contrast-agent 3.14.0 → 3.15.0

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -100,16 +100,17 @@ module Contrast
             # if the source isn't tracked, there can't be a violation
             # this condition may not hold true forever, but for now it's
             # a nice optimization
-            return false unless source.cs__tracked?
+            return false unless Contrast::Agent::Assess::Tracker.tracked?(source)
 
+            properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = find_ranges_by_all_tags(Contrast::Utils::StringUtils.ret_length(source), source.cs__properties, required_tags)
+            vulnerable_ranges = find_ranges_by_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 
             # find the ranges that are exempt from the rule
             # (validated, sanitized, etc)
-            secure_ranges = find_ranges_by_any_tag(source.cs__properties, disallowed_tags)
+            secure_ranges = find_ranges_by_any_tag(properties, disallowed_tags)
             # if there are vulnerable ranges and no secure, report
             return true if secure_ranges.empty?
 
@@ -178,27 +179,27 @@ module Contrast
           # @param length [Integer] the length of the object which may have the
           #   given tags -- used as the maximum index to search for all of the
           #   tags.
-          # @param cs__properties [Contrast::Agent::Assess::Properties] the
+          # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
           # @param tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def find_ranges_by_all_tags length, cs__properties, tags
+          def find_ranges_by_all_tags length, properties, tags
             # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless cs__properties.tracked?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
 
             # :zap: faster to treat all as any if there's only one tag
-            return find_ranges_by_any_tag(cs__properties, tags) if tags.length == 1
+            return find_ranges_by_any_tag(properties, tags) if tags.length == 1
 
             ranges = []
             # TODO: RUBY-946 clean this up, perhaps with
-            #   tags.each { |tag| applicable << cs__properties.fetch_tag(tag) }
+            #   tags.each { |tag| applicable << properties.fetch_tag(tag) }
             #   return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless applicable.length == tags.length
             #   ...
             # find all the indicies on the source that have all the given tags
             (0..length).each do |idx|
-              tags_at = cs__properties.tags_at(idx)
+              tags_at = properties.tags_at(idx)
               ranges << idx if tags.all? do |tag|
                 found = false
                 tags_at.each do |tag_at|
@@ -227,19 +228,19 @@ module Contrast
 
           # Find the ranges that satisfy any of the given tags.
           #
-          # @param cs__properties [Contrast::Agent::Assess::Properties] the
+          # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
           # @param tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def find_ranges_by_any_tag cs__properties, tags
+          def find_ranges_by_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless cs__properties.tracked?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
 
             ranges = []
             tags.each do |desired|
-              found = cs__properties.fetch_tag(desired)
+              found = properties.fetch_tag(desired)
               next unless found
 
               # we need to dup here so that we don't change the tags if target is

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -38,7 +38,8 @@ module Contrast
               finish = match.begin(:path)
               finish ||= url.length
 
-              args[0].cs__properties.any_tags_between?(start, finish)
+              properties = Contrast::Agent::Assess::Tracker.properties(args[0])
+              properties.any_tags_between?(start, finish)
             end
           end
         end

data/lib/contrast/agent/assess/properties.rb

@@ -5,6 +5,7 @@ require 'base64'
 require 'set'
 require 'contrast/agent/assess/property/evented'
 require 'contrast/agent/assess/property/tagged'
+require 'contrast/agent/assess/property/updated'
 require 'contrast/utils/prevent_serialization'
 
 module Contrast
@@ -20,6 +21,7 @@ module Contrast
         include Contrast::Utils::PreventSerialization
         include Contrast::Agent::Assess::Property::Evented
         include Contrast::Agent::Assess::Property::Tagged
+        include Contrast::Agent::Assess::Property::Updated
 
