contrast-agent 3.14.0 → 4.2.0

data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb

@@ -33,6 +33,64 @@ module Contrast
                   NON_KEY_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
             end
 
+            BYTE_HOLDERS = %i[ARRAY LIST].cs__freeze
+            # Determine if the given value node violates the hardcode key rule
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean]
+            def value_node_passes? value_node
+              # If it's a freeze call, then evaluate the entity being frozen
+              value_node = value_node.children[0] if freeze_call?(value_node)
+              # If it's a String being turned into bytes, then it matches key
+              # expectations
+              return true if bytes_call?(value_node)
+
+              type = value_node.type
+              return false unless BYTE_HOLDERS.include?(type)
+              return false unless value_node.children.any?
+
+              # Unless this is an array of literal numerics, we don't match.
+              # That array seems to always end in a nil value, so we allow
+              # those as well.
+              value_node.children.each do |child|
+                next unless child
+
+                return false unless child.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                    child.type == :LIT &&
+                    child.children[0]&.cs__is_a?(Integer)
+              end
+
+              true
+            end
+
+            REDACTED_MARKER = ' = [**REDACTED**]'
+            def redacted_marker
+              REDACTED_MARKER
+            end
+
+            # A node is a bytes_call if it's the Node for String#bytes. We care
+            # about this specifically as it's likely to be a common way to
+            # generate a key constant, rather than directly declaring an
+            # integer array.
+            #
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean] is this a node for String#bytes or not
+            def bytes_call? value_node
+              return false unless value_node.type == :CALL
+
+              children = value_node.children
+              return false unless children
+              return false unless children.length >= 2
+
+              potential_string_node = children[0]
+              return false unless potential_string_node.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                  potential_string_node.type == :STR
+
+              children[1] == :bytes
+            end
+
+            # TODO: RUBY-1014 remove `#value_type_passes?` and `#value_passes?`
             # If the value is a byte array, or at least an array of numbers, it
             # passes for this rule
             def value_type_passes? value
@@ -49,11 +107,6 @@ module Contrast
             def value_passes? _value
               true
             end
-
-            REDACTED_MARKER = ' = [**REDACTED**]'
-            def redacted_marker
-              REDACTED_MARKER
-            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb

@@ -38,15 +38,18 @@ module Contrast
                   NON_PASSWORD_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
             end
 
-            # If the value is a string, it passes for this rule
-            def value_type_passes? value
-              value.is_a?(String)
-            end
+            # Determine if the given value node violates the hardcode key rule
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean]
+            def value_node_passes? value_node
+              # If it's a freeze call, then evaluate the entity being frozen
+              value_node = value_node.children[0] if freeze_call?(value_node)
+              return false unless value_node.type == :STR
 
-            # If the value probably isn't a property name, it passes for this
-            # rule
-            def value_passes? value
-              !probably_property_name?(value)
+              # https://www.rubydoc.info/gems/ruby-internal/Node/STR
+              string = value_node.children[0]
+              !probably_property_name?(string)
             end
 
             # If a field name matches an expected password field, we'll check it's
@@ -65,6 +68,18 @@ module Contrast
             def redacted_marker
               REDACTED_MARKER
             end
+
+            # TODO: RUBY-1014 remove `#value_type_passes?` and `#value_passes?`
+            # If the value is a string, it passes for this rule
+            def value_type_passes? value
+              value.is_a?(String)
+            end
+
+            # If the value probably isn't a property name, it passes for this
+            # rule
+            def value_passes? value
+              !probably_property_name?(value)
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/policy/trigger_method'
 require 'contrast/components/interface'
 require 'contrast/extension/module'
 
@@ -9,14 +10,13 @@ module Contrast
     module Assess
       module Rule
         module Provider
-          # Hardcoded rules detect if any secret value has been written directly into the
-          # sourcecode of the application. To use this base class, a provider must
-          # implement four methods
+          # Hardcoded rules detect if any secret value has been written
+          # directly into the sourcecode of the application. To use this base
+          # class, a provider must implement three methods:
           # 1) name_passes? : does the constant name match a given value set
-          # 2) value_type_passes? : does the type of the value of the constant match the
-          #    type given
-          # 3) value_passes? : does the value of the constant match a given value set
-          # 4) redacted_marker : the value to plug in for the obfuscated value
+          # 2) value_node_passes? : does the value of the constant match a
+          #    given value set
+          # 3) redacted_marker : the value to plug in for the obfuscated value
           module HardcodedValueRule
             include Contrast::Components::Interface
             access_component :analysis, :app_context, :logging
@@ -25,6 +25,7 @@ module Contrast
               !ASSESS.enabled? || ASSESS.rule_disabled?(rule_id)
             end
 
