contrast-agent 3.14.0 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c3ef67bfca5c3d772078af285e4b3fa1ab314b06af04355db1aa50cce0d284e8
-  data.tar.gz: 5eb0fe6b5dba8f64b5947c1c7cade90718b18224b62b5e02eed470613e6fbe6d
+  metadata.gz: 713e0f9cd16184d4b5da094f0d05b006870f557edfa0fc0ac199bf1035acfe45
+  data.tar.gz: f37a1ab7901a7c42bf5dce897c6dd0218f4df40d057c8719e3027f802ecd3c52
 SHA512:
-  metadata.gz: caf748a141fe652cbb1cb3e658969820b22ca4e58a11cdc46ee9bc94932c00e031b186b96e8c44b884d6f658951e8936a75444aa4d52cb9d0d5e563ab29ef26b
-  data.tar.gz: b3235852bb77977f244beed747b032bfa6e80eb86ebdcfab622a8dba7acc7a939f87e08022a07e795d2c455ec3d3107771e5cdae0d5b893a4c6019f09945db43
+  metadata.gz: f1bcf5495957815fbe1acc801e9cdc9567a1a25f657b425a335cfa1412054ecdf4f92662d0eef0b19bdc2a1c5295b758d19ed4adf4cb7f37ef67bfaf4b67262f
+  data.tar.gz: bd3e6f02d68c7eaa9385f6626e52b3fe16cecbac10d53f8c82dd01b733c9f39666183afd21df601318ed95c482338b786e13cb8f087c8076872cd5fb3f4cfad8

data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c

@@ -14,20 +14,19 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
     if (argc >= 1) {
         source_string = argv[0];
 
-        if (rb_respond_to(source_string, rb_sym_cs_tracked)) {
-            VALUE tracked = rb_funcall(source_string, rb_sym_cs_tracked, 0);
-
-            if (tracked == Qtrue) {
-                VALUE skip = rb_funcall(contrast_patcher(),
-                                        rb_sym_skip_assess_analysis, 0);
-
-                if (skip == Qfalse) {
-                    VALUE scope =
-                        rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
-                    rb_funcall(marshal_module, rb_sym_assess_load_trigger_check,
-                               2, source_string, result);
-                    rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
-                }
+        VALUE tracked =
+            rb_funcall(properties_hash, rb_sym_hash_tracked, 1, source_string);
+
+        if (tracked == Qtrue) {
+            VALUE skip =
+                rb_funcall(contrast_patcher(), rb_sym_skip_assess_analysis, 0);
+
+            if (skip == Qfalse) {
+                VALUE scope =
+                    rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
+                rb_funcall(marshal_module, rb_sym_assess_load_trigger_check, 2,
+                           source_string, result);
+                rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
             }
         }
     }
@@ -35,7 +34,11 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
 }
 
 void Init_cs__assess_marshal_module(void) {
-    marshal_module = rb_define_class_under(core_assess, "MarshalPropagator", rb_cObject);
+    // Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
+    VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
+    properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
+    marshal_module =
+        rb_define_class_under(core_assess, "MarshalPropagator", rb_cObject);
     rb_sym_assess_load_trigger_check = rb_intern("cs__load_trigger_check");
 
     contrast_register_singleton_prepend_patch(

data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h

@@ -3,6 +3,7 @@
 static VALUE marshal_module;
 
 static VALUE rb_sym_assess_load_trigger_check;
+static VALUE properties_hash;
 
 /*
  * Rails is a jerk. In Rails 5, they decided to do away with the alias chaining