         attr_accessor :dupped_from
 

data/lib/contrast/agent/assess/property/updated.rb

@@ -0,0 +1,136 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/duck_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Property
+        # This module serves to hold the functionality required for the
+        # update of properties as they go through dataflow.
+        module Updated
+          # copy tags and info from source's properties to self
+          # @param source [Object] the object from which existing properties
+          #   should be copied.
+          # @param owner [Object] the object to which these properties apply.
+          # @param shift [Integer] (0) how far to shift the tags during copy,
+          #   useful for insert and append operations.
+          # @param skip_tags [Set<String>] (nil) the tags to not copy over,
+          #   useful for propagation events that have 'untags'.
+          def copy_from source, owner, shift = 0, skip_tags = nil
+            return if owner.equal?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+
+            original = Contrast::Agent::Assess::Tracker.properties(source)
+            return unless original
+
+            adjust_duplicate(original)
+
+            original.events.each do |event|
+              events << event
+            end
+
+            original.tag_keys.each do |key|
+              next if skip_tags&.include?(key)
+
+              existing = tags[key]
+              had_existing = existing.any?
+              value = original.fetch_tag(key)
+              value.each do |tag|
+                existing << tag.copy_modified(shift)
+              end
+              Contrast::Utils::TagUtil.size_aware_merge(owner, existing) if had_existing
+            end
+          end
+
+          # Some propagation occurred, but we're not sure what the
+          # exact transformation was. To be safe, we just explode
+          # all the tags from the source to the return.
+          #
+          # If the return already had that tag, the existing tag
+          # range is recycled to save us an object.
+          #
+          # @param source [Object] the object from which existing properties
+          #   should be copied.
+          # @param owner [Object] the object to which these properties apply.
+          def splat_from source, owner
+            splat_length = Contrast::Utils::StringUtils.ret_length(owner)
+            return if splat_length.zero?
+
+            splat_from_ret(splat_length)
+            splat_from_source(source, splat_length)
+            cleanup_tags
+          end
+
+          private
+
+          # Because of how our tracking works now, sometimes the Source and
+          # Target are the same, but their IDs in our map will be different due
+          # to PreShift duplication. To account for this, we have to ensure that
+          # the Object we're copying from does not have the same Properties
+          # that the Object we're copying to does. If they are the same, wipe the
+          # Target so that the copy method can update events and ranges as
+          # necessary.
+          # DO NOT TAKE THIS OUT!
+          def adjust_duplicate original
+            reset_properties if original == self
+            reset_properties if original.__id__ == dupped_from
+            reset_properties if original.dupped_from == __id__
+          end
+
+          # Wipe out the instance variables on this Properties instance,
+          # allowing them to be rebuilt.
+          def reset_properties
+            @_tags = nil
+            @_events = nil
+            @_properties = nil
+          end
+
+          # Splat all the tags from the source to this set of Properties
+          #
+          # @param source [Object] the object from which tags will be copied
+          #   and splatted.
+          # @param splat_length [Integer] the length to which to to set all
+          #   tags.
+          def splat_from_source source, splat_length
+            properties = Contrast::Agent::Assess::Tracker.properties(source)
+            return unless properties
+
+            properties.tag_keys.each do |key|
+              existing = fetch_tag(key)
+              # if the tag already exists, drop all but the first range
+              # then change that range to cover the entire return
+              if existing
+                existing.drop(existing.length - 1)
+                range = existing[0]
+                range.repurpose(0, splat_length)
+              else
+                add_tag(key, 0...splat_length)
+              end
+            end
+          end
+
+          # Splat all the tags existing on this set of Properties
+          #
+          # @param splat_length [Integer] the length to which to to set all
+          #   tags.
+          def splat_from_ret splat_length
+            return unless tracked?
+
+            tag_keys.each do |key|
+              next unless key
+
+              existing = fetch_tag(key)
+              next unless existing
+
+              existing.each do |range|
+                range.repurpose(0, splat_length)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/tracker.rb

