contrast-agent 3.14.0 → 3.15.0

data/lib/contrast/utils/string_utils.rb

@@ -11,7 +11,7 @@ module Contrast
       access_component :logging
 
       UTF8 = 'utf-8'
-      HTTP_PREFIX = 'HTTP-'
+      HTTP_PREFIX = 'HTTP_'
 
       # Convenience method. We assume that we're working on Strings or tags
       # String representations of things. To that end, we'll to_s anything
@@ -69,6 +69,10 @@ module Contrast
       # Given a string return a normalized version of that string.
       # Keys are memoized so that the normalization process doesn't need
       # to happen every time.
+      #
+      # @param str [String] the String to normalize
+      # @return [String] a copy of the given String, upper cased, trimmed,
+      #   dashes replaced with underscore, and HTTP trimmed
       def self.normalized_key str
         return nil unless str
 
@@ -77,10 +81,11 @@ module Contrast
         if @_normalized_keys.key?(str)
           @_normalized_keys[str]
         else
-          up = str.upcase.strip
-          up = up.gsub(/[_-]/, '-')
-          up = up[5..-1] if up.start_with?(HTTP_PREFIX)
-          @_normalized_keys[str] = up
+          upped = str.upcase
+          stripped = upped.strip! || upped
+          trimmed = stripped.tr!('-', '_') || stripped
+          cut = trimmed.start_with?(HTTP_PREFIX) ? trimmed[5..-1] : trimmed
+          @_normalized_keys[str] = cut
         end
       end
     end

data/resources/assess/policy.json

@@ -1,14 +1,4 @@
 {
-  "tracked_classes": [
-    "ActionDispatch::Http::UploadedFile",
-    "Fiber",
-    "Symbol",
-    "Pathname",
-    "File",
-    "MatchData",
-    "URI::Generic",
-    "Rack::File::Iterator"
-  ],
   "sources":[
     {
       "class_name":"Rack::Request",

data/ruby-agent.gemspec

@@ -2,20 +2,6 @@
 # frozen_string_literal: true
 
 require_relative './lib/contrast/agent/version'
-require 'bundler'
-# https://github.com/grpc/grpc/issues/21514#issuecomment-581417788
-module BundlerHack
-  def __materialize__
-    if name == 'google-protobuf'
-      Bundler.settings.temporary(force_ruby_platform: true) do
-        super
-      end
-    else
-      super
-    end
-  end
-end
-Bundler::LazySpecification.prepend(BundlerHack)
 
 lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
@@ -36,6 +22,7 @@ def self.add_dev_dependencies spec
   spec.add_development_dependency 'amazing_print'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'climate_control' # mock ENV
+  spec.add_development_dependency 'debase'
   spec.add_development_dependency 'debride'
   spec.add_development_dependency 'execjs'
   spec.add_development_dependency 'factory_bot'
@@ -53,6 +40,7 @@ def self.add_dev_dependencies spec
   spec.add_development_dependency 'rubocop', '0.89.1'
   spec.add_development_dependency 'rubocop-performance', '1.7.1'
   spec.add_development_dependency 'rubocop-rspec', '1.42.0'
+  spec.add_development_dependency 'ruby-debug-ide'
   spec.add_development_dependency 'simplecov', '~> 0.18'
   spec.add_development_dependency 'sinatra', '>= 2'
   spec.add_development_dependency 'sqlite3', '1.3.9'
@@ -71,7 +59,7 @@ def self.add_dependencies spec
   spec.add_dependency 'ougai', '~> 1.8'
   spec.add_dependency 'parser', '~> 2.6'
   spec.add_dependency 'protobuf', '~> 3.10'
-  spec.add_dependency 'rack', '>= 2.0', '< 3.0'
+  spec.add_dependency 'rack', '~> 2.0'
 end
 
 # Enumerate the files required to build the Agent.
@@ -95,6 +83,19 @@ def self.add_files spec
   spec.files += Dir['service_executables/**/*']
   spec.files += Dir['funchook/**/*']
   spec.files += Dir['shared_libraries/**/*']
+
+  # Clean up compiled funchook files that may have been generated during
+  # testing. Only a concern locally, but better than leaving it to chance.
+  spec.files.delete_if do |file|
+    file.end_with?('ext/libfunchook.dylib',
+                   'ext/libfunchook.so',
+                   'ext/funchook.h',
+                   'shared_libraries/libfunchook.dylib',
+                   'shared_libraries/libfunchook.so',
+                   'shared_libraries/funchook.h',
+                   'funchook/src/libfunchook.dylib',
+                   'funchook/src/libfunchook.so')
+  end
 end
 
