contrast-agent 3.14.0 → 4.2.0

data/lib/contrast/agent/assess/events/source_event.rb

@@ -21,7 +21,7 @@ module Contrast
             @request = Contrast::Agent::REQUEST_TRACKER.current&.request
           end
 
-          def find_parent_ids _policy_node, _object, _ret, _args
+          def parent_events
             nil
           end
 

data/lib/contrast/agent/assess/finalizers/freeze.rb

@@ -1,13 +1,15 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/tracker'
+
 # Our patch of the Object#freeze method, allowing any Object we track to
 # function with our Contrast::Agent::Assess::Finalizers::Hash
 class Object
   alias_method :cs__patched_object_freeze, :freeze
 
   def freeze
-    Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH.pre_freeze(self)
+    Contrast::Agent::Assess::Tracker.pre_freeze(self)
     cs__patched_object_freeze
   end
 end

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -29,6 +29,43 @@ module Contrast
             super key.__id__
           end
 
+          # Something is trackable if it is not a collection and either not
+          # frozen or it was frozen after we put a finalizer on it.
+          #
+          # @param key [Object] the thing to determine if trackable
+          # @return [Boolean]
+          def trackable? key
+            # Track things in these, not them themselves.
+            return false if Contrast::Utils::DuckUtils.iterable_hash?(key)
+            return false if Contrast::Utils::DuckUtils.iterable_enumerable?(key)
+            # If it's not frozen, we can finalize/ track it.
+            return true unless key.cs__frozen?
+
+            # Otherwise, we can only track it if we've finalized it in our
+            # freeze patch.
+            FROZEN_FINALIZED_IDS.include?(key.__id__)
+          end
+
+          # Determine if the given Object is tracked, meaning it has a known
+          # set of properties and those properties are tracked.
+          #
+          # @param key [Object] the Object whose properties, by id, we want to
+          #   check for tracked status
+          # @return [Boolean]
+          def tracked? key
+            key?(key.__id__) && fetch(key.__id__, nil)&.tracked?
+          end
+
+          # Remove the given key from our frozen and properties tracking during
+          # finalization of the Object to which the given key_id pertains.
+          # NOTE: by necessity, this is the only method which takes the __id__,
+          # not the Object itself. You CANNOT pass the Object to this as a
+          # finalizer cannot hold reference to the Object being finalized; that
+          # prevents GC, which introduces a memory leak and defeats the entire
+          # purpose of this.
+          #
+          # @param key_id [Integer] the Object Identifier to clean up during
+          #   finalization.
           def finalize key_id
             proc do
               FROZEN_FINALIZED_IDS.delete(key_id)
@@ -36,12 +73,19 @@ module Contrast
             end
           end
 
+          # Frozen things cannot be finalized. To avoid any issue here, we
+          # intercept the #freeze call and set finalizers on the Object. To
+          # ensure later we know it's been pre-finalized, we add it's __id__ to
+          # our tracking.
+          #
+          # @param key [Object] the Object on which we need to pre-define
+          #   finalizers
           def pre_freeze key
             return if key.cs__frozen?
             return if FROZEN_FINALIZED_IDS.include?(key.__id__)
-            return unless Contrast::Utils::DuckUtils.trackable?(key)
 
             ObjectSpace.define_finalizer(key, finalize(key.__id__))
+
             FROZEN_FINALIZED_IDS << key.__id__
           rescue StandardError => _e
             nil

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -110,16 +110,23 @@ module Contrast
               dynamic_source.method_name = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.instance_method = source_node.instance_method?
               dynamic_source.target = Contrast::Utils::StringUtils.force_utf8(source_node.target_string)
-              properties.events.each do |event|
-                dynamic_source.events << event.to_dtm_event
-              end
               dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.properties[READ_COLUMN] = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.properties[WRITE_QUERY_TIME] = Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
               url = current_context.request.normalized_uri
               dynamic_source.properties[WRITE_QUERY_URL] = Contrast::Utils::StringUtils.force_utf8(url)
+              append_events(dynamic_source, properties.event)
               dynamic_source
             end
+
+            def append_events dynamic_source, event
+              return unless event
+
+              event.parent_events&.each do |parent_event|
+                append_events(dynamic_source, parent_event)
+              end
+              dynamic_source.events << event.to_dtm_event
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -37,7 +37,7 @@ module Contrast
               return unless ASSESS.enabled?
               return if in_contrast_scope?
 
