contrast-agent 3.14.0 → 3.15.0

data/lib/contrast/extension/assess/erb.rb

@@ -7,21 +7,24 @@ module ERBPropagator
     def result_tagger patcher, preshift, ret, _block
       return unless preshift.args.length >= 1
 
+      properties = Contrast::Agent::Assess::Tracker.properties(ret)
+      return unless properties
+
       used_binding = preshift.args[0]
       binding_variable_set = used_binding.local_variables
 
       erb_pre_result = preshift.object.src
       binding_variable_set.each do |bound_var_symbol|
         bound_variable_value = used_binding.local_variable_get(bound_var_symbol)
-        next unless bound_variable_value.cs__respond_to?(:cs__tracked?) && bound_variable_value.cs__tracked?
+        next unless Contrast::Agent::Assess::Tracker.tracked?(bound_variable_value)
         next unless erb_pre_result.include?(bound_var_symbol.to_s)
 
         start_index = ret.index(bound_variable_value)
         next if start_index.nil?
 
-        ret.cs__copy_from(bound_variable_value, start_index)
+        properties.copy_from(bound_variable_value, ret, start_index)
       end
-      ret.cs__properties.build_event(
+      properties.build_event(
           patcher,
           ret,
           preshift.object,

data/lib/contrast/extension/assess/fiber.rb

@@ -54,7 +54,6 @@ module Contrast
         class << self
           def track_rb_fiber_yield fiber, _method, results
             return unless ASSESS.enabled?
-            return unless Contrast::Utils::DuckUtils.trackable?(fiber)
 
             # results will be nil if StopIteration was raised,
             # otherwise an Array of the yielded arguments
@@ -62,11 +61,11 @@ module Contrast
 
             with_contrast_scope do
               results.each do |result|
-                next unless Contrast::Utils::DuckUtils.trackable?(result)
-                next if result.cs__frozen?
+                result_properties = Contrast::Agent::Assess::Tracker.properties(result)
+                next unless result_properties
 
-                fiber.cs__splat_tags(result)
-                result.cs__properties.build_event(
+                result_properties.splat_from(fiber, result)
+                result_properties.build_event(
                     FIBER_YIELD_NODE,
                     result,
                     fiber,
@@ -80,13 +79,14 @@ module Contrast
 
           def track_rb_fiber_new fiber, _enum, _enum_method, underlying, _underlying_method
             return unless ASSESS.enabled?
-            return unless Contrast::Utils::DuckUtils.trackable?(fiber)
-            return unless Contrast::Utils::DuckUtils.trackable?(underlying)
             return unless underlying.is_a?(String) && !underlying.empty?
 
             with_contrast_scope do
-              underlying.cs__splat_tags(fiber)
-              fiber.cs__properties.build_event(
+              properties = Contrast::Agent::Assess::Tracker.properties(fiber)
+              return unless properties
+
+              properties.splat_from(underlying, fiber)
+              properties.build_event(
                   FIBER_NEW_NODE,
                   fiber,
                   underlying,

data/lib/contrast/extension/assess/hash.rb

@@ -15,10 +15,9 @@ module Contrast
         class << self
           def cs__duplicate_and_freeze object
             return object unless object.is_a?(String) && !object.cs__frozen?
-            return object unless object.cs__tracked?
+            return object unless Contrast::Agent::Assess::Tracker.tracked?(object)
 
-            ret = object.dup
-            object.cs__transfer_properties(ret)
+            ret = Contrast::Agent::Assess::Tracker.duplicate(object)
             ret.cs__freeze
           rescue StandardError
             # we'll rescue this error, but we can't log it here as that will

data/lib/contrast/extension/assess/kernel.rb

@@ -39,12 +39,15 @@ module Contrast
           # oh, and there's also %<name>type and %{name}... b/c of course there is
           # -HM
           def sprintf_tagger patcher, preshift, ret, _block
+            properties = Contrast::Agent::Assess::Tracker.properties(ret)
+            return unless properties
+
             format_string = preshift.args[0]
             args = preshift.args[1]
 
             track_sprintf(ret, format_string, args)
 
-            ret.cs__properties.build_event(
+            properties.build_event(
                 patcher,
                 ret,
                 preshift.object,
@@ -85,12 +88,16 @@ module Contrast
           private
 
           def handle_sprintf_value value, result
-            return unless Contrast::Utils::DuckUtils.trackable?(value) && value.cs__tracked?
+            properties = Contrast::Agent::Assess::Tracker.properties(result)
+            return unless properties
+
+            value_properties = Contrast::Agent::Assess::Tracker.properties(value)
+            return unless value_properties
 