data/ext/cs__assess_string/cs__assess_string.c

@@ -5,44 +5,43 @@
 #include "../cs__common/cs__common.h"
 #include <ruby.h>
 
-static VALUE contrast_assess_string_uminus(const int argc, VALUE *argv,
+static VALUE contrast_assess_string_freeze(const int argc, VALUE *argv,
                                            const VALUE obj) {
-    VALUE dup, tracked;
     if (!OBJ_FROZEN(obj)) {
-        tracked = rb_funcall(obj, rb_sym_cs_tracked, 0);
-        if (RTEST(tracked)) {
-            /*
-             * If the object is not frozen and the object is tracked, we cheat.
-             * We dup and then freeze to replicate the behavior of str_uminus in
-             * string.c, but we ignore any other monkey patches on String#-@
-             */
-            dup = rb_funcall(obj, rb_sym_dup, 0);
-            rb_funcall(obj, rb_intern("cs__transfer_properties"), 1, dup);
-            rb_funcall(dup, rb_sym_freeze, 0);
-            return dup;
-        }
+        rb_funcall(properties_hash, rb_sym_pre_freeze, 1, obj);
     }
-    /* in all other cases, preserve monkey patching and c call */
-    return rb_funcall(obj, rb_sym_assess_string_uminus, 0);
+    return rb_funcall(obj, rb_sym_assess_string_freeze, 0);
 }
 
-static VALUE contrast_assess_string_freeze(const int argc, VALUE *argv,
+static VALUE contrast_assess_string_uminus(const int argc, VALUE *argv,
                                            const VALUE obj) {
     if (!OBJ_FROZEN(obj)) {
-        // Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH.pre_freeze(self)
-        rb_funcall(properties_hash, rb_intern("pre_freeze"), 1, obj);
+        /* We're doing something intentionally different here. Ruby, for -@,
+         * attempts to de-duplicate the String and use an "interned" copy of
+         * the String. We cannot allow that to happen for a couple reasons:
+         * - prior to Ruby 2.7, this would cause us to track ALL instances of
+         *   that interned copy.
+         * - 2.7 and later, this action is actually missed because of a change
+         *   to the str_uminus method in Ruby, which dups the String in a way
+         *   that we cannot see.
+         * B/c we cannot track this in 2.7, rather than having a version check
+         * and two approaches, we'll instead directly call the #freeze method,
+         * so the end result is that this String itself is frozen and never
+         * deduplicated.
+         */
+        return contrast_assess_string_freeze(argc, argv, obj);
     }
-    return rb_funcall(obj, rb_sym_assess_string_freeze, 0);
+    /* in all other cases, preserve monkey patching and c call */
+    return rb_funcall(obj, rb_sym_assess_string_uminus, 0);
 }
 
 void Init_cs__assess_string(void) {
     rb_sym_dup = rb_intern("dup");
     rb_sym_freeze = rb_intern("freeze");
-
-    // Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH
-    VALUE finalizers = rb_define_module_under(assess, "Finalizers");
-    VALUE finalize = rb_define_module_under(finalizers, "Finalize");
-    properties_hash = rb_const_get(finalize, rb_intern("PROPERTIES_HASH"));
+    rb_sym_pre_freeze = rb_intern("pre_freeze");
+    // Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
+    VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
+    properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
 
     rb_sym_assess_string_uminus =
         contrast_register_patch("String", "-@", &contrast_assess_string_uminus);

data/ext/cs__assess_string/cs__assess_string.h

@@ -2,10 +2,12 @@
 
 static VALUE rb_sym_assess_string_uminus;
 static VALUE rb_sym_assess_string_freeze;
-// Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH
+// Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
 static VALUE properties_hash;
 static VALUE rb_sym_dup;
 static VALUE rb_sym_freeze;
+static VALUE rb_sym_pre_freeze;
+static VALUE properties_hash;
 
 /*
  * The String#-@ method calls to the str_uminus method in String.C. This method

data/ext/cs__common/cs__common.c

@@ -18,7 +18,7 @@ VALUE rb_sym_in_scope;
 VALUE rb_sym_skip_contrast_analysis;
 VALUE rb_sym_skip_assess_analysis;
 VALUE rb_sym_method;
-VALUE rb_sym_cs_tracked;
+VALUE rb_sym_hash_get, rb_sym_hash_set, rb_sym_hash_tracked;
 /* end globals */
 
 void patch_via_funchook(void *original_function, void *hook_function) {
@@ -144,7 +144,9 @@ void Init_cs__common(void) {
     rb_sym_skip_contrast_analysis = rb_intern("skip_contrast_analysis?");
     rb_sym_skip_assess_analysis = rb_intern("skip_assess_analysis?");
     rb_sym_method = rb_intern("__method__");
-    rb_sym_cs_tracked = rb_intern("cs__tracked?");
+    rb_sym_hash_get = rb_intern("[]");
+    rb_sym_hash_set = rb_intern("[]=");
+    rb_sym_hash_tracked = rb_intern("tracked?");
 
