contrast-agent 3.14.0 → 4.2.0

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -39,7 +39,7 @@ module Contrast
               def process context, trigger_node, object, ret, *args
                 args.each do |arg|
                   next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
-                  next unless arg.cs__tracked?
+                  next unless Contrast::Agent::Assess::Tracker.tracked?(arg)
                   next unless trigger_node.violated?(arg)
 
                   Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -20,10 +20,31 @@ module Contrast
           include Contrast::Components::Interface
           access_component :analysis, :logging
 
+          # The level of TeamServer compliance our traces meet when in the
+          # abnormal condition of being dataflow rules without routes
+          MINIMUM_FINDING_VERSION = 3
           # The level of TeamServer compliance our traces meet
-          CURRENT_FINDING_VERSION = 2
+          CURRENT_FINDING_VERSION = 4
 
           class << self
+            # Append the given finding to the given context to be reported when
+            # the Context's activity is sent to the Service or, in the absence
+            # of that Context, generate an Activity and queue it manually
+            # @param finding [Contrast::Api::Dtm::Finding]
+            def report_finding finding
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                context.activity.findings << finding
+              else
+                activity = Contrast::Api::Dtm::Activity.new
+                activity.findings << finding
+
+                Contrast::Agent.messaging_queue.send_event_eventually(activity)
+              end
+              logger.debug('Finding reported',
+                           rule: finding.rule_id)
+            end
+
             # This is called from within our woven proc. It will be called as if it
             # were inline in the Rack application.
             #
@@ -66,8 +87,8 @@ module Contrast
             # This converts the source of the finding, and the events leading
             # up to it into a Finding
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -89,18 +110,17 @@ module Contrast
 
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
-              finding.version = CURRENT_FINDING_VERSION
-
               build_from_source(finding, source)
               trigger_event = Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
               finding.events << trigger_event
               build_hash(finding, source)
               finding.routes << context.route if context.route
-              context.activity.findings << finding
+              finding.version = determine_compliance_version(finding)
               logger.trace('Finding created',
                            node_id: trigger_node.id,
                            source_id: source.__id__,
                            rule: trigger_node.rule_id)
+              report_finding(finding)
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
             end
@@ -110,8 +130,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -179,8 +199,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Regexp based rules.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -199,8 +219,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Dataflow based rules.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -211,8 +231,8 @@ module Contrast
             def apply_dataflow_rule context, trigger_node, source, object, ret, *args
               return unless source
 
-              if Contrast::Utils::DuckUtils.quacks_to?(source, :cs__properties)
-                return unless source.cs__tracked?
+              if Contrast::Agent::Assess::Tracker.trackable?(source)
+                return unless Contrast::Agent::Assess::Tracker.tracked?(source)
                 return unless trigger_node.violated?(source)
 
                 build_finding(context, trigger_node, source, object, ret, *args)
@@ -226,30 +246,27 @@ module Contrast
                   apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
                 end
               else
-                logger.warn('Trigger source is of unknown type. Unable to inspect.',
-                            node_id: trigger_node.id,
-                            source_id: source.__id__,
-                            source_type: source.cs__class.to_s)
+                logger.debug('Trigger source is untrackable. Unable to inspect.',
+                             node_id: trigger_node.id,
+                             source_id: source.__id__,
+                             source_type: source.cs__class.to_s,
+                             frozen: source.cs__frozen?)
                 logger.trace(source.to_s[0..99])
               end
             end
 
             def build_from_source finding, source
               return unless source
-              return unless Contrast::Utils::DuckUtils.quacks_to?(
-                  source,
-                  :cs__properties)
-              return unless source.cs__properties
+              return unless Contrast::Agent::Assess::Tracker.trackable?(source)
 
-              # events could technically be nil, but we would have failed
-              # the rule check before getting here. not worth the nil check
-              source.cs__properties.events.each do |event|
-                finding.events << event.to_dtm_event
-              end
+              properties = Contrast::Agent::Assess::Tracker.properties(source)
+              return unless properties
+
+              build_events finding, properties.event if properties.event
 