+            # TODO: RUBY-1014 - remove `#analyze`
             COMMON_CONSTANTS = %i[
               CONTRAST_ASSESS_POLICY_STATUS
               VERSION
@@ -69,10 +70,31 @@ module Contrast
                 # if it looks like a placeholder / pointer to a config, skip it
                 next unless value_passes?(value)
 
-                report_finding(clazz, constant_string)
+                build_finding(clazz, constant_string)
               end
             end
 
+            # Parse the file pertaining to the given TracePoint to walk its AST
+            # to determine if a Constant is hardcoded. For our purposes, this
+            # hard coding means directly set rather than as an interpolated
+            # String or through a method call.
+            #
+            # Note: This is a top layer check, we make no assertions about what
+            # the methods or interpolations do. Their presence, even if only
+            # calling a hardcoded thing, causes this check to not report.
+            #
+            # @param trace_point [TracePoint] the TracePoint event created on
+            #   the :end of a Module being loaded
+            # @param ast [RubyVM::AbstractSyntaxTree::Node] the abstract syntax
+            #   tree of the Module defined in the TracePoint end event
+            def parse trace_point, ast
+              return if disabled?
+
+              parse_ast(trace_point.self, ast)
+            rescue StandardError => e
+              logger.error('Unable to parse AST for hardcoded keys', e, module: trace_point.self)
+            end
+
             # Constants can be variable or classes defined in the given
             # class. We ONLY want the variables, which should be defined in
             # the MACRO_CASE (upper case & underscore format)
@@ -90,7 +112,57 @@ module Contrast
 
             private
 
-            def report_finding clazz, constant_string
+            # @param mod [Module] the module to which this AST pertains
+            # @param ast [RubyVM::AbstractSyntaxTree::Node, Object] a node
+            #   within the AST, which may be a leaf, so any Object
+            def parse_ast mod, ast
+              return unless ast.cs__is_a?(RubyVM::AbstractSyntaxTree::Node)
+              return unless ast.cs__respond_to?(:children)
+
+              children = ast.children
+              return unless children.any?
+
+              ast.children.each do |child|
+                parse_ast(mod, child)
+              end
+
+              # https://www.rubydoc.info/gems/ruby-internal/Node/CDECL
+              return unless ast.type == :CDECL
+
+              # The CDECL Node has two children, the first being the Constant
+              # name as a symbol, the second as the value to assign to that
+              # constant
+              children = ast.children
+              name = children[0].to_s
+              # If that constant name doesn't pass our checks, move on.
+              return unless name_passes?(name)
+
+              value = children[1]
+              # The assignment node could be a direct value or a call of some
+              # sort. We leave it to each rule to properly handle these nodes.
+              return unless value_node_passes?(value)
+
+              build_finding(mod, name)
+            end
+
+            # Constants can be set as frozen directly. We need to account for
+            # this change as it means the Node given to the :CDECL call will be
+            # a :CALL, not a constant.
+            #
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean] is this a freeze call or not
+            def freeze_call? value_node
+              return false unless value_node.type == :CALL
+
+              children = value_node.children
+              return false unless children
+              return false unless children.length >= 2
+
+              children[1] == :freeze
+            end
+
+            def build_finding clazz, constant_string
               class_name = clazz.cs__name
 
               finding = Contrast::Api::Dtm::Finding.new
@@ -104,13 +176,10 @@ module Contrast
               hash = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.protobuf_safe_string(hash)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
-
-              activity = Contrast::Api::Dtm::Activity.new
-              activity.findings << finding
-
-              Contrast::Agent.messaging_queue.send_event_eventually(activity)
+              Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
             rescue StandardError => e
               logger.error('Unable to build a finding for Hardcoded Rule', e)
+              nil
             end
           end
         end

data/lib/contrast/agent/assess/tag.rb

@@ -14,7 +14,7 @@ module Contrast
 
         # Initialize a new tag
         #
-        # @param label [String] the lable of the tag
+        # @param label [String] the label of the tag
         # @param length [Integer] the length of the string described with this
         #   tag
         # @param start_idx [Integer] (0) the starting position in the string for

