contrast-agent 3.14.0 → 4.2.0

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -26,7 +26,7 @@ module Contrast
 
               action = properties['action']
               write_marker = write?(action, *args)
-              possible_write = write_marker && possible_write(write_marker)
+              possible_write = write_marker && possible_write?(write_marker)
               path_traversal_rule(path, possible_write, object, method)
 
               # If the action was copy, we need to handle the write half of it.
@@ -48,7 +48,7 @@ module Contrast
 
             private
 
-            def possible_write input
+            def possible_write? input
               input.cs__respond_to?(:to_s) &&
                   input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
             end
@@ -62,7 +62,7 @@ module Contrast
               return true if action == WRITE
 
               write_marker = args.length > 1 ? args[1] : nil
-              write_marker && possible_write(write_marker)
+              write_marker && possible_write?(write_marker)
             end
 
             def path_traversal_rule path, possible_write, object, method
@@ -83,6 +83,7 @@ module Contrast
                   tmp = CS__SAFER_REL_PATHS.map { |r| "#{ pwd }/#{ r }" }
                   gems = ENV['GEM_PATH']
                   tmp += gems.split(Contrast::Utils::ObjectShare::COLON) if gems
+                  tmp.map!(&:downcase)
                   tmp
                 else
                   []

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb

@@ -27,7 +27,7 @@ module Contrast
             def apply_rule__io method, _exception, _properties, object, args
               need_rewind = false
               potential_xml = args[0]
-              return unless potential_xml&.respond_to?(:rewind)
+              return unless potential_xml.cs__respond_to?(:rewind)
 
               xml = potential_xml.read
               need_rewind = true

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/at_exit_hook'
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/object_share'
@@ -45,11 +44,6 @@ module Contrast
             raise Contrast::SecurityException.new(
                 self,
                 "Command Injection rule triggered. Call to #{ classname }.#{ method } blocked.")
-          ensure
-            # Kernel#exec replaces the current process and does not go through
-            # at_exit hooks. Kernel#` runs as a subshell - messages appended
-            # here do not seem to be present in the original process.
-            Contrast::Agent::AtExitHook.on_exit if %i[exec `].include?(method.to_sym)
           end
 
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
@@ -104,37 +98,27 @@ module Contrast
 
           def report_command_execution context, command, **kwargs
             return unless report_any_command_execution?
-            return nil if protect_excluded_by_code?
+            return if protect_excluded_by_code?
 
             build_attack_with_match(context, nil, nil, command, **kwargs)
           end
 
           def find_probable_attacker context, potential_attack_string, ia_results, **kwargs
-            result = nil
-            if chained_command?(potential_attack_string) # this is probably an attack
-              most_likely = nil
-              ia_results.each do |input_analysis_result|
-                next unless chained_command?(input_analysis_result.value)
-
-                most_likely = input_analysis_result
-                break
-              end
-            end
-            return result unless most_likely
+            return unless chained_command?(potential_attack_string)
+
+            likely_attacker = ia_results.find { |input_analysis_result| chained_command?(input_analysis_result.value) }
+            return unless likely_attacker
 
-            result ||= build_attack_with_match(
+            build_attack_with_match(
                 context,
-                most_likely,
-                result,
+                likely_attacker,
+                nil,
                 potential_attack_string,
                 **kwargs)
-            result
           end
 
           def chained_command? command
-            return true if CHAINED_COMMAND_CHARS.match(command)
-
-            false
+            CHAINED_COMMAND_CHARS.match(command)
           end
 
