contrast-agent 3.14.0 → 3.15.0

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -46,8 +46,7 @@ module Contrast
 
                 begin
                   source = preshift.object
-                  self_tracked = Contrast::Utils::DuckUtils.quacks_to?(source, :cs__tracked?) &&
-                      source.cs__tracked?
+                  self_tracked = Contrast::Agent::Assess::Tracker.tracked?(source)
                   args = preshift.args[1]
                   incoming_tracked = args && determine_tracked(args)
                   return ret unless self_tracked || incoming_tracked
@@ -75,10 +74,10 @@ module Contrast
                 # if it's a string, just ask if it's tracked
                 case args
                 when String
-                  Contrast::Utils::DuckUtils.quacks_to?(args, :cs__tracked?) && args.cs__tracked?
+                  Contrast::Agent::Assess::Tracker.tracked?(args)
                   # if it's a hash, ask if it has a tracked string
                 when Hash
-                  args.values.any? { |value| value.is_a?(String) && Contrast::Utils::DuckUtils.quacks_to?(value, :cs__tracked?) && value.cs__tracked? }
+                  args.values.any? { |value| value.is_a?(String) && Contrast::Agent::Assess::Tracker.tracked?(value) }
                   # this should never happen
                 else
                   false
@@ -86,6 +85,9 @@ module Contrast
               end
 
               def string_sub self_tracked, preshift, ret, incoming, incoming_tracked, global
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+                return unless properties
+
                 pattern = preshift.args[0]
                 source = preshift.object
 
@@ -93,13 +95,13 @@ module Contrast
                 # copied from regexp / captures. Trading accuracy for
                 # performance
                 if incoming.match?(CAPTURE_GROUP_REGEXP) || incoming.match?(CAPTURE_NAME_REGEXP)
-                  source.cs__splat_tags(ret) if self_tracked
+                  properties.splat_from(source, ret) if self_tracked
                   return
                 end
 
                 # if it's just a straight insert, that we can do
                 # Copy the tags from us to the return
-                ret.cs__copy_from(source)
+                properties.copy_from(source, ret)
                 # Figure out where inserts occurred
                 last_idx = 0
                 ranges = []
@@ -114,48 +116,55 @@ module Contrast
                   ranges << (start_index...end_index)
                   break unless global
                 end
-                ret.cs__properties.delete_tags_at_ranges(ranges)
-                ret.cs__properties.shift_tags(ranges)
+                properties.delete_tags_at_ranges(ranges)
+                properties.shift_tags(ranges)
                 return unless incoming_tracked
 
-                tags = incoming.cs__properties.tag_keys
+                incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
+                tags = incoming_properties.tag_keys
                 ranges.each do |range|
                   tags.each do |tag|
-                    ret.cs__properties.add_tag(tag, range)
+                    properties.add_tag(tag, range)
                   end
                 end
               end
 
               def block_sub self_tracked, source, ret
-                source.cs__splat_tags(ret) if self_tracked
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+                properties&.splat_from(source, ret) if self_tracked
               end
 
               def hash_sub self_tracked, source, ret
-                source.cs__splat_tags(ret) if self_tracked
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+                properties&.splat_from(source, ret) if self_tracked
               end
 
               def pattern_gsub preshift, ret
-                return unless Contrast::Utils::DuckUtils.trackable?(ret)
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+                return unless properties
 
                 source = preshift.object
-                source.cs__properties.tag_keys.each do |key|
-                  ret.cs__properties.add_tag(key, 0...1)
+                source_properties = Contrast::Agent::Assess::Tracker.properties(source)
+                return unless source_properties
+
+                source_properties.tag_keys.each do |key|
+                  properties.add_tag(key, 0...1)
                 end
               end
 
               def string_build_event patcher, preshift, ret
-                return unless Contrast::Utils::DuckUtils.quacks_to?(ret, :cs__tracked?) && ret.cs__tracked?
+                return unless Contrast::Agent::Assess::Tracker.tracked?(ret)
 
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 args = preshift.args
                 if args.length > 1
                   arg = args[1]
-                  if Contrast::Utils::DuckUtils.quacks_to?(arg, :cs__properties)
-                    arg.cs__properties.events.each do |event|
-                      ret.cs__properties.events << event
-                    end
+                  arg_properties = Contrast::Agent::Assess::Tracker.properties(arg)
+                  arg_properties&.events&.each do |event|
+                    properties.events << event
                   end
                 end
-                ret.cs__properties.build_event(
+                properties.build_event(
                     patcher,
                     ret,
                     preshift.object,

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -16,9 +16,12 @@ module Contrast
               def tr_tagger patcher, preshift, ret, _block
                 return ret unless ret && !ret.empty?
 