               # Google::Protobuf::Map doesn't support merge!, so we have to do this
               # long form
-              source_props = source.cs__properties.properties
+              source_props = properties.properties
               return unless source_props
 
               source_props.each_pair do |key, value|
@@ -258,11 +275,42 @@ module Contrast
               end
             end
 
+            def build_events finding, event
+              return unless event
+
+              event.parent_events&.each do |parent_event|
+                build_events(finding, parent_event)
+              end
+              # events could technically be nil, but we would have failed
+              # the rule check before getting here. not worth the nil check
+              finding.events << event.to_dtm_event
+            end
+
             def build_hash finding, source
               hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
             end
+
+            # Because our APIs are not versioned, TeamServer relies on a field,
+            # version, to tell it what, if any, validation it can preform on
+            # the findings we send it. Examine the finding and determine the
+            # level to which it conforms.
+            #
+            # @param finding [Contrast::Api::Dtm::Finding]
+            # @return [int] the version of compliance
+            def determine_compliance_version finding
+              return MINIMUM_FINDING_VERSION unless finding
+              # as routes are the only variable between findings, in the case
+              # where we couldn't determine one, any finding with a route is at
+              # maximum compliance
+              return CURRENT_FINDING_VERSION if finding.routes.any?
+              # any finding without events is not of a dataflow type and
+              # therefore at maximum compliance
+              return CURRENT_FINDING_VERSION unless finding.events.any?
+
+              MINIMUM_FINDING_VERSION
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -100,16 +100,17 @@ module Contrast
             # if the source isn't tracked, there can't be a violation
             # this condition may not hold true forever, but for now it's
             # a nice optimization
-            return false unless source.cs__tracked?
+            return false unless Contrast::Agent::Assess::Tracker.tracked?(source)
 
+            properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = find_ranges_by_all_tags(Contrast::Utils::StringUtils.ret_length(source), source.cs__properties, required_tags)
+            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 
             # find the ranges that are exempt from the rule
             # (validated, sanitized, etc)
-            secure_ranges = find_ranges_by_any_tag(source.cs__properties, disallowed_tags)
+            secure_ranges = ranges_with_any_tag(properties, disallowed_tags)
             # if there are vulnerable ranges and no secure, report
             return true if secure_ranges.empty?
 
@@ -178,68 +179,62 @@ module Contrast
           # @param length [Integer] the length of the object which may have the
           #   given tags -- used as the maximum index to search for all of the
           #   tags.
-          # @param cs__properties [Contrast::Agent::Assess::Properties] the
+          # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
-          # @param tags [Set<String>] the list of tags on which to match
+          # @param required_tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def find_ranges_by_all_tags length, cs__properties, tags
-            # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless cs__properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
-
-            # :zap: faster to treat all as any if there's only one tag
-            return find_ranges_by_any_tag(cs__properties, tags) if tags.length == 1
+          def ranges_with_all_tags length, properties, required_tags
+            # if there are no tags, not required tags, or the tags don't have
+            # all the required tags, we can just return here.
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags.all? { |tag| properties.tag_keys.include?(tag) }
 
             ranges = []
-            # TODO: RUBY-946 clean this up, perhaps with
-            #   tags.each { |tag| applicable << cs__properties.fetch_tag(tag) }
-            #   return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless applicable.length == tags.length
-            #   ...
+            chunking = false
             # find all the indicies on the source that have all the given tags
             (0..length).each do |idx|
-              tags_at = cs__properties.tags_at(idx)
-              ranges << idx if tags.all? do |tag|
-                found = false
-                tags_at.each do |tag_at|
-                  found = tag_at.label == tag
-                  break if found
-                end
-                found
+              tags_at = properties.tags_at(idx).to_a
+              # only those that have all the required tags in the tags_at
+              # satisfy the requirement
+              satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
+              # if this range matches all the required tags and we're already
+              # chunking, meaning the previous range matched, do nothing
+              next if satisfied && chunking
+
+              # if we are satisfied and we were not chunking, this represents
+              # the start of the next range, so create a new entry.
+              if satisfied
+                ranges << Contrast::Agent::Assess::Tag.new('required', 0, idx)
+                chunking = true
+              # if we are chunking and not satisfied, this represents the end
+              # of the range, meaning the last index is what satisfied the
+              # range. Because the range is exclusive end, we can just use this
+              # index.
+              elsif chunking
+                ranges[-1]&.update_end(idx)
+                chunking = false
               end
             end
-            # break early if no indicies satisfy all the tags
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY if ranges.empty?
-
-            # chunk all the adjacent ranges
-            chunked = ranges.chunk_while { |i, j| i + 1 == j }
-            tag_ranges = []
-            # and convert them into Tags
-            chunked.each do |join|
-              start = join[0]
-              stop = join[-1]
-              # add the 1 to account for end index being exclusive
-              tag_length = stop - start + 1
-              tag_ranges = Contrast::Utils::TagUtil.ordered_merge(tag_ranges, Tag.new(tag_length, start))
-            end
-            tag_ranges
+            ranges
           end
 