-            value.cs__properties.events.each do |event|
-              result.cs__properties.events << event
+            value_properties.events.each do |event|
+              properties.events << event
             end
-            value.cs__splat_tags(result)
+            properties.splat_from(value, result)
           end
 
           def handle_sprintf_array args, result

data/lib/contrast/extension/assess/marshal.rb

@@ -22,7 +22,7 @@ module Contrast
 
             # Since we know this is the source of the trigger, we can do some
             # optimization here and return when it is not tracked
-            return unless Contrast::Utils::Assess::TrackingUtil.tracked?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
 
             # source might not be all the args passed in, but it is the one we care
             # about. we could pass in all the args in the last param here if it
@@ -34,7 +34,8 @@ module Contrast
                 self,
                 ret,
                 source)
-            ret.cs__copy_from(source) if ret.cs__respond_to?(:cs__copy_from)
+            properties = Contrast::Agent::Assess::Tracker.properties(ret)
+            properties.copy_from(source, ret)
           rescue StandardError => e
             logger.error('Unable to determine if a trigger occurred in Marshal.load', e)
           end

data/lib/contrast/extension/assess/regexp.rb

@@ -47,8 +47,6 @@ module Contrast
             return if scope_for_current_ec.instance_variable_get(:@contrast_scope) > 1
 
             target = info_hash[:back_ref]
-            return unless Contrast::Utils::DuckUtils.trackable?(target)
-
             with_contrast_scope do
               result = info_hash[:result]
               return unless result
@@ -56,8 +54,11 @@ module Contrast
               string = info_hash[:string]
               return unless string
 
-              string.cs__splat_tags(target)
-              target.cs__properties.build_event(
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
+              return unless properties
+
+              properties.splat_from(string, target)
+              properties.build_event(
                   REGEXP_EQUAL_SQUIGGLE_NODE,
                   target,
                   self,

data/lib/contrast/extension/assess/string.rb

@@ -3,13 +3,6 @@
 
 require 'contrast/agent/assess/policy/propagation_node'
 require 'contrast/components/interface'
-require 'contrast/extension/assess/assess_extension'
-
-# This patch installs our extension as early as possible. The alternative is to
-# litter our code with Contrast::Utils::DuckUtils.trackable? checks.
-class String
-  include Contrast::Extension::Assess::AssessExtension
-end
 
 module Contrast
   module Extension
@@ -40,16 +33,21 @@ module Contrast
           def track_interpolation inputs, result
             return unless AGENT.interpolation_enabled?
             return if in_contrast_scope?
-            return unless inputs.any?(&:cs__tracked?)
+            return unless inputs.any? { |input| Contrast::Agent::Assess::Tracker.tracked?(input) }
 
             with_contrast_scope do
+              properties = Contrast::Agent::Assess::Tracker.properties(result)
+              return unless properties
+
               offset = 0
               inputs.each do |input|
-                result.cs__copy_from(input, offset)
+                properties.copy_from(input, result, offset)
                 offset += input.length
               end
-              result.cs__properties.build_event(INTERPOLATION_NODE, result, inputs, result, inputs)
+              properties.build_event(INTERPOLATION_NODE, result, inputs, result, inputs)
             end
+          rescue StandardError => e
+            logger.error('Unable to track interpolation', e)
           end
 
           def instrument_string

data/lib/contrast/framework/rack/patch/session_cookie.rb

@@ -67,12 +67,10 @@ module Contrast
                   options,
                   safe_default: false)
 
-              with_contrast_scope do
-                cs__report_finding(
-                    CS__SECURE_RULE_NAME,
-                    options,
-                    caller_locations(10, 9)[0])
-              end
+              cs__report_finding(
+                  CS__SECURE_RULE_NAME,
+                  options,
+                  caller_locations(10, 9)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to secure session', e)
@@ -88,12 +86,10 @@ module Contrast
                                                 safe_default: false,
                                                 comparison_type: :greater_than)
 
-              with_contrast_scope do
-                cs__report_finding(
-                    CS__SESSION_TIMEOUT_NAME,
-                    options,
-                    caller_locations(10, 9)[0])
-              end
+              cs__report_finding(
+                  CS__SESSION_TIMEOUT_NAME,
+                  options,
+                  caller_locations(10, 9)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to set session timeout', e)
@@ -105,12 +101,10 @@ module Contrast
             def apply_httponly options
               return unless vulnerable_setting?(:httponly, true, options)
 
-              with_contrast_scope do
-                cs__report_finding(
-                    CS__HTTPONLY_NAME,
-                    options,
-                    caller_locations(10, 9)[0])
-              end
+              cs__report_finding(
+                  CS__HTTPONLY_NAME,
+                  options,
+                  caller_locations(10, 9)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to httponly', e)

data/lib/contrast/framework/rails/patch/assess_configuration.rb

@@ -12,7 +12,7 @@ module Contrast
         module AssessConfiguration
           include Contrast::Components::Interface
 