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+                return unless properties
+
                 source = preshift.object
                 args = preshift.args
-                ret.cs__copy_from(source)
+                properties.copy_from(source, ret)
                 replace_string = args[1]
                 source_chars = source.chars
                 # if the replace string is empty, then there's a bunch of deletes. this
@@ -41,10 +44,10 @@ module Contrast
                   end
                   # account for the last char being different
                   remove_ranges << (start...source_chars.length) if start
-                  ret.cs__properties.delete_tags_at_ranges(remove_ranges, false)
+                  properties.delete_tags_at_ranges(remove_ranges, false)
                 end
 
-                ret.cs__properties.build_event(
+                properties.build_event(
                     patcher,
                     ret,
                     source,
@@ -57,10 +60,13 @@ module Contrast
               def tr_s_tagger patcher, preshift, ret, _block
                 return unless ret && !ret.empty?
 
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+                return unless properties
+
                 source = preshift.object
                 args = preshift.args
-                source.cs__splat_tags(ret)
-                ret.cs__properties.build_event(
+                properties.splat_from(source, ret)
+                properties.build_event(
                     patcher,
                     ret,
                     source,

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -17,7 +17,7 @@ module Contrast
         # dataflows used in Assess vulnerability detection.
         module SourceMethod
           include Contrast::Components::Interface
-          access_component :logging, :analysis
+          access_component :analysis, :logging
 
           PARAMETER_TYPE     = 'PARAMETER'
           PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
@@ -44,38 +44,26 @@ module Contrast
               current_context = Contrast::Agent::REQUEST_TRACKER.current
               return unless current_context&.analyze_request? && ASSESS.enabled?
 
-              replaced_return = nil
               source_node = method_policy.source_node
-
               target = determine_target(source_node, object, ret, args)
+              restore_frozen_state = false
+              if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
+                return unless ASSESS.track_frozen_sources?
+                return unless source_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
 
-              # We don't propagate to frozen things that haven't been tracked
-              # before. By definition, something that is a source has not
-              # previously been tracked; therefore, we can break out early.
-              if target.cs__frozen?
-                # That being said, we don't have enough context to know if we
-                # can make this assumption and still function, so we'll allow for
-                # source tracking of frozen things by a common config setting.
-                #
-                # Rails' StrongParameters make a case for this to be default
-                # behavior
-                return replaced_return unless ASSESS.track_frozen_sources?
-
-                # If we're tracking the frozen target, we need to unfreeze
-                # (dup) it to track and then freeze that result. For
-                # simplicities sake, we ONLY do this if the return is the
-                # target (I don't want to have to deal with unfreezing self)
-                return replaced_return unless source_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+                dup = safe_dup(ret)
+                return unless dup
 
                 restore_frozen_state = true
-                ret = Contrast::Utils::FreezeUtil.unfreeze_dup(ret)
+                ret = dup
                 target = ret
+                Contrast::Agent::Assess::Tracker.pre_freeze(ret)
+                ret.cs__freeze
+                # double check that we were able to finalize the replaced return
+                return unless Contrast::Agent::Assess::Tracker.trackable?(target)
               end
-
               apply_source(current_context, source_node, target, object, ret, source_node.type, nil, *args)
-
-              ret.cs__freeze if restore_frozen_state
-              ret
+              restore_frozen_state ? ret : nil
             end
 