 def self.add_metadata spec

data/service_executables/VERSION

@@ -1 +1 @@
-2.11.1
+2.12.0

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 3.14.0
+  version: 3.15.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-08-20 00:00:00.000000000 Z
+date: 2020-09-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: amazing_print
@@ -56,6 +56,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: debase
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: debride
   requirement: !ruby/object:Gem::Requirement
@@ -294,6 +308,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 1.42.0
+- !ruby/object:Gem::Dependency
+  name: ruby-debug-ide
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -438,22 +466,16 @@ dependencies:
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.0'
 description: This gem instantiates a Rack middleware for rack-based web applications
   in order to provide Interactive Application Security Testing and Protection.
 email:
@@ -462,20 +484,20 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__assess_string/extconf.rb
-- ext/cs__assess_active_record_named/extconf.rb
-- ext/cs__assess_hash/extconf.rb
 - ext/cs__assess_yield_track/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
 - ext/cs__assess_module/extconf.rb
+- ext/cs__assess_active_record_named/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_string/extconf.rb
+- ext/cs__assess_fiber_track/extconf.rb
 - ext/cs__assess_regexp/extconf.rb
-- ext/cs__protect_kernel/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
 - ext/cs__assess_kernel/extconf.rb
+- ext/cs__assess_hash/extconf.rb
 - ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
 - ext/cs__assess_array/extconf.rb
+- ext/cs__protect_kernel/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__assess_string_interpolation26/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -674,7 +696,6 @@ files:
 - lib/contrast/agent/assess/contrast_event.rb
 - lib/contrast/agent/assess/events/event_factory.rb
 - lib/contrast/agent/assess/events/source_event.rb
-- lib/contrast/agent/assess/finalizers/finalize.rb
 - lib/contrast/agent/assess/finalizers/freeze.rb
 - lib/contrast/agent/assess/finalizers/hash.rb
 - lib/contrast/agent/assess/policy/dynamic_source_factory.rb
@@ -719,6 +740,7 @@ files:
 - lib/contrast/agent/assess/properties.rb
 - lib/contrast/agent/assess/property/evented.rb
 - lib/contrast/agent/assess/property/tagged.rb
+- lib/contrast/agent/assess/property/updated.rb
 - lib/contrast/agent/assess/rule.rb
 - lib/contrast/agent/assess/rule/base.rb
 - lib/contrast/agent/assess/rule/provider.rb
@@ -727,6 +749,7 @@ files:
 - lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb
 - lib/contrast/agent/assess/rule/redos.rb
 - lib/contrast/agent/assess/tag.rb
+- lib/contrast/agent/assess/tracker.rb
 - lib/contrast/agent/at_exit_hook.rb
 - lib/contrast/agent/class_reopener.rb
 - lib/contrast/agent/deadzone/policy/deadzone_node.rb
@@ -858,7 +881,6 @@ files:
 - lib/contrast/configuration.rb
 - lib/contrast/extension/assess.rb
 - lib/contrast/extension/assess/array.rb
-- lib/contrast/extension/assess/assess_extension.rb
 - lib/contrast/extension/assess/erb.rb
 - lib/contrast/extension/assess/eval_trigger.rb
 - lib/contrast/extension/assess/exec_trigger.rb
@@ -909,7 +931,6 @@ files:
 - lib/contrast/utils/class_util.rb
 - lib/contrast/utils/duck_utils.rb
 - lib/contrast/utils/env_configuration_item.rb
-- lib/contrast/utils/freeze_util.rb
 - lib/contrast/utils/gemfile_reader.rb
 - lib/contrast/utils/hash_digest.rb
 - lib/contrast/utils/heap_dump_util.rb

data/lib/contrast/agent/assess/finalizers/finalize.rb

@@ -1,21 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/assess/finalizers/hash'
-require 'contrast/agent/assess/finalizers/freeze'
-
-module Contrast
-  module Agent
-    module Assess
-      module Finalizers
-        # Our module for handling finalizing, allowing for the tracking of
-        # Objects without impacting GC and causing a memory leak. Access to any
-        # Finalizers object should run through this module as the Finalizers
-        # have tightly coupled dependencies on each other.
-        module Finalize
-          PROPERTIES_HASH = Contrast::Agent::Assess::Finalizers::Hash.new
-        end
-      end
-    end
-  end
-end