-          access_component :agent, :analysis, :logging, :scope
+          access_component :agent, :analysis, :logging
 
           CS__SESSION_TIMEOUT_NAME = 'session-timeout'
           SAFE_SESSION_TIMEOUT = (30 * 60 * 1000)
@@ -52,9 +52,7 @@ module Contrast
               return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args, comparison_type: :greater_than, safe_default: false)
 
               rails_session_settings = args[1]
-              with_contrast_scope do
-                cs__report_finding(CS__SESSION_TIMEOUT_NAME, rails_session_settings, caller_locations(6, 5)[0])
-              end
+              cs__report_finding(CS__SESSION_TIMEOUT_NAME, rails_session_settings, caller_locations(3, 2)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to set session timeout', e)
@@ -68,9 +66,7 @@ module Contrast
               return unless vulnerable_setting?(:secure, true, args)
 
               rails_session_settings = args[1]
-              with_contrast_scope do
-                cs__report_finding(CS__SECURE_RULE_NAME, rails_session_settings, caller_locations(6, 5)[0])
-              end
+              cs__report_finding(CS__SECURE_RULE_NAME, rails_session_settings, caller_locations(3, 2)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to disable secure cookies', e)
@@ -84,9 +80,7 @@ module Contrast
               return unless vulnerable_setting?(:httponly, true, args)
 
               rails_session_settings = args[1]
-              with_contrast_scope do
-                cs__report_finding(CS__HTTPONLY_RULE_NAME, rails_session_settings, caller_locations(6, 5)[0])
-              end
+              cs__report_finding(CS__HTTPONLY_RULE_NAME, rails_session_settings, caller_locations(3, 2)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to disable httponly in session cookie', e)

data/lib/contrast/framework/rails/support.rb

@@ -118,6 +118,8 @@ module Contrast
 
           # Rails engine routes need to be detected by inspecting Engine class route set
           def find_all_routes app, route_list
+            return route_list unless app.cs__respond_to?(:routes) && app.routes.cs__respond_to?(:routes)
+
             app.routes.routes.each do |route|
               if route.cs__respond_to?(:app) && route.app.cs__class == ActionDispatch::Routing::RouteSet::Dispatcher
                 route_list << Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route)

data/lib/contrast/logger/application.rb

@@ -33,9 +33,17 @@ module Contrast
       def application_configuration
         return unless info?
 
-        loggable = CONFIG.raw.send(:load_config)
-        loggable.delete('api')
-        info('Current configuration', configuration: JSON.pretty_generate(loggable))
+        loggable = CONFIG.raw.loggable
+        info('Current configuration', configuration: loggable)
+        env_keys = ENV.keys.select { |env_key| env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) }
+        env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }
+        env_translations = env_items.each_with_object({}) do |conversion, hash|
+          hash[conversion.key] = conversion.dot_path_array.join('.')
+        end
+        info('Set by environment', overrides: env_translations)
+      rescue StandardError => e
+        puts e
+        sleep(5)
       end
 
       def application_libraries

data/lib/contrast/utils/assess/tracking_util.rb

@@ -1,7 +1,9 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/tracker'
 require 'contrast/components/interface'
+require 'contrast/utils/duck_utils'
 
 module Contrast
   module Utils
@@ -23,6 +25,16 @@ module Contrast
             _tracked?(obj, 0)
           end
 
+          # Public interface to our tracking check, isolating the internals
+          # required for recursion.
+          #
+          # @param obj [Object] the thing to check if tracked
+          # @return [Boolean] if the obj, or something in it if a collection, is
+          #   tracked.
+          def trackable? obj
+            _trackable?(obj, 0)
+          end
+
           private
 
           # Sometimes things are nested inside of each other, such as an Array
@@ -49,10 +61,8 @@ module Contrast
               obj.any? do |ele|
                 _tracked?(ele, idx) unless obj == ele
               end
-            elsif Contrast::Utils::DuckUtils.quacks_to?(obj, :cs__tracked?)
-              obj.cs__tracked?
             else
-              false
+              Contrast::Agent::Assess::Tracker.tracked?(obj)
             end
           rescue StandardError => e
             # This is used to ask if a ton of objects are tracked. They may not
@@ -61,6 +71,41 @@ module Contrast
             logger.warn('Failed to determine tracking', e, module: obj.cs__class)
             false
           end
+
+          # Sometimes things are nested inside of each other, such as an Array
+          # holding a Hash, holding that Array. In those cases, rather than
+          # entering an infinite loop, we'll break out.
+          # Right now, that level of nesting has been arbitrarily set to 10.
+          #
+          # @param obj [Object] the thing to check if trackable
+          # @param idx [Integer] the number of levels nested we've gone
+          # @return [Boolean] if the obj, or something in it if a collection, is
+          #   trackable.
+          def _trackable? obj, idx
+            return false if obj.nil?
+            return false if idx > 10
+
+            idx += 1
+            if Contrast::Utils::DuckUtils.iterable_hash?(obj)
+              obj.each_pair do |k, v|
+                return true if _trackable?(k, idx)
+                return true if _trackable?(v, idx)
+              end
+              false
+            elsif Contrast::Utils::DuckUtils.iterable_enumerable?(obj)
+              obj.any? do |ele|
+                _trackable?(ele, idx) unless obj == ele
+              end
+            else
+              Contrast::Agent::Assess::Tracker.trackable?(obj)
+            end
+          rescue StandardError => e
+            # This is used to ask if a ton of objects are tracked. They may not
+            # all be iterable. Bad things could happen in some cases, like when
+            # checking a closed statement for SQL injection trigger events
+            logger.warn('Failed to determine trackable', e, module: obj.cs__class)
+            false
+          end
         end
       end
     end