-              with_contrast_scope { patcher.patch_specific_module(mod) }
+              patcher.patch_specific_module(mod)
             rescue StandardError => e
               logger.warn(
                   'Unable to patch assess during eval',

data/lib/contrast/agent/assess/policy/policy.rb

@@ -72,8 +72,6 @@ module Contrast
                 add_node(trigger_node)
               end
             end
-
-            tracked_classes.concat(policy_data[TRACKED_CLASSES_KEY])
           end
 
           # Providers is a term that we're taking from Java until we come up with

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -157,19 +157,24 @@ module Contrast
           # Everything else (propagation nodes) are Source2Target
           def build_action
             @event_action ||= begin
-              source = source_string
-              target = target_string
-              if source.nil?
+              case node_class
+              when Contrast::Agent::Assess::Policy::SourceNode::SOURCE
                 :CREATION
-              elsif target.nil?
+              when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER
                 :TRIGGER
               else
-                # TeamServer can't handle the multi-source or multi-target
-                # values. Give it some help by changing them to 'A'
-                source = ALL_TYPE if source.include?(Contrast::Utils::ObjectShare::COMMA)
-                target = ALL_TYPE if target.include?(Contrast::Utils::ObjectShare::COMMA)
-                str = source[0] + TO_MARKER + target[0]
-                str.to_sym
+                if source_string.nil?
+                  :CREATION
+                elsif target_string.nil?
+                  :TRIGGER
+                else
+                  # TeamServer can't handle the multi-source or multi-target
+                  # values. Give it some help by changing them to 'A'
+                  source = source_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : source_string
+                  target = target_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : target_string
+                  str = source[0] + TO_MARKER + target[0]
+                  str.to_sym
+                end
               end
             end
             @event_action

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
-require 'contrast/extension/assess/assess_extension'
 require 'contrast/utils/object_share'
 
 module Contrast
@@ -18,18 +17,35 @@ module Contrast
           access_component :analysis
 
           class << self
+            # Use the given trace_point, built from an :end event, to determine
+            # where the loaded code lives and scan that code for policy
+            # violations.
+            #
+            # @param trace_point [TracePoint] the TracePoint generated by an
+            #   :end event at the end of a Module definition.
             def scan trace_point
               return unless ASSESS.enabled?
               return unless ASSESS.require_scan?
 
+              provider_values = policy.providers.values
+              return if provider_values.all?(&:disabled?)
+
               return unless trace_point.path
               return if trace_point.path.start_with?(Gem.dir)
 
               mod = trace_point.self
               return if mod.cs__frozen? || mod.singleton_class?
 
-              policy.providers.each_value do |provider|
-                provider.analyze mod
+              # TODO: RUBY-1014 - remove non-AST approach
+              if RUBY_VERSION >= '2.6.0'
+                ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
+                provider_values.each do |provider|
+                  provider.parse(trace_point, ast)
+                end
+              else
+                provider_values.each do |provider|
+                  provider.analyze(mod)
+                end
               end
             end
 

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -77,25 +77,21 @@ module Contrast
                                        0
                                      end
             return unless can
+            return unless Contrast::Agent::Assess::Tracker.tracked?(object)
 
-            props = Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[object]
-            return unless props
-
-            Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[preshift.object] ||= props.dup
+            Contrast::Agent::Assess::Tracker.copy(object, preshift.object)
           end
 
           def append_arg_details preshift, args
             preshift.args = args.dup
-            preshift.args.each_with_index do |arg, index|
+            preshift.args.each_with_index do |preshift_arg, index|
               original_arg = args[index]
-              next if arg.__id__ == original_arg.__id__
-
-              props = Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[original_arg]
-              next unless props
+              next if preshift_arg.__id__ == original_arg.__id__
+              next unless Contrast::Agent::Assess::Tracker.tracked?(original_arg)
 