data/lib/contrast/extension/assess/assess_extension.rb

@@ -1,145 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/assess/properties'
-require 'contrast/agent/assess/finalizers/finalize'
-
-module Contrast
-  module Extension
-    module Assess
-      # This module is responsible for maintaining the data we need to
-      # construct a trace event for the object in which it is included. Rather
-      # than have this code all over the place, any class that wants to use
-      # dataflow features should be sent
-      # 'include Contrast::Extension::Assess::AssessExtension'
-      module AssessExtension
-        def cs__transfer_properties dup
-          Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[dup] ||= Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[self].dup
-        end
-
-        # Lazily build properties object. Only objects that have been tracked
-        # will have the @_cs__properties, but all will respond to the
-        # cs__properties method call. You should only call this method if you
-        # either intend to start tracking an object or you have already checked
-        # cs__tracked? and it is true.
-        def cs__properties
-          Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[self] ||= Contrast::Agent::Assess::Properties.new
-        end
-
-        # This is a way to check if we are already tracking an object without
-        # adding tracking to it. If the object already has been tracked we will
-        # return the tracking state of its properties. If the object hasn't
-        # already been tracked we will return false without starting to track
-        # it
-        def cs__tracked?
-          !!Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[self]&.tracked?
-        end
-
-        def cs__reset_properties
-          Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[self] = nil
-        end
-
-        # copy tags and info from object to self if object support methods
-        # obj: the object from which to copy tags and events
-        # shift: how far to shift the tags, negative moves left
-        # skip_tags: array of tags to skip copying
-        def cs__copy_from obj, shift = 0, skip_tags = nil
-          return if obj.equal?(self)
-          return unless Contrast::Utils::DuckUtils.quacks_to?(obj,
-                                                              :cs__tracked?)
-          return unless obj.cs__tracked?
-          return unless cs__properties
-
-          cs__adjust_duplicate(obj)
-
-          obj.cs__properties.events.each do |event|
-            cs__properties.events << event
-          end
-
-          obj.cs__properties.tag_keys.each do |key|
-            next if skip_tags&.include?(key)
-
-            new_tags = []
-            value = obj.cs__properties.fetch_tag(key)
-            value.each do |tag|
-              new_tags << tag.copy_modified(shift)
-            end
-            existing = cs__properties.fetch_tag(key)
-            if existing
-              existing.concat(new_tags)
-              Contrast::Utils::TagUtil.size_aware_merge(self, existing)
-            else
-              cs__properties.set_tags(key, new_tags)
-            end
-          end
-        end
-
-        # Some propagation occurred, but we're not sure what the
-        # exact transformation was. To be safe, we just explode
-        # all the tags from the source to the return.
-        #
-        # If the return already had that tag, the existing tag
-        # range is recycled to save us an object.
-        def cs__splat_tags ret, source = self
-          return unless Contrast::Utils::DuckUtils.trackable?(ret)
-
-          length = Contrast::Utils::StringUtils.ret_length(ret)
-          return if length.zero?
-
-          cs__splat_from_source(ret, length, source)
-          cs__splat_from_ret(ret, length)
-        end
-
-        def cs__splat_from_source ret, ret_length, source
-          splat_source = Contrast::Utils::DuckUtils.trackable?(source)
-          splat_source &&= source.cs__tracked?
-          return unless splat_source
-
-          source.cs__properties.tag_keys.each do |key|
-            existing = ret.cs__properties.fetch_tag(key)
-            # if the tag already exists, drop all but the first range
-            # then change that range to cover the entire return
-            if existing
-              existing.drop(existing.length - 1)
-              range = existing[0]
-              range.repurpose(0, ret_length)
-            else
-              ret.cs__properties.add_tag(key, 0...ret_length)
-            end
-          end
-        end
-
-        def cs__splat_from_ret ret, length
-          return unless ret.cs__tracked?
-
-          ret.cs__properties.tag_keys.each do |key|
-            next unless key
-
-            existing = ret.cs__properties.fetch_tag(key)
-            next unless existing
-
-            existing.each do |range|
-              range.update_end(length) if range.end_idx > length
-            end
-          end
-        end
-
-        private
-
-        # Because of how our tracking works now, sometimes the Source and
-        # Target are the same, but their IDs in our map will be different due
-        # to PreShift duplication. To account for this, we have to ensure that
-        # the Object we're copying from does not have the same Properties
-        # that the Object we're copying to does. If they are the same, wipe the
-        # Target so that the copy method can update events and ranges as
-        # necessary.
-        # DO NOT TAKE THIS OUT!
-        def cs__adjust_duplicate obj
-          cs__reset_properties if obj.cs__properties == cs__properties
-          cs__reset_properties if obj.cs__properties.__id__ == cs__properties.dupped_from
-          cs__reset_properties if obj.cs__properties.dupped_from == cs__properties.__id__
-        end
-      end
-    end
-  end
-end

data/lib/contrast/utils/freeze_util.rb

@@ -1,32 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/duck_utils'
-
-module Contrast
-  module Utils
-    # This utility allows us to act on frozen objects, creating an unfrozen
-    # duplicate in those cases where that is possible.
-    class FreezeUtil
-      class << self
-        # Make every attempt to duplicate the frozen object so that it can
-        # be tracked.
-        #
-        # @param original [Object] something frozen, usually a String
-        # @return [Object] the original or an unfrozen copy
-        def unfreeze_dup original
-          return original unless original.cs__frozen?
-
-          copy = original.dup
-          if Contrast::Utils::DuckUtils.iterable_hash?(copy)
-            copy.each_key do |key|
-              value = original[key]
-              copy[key] = value.dup
-            end
-          end
-          copy
-        end
-      end
-    end
-  end
-end