@@ -0,0 +1,66 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/finalizers/hash'
+
+module Contrast
+  module Agent
+    module Assess
+      # How we track the Assess properties attached to objects
+      #
+      # Finalized objects should run through this class as the Finalizers
+      # have tightly coupled dependencies on each other.
+      class Tracker
+        PROPERTIES_HASH = Contrast::Agent::Assess::Finalizers::Hash.new
+
+        class << self
+          def properties source
+            return unless trackable?(source)
+
+            PROPERTIES_HASH[source] ||= Contrast::Agent::Assess::Properties.new
+          end
+
+          def trackable? source
+            PROPERTIES_HASH.trackable?(source)
+          end
+
+          def tracked? source
+            PROPERTIES_HASH.tracked?(source)
+          end
+
+          def pre_freeze source
+            PROPERTIES_HASH.pre_freeze(source)
+          end
+
+          # Copy the properties from one object to the next, assuming the
+          # target does not already have its own properties.
+          #
+          # @param source [Object] the instance from which to copy properties
+          # @param target [Object] the instance to which to copy properties
+          def copy source, target
+            PROPERTIES_HASH[target] ||= properties(source).dup
+          end
+
+          # Duplicate the given object, returning the duplicate after copying
+          # the properties of the original and storing them as the properties
+          # of the duplicate.
+          #
+          # @param source [Object] the thing to duplicate
+          # @return [Object] the duplicate of the original, or the original if
+          #   it does not respond to duplication
+          def duplicate source
+            return source unless source
+
+            duplicate = source.dup
+            PROPERTIES_HASH[duplicate] ||= PROPERTIES_HASH[source].dup
+            duplicate
+          rescue StandardError
+            source
+          end
+        end
+      end
+    end
+  end
+end
+
+require 'contrast/agent/assess/finalizers/freeze'

data/lib/contrast/agent/class_reopener.rb

@@ -37,7 +37,7 @@ module Contrast
     #   being phased out with support for those language versions.
     class ClassReopener
       include Contrast::Components::Interface
-      access_component :logging
+      access_component :logging, :scope
 
       END_NEW_LINE = "end\n"
       PROTECTED_WITH_NEW_LINE = "protected\n"
@@ -101,11 +101,13 @@ module Contrast
       # Evaluate the patches that have been staged for this class, replacing
       # the method definitions with those our rewrite.
       def commit_patches
-        return unless staged_changes?
+        with_contrast_scope do
+          return unless staged_changes?
 
-        content = build_content
-        valid = Ripper.sexp(content)
-        unbound_eval(class_name, content) if !!valid && !class_name.empty?
+          content = build_content
+          valid = Ripper.sexp(content)
+          unbound_eval(class_name, content) if !!valid && !class_name.empty?
+        end
       end
 
       # Find the sourcecode of the method at the given location and return it

data/lib/contrast/agent/middleware.rb

@@ -13,7 +13,6 @@ require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
 
 require 'contrast/utils/timer'
-require 'contrast/utils/freeze_util'
 
 module Contrast
   module Agent

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -77,19 +77,21 @@ module Contrast
             # This method is called by TracePointHook to instrument a specific class during a require
             # or eval of dynamic class definition
             def patch_specific_module mod
-              mod_name = mod.cs__name
-              return unless Contrast::Utils::ClassUtil.truly_defined?(mod_name)
-              return if AGENT.skip_instrumentation?(mod_name)
+              with_contrast_scope do
+                mod_name = mod.cs__name
+                return unless Contrast::Utils::ClassUtil.truly_defined?(mod_name)
+                return if AGENT.skip_instrumentation?(mod_name)
 
-              load_patches_for_module(mod_name)
+                load_patches_for_module(mod_name)
 
-              return unless all_module_names.any? { |name| name == mod_name }
+                return unless all_module_names.any? { |name| name == mod_name }
 
-              module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
-              patch_into_module(module_data)
-              all_module_names.delete(mod_name) if status_type.get_status(mod).patched?
-            rescue StandardError => e
-              logger.error('Unable to patch module', e, module: mod_name)
+                module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
+                patch_into_module(module_data)
+                all_module_names.delete(mod_name) if status_type.get_status(mod).patched?
+              rescue StandardError => e
+                logger.error('Unable to patch module', e, module: mod_name)
+              end
             end
 