-              Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[arg] ||= props.dup
+              Contrast::Agent::Assess::Tracker.copy(original_arg, preshift_arg)
             end
-            preshift.arg_lengths = preshift.args.map { |arg| Contrast::Utils::DuckUtils.quacks_to?(arg, :length) ? arg.length : 0 }
+            preshift.arg_lengths = preshift.args.map { |preshift_arg| Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0 }
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -18,7 +18,7 @@ module Contrast
         # Strings
         module PropagationMethod
           include Contrast::Components::Interface
-          access_component :logging
+          access_component :analysis, :logging
 
           APPEND_ACTION = 'APPEND'
           CENTER_ACTION = 'CENTER'
@@ -124,15 +124,16 @@ module Contrast
                 Contrast::Agent::Assess::Policy::Propagator::Custom.propagate(propagation_node, preshift, ret, block)
               elsif propagation_node.action == SPLIT_ACTION
                 Contrast::Agent::Assess::Policy::Propagator::Split.propagate(propagation_node, preshift, target)
-              elsif Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
-                handle_cs_properties_propagation(propagation_node, preshift, target, object, ret, args, block)
               elsif Contrast::Utils::DuckUtils.iterable_hash?(target)
                 handle_hash_propagation(propagation_node, preshift, target, object, ret, args, block)
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
                 handle_enumerable_propagation(propagation_node, preshift, target, object, ret, args, block)
+              else
+                handle_cs_properties_propagation(propagation_node, preshift, target, object, ret, args, block)
               end
             rescue StandardError => e
               logger.warn('Unable to apply propagation', e, node_id: propagation_node.id)
+              nil
             end
 
             # Custom actions tend to be the more complex of our propagations.
@@ -186,28 +187,32 @@ module Contrast
               false
             end
 
+            # We cannot propagate to frozen things that have not been updated
+            # to work with our property tracking, unless they're duplicable and
+            # the return.
+            # We probably shouldn't propagate to frozen things at all, as
+            # they're supposed to be immutable, but third parties do jenky
+            # things, so allow it as long as it is safe to do.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
+            #   the node that governs this propagation event.
+            # @param target [Object] the Target to which to propagate.
+            # @return [Boolean] if the target can be propagated to
             def appropriate_target? propagation_node, target
-              # We cannot propagate to things that do not have cs__properties.
-              return false unless Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
-
-              # We cannot propagate to frozen things that have not been
-              # previously tracked. We probably shouldn't propagate to frozen
-              # things at all, as they're supposed to be immutable, but third
-              # parties do jenky things, so allow it as long as it is safe to do.
-              return false if target.cs__frozen? &&
-                  !target.cs__tracked? &&
-                  propagation_node.targets[0] != Contrast::Utils::ObjectShare::RETURN_KEY
+              # special handle Returns b/c we can do unfreezing magic during propagation
+              return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
 
-              true
+              Contrast::Agent::Assess::Tracker.trackable?(target)
             end
 
             # If this patcher has tags, apply them to the entire target
             def apply_tags propagation_node, target
               return unless propagation_node.tags
 
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
               length = Contrast::Utils::StringUtils.ret_length(target)
               propagation_node.tags.each do |tag|
-                target.cs__properties.add_tag(tag, 0...length)
+                properties.add_tag(tag, 0...length)
               end
             end
 
@@ -215,8 +220,11 @@ module Contrast
             def apply_untags propagation_node, target
               return unless propagation_node.untags
 
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
+              return unless properties
+
               propagation_node.untags.each do |tag|
-                target.cs__properties.delete_tags(tag)
+                properties.delete_tags(tag)
               end
             end
 
