all the tags from the source to this set of Properties
+          #
+          # @param source [Object] the object from which tags will be copied
+          #   and splatted.
+          # @param splat_length [Integer] the length to which to to set all
+          #   tags.
+          def splat_from_source source, splat_length
+            properties = Contrast::Agent::Assess::Tracker.properties(source)
+            return unless properties
+
+            properties.tag_keys.each do |key|
+              existing = fetch_tag(key)
+              # if the tag already exists, drop all but the first range
+              # then change that range to cover the entire return
+              if existing
+                existing.drop(existing.length - 1)
+                range = existing[0]
+                range.repurpose(0, splat_length)
+              else
+                add_tag(key, 0...splat_length)
+              end
+            end
+          end
+
+          # Splat all the tags existing on this set of Properties
+          #
+          # @param splat_length [Integer] the length to which to to set all
+          #   tags.
+          def splat_from_ret splat_length
+            return unless tracked?
+
+            tag_keys.each do |key|
+              next unless key
+
+              existing = fetch_tag(key)
+              next unless existing
+
+              existing.each do |range|
+                range.repurpose(0, splat_length)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/rule.rb

@@ -14,5 +14,5 @@ module Contrast
   end
 end
 
-cs__scoped_require 'contrast/agent/assess/rule/base'
-cs__scoped_require 'contrast/agent/assess/rule/provider'
+require 'contrast/agent/assess/rule/base'
+require 'contrast/agent/assess/rule/provider'

data/lib/contrast/agent/assess/rule/base.rb

@@ -1,10 +1,9 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
-
-cs__scoped_require 'zlib'
-cs__scoped_require 'digest'
+require 'digest'
+require 'zlib'
+require 'contrast/components/interface'
 
 module Contrast
   module Agent

data/lib/contrast/agent/assess/rule/provider.rb

@@ -16,6 +16,6 @@ module Contrast
   end
 end
 
-cs__scoped_require 'contrast/agent/assess/rule/provider/hardcoded_value_rule'
-cs__scoped_require 'contrast/agent/assess/rule/provider/hardcoded_key'
-cs__scoped_require 'contrast/agent/assess/rule/provider/hardcoded_password'
+require 'contrast/agent/assess/rule/provider/hardcoded_value_rule'
+require 'contrast/agent/assess/rule/provider/hardcoded_key'
+require 'contrast/agent/assess/rule/provider/hardcoded_password'

data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb

@@ -33,6 +33,64 @@ module Contrast
                   NON_KEY_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
             end
 
+            BYTE_HOLDERS = %i[ARRAY LIST].cs__freeze
+            # Determine if the given value node violates the hardcode key rule
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean]
+            def value_node_passes? value_node
+              # If it's a freeze call, then evaluate the entity being frozen
+              value_node = value_node.children[0] if freeze_call?(value_node)
+              # If it's a String being turned into bytes, then it matches key
+              # expectations
+              return true if bytes_call?(value_node)
+
+              type = value_node.type
+              return false unless BYTE_HOLDERS.include?(type)
+              return false unless value_node.children.any?
+
+              # Unless this is an array of literal numerics, we don't match.
+              # That array seems to always end in a nil value, so we allow
+              # those as well.
+              value_node.children.each do |child|
+                next unless child
+
+                return false unless child.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                    child.type == :LIT &&
+                    child.children[0]&.cs__is_a?(Integer)
+              end
+
+              true
+            end
+
+            REDACTED_MARKER = ' = [**REDACTED**]'
+            def redacted_marker
+              REDACTED_MARKER
+            end
+
+            # A node is a bytes_call if it's the Node for String#bytes. We care
+            # about this specifically as it's likely to be a common way to
+            # generate a key constant, rather than directly declaring an
+            # integer array.
+            #
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean] is this a node for String#bytes or not
+            def bytes_call? value_node
+              return false unless value_node.type == :CALL
+
+              children = value_node.children
+              return false unless children
+              return false unless children.length >= 2
+
+              potential_string_node = children[0]
+              return false unless potential_string_node.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                  potential_string_node.type == :STR
+
+              children[1] == :bytes
+            end
+
+            # TODO: RUBY-1014 remove `#value_type_passes?` and `#value_passes?`
             # If the value is a byte array, or at least an array of numbers, it
             # passes for this rule
             def value_type_passes? value
@@ -49,11 +107,6 @@ module Contrast
             def value_passes? _value
               true
             end
-
-            REDACTED_MARKER = ' = [**REDACTED**]'
-            def redacted_marker
-              REDACTED_MARKER
-            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb

@@ -38,15 +38,18 @@ module Contrast
                   NON_PASSWORD_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
             end
 
-            # If the value is a string, it passes for this rule
-            def value_type_passes? value
-              value.is_a?(String)
-            end
+            # Determine if the given value node violates the hardcode key rule
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean]
+            def value_node_passes? value_node
+              # If it's a freeze call, then evaluate the entity being frozen
+              value_node = value_node.children[0] if freeze_call?(value_node)
+              return false unless value_node.type == :STR
 
-            # If the value probably isn't a property name, it passes for this
-            # rule
-            def value_passes? value
-              !probably_property_name?(value)
+              # https://www.rubydoc.info/gems/ruby-internal/Node/STR
+              string = value_node.children[0]
+              !probably_property_name?(string)
             end
 
             # If a field name matches an expected password field, we'll check it's
@@ -56,7 +59,7 @@ module Contrast
             # characters are probably more likely to appear together in a
             # default placeholder than in a password. Note this is opposite of
             # the behavior in Java
-            PROPERTY_NAME_PATTERN = /^[a-z]+[\.\_][\.\_a-z]*[a-z]+$/.cs__freeze
+            PROPERTY_NAME_PATTERN = /^[a-z]+[._][._a-z]*[a-z]+$/.cs__freeze
             def probably_property_name? value
               value.match?(PROPERTY_NAME_PATTERN)
             end
@@ -65,6 +68,18 @@ module Contrast
             def redacted_marker
               REDACTED_MARKER
             end
+
+            # TODO: RUBY-1014 remove `#value_type_passes?` and `#value_passes?`
+            # If the value is a string, it passes for this rule
+            def value_type_passes? value
+              value.is_a?(String)
+            end
+
+            # If the value probably isn't a property name, it passes for this
+            # rule
+            def value_passes? value
+              !probably_property_name?(value)
+            end
           end
         end
       end