             private
@@ -103,34 +91,10 @@ module Contrast
               source_name ||= determine_source_name(source_node, object, ret, *args)
               # We know we only work on certain things.
               # Skip if this isn't one of them
-              if Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
+              if Contrast::Agent::Assess::Tracker.trackable?(target)
                 apply_tags(source_node, target, object, ret, source_type, source_name, *args)
-                # While we don't taint hashes themselves, we may taint the things
-                # they hold. Let's pass their keys and values back to ourselves and
-                # try again
               elsif Contrast::Utils::DuckUtils.iterable_hash?(target)
-                to_replace = []
-                target.each_pair do |key, value|
-                  # We only do this for Strings b/c of the way Hash lookup works.
-                  # To replace another object would break hash lookup and,
-                  # therefore, the application
-                  if can_track_hash_key?(key, target)
-                    key = Contrast::Utils::FreezeUtil.unfreeze_dup(key)
-                    to_replace << key
-                  end
-                  apply_source(context, source_node, key, object, ret, key_type(source_type), key, *args)
-                  apply_source(context, source_node, value, object, ret, source_type, key, *args)
-                end
-
-                # Hash is designed to keep one instance of the string key in it.
-                # We need to remove the existing one and replace it with our new
-                # tracked one.
-                to_replace.each do |key|
-                  key.cs__freeze
-                  value = target[key]
-                  target.delete(key)
-                  target[key] = value
-                end
+                apply_hash_tags(context, source_node, target, object, ret, source_type, *args)
                 # While we don't taint arrays themselves, we may taint the things
                 # they hold. Let's pass their keys and values back to ourselves and
                 # try again
@@ -141,17 +105,81 @@ module Contrast
               logger.warn('Unable to apply source', e, node_id: source_node.id)
             end
 
-            def can_track_hash_key? key, target
+            # While we don't taint hashes themselves, we may taint the things
+            # they hold. Let's pass their keys and values back to ourselves and
+            # try again
+            #
+            # @param context [Contrast::Utils::ThreadTracker] the current request
+            #   context
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
+            #   the node to direct applying this source event
+            # @param target [Object] the target of the Source Event
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param source_type [String] the type of this source, from the
+            #   source_node, or a KEY_TYPE if invoked for a map
+            # @param args [Array<Object>] the Arguments with which the method
+            #   was invoked
+            def apply_hash_tags context, source_node, target, object, ret, source_type, *args
+              to_replace = []
+              target.each_pair do |key, value|
+                # We only do this for Strings b/c of the way Hash lookup works.
+                # To replace another object would break hash lookup and,
+                # therefore, the application
+                if replace_hash_key?(key, target)
+                  key = key.dup
+                  to_replace << key
+                end
+                apply_source(context, source_node, key, object, ret, key_type(source_type), key, *args)
+                apply_source(context, source_node, value, object, ret, source_type, key, *args)
+              end
+              handle_hash_key(target, to_replace)
+            end
+
+            # Given an unfrozen hash, if the key is a String, we should replace
+            # it with one that we can finalize, allowing us to track that key.
+            # This method handles checking if that replace can and should
+            # occur.
+            #
+            # @param key [Object] the key in the hash that may need replacing.
+            # @param hash [Hash] the hash to which the key belongs.
+            # @return [Boolean] whether replace the key in the hash or not.
+            def replace_hash_key? key, hash
               ASSESS.track_frozen_sources? &&
+                  !hash.cs__frozen? &&
                   key.is_a?(String) &&
-                  Contrast::Utils::DuckUtils.quacks_to?(target, :delete)
+                  !Contrast::Agent::Assess::Tracker.trackable?(key)
+            end
+
+            # Safely duplicate the target, or return nil
+            #
+            # @param target [Object] the thing to check for duplication
+            def safe_dup target
+              target.dup
+            rescue StandardError => _e
+              nil
+            end
+
+            # Hash is designed to keep one instance of the string key in it.
+            # We need to remove the existing one and replace it with our new
+            # tracked one.
+            def handle_hash_key target, to_replace
+              to_replace.each do |key|
+                Contrast::Agent::Assess::Tracker.pre_freeze(key)
+                key.cs__freeze
+                value = target.delete(key)
+                target[key] = value
+              end
             end
 
             def apply_tags source_node, target, object, ret, source_type, source_name, *args
+              # don't apply tags if we can't track the thing
+              return unless Contrast::Agent::Assess::Tracker.trackable?(target)
               # don't apply second source -- probably needs tuning later if we
               # use more than 'UNTRUSTED' in our sources
-              return if target.cs__tracked? || target.cs__frozen?
+              return if Contrast::Agent::Assess::Tracker.tracked?(target)
 