@@ -230,6 +238,15 @@ module Contrast
               true
             end
 
+            # Safely duplicate the target, or return nil
+            #
+            # @param target [Object] the thing to check for duplication
+            def safe_dup target
+              target.dup
+            rescue StandardError => _e
+              nil
+            end
+
             def handle_hash_propagation propagation_node, preshift, target, object, ret, args, block
               target.each_pair do |key, value|
                 apply_propagator(propagation_node, preshift, key, object, ret, args, block)
@@ -249,30 +266,33 @@ module Contrast
               return if propagation_node.action == NOOP_ACTION
               return unless can_propagate?(propagation_node, preshift, target)
 
-              # propagate all the tags from the sources to the target
               propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil)
               unless propagation_class
                 logger.warn(
-                    'Unknown propgation action receieved. Unable to propagate.',
+                    'Unknown propagation action received. Unable to propagate.',
                     node_id: propagation_node.id,
                     action: propagation_node.action)
-                return ret
+                return
               end
-
               restore_frozen_state = false
-              if target.cs__frozen?
-                return ret unless propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+              if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
+                return unless ASSESS.track_frozen_sources?
+                return unless propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+                dup = safe_dup(ret)
+                return unless dup
 
                 restore_frozen_state = true
-                ret = Contrast::Utils::FreezeUtil.unfreeze_dup(target)
+                ret = dup
                 target = ret
+                Contrast::Agent::Assess::Tracker.pre_freeze(ret)
+                ret.cs__freeze
+                # double check that we were able to finalize the replaced return
+                return unless Contrast::Agent::Assess::Tracker.trackable?(target)
               end
-
               propagation_class.propagate(propagation_node, preshift, target)
-
               # Once we've propagated, attempt to tag the target if there is a tag(s) to be applied
               apply_tags(propagation_node, target)
-
               # Even though we skipped propagating tags from the source if they
               # were included in untags, the target may have already had some on
               # it. Let's go ahead and remove them.
@@ -280,16 +300,13 @@ module Contrast
               # both and there should never be a propagator that has a tag in
               # its untag.
               apply_untags(propagation_node, target)
-
-              target.cs__properties.add_properties(propagation_node.properties)
-
-              target.cs__properties.build_event(propagation_node, target, object, ret, args)
-
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
+              properties.add_properties(propagation_node.properties)
+              properties.build_event(propagation_node, target, object, ret, args)
               logger.trace('Propagation detected',
                            node_id: propagation_node.id,
                            target_id: target.__id__)
-              ret.cs__freeze if restore_frozen_state
-              ret
+              restore_frozen_state ? ret : nil
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagator/append.rb

@@ -16,6 +16,9 @@ module Contrast
               # copy tags from the param to the target in chunks of param size or less
               # if param is appended in space less than param length
               def propagate propagation_node, preshift, target
+                properties = Contrast::Agent::Assess::Tracker.properties(target)
+                return unless properties
+
                 sources = propagation_node.sources
                 source1 = find_source(sources[0], preshift)
                 # Some appends have two args. If they don't this is probably something
@@ -25,25 +28,25 @@ module Contrast
                 # if the object and the return are the same length just copy the tags
                 # from the object(since nothing from args was added to return)
                 if source1.length == target.length
-                  target.cs__copy_from(source1, 0, propagation_node.untags)
+                  properties.copy_from(source1, target, 0, propagation_node.untags)
                 else
                   # find original in the target, copy tags to the new position in
                   # target
                   original_start_index = target.index(source1)
-                  target.cs__copy_from(source1, original_start_index, propagation_node.untags)
+                  properties.copy_from(source1, target, original_start_index, propagation_node.untags)
 
                   start = original_start_index + source1.length
                   while start < target.length
-                    target.cs__copy_from(source2, start, propagation_node.untags)
+                    properties.copy_from(source2, target, start, propagation_node.untags)
                     start += source2.length
                     next unless start > target.length
 
-                    target.cs__properties.tags_at(start - source2.length).each do |tag|
+                    properties.tags_at(start - source2.length).each do |tag|
                       tag.update_end(target.length)
                     end
                   end
                 end
-                target.cs__properties.cleanup_tags
+                properties.cleanup_tags
               end
             end
           end