contrast-agent 3.14.0 → 4.2.0

data/service_executables/VERSION

@@ -1 +1 @@
-2.11.1
+2.16.0

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 3.14.0
+  version: 4.2.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -9,10 +9,11 @@ authors:
 - donald.propst@contrastsecurity.com
 - alex.macdonald@contrastsecurity.com
 - mark.petersen@contrastsecurity.com
+- joshua.reed@contrastsecurity.com
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-08-20 00:00:00.000000000 Z
+date: 2020-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: amazing_print
@@ -56,6 +57,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: debase
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: debride
   requirement: !ruby/object:Gem::Requirement
@@ -126,6 +141,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: flay
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: openssl
   requirement: !ruby/object:Gem::Requirement
@@ -258,42 +287,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.89.1
+        version: 0.93.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.89.1
+        version: 0.93.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.7.1
+        version: 1.8.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.7.1
+        version: 1.8.1
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.42.0
+        version: 1.43.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.42.0
+        version: 1.43.2
+- !ruby/object:Gem::Dependency
+  name: ruby-debug-ide
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -438,22 +481,16 @@ dependencies:
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.0'
 description: This gem instantiates a Rack middleware for rack-based web applications
   in order to provide Interactive Application Security Testing and Protection.
 email:
@@ -462,20 +499,20 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__assess_string/extconf.rb
 - ext/cs__assess_active_record_named/extconf.rb
-- ext/cs__assess_hash/extconf.rb
-- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_fiber_track/extconf.rb
 - ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_module/extconf.rb
-- ext/cs__assess_regexp/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_array/extconf.rb
 - ext/cs__protect_kernel/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
 - ext/cs__assess_kernel/extconf.rb
+- ext/cs__assess_regexp/extconf.rb
+- ext/cs__assess_hash/extconf.rb
+- ext/cs__assess_module/extconf.rb
+- ext/cs__assess_string_interpolation26/extconf.rb
 - ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
-- ext/cs__assess_array/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_string/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -674,7 +711,6 @@ files:
 - lib/contrast/agent/assess/contrast_event.rb
 - lib/contrast/agent/assess/events/event_factory.rb
 - lib/contrast/agent/assess/events/source_event.rb
-- lib/contrast/agent/assess/finalizers/finalize.rb
 - lib/contrast/agent/assess/finalizers/freeze.rb
 - lib/contrast/agent/assess/finalizers/hash.rb
 - lib/contrast/agent/assess/policy/dynamic_source_factory.rb
@@ -719,6 +755,7 @@ files:
 - lib/contrast/agent/assess/properties.rb
 - lib/contrast/agent/assess/property/evented.rb
 - lib/contrast/agent/assess/property/tagged.rb
+- lib/contrast/agent/assess/property/updated.rb
 - lib/contrast/agent/assess/rule.rb
 - lib/contrast/agent/assess/rule/base.rb
 - lib/contrast/agent/assess/rule/provider.rb
@@ -727,12 +764,18 @@ files:
 - lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb
 - lib/contrast/agent/assess/rule/redos.rb
 - lib/contrast/agent/assess/tag.rb
+- lib/contrast/agent/assess/tracker.rb
 - lib/contrast/agent/at_exit_hook.rb
 - lib/contrast/agent/class_reopener.rb
 - lib/contrast/agent/deadzone/policy/deadzone_node.rb
 - lib/contrast/agent/deadzone/policy/policy.rb
 - lib/contrast/agent/disable_reaction.rb
 - lib/contrast/agent/exclusion_matcher.rb
+- lib/contrast/agent/inventory.rb
+- lib/contrast/agent/inventory/dependencies.rb
+- lib/contrast/agent/inventory/dependency_analysis.rb
+- lib/contrast/agent/inventory/dependency_usage_analysis.rb
+- lib/contrast/agent/inventory/gemfile_digest_cache.rb
 - lib/contrast/agent/inventory/policy/datastores.rb
 - lib/contrast/agent/inventory/policy/policy.rb
 - lib/contrast/agent/inventory/policy/trigger_node.rb
@@ -810,6 +853,8 @@ files:
 - lib/contrast/api/decorators/application_update.rb
 - lib/contrast/api/decorators/http_request.rb
 - lib/contrast/api/decorators/input_analysis.rb
+- lib/contrast/api/decorators/library.rb
+- lib/contrast/api/decorators/library_usage_update.rb
 - lib/contrast/api/decorators/message.rb
 - lib/contrast/api/decorators/rasp_rule_sample.rb
 - lib/contrast/api/decorators/route_coverage.rb
@@ -858,7 +903,6 @@ files:
 - lib/contrast/configuration.rb
 - lib/contrast/extension/assess.rb
 - lib/contrast/extension/assess/array.rb
-- lib/contrast/extension/assess/assess_extension.rb
 - lib/contrast/extension/assess/erb.rb
 - lib/contrast/extension/assess/eval_trigger.rb
 - lib/contrast/extension/assess/exec_trigger.rb
@@ -905,12 +949,9 @@ files:
 - lib/contrast/tasks/service.rb
 - lib/contrast/utils/assess/sampling_util.rb
 - lib/contrast/utils/assess/tracking_util.rb
-- lib/contrast/utils/boolean_util.rb
 - lib/contrast/utils/class_util.rb
 - lib/contrast/utils/duck_utils.rb
 - lib/contrast/utils/env_configuration_item.rb
-- lib/contrast/utils/freeze_util.rb
-- lib/contrast/utils/gemfile_reader.rb
 - lib/contrast/utils/hash_digest.rb
 - lib/contrast/utils/heap_dump_util.rb
 - lib/contrast/utils/invalid_configuration_util.rb