     /* Used for returning unbound C functions */
     rb_sym_register_c_patch = rb_intern("register_c_patch");

data/ext/cs__common/cs__common.h

@@ -23,7 +23,7 @@ extern VALUE rb_sym_in_scope;
 extern VALUE rb_sym_skip_contrast_analysis;
 extern VALUE rb_sym_skip_assess_analysis;
 extern VALUE rb_sym_method;
-extern VALUE rb_sym_cs_tracked;
+extern VALUE rb_sym_hash_get, rb_sym_hash_set, rb_sym_hash_tracked;
 
 static VALUE patcher;
 static VALUE rb_sym_instance_method;

data/lib/contrast.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 # Used to prevent deprecation warnings from flooding stdout
-ENV['PB_IGNORE_DEPRECATIONS'] = 'truee'
+ENV['PB_IGNORE_DEPRECATIONS'] = 'true'
 
 # Top-level namespace for Contrast Security agent
 module Contrast

data/lib/contrast/agent.rb

@@ -23,7 +23,6 @@ require 'contrast/extension/protect'
 require 'contrast/extension/protect/kernel'
 
 require 'contrast/utils/object_share'
-require 'contrast/utils/boolean_util'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/io_util'
 require 'contrast/utils/os'
@@ -88,18 +87,11 @@ require 'contrast/agent/assess'
 # protect rules
 require 'contrast/agent/protect/rule'
 
-# application libraries
-require 'contrast/utils/gemfile_reader'
+# application libraries and technologies
+require 'contrast/agent/inventory'
 
 # rack event monitoring
 require 'contrast/agent/middleware'
 
-# TODO: RUBY-919
-# Refactor to use Contrast::Framework::Manager
-# Contrast::Framework::Manager.before_load_patches!
-if defined?(::Rails)
-  require 'contrast/framework/rails/patch/support'
-  require 'contrast/framework/rails/patch/rails_application_configuration'
-  Contrast::Framework::Rails::Patch::RailsApplicationConfiguration.instrument
-  require 'contrast/agent/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
-end
+# Install the patches we need before the application has a chance to initialize
+Contrast::Agent.framework_manager.before_load_patches!

data/lib/contrast/agent/assess.rb

@@ -8,6 +8,7 @@ module Contrast
     # class under this namespace should be required here, providing a single
     # point of require for this functionality.
     module Assess
+      require 'contrast/agent/assess/tracker'
       require 'contrast/agent/module_data'
       require 'contrast/agent/rewriter'
       require 'contrast/agent/assess/policy/preshift'

data/lib/contrast/agent/assess/contrast_event.rb

@@ -16,10 +16,32 @@ module Contrast
       # This class holds the data about an event in the application
       # We'll use it to build an event that TeamServer can consume if
       # the object to which this event belongs ends in a trigger.
+      #
+      # @attr_reader event_id [Integer] the atomic id of this event
+      # @attr_reader policy_node [Contrast::Agent::Assess::Policy::PolicyNode]
+      #   the node that governs this event.
+      # @attr_reader stack_trace [Array<String>] the execution stack at the
+      #   time the method for this event was invoked
+      # @attr_reader time [Integer] the time, in epoch ms, when this event was
+      #   created
+      # @attr_reader thread [Integer] the object id of the thread on which this
+      #   event was generated
+      # @attr_reader object [String] the safe representation of the Object on
+      #   which the method was invoked
+      # @attr_reader ret [String] the safe representation of the Return of the
+      #   invoked method
+      # @attr_reader args [Array<Object>] the safe representation of the
+      #   Arguments with which the method was invoked
       class ContrastEvent
         include Contrast::Utils::PreventSerialization
 
         class << self
+          # Given an array of arguments, copy them into a safe, meaning String,
+          # format that we can use to send to SR and TS for rendering.
+          #
+          # @param args [Array<Object>] the arguments to translate
+          # @return [Array<String>] the String forms of those Objects, as
+          #   determined by Contrast::Utils::ClassUtil.to_contrast_string
           def safe_args_representation args
             return nil unless args
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY if args.empty?
@@ -36,32 +58,31 @@ module Contrast
             rep
           end
 