data/lib/contrast/utils/duck_utils.rb

@@ -62,16 +62,6 @@ module Contrast
           # otherwise, don't risk it
           false
         end
-
-        # This method will return true if the object being checked has been patched
-        # to have the cs__properties field. We check the cs__tracked? method since it
-        # is side effect free (ie doesn't cause the properties object to be created).
-        def trackable? object
-          return true if object.cs__respond_to?(:cs__tracked?)
-          return false unless object.is_a?(Delegator)
-
-          object.cs__delegator_respond_to?(:cs__tracked?)
-        end
       end
     end
   end

data/lib/contrast/utils/env_configuration_item.rb

@@ -10,10 +10,11 @@ module Contrast
       END_UNDERSCORE   = /(_+)$/.cs__freeze
       REPEATING_UNDERSCORE = /_{3,}/.cs__freeze
 
-      attr_reader :value, :dot_path_array
+      attr_reader :value, :dot_path_array, :key
 
       def initialize key, value
         key = EnvConfigurationItem.resolve_corrected_path(key)
+        @key = key
         @dot_path_array = key.downcase.split(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE)
         @value = value
 

data/lib/contrast/utils/invalid_configuration_util.rb

@@ -9,7 +9,7 @@ module Contrast
     # customer applications, as determined by Configuration Rules at runtime.
     module InvalidConfigurationUtil
       include Contrast::Components::Interface
-      access_component :analysis, :app_context, :logging
+      access_component :analysis, :app_context, :logging, :scope
 
       CS__PATH = 'path'
       CS__SESSION_ID = 'sessionId'
@@ -23,28 +23,30 @@ module Contrast
       # @param call_location [Thread::Backtrace::Location] the location where
       #   the bad configuration was set
       def cs__report_finding rule_id, user_provided_options, call_location
-        finding = Contrast::Api::Dtm::Finding.new
-        finding.rule_id = rule_id
-        path = call_location.path
-        # just get the file name, not the full path
-        path = path.split(Contrast::Utils::ObjectShare::SLASH).last
-        session_id = user_provided_options[:key].to_s if user_provided_options
+        with_contrast_scope do
+          finding = Contrast::Api::Dtm::Finding.new
+          finding.rule_id = rule_id
+          path = call_location.path
+          # just get the file name, not the full path
+          path = path.split(Contrast::Utils::ObjectShare::SLASH).last
+          session_id = user_provided_options[:key].to_s if user_provided_options
 
-        finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
-        finding.properties[CS__SESSION_ID] = Contrast::Utils::StringUtils.force_utf8(session_id)
-        finding.properties[CS__PATH] = Contrast::Utils::StringUtils.force_utf8(path)
-        file_path = call_location.absolute_path
-        snippet = file_snippet(file_path, call_location)
-        finding.properties[CS__SNIPPET] = Contrast::Utils::StringUtils.force_utf8(snippet)
+          finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
+          finding.properties[CS__SESSION_ID] = Contrast::Utils::StringUtils.force_utf8(session_id)
+          finding.properties[CS__PATH] = Contrast::Utils::StringUtils.force_utf8(path)
+          file_path = call_location.absolute_path
+          snippet = file_snippet(file_path, call_location)
+          finding.properties[CS__SNIPPET] = Contrast::Utils::StringUtils.force_utf8(snippet)
 
-        hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
-        finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
-        finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
+          hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
+          finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
+          finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
 
-        activity = Contrast::Api::Dtm::Activity.new
-        activity.findings << finding
+          activity = Contrast::Api::Dtm::Activity.new
+          activity.findings << finding
 
-        Contrast::Agent.messaging_queue.send_event_eventually(activity)
+          Contrast::Agent.messaging_queue.send_event_eventually(activity)
+        end
       rescue StandardError => e
         logger.error('Unable to build a finding', e, rule: rule_id)
       end