data/lib/contrast/agent/assess/tracker.rb

@@ -0,0 +1,66 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/finalizers/hash'
+
+module Contrast
+  module Agent
+    module Assess
+      # How we track the Assess properties attached to objects
+      #
+      # Finalized objects should run through this class as the Finalizers
+      # have tightly coupled dependencies on each other.
+      class Tracker
+        PROPERTIES_HASH = Contrast::Agent::Assess::Finalizers::Hash.new
+
+        class << self
+          def properties source
+            return unless trackable?(source)
+
+            PROPERTIES_HASH[source] ||= Contrast::Agent::Assess::Properties.new
+          end
+
+          def trackable? source
+            PROPERTIES_HASH.trackable?(source)
+          end
+
+          def tracked? source
+            PROPERTIES_HASH.tracked?(source)
+          end
+
+          def pre_freeze source
+            PROPERTIES_HASH.pre_freeze(source)
+          end
+
+          # Copy the properties from one object to the next, assuming the
+          # target does not already have its own properties.
+          #
+          # @param source [Object] the instance from which to copy properties
+          # @param target [Object] the instance to which to copy properties
+          def copy source, target
+            PROPERTIES_HASH[target] ||= properties(source).dup
+          end
+
+          # Duplicate the given object, returning the duplicate after copying
+          # the properties of the original and storing them as the properties
+          # of the duplicate.
+          #
+          # @param source [Object] the thing to duplicate
+          # @return [Object] the duplicate of the original, or the original if
+          #   it does not respond to duplication
+          def duplicate source
+            return source unless source
+
+            duplicate = source.dup
+            PROPERTIES_HASH[duplicate] ||= PROPERTIES_HASH[source].dup
+            duplicate
+          rescue StandardError
+            source
+          end
+        end
+      end
+    end
+  end
+end
+
+require 'contrast/agent/assess/finalizers/freeze'

data/lib/contrast/agent/at_exit_hook.rb

@@ -11,11 +11,11 @@ module Contrast
       access_component :logging
       def self.exit_hook
         @_exit_hook ||= begin
-                          at_exit do
-                            on_exit
-                          end
-                          true
-                        end
+          at_exit do
+            on_exit
+          end
+          true
+        end
       end
 
       # Actions to take when a process exits. Typically called from our

data/lib/contrast/agent/class_reopener.rb

@@ -37,7 +37,7 @@ module Contrast
     #   being phased out with support for those language versions.
     class ClassReopener
       include Contrast::Components::Interface
-      access_component :logging
+      access_component :logging, :scope
 
       END_NEW_LINE = "end\n"
       PROTECTED_WITH_NEW_LINE = "protected\n"
@@ -101,11 +101,13 @@ module Contrast
       # Evaluate the patches that have been staged for this class, replacing
       # the method definitions with those our rewrite.
       def commit_patches
-        return unless staged_changes?
+        with_contrast_scope do
+          return unless staged_changes?
 
-        content = build_content
-        valid = Ripper.sexp(content)
-        unbound_eval(class_name, content) if !!valid && !class_name.empty?
+          content = build_content
+          valid = Ripper.sexp(content)
+          unbound_eval(class_name, content) if !!valid && !class_name.empty?
+        end
       end
 
       # Find the sourcecode of the method at the given location and return it

data/lib/contrast/agent/inventory.rb

@@ -0,0 +1,15 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    # Namespace used for inventory behavior
+    module Inventory
+    end
+  end
+end
+
+require 'contrast/agent/inventory/dependencies'
+require 'contrast/agent/inventory/gemfile_digest_cache'
+require 'contrast/agent/inventory/dependency_usage_analysis'
+require 'contrast/agent/inventory/dependency_analysis'

data/lib/contrast/agent/inventory/dependencies.rb

@@ -0,0 +1,50 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Inventory
+      # this module is included in classes that need access to the applications dependencies
+      module Dependencies
+        CONTRAST_AGENT = 'contrast-agent'
+
+        # the #clone is necessary here, as a require in another thread could
+        # potentially result in adding a key to the loaded_specs hash during
+        # iteration.  (as in RUBY-330)
+        # this takes care of filtering out contrast-only dependencies
+        def loaded_specs
+          specs = Gem.loaded_specs.clone
+          specs.delete_if { |name, _v| contrast?(name) }
+        end
+
+        private
+
+        def contrast_gems
+          @_contrast_gems ||= find_contrast_gems
+        end
+
+        def contrast? name
+          contrast_gems.include?(name)
+        end
+
+        # Go through all dependents, given as a pair from the DependencyList: `dependency`
+        # is the dependency itself, filled with all its specs. `dependents` is the array of reverse
+        # dependencies for the aforementioned dependency. If the dependency is also in contrast_dep_set,
+        # then contrast depends on it. If its array of dependents is 1, then contrast is the
+        # only dependency in that list. Since only contrast depends on it, we should ignore it.
+        def find_contrast_gems
+          ignore = Set.new([CONTRAST_AGENT])
+          contrast_specs = Gem::DependencyList.from_specs.specs.find do |dependency|
+            dependency.name == CONTRAST_AGENT
+          end
+          contrast_dep_set = contrast_specs.dependencies.map(&:name).to_set
+
+          Gem::DependencyList.from_specs.spec_predecessors.each_pair do |dependency, dependents|
+            ignore.add(dependency.name) if contrast_dep_set.include?(dependency.name) && dependents.length == 1
+          end
+          ignore
+        end
+      end
+    end
+  end
+end