-          def safe_arg_hash_representation hash
-            # since this is the named hash for arguments, only the value is
-            # suspect here
-            hash.transform_values { |v| Contrast::Utils::ClassUtil.to_contrast_string(v) }
-          end
-
           # if given an object that can be duped, duplicate it. otherwise just
           # return the original object. swallow all exceptions from
           # non-duplicable things.
           #
           # we can't just check respond_to? though b/c dup exists on the
           # base Object class
+          #
+          # @param original [Object, nil] the thing to duplicate
+          # @return [Object, nil] a copy of that thing
           def safe_dup original
             return nil unless original
 
-            begin
-              duplicate = original.dup
-              original.cs__transfer_properties(duplicate)
-              duplicate
-            rescue StandardError
-              original
-            end
+            Contrast::Agent::Assess::Tracker.duplicate(original)
+          end
+
+          private
+
+          def safe_arg_hash_representation hash
+            # since this is the named hash for arguments, only the value is
+            # suspect here
+            hash.transform_values { |v| Contrast::Utils::ClassUtil.to_contrast_string(v) }
           end
         end
 
-        attr_reader :event_id, :parent_ids, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args
+        attr_reader :event_id, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args
 
         # We need this to track the parent id's of events to build up a flow
         # chart of the finding
@@ -76,6 +97,13 @@ module Contrast
           end
         end
 
+        # @param policy_node [Contrast::Agent::Assess::Policy::PolicyNode]
+        #   the node that governs this event.
+        # @param tagged [Object] the Target to which this event pertains.
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method
+        #   was invoked
         def initialize policy_node, tagged, object, ret, args
           @policy_node = policy_node
           # so long as this event is built in a factory, we know Contrast Code
@@ -86,28 +114,110 @@ module Contrast
 
           # These methods rely on the above being set. Don't move them!
           @event_id = Contrast::Agent::Assess::ContrastEvent.next_atomic_id
-          @parent_ids = find_parent_ids(policy_node, object, ret, args)
-          snapshot(tagged, object, ret, args)
+          find_parent_events!(policy_node, object, ret, args)
+          snapshot!(tagged, object, ret, args)
+        end
+
+        def parent_events
+          @_parent_events ||= []
         end
 
-        # Parent IDs are the event ids of all the sources of this event which
-        # were tracked prior to this event occurring
-        def find_parent_ids policy_node, object, ret, args
-          mapped = policy_node.sources.map do |source|
-            value_of_source(source, object, ret, args)
+        # We have to do a little work to figure out what our TS appropriate
+        # target is. To break this down, the logic is as follows:
+        # 1) If my policy_node has a target, work on targets. Else, work on sources.
+        #    Per TS law, each policy_node must have at least a source or a target.
+        #    The only type of policy_node w/o targets is a Trigger, but that may
+        #    change.
+        # 2) If I have a highlight, it means that I have a P target that is
+        #    not in integer form (it was a named / keyword type for which I had
+        #    to find the index). I need to address this so that TS can process
+        #    it.
+        # 3) I'll set the event's source and target to TS values.
+        # 4) Return the highlight or the first source/target as the taint
+        #    target.
+        def determine_taint_target event_dtm
+          if @policy_node&.targets&.any?
+            event_dtm.source = @policy_node.source_string if @policy_node.source_string
+            event_dtm.target = @highlight ? "P#{ @highlight }" : @policy_node.target_string
+            @highlight || @policy_node.targets[0]
+          elsif policy_node&.sources&.any?
+            event_dtm.source = @highlight ? "P#{ @highlight }" : @policy_node.source_string
+            event_dtm.target = @policy_node.target_string if @policy_node.target_string
+            @highlight || @policy_node.sources[0]
           end
-          selected = mapped.select do |source|
-            source &&
-                Contrast::Utils::DuckUtils.quacks_to?(source, :cs__properties) &&
-                source.cs__properties.events &&
-                source.cs__properties.events.last
+        end
+
+        # Convert this event into a DTM that TeamServer can consume
+        def to_dtm_event
+          Contrast::Api::Dtm::TraceEvent.build(self)
+        end
+
+        private
+
+        # Parent events are the events of all the sources of this event which
+        # were tracked prior to this event occurring. Depending on which, if
+        # any of the sources were tracked, there may be more than one parent.
+        #
+        # All events except for [Contrast::Agent::Assess::Events::SourceEvent]
+        # will have at least one parent.
+        #
+        # We set those events to this event's instance variables.
+        #
+        # @param policy_node [Contrast::Agent::Assess::Policy::PolicyNode]
+        #   the node that governs this event.
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method
+        #   was invoked
+        def find_parent_events! policy_node, object, ret, args
+          policy_node.sources.each do |source_marker|
+            source = value_of_source(source_marker, object, ret, args)
+            next unless source
+
+            event = Contrast::Agent::Assess::Tracker.properties(source)&.event
+            parent_events << event if event
           end
-          selected.map do |source|
-            source.cs__properties.events.last.event_id
+        end
+
+        # @param source [String] the marker for the source type
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method
+        #   was invoked
+        # @return [Object,nil] the literal value of the source indicated by the
+        #   given marker
+        def value_of_source source, object, ret, args
+          case source
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          else
+            if source.is_a?(Integer)
+              args[source]
+            else
+              args.each do |search|
+                next unless search.is_a?(Hash)
+
+                s = search[source]
+                return s if s
+              end
+            end
           end
         end
 