           # Find the ranges that satisfy any of the given tags.
           #
-          # @param cs__properties [Contrast::Agent::Assess::Properties] the
+          # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
           # @param tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def find_ranges_by_any_tag cs__properties, tags
+          def ranges_with_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless cs__properties.tracked?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
 
             ranges = []
             tags.each do |desired|
-              found = cs__properties.fetch_tag(desired)
+              found = properties.fetch_tag(desired)
               next unless found
 
               # we need to dup here so that we don't change the tags if target is

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -38,7 +38,8 @@ module Contrast
               finish = match.begin(:path)
               finish ||= url.length
 
-              args[0].cs__properties.any_tags_between?(start, finish)
+              properties = Contrast::Agent::Assess::Tracker.properties(args[0])
+              properties.any_tags_between?(start, finish)
             end
           end
         end

data/lib/contrast/agent/assess/properties.rb

@@ -5,6 +5,7 @@ require 'base64'
 require 'set'
 require 'contrast/agent/assess/property/evented'
 require 'contrast/agent/assess/property/tagged'
+require 'contrast/agent/assess/property/updated'
 require 'contrast/utils/prevent_serialization'
 
 module Contrast
@@ -20,6 +21,7 @@ module Contrast
         include Contrast::Utils::PreventSerialization
         include Contrast::Agent::Assess::Property::Evented
         include Contrast::Agent::Assess::Property::Tagged
+        include Contrast::Agent::Assess::Property::Updated
 
         attr_accessor :dupped_from
 

data/lib/contrast/agent/assess/property/evented.rb

@@ -10,23 +10,11 @@ module Contrast
       module Property
         # This module serves to hold the functionality required for the
         # management of our dataflow events.
+        #
+        # @attr_reader event [Contrast::Agent::Assess::ContrastEvent] the
+        #   latest event to track
         module Evented
-          # The events for this object.
-          #
-          # @return [Array<Contrast::Agent::Assess::ContrastEvent>]
-          def events
-            @_events ||= []
-          end
-
-          # Add an event to these properties. It will be used to build
-          # a trace if this object ends up in a trigger.
-          #
-          # @param event [Contrast::Agent::Assess::ContrastEvent] the latest
-          #   event to track
-          def add_event event
-            events << event
-            self
-          end
+          attr_accessor :event
 
           # Create a new event and add it to the event set.
           #
@@ -43,8 +31,7 @@ module Contrast
           #   the key used to accessed if from a map or nil if a type like
           #   BODY
           def build_event policy_node, tagged, object, ret, args, source_type = nil, source_name = nil
-            event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
-            add_event(event)
+            @event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
             report_sources(tagged, event)
           end
 

data/lib/contrast/agent/assess/property/tagged.rb

@@ -162,15 +162,21 @@ module Contrast
           end
 
           # We'll use this as a helper method to retrieve tags from the hash.
-          # Because the hash auto-populates an empty array when we try to access
-          # a tag in it, we cannot use the [] method without side effect. To get
-          # around this, we'll use a fetch work around.
+          # Because the hash auto-populates an empty array when we try to
+          # access a tag in it, we cannot use the [] method without side
+          # effect. To get around this, we'll use a fetch work around.
+          #
+          # @param label [Symbol] the label to look up
+          # @return [Array<Contrast::Agent::Assess::Tag>] all the tags with
+          #   that label
           def fetch_tag label
             tags.fetch(label, nil) if tracked?
           end
 