data/lib/contrast/agent/assess/finalizers/finalize.rb

@@ -1,21 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/assess/finalizers/hash'
-require 'contrast/agent/assess/finalizers/freeze'
-
-module Contrast
-  module Agent
-    module Assess
-      module Finalizers
-        # Our module for handling finalizing, allowing for the tracking of
-        # Objects without impacting GC and causing a memory leak. Access to any
-        # Finalizers object should run through this module as the Finalizers
-        # have tightly coupled dependencies on each other.
-        module Finalize
-          PROPERTIES_HASH = Contrast::Agent::Assess::Finalizers::Hash.new
-        end
-      end
-    end
-  end
-end

data/lib/contrast/extension/assess/assess_extension.rb

@@ -1,145 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/assess/properties'
-require 'contrast/agent/assess/finalizers/finalize'
-
-module Contrast
-  module Extension
-    module Assess
-      # This module is responsible for maintaining the data we need to
-      # construct a trace event for the object in which it is included. Rather
-      # than have this code all over the place, any class that wants to use
-      # dataflow features should be sent
-      # 'include Contrast::Extension::Assess::AssessExtension'
-      module AssessExtension
-        def cs__transfer_properties dup
-          Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[dup] ||= Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[self].dup
-        end
-
-        # Lazily build properties object. Only objects that have been tracked
-        # will have the @_cs__properties, but all will respond to the
-        # cs__properties method call. You should only call this method if you
-        # either intend to start tracking an object or you have already checked
-        # cs__tracked? and it is true.
-        def cs__properties
-          Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[self] ||= Contrast::Agent::Assess::Properties.new
-        end
-
-        # This is a way to check if we are already tracking an object without
-        # adding tracking to it. If the object already has been tracked we will
-        # return the tracking state of its properties. If the object hasn't
-        # already been tracked we will return false without starting to track
-        # it
-        def cs__tracked?
-          !!Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[self]&.tracked?
-        end
-
-        def cs__reset_properties
-          Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[self] = nil
-        end
-
-        # copy tags and info from object to self if object support methods
-        # obj: the object from which to copy tags and events
-        # shift: how far to shift the tags, negative moves left
-        # skip_tags: array of tags to skip copying
-        def cs__copy_from obj, shift = 0, skip_tags = nil
-          return if obj.equal?(self)
-          return unless Contrast::Utils::DuckUtils.quacks_to?(obj,
-                                                              :cs__tracked?)
-          return unless obj.cs__tracked?
-          return unless cs__properties
-
-          cs__adjust_duplicate(obj)
-
-          obj.cs__properties.events.each do |event|
-            cs__properties.events << event
-          end
-
-          obj.cs__properties.tag_keys.each do |key|
-            next if skip_tags&.include?(key)
-
-            new_tags = []
-            value = obj.cs__properties.fetch_tag(key)
-            value.each do |tag|
-              new_tags << tag.copy_modified(shift)
-            end
-            existing = cs__properties.fetch_tag(key)
-            if existing
-              existing.concat(new_tags)
-              Contrast::Utils::TagUtil.size_aware_merge(self, existing)
-            else
-              cs__properties.set_tags(key, new_tags)
-            end
-          end
-        end
-
-        # Some propagation occurred, but we're not sure what the
-        # exact transformation was. To be safe, we just explode
-        # all the tags from the source to the return.
-        #
-        # If the return already had that tag, the existing tag