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
               # otherwise for each tag this source_node applies, create a tag range
               # on the target object
               # I realize this looping is counter-intuitive from the above
@@ -160,16 +188,15 @@ module Contrast
                 next unless Contrast::Agent::Assess::Policy::SourceValidation.valid?(tag, source_type, source_name)
 
                 length = Contrast::Utils::StringUtils.ret_length(target)
-                target.cs__properties.add_tag(tag, 0...length)
-                target.cs__properties.add_properties(source_node.properties)
+                properties.add_tag(tag, 0...length)
+                properties.add_properties(source_node.properties)
                 logger.trace('Source detected',
                              node_id: source_node.id,
                              target_id: target.__id__,
                              tag: tag)
               end
-
               # make a representation of this method that TeamServer can render
-              target.cs__properties.build_event(source_node, target, object, ret, args, source_type, source_name)
+              properties.build_event(source_node, target, object, ret, args, source_type, source_name)
             end
 
             # Find the name of the source

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -25,24 +25,27 @@ module Contrast
               TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
               def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
-                scope = args[0]
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+                return unless properties
 
+                scope = args[0]
                 erb_template_prerender = object.instance_variable_get(:@data)
                 interpolated_inputs = []
                 handle_binding_variables(scope, erb_template_prerender, ret, interpolated_inputs)
-
                 handle_local_variables(args, erb_template_prerender, ret, interpolated_inputs)
-
                 unless interpolated_inputs.empty?
                   interpolated_inputs.each do |input|
-                    input.cs__properties.events.each do |event|
-                      ret.cs__properties.events << event
+                    input_properties = Contrast::Agent::Assess::Tracker.properties(input)
+                    next unless input_properties
+
+                    input_properties.events.each do |event|
+                      properties.events << event
                     end
                   end
-                  ret.cs__properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
+                  properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
                 end
 
-                if ret.cs__tracked?
+                if Contrast::Agent::Assess::Tracker.tracked?(ret)
                   Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, ret, erb_template_prerender, ret, interpolated_inputs)
                 end
 
@@ -52,32 +55,34 @@ module Contrast
               private
 
               def handle_binding_variables scope, erb_template_prerender, ret, interpolated_inputs
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 binding_variables = scope.instance_variables
 
                 binding_variables.each do |bound_variable_sym|
                   bound_variable_value = scope.instance_variable_get(bound_variable_sym)
 
-                  next unless bound_variable_value.cs__respond_to?(:cs__tracked?) && bound_variable_value.cs__tracked?
+                  next unless Contrast::Agent::Assess::Tracker.tracked?(bound_variable_value)
                   next unless erb_template_prerender.include?(bound_variable_sym.to_s)
 
                   start_index = ret.index(bound_variable_value)
                   next if start_index.nil?
 
-                  ret.cs__copy_from(bound_variable_value, start_index)
+                  properties.copy_from(bound_variable_value, ret, start_index)
                   interpolated_inputs << bound_variable_sym
                 end
               end
 
               def handle_local_variables args, erb_template_prerender, ret, interpolated_inputs
+                properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 locals = args[1]
                 locals.each do |local_name, local_value|
-                  next unless local_value.cs__respond_to?(:cs__tracked?) && local_value.cs__tracked?
+                  next unless Contrast::Agent::Assess::Tracker.tracked?(local_value)
                   next unless erb_template_prerender.include?(local_name.to_s)
 
                   start_index = ret.index(local_value)
                   next if start_index.nil?
 