           # Part of the Hardening for Command Injection detection is the

data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb

@@ -16,6 +16,7 @@ module Contrast
             def start_line_comment? char, index, query
               if char == Contrast::Utils::ObjectShare::SLASH &&
                     query[index + 1] == Contrast::Utils::ObjectShare::SLASH
+
                 return true
               end
 

data/lib/contrast/agent/request.rb

@@ -46,42 +46,42 @@ module Contrast
       # Should also handle the ;jsessionid.
       def normalized_uri
         @_normalized_uri ||= begin
-                               path = rack_request.path
-                               uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
-                               uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
-                               uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens
-                               uri.gsub(LAST_REST_TOKEN, LAST_NUMBER_MARKER)                   # replace last token
-                             end
+          path = rack_request.path
+          uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
+          uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
+          uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens
+          uri.gsub(LAST_REST_TOKEN, LAST_NUMBER_MARKER)                   # replace last token
+        end
       end
 
       def document_type
         @_document_type ||= begin
-                              if /xml/i.match?(content_type) || body&.start_with?('<?xml')
-                                :XML
-                              elsif /json/i.match?(content_type) || body&.match?(/\s*[{\[]/)
-                                :JSON
-                              else
-                                :NORMAL
-                              end
-                            end
+          if /xml/i.match?(content_type) || body&.start_with?('<?xml')
+            :XML
+          elsif /json/i.match?(content_type) || body&.match?(/\s*[{\[]/)
+            :JSON
+          else
+            :NORMAL
+          end
+        end
       end
 
       # Header keys upcased and any underscores replaced with dashes
       def headers
         @_headers ||= begin
-                        with_contrast_scope do
-                          hash = {}
-                          env.each do |key, value|
-                            next unless key
-
-                            name = key.to_s
-                            next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)
-
-                            hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
-                          end
-                          hash
-                        end
-                      end
+          with_contrast_scope do
+            hash = {}
+            env.each do |key, value|
+              next unless key
+
+              name = key.to_s
+              next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)
+
+              hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
+            end
+            hash
+          end
+        end
       end
 
       def body
@@ -121,13 +121,13 @@ module Contrast
 
       def file_names
         @_file_names ||= begin
-                           names = {}
-                           parsed_data = Rack::Multipart.parse_multipart(rack_request.env)
-                           traverse_parsed_multipart(parsed_data, names)
-                         rescue StandardError => _e
-                           logger.warn('Unable to parse multipart request!')
-                           {}
-                         end
+          names = {}
+          parsed_data = Rack::Multipart.parse_multipart(rack_request.env)
+          traverse_parsed_multipart(parsed_data, names)
+        rescue StandardError => _e
+          logger.warn('Unable to parse multipart request!')
+          {}
+        end
       end
 
       def hash_id

data/lib/contrast/agent/request_handler.rb

@@ -18,7 +18,7 @@ module Contrast
       end
 
       def send_activity_messages
-        Contrast::Utils::GemfileReader.instance.generate_library_usage(context.activity)
+        Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage(context.activity)
         [context.server_activity, context.activity, context.observed_route].each do |message|
           Contrast::Agent.messaging_queue.send_event_eventually(message)
         end

data/lib/contrast/agent/response.rb

@@ -44,14 +44,9 @@ module Contrast
         context_response = Contrast::Api::Dtm::HttpResponse.new
         context_response.response_code = response_code.to_i
         headers&.each_pair do |key, value|
-          k = Contrast::Utils::StringUtils.force_utf8(key)
-          v = Contrast::Utils::StringUtils.force_utf8(value)
-          context_response.response_headers[k] = v
+          append_pair(context_response.normalized_response_headers, key, value)
         end
-        context_response.parsed_response_headers = true
-
         context_response.response_body_binary = Contrast::Utils::StringUtils.force_utf8(body)
-        context_response.parsed_response_body = false
 
         doc_type = document_type
         context_response.document_type = doc_type if doc_type
@@ -97,6 +92,22 @@ module Contrast
 
       private
 
+      # From the dtm for normalized_response_headers:
+      #   Key is UPPERCASE_UNDERSCORE
+      #
+      #   Example: Content-Type: text/html; charset=utf-8
+      #   "CONTENT_TYPE" => Content-