             # We did it, team. We found a patcher(s) that applies to the given
@@ -186,7 +188,7 @@ module Contrast
               clazz = module_data.mod
 
               status.patching!
-              patched = include_module(module_data)
+              patched = false
 
               counts = 0
               # Monkey patch any methods in this class that have matching nodes in the policy
@@ -219,17 +221,6 @@ module Contrast
                                module_data.mod).patch_status)
             end
 
-            # Includes the given module with the
-            # Contrast::Extension::Assess::AssessExtension
-            # @param module_data [Contrast::Agent::ModuleData] the module, and
-            #   its name, that's being patched into
-            def include_module module_data
-              return false unless Contrast::Agent::Assess::Policy::Policy.instance.tracked_classes.include?(module_data.name)
-
-              module_data.mod.send(:include, Contrast::Extension::Assess::AssessExtension)
-              true
-            end
-
             # Get all of the instance methods on the given module, excluding
             # those from super classes. this list will always include the
             # initialize method

data/lib/contrast/agent/patching/policy/policy.rb

@@ -37,13 +37,12 @@ module Contrast
 
           access_component :analysis, :logging
 
-          attr_reader :sources, :propagators, :triggers, :providers, :tracked_classes
+          attr_reader :sources, :propagators, :triggers, :providers
 
           SOURCES_KEY =          'sources'
           PROPAGATION_KEY =      'propagators'
           RULES_KEY = 'rules'
           TRIGGERS_KEY = 'triggers'
-          TRACKED_CLASSES_KEY = 'tracked_classes'
 
           def self.policy_json
             File.join(policy_folder, 'policy.json').cs__freeze
@@ -54,7 +53,6 @@ module Contrast
             @propagators = []
             @triggers = []
             @providers = {}
-            @tracked_classes = []
 
             json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
             from_hash_string(json)
@@ -114,7 +112,6 @@ module Contrast
           def module_names
             @_module_names ||= begin
               m = Set.new
-              tracked_classes.each { |tracked| m << tracked }
               sources.each { |source| m << source.class_name }
               propagators.each { |propagator| m << propagator.class_name }
               triggers.each { |trigger| m << trigger.class_name }

data/lib/contrast/agent/response.rb

@@ -44,14 +44,9 @@ module Contrast
         context_response = Contrast::Api::Dtm::HttpResponse.new
         context_response.response_code = response_code.to_i
         headers&.each_pair do |key, value|
-          k = Contrast::Utils::StringUtils.force_utf8(key)
-          v = Contrast::Utils::StringUtils.force_utf8(value)
-          context_response.response_headers[k] = v
+          append_pair(context_response.normalized_response_headers, key, value)
         end
-        context_response.parsed_response_headers = true
-
         context_response.response_body_binary = Contrast::Utils::StringUtils.force_utf8(body)
-        context_response.parsed_response_body = false
 
         doc_type = document_type
         context_response.document_type = doc_type if doc_type
@@ -97,6 +92,22 @@ module Contrast
 
       private
 
+      # From the dtm for normalized_response_headers:
+      #   Key is UPPERCASE_UNDERSCORE
+      #
+      #   Example: Content-Type: text/html; charset=utf-8
+      #   "CONTENT_TYPE" => Content-Type,["text/html; charset=utf8"]
+      def append_pair map, key, value
+        return unless key && value
+        return if value.is_a?(Hash)
+
+        safe_key = Contrast::Utils::StringUtils.force_utf8(key)
+        hash_key = Contrast::Utils::StringUtils.normalized_key(safe_key)
+        map[hash_key] ||= Contrast::Api::Dtm::Pair.new
+        map[hash_key].key = safe_key
+        map[hash_key].values << Contrast::Utils::StringUtils.force_utf8(value)
+      end
+
       HTTP_PREFIX = /^[Hh][Tt][Tt][Pp][_-]/i.cs__freeze
 
       # Given some holder of the content of the response's body, extract that