-        def snapshot tagged, object, ret, args
+        # Everything* is mutable in Ruby. As such, to ensure we can accurately
+        # report the application state at the time of this method's invocation,
+        # we have to snapshot the given values, making safe representations of
+        # them for our later use. We set those safe values to this event's
+        # instance variables.
+        #
+        # @param tagged [Object] the Target to which this event pertains.
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method
+        #   was invoked
+        def snapshot! tagged, object, ret, args
           target = @policy_node.target
           case target
             # If the target is nil, this rule was violated simply by a method
@@ -141,6 +251,10 @@ module Contrast
         # I know we're creating an extra string here since we replace the safe
         # one w/ a dup, but good enough for now. Trying not to make this too
         # complicated. - HM 8/8/19
+        #
+        # @param target [String,Integer] the marker for the target index
+        # @param tagged [Object] the actual Object that we're acting on which
+        #   has tags
         def save_target_arg target, tagged
           return if @args.cs__frozen?
 
@@ -158,56 +272,6 @@ module Contrast
             break
           end
         end
-
-        # We have to do a little work to figure out what our TS appropriate
-        # target is. To break this down, the logic is as follows:
-        # 1) If my policy_node has a target, work on targets. Else, work on sources.
-        #    Per TS law, each policy_node must have at least a source or a target.
-        #    The only type of policy_node w/o targets is a Trigger, but that may
-        #    change.
-        # 2) If I have a highlight, it means that I have a P target that is
-        #    not in integer form (it was a named / keyword type for which I had
-        #    to find the index). I need to address this so that TS can process
-        #    it.
-        # 3) I'll set the event's source and target to TS values.
-        # 4) Return the highlight or the first source/target as the taint
-        #    target.
-        def determine_taint_target event_dtm
-          if @policy_node&.targets&.any?
-            event_dtm.source = @policy_node.source_string if @policy_node.source_string
-            event_dtm.target = @highlight ? "P#{ @highlight }" : @policy_node.target_string
-            @highlight || @policy_node.targets[0]
-          elsif policy_node&.sources&.any?
-            event_dtm.source = @highlight ? "P#{ @highlight }" : @policy_node.source_string
-            event_dtm.target = @policy_node.target_string if @policy_node.target_string
-            @highlight || @policy_node.sources[0]
-          end
-        end
-
-        def value_of_source source, object, ret, args
-          case source
-          when Contrast::Utils::ObjectShare::OBJECT_KEY
-            object
-          when Contrast::Utils::ObjectShare::RETURN_KEY
-            ret
-          else
-            if source.is_a?(Integer)
-              args[source]
-            else
-              args.each do |search|
-                next unless search.is_a?(Hash)
-
-                s = search[source]
-                return s if s
-              end
-            end
-          end
-        end
-
-        # Convert this event into a DTM that TeamServer can consume
-        def to_dtm_event
-          Contrast::Api::Dtm::TraceEvent.build(self)
-        end
       end
     end
   end