           # Convert the tags of this object into the TraceTaintRange required
           # to be sent to the service
+          #
+          # @return [Array<Contrast::Api::Dtm::TraceTaintRange>]
           def tags_to_dtm
             Contrast::Api::Dtm::TraceTaintRange.build_for_event(tags)
           end

data/lib/contrast/agent/assess/property/updated.rb

@@ -0,0 +1,131 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/duck_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Property
+        # This module serves to hold the functionality required for the
+        # update of properties as they go through dataflow.
+        module Updated
+          # copy tags and info from source's properties to self
+          # @param source [Object] the object from which existing properties
+          #   should be copied.
+          # @param owner [Object] the object to which these properties apply.
+          # @param shift [Integer] (0) how far to shift the tags during copy,
+          #   useful for insert and append operations.
+          # @param skip_tags [Set<String>] (nil) the tags to not copy over,
+          #   useful for propagation events that have 'untags'.
+          def copy_from source, owner, shift = 0, skip_tags = nil
+            return if owner.equal?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+
+            original = Contrast::Agent::Assess::Tracker.properties(source)
+            return unless original
+
+            adjust_duplicate(original)
+            original.tag_keys.each do |key|
+              next if skip_tags&.include?(key)
+
+              existing = tags[key]
+              had_existing = existing.any?
+              value = original.fetch_tag(key)
+              value.each do |tag|
+                existing << tag.copy_modified(shift)
+              end
+              Contrast::Utils::TagUtil.size_aware_merge(owner, existing) if had_existing
+            end
+          end
+
+          # Some propagation occurred, but we're not sure what the
+          # exact transformation was. To be safe, we just explode
+          # all the tags from the source to the return.
+          #
+          # If the return already had that tag, the existing tag
+          # range is recycled to save us an object.
+          #
+          # @param source [Object] the object from which existing properties
+          #   should be copied.
+          # @param owner [Object] the object to which these properties apply.
+          def splat_from source, owner
+            splat_length = Contrast::Utils::StringUtils.ret_length(owner)
+            return if splat_length.zero?
+
+            splat_from_ret(splat_length)
+            splat_from_source(source, splat_length)
+            cleanup_tags
+          end
+
+          private
+
+          # Because of how our tracking works now, sometimes the Source and
+          # Target are the same, but their IDs in our map will be different due
+          # to PreShift duplication. To account for this, we have to ensure that
+          # the Object we're copying from does not have the same Properties
+          # that the Object we're copying to does. If they are the same, wipe the
+          # Target so that the copy method can update events and ranges as
+          # necessary.
+          # DO NOT TAKE THIS OUT!
+          def adjust_duplicate original
+            reset_properties if original == self
+            reset_properties if original.__id__ == dupped_from
+            reset_properties if original.dupped_from == __id__
+          end
+
+          # Wipe out the instance variables on this Properties instance,
+          # allowing them to be rebuilt.
+          def reset_properties
+            @_tags = nil
+            @_events = nil
+            @_properties = nil
+          end
+
+          # Splat all the tags from the source to this set of Properties
+          #
+          # @param source [Object] the object from which tags will be copied
+          #   and splatted.
+          # @param splat_length [Integer] the length to which to to set all
+          #   tags.
+          def splat_from_source source, splat_length
+            properties = Contrast::Agent::Assess::Tracker.properties(source)
+            return unless properties
+
+            properties.tag_keys.each do |key|
+              existing = fetch_tag(key)
+              # if the tag already exists, drop all but the first range
+              # then change that range to cover the entire return
+              if existing
+                existing.drop(existing.length - 1)
+                range = existing[0]
+                range.repurpose(0, splat_length)
+              else
+                add_tag(key, 0...splat_length)
+              end
+            end
+          end
+
+          # Splat all the tags existing on this set of Properties
+          #
+          # @param splat_length [Integer] the length to which to to set all
+          #   tags.
+          def splat_from_ret splat_length
+            return unless tracked?
+
+            tag_keys.each do |key|
+              next unless key
+
+              existing = fetch_tag(key)
+              next unless existing
+
+              existing.each do |range|
+                range.repurpose(0, splat_length)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end