-        # range is recycled to save us an object.
-        def cs__splat_tags ret, source = self
-          return unless Contrast::Utils::DuckUtils.trackable?(ret)
-
-          length = Contrast::Utils::StringUtils.ret_length(ret)
-          return if length.zero?
-
-          cs__splat_from_source(ret, length, source)
-          cs__splat_from_ret(ret, length)
-        end
-
-        def cs__splat_from_source ret, ret_length, source
-          splat_source = Contrast::Utils::DuckUtils.trackable?(source)
-          splat_source &&= source.cs__tracked?
-          return unless splat_source
-
-          source.cs__properties.tag_keys.each do |key|
-            existing = ret.cs__properties.fetch_tag(key)
-            # if the tag already exists, drop all but the first range
-            # then change that range to cover the entire return
-            if existing
-              existing.drop(existing.length - 1)
-              range = existing[0]
-              range.repurpose(0, ret_length)
-            else
-              ret.cs__properties.add_tag(key, 0...ret_length)
-            end
-          end
-        end
-
-        def cs__splat_from_ret ret, length
-          return unless ret.cs__tracked?
-
-          ret.cs__properties.tag_keys.each do |key|
-            next unless key
-
-            existing = ret.cs__properties.fetch_tag(key)
-            next unless existing
-
-            existing.each do |range|
-              range.update_end(length) if range.end_idx > length
-            end
-          end
-        end
-
-        private
-
-        # Because of how our tracking works now, sometimes the Source and
-        # Target are the same, but their IDs in our map will be different due
-        # to PreShift duplication. To account for this, we have to ensure that
-        # the Object we're copying from does not have the same Properties
-        # that the Object we're copying to does. If they are the same, wipe the
-        # Target so that the copy method can update events and ranges as
-        # necessary.
-        # DO NOT TAKE THIS OUT!
-        def cs__adjust_duplicate obj
-          cs__reset_properties if obj.cs__properties == cs__properties
-          cs__reset_properties if obj.cs__properties.__id__ == cs__properties.dupped_from
-          cs__reset_properties if obj.cs__properties.dupped_from == cs__properties.__id__
-        end
-      end
-    end
-  end
-end

data/lib/contrast/utils/boolean_util.rb

@@ -1,30 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/object_share'
-
-module Contrast
-  module Utils
-    # Utility methods for asserting truthy or falsy state of a value expected
-    # to equate to a boolean
-    class BooleanUtil
-      class << self
-        def false? config
-          return false if config == true
-          return true if config == false
-          return false unless config.cs__is_a?(String)
-
-          Contrast::Utils::ObjectShare::FALSE.casecmp?(config)
-        end
-
-        def true? config
-          return false if config == false
-          return true if config == true
-          return false unless config.cs__is_a?(String)
-
-          Contrast::Utils::ObjectShare::TRUE.casecmp?(config)
-        end
-      end
-    end
-  end
-end

data/lib/contrast/utils/freeze_util.rb

@@ -1,32 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/utils/duck_utils'
-
-module Contrast
-  module Utils
-    # This utility allows us to act on frozen objects, creating an unfrozen
-    # duplicate in those cases where that is possible.
-    class FreezeUtil
-      class << self
-        # Make every attempt to duplicate the frozen object so that it can
-        # be tracked.
-        #
-        # @param original [Object] something frozen, usually a String
-        # @return [Object] the original or an unfrozen copy
-        def unfreeze_dup original
-          return original unless original.cs__frozen?
-
-          copy = original.dup
-          if Contrast::Utils::DuckUtils.iterable_hash?(copy)
-            copy.each_key do |key|
-              value = original[key]
-              copy[key] = value.dup
-            end
-          end
-          copy
-        end
-      end
-    end
-  end
-end