-                  ret.cs__copy_from(local_value, start_index)
+                  properties.copy_from(local_value, ret, start_index)
                   interpolated_inputs << local_name
                 end
               end

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -39,7 +39,7 @@ module Contrast
               def process context, trigger_node, object, ret, *args
                 args.each do |arg|
                   next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
-                  next unless arg.cs__tracked?
+                  next unless Contrast::Agent::Assess::Tracker.tracked?(arg)
                   next unless trigger_node.violated?(arg)
 
                   Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -20,8 +20,11 @@ module Contrast
           include Contrast::Components::Interface
           access_component :analysis, :logging
 
+          # The level of TeamServer compliance our traces meet when in the
+          # abnormal condition of being dataflow rules without routes
+          MINIMUM_FINDING_VERSION = 3
           # The level of TeamServer compliance our traces meet
-          CURRENT_FINDING_VERSION = 2
+          CURRENT_FINDING_VERSION = 4
 
           class << self
             # This is called from within our woven proc. It will be called as if it
@@ -89,13 +92,12 @@ module Contrast
 
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
-              finding.version = CURRENT_FINDING_VERSION
-
               build_from_source(finding, source)
               trigger_event = Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
               finding.events << trigger_event
               build_hash(finding, source)
               finding.routes << context.route if context.route
+              finding.version = determine_compliance_version(finding)
               context.activity.findings << finding
               logger.trace('Finding created',
                            node_id: trigger_node.id,
@@ -211,8 +213,8 @@ module Contrast
             def apply_dataflow_rule context, trigger_node, source, object, ret, *args
               return unless source
 
-              if Contrast::Utils::DuckUtils.quacks_to?(source, :cs__properties)
-                return unless source.cs__tracked?
+              if Contrast::Agent::Assess::Tracker.trackable?(source)
+                return unless Contrast::Agent::Assess::Tracker.tracked?(source)
                 return unless trigger_node.violated?(source)
 
                 build_finding(context, trigger_node, source, object, ret, *args)
@@ -226,30 +228,31 @@ module Contrast
                   apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
                 end
               else
-                logger.warn('Trigger source is of unknown type. Unable to inspect.',
-                            node_id: trigger_node.id,
-                            source_id: source.__id__,
-                            source_type: source.cs__class.to_s)
+                logger.debug('Trigger source is untrackable. Unable to inspect.',
+                             node_id: trigger_node.id,
+                             source_id: source.__id__,
+                             source_type: source.cs__class.to_s,
+                             frozen: source.cs__frozen?)
                 logger.trace(source.to_s[0..99])
               end
             end
 
             def build_from_source finding, source
               return unless source
-              return unless Contrast::Utils::DuckUtils.quacks_to?(
-                  source,
-                  :cs__properties)
-              return unless source.cs__properties
+              return unless Contrast::Agent::Assess::Tracker.trackable?(source)
+
+              properties = Contrast::Agent::Assess::Tracker.properties(source)
+              return unless properties
 
               # events could technically be nil, but we would have failed
               # the rule check before getting here. not worth the nil check
-              source.cs__properties.events.each do |event|
+              properties.events.each do |event|
                 finding.events << event.to_dtm_event
               end
 
               # Google::Protobuf::Map doesn't support merge!, so we have to do this
               # long form
-              source_props = source.cs__properties.properties
+              source_props = properties.properties
               return unless source_props
 
               source_props.each_pair do |key, value|
@@ -263,6 +266,26 @@ module Contrast
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
             end
+
+            # Because our APIs are not versioned, TeamServer relies on a field,
+            # version, to tell it what, if any, validation it can preform on
+            # the findings we send it. Examine the finding and determine the
+            # level to which it conforms.
+            #
+            # @param finding [Contrast::Api::Dtm::Finding]
+            # @return [int] the version of compliance
+            def determine_compliance_version finding
+              return MINIMUM_FINDING_VERSION unless finding
+              # as routes are the only variable between findings, in the case
+              # where we couldn't determine one, any finding with a route is at
+              # maximum compliance
+              return CURRENT_FINDING_VERSION if finding.routes.any?
+              # any finding without events is not of a dataflow type and
+              # therefore at maximum compliance
+              return CURRENT_FINDING_VERSION unless finding.events.any?
+
+              MINIMUM_FINDING_VERSION
+            end
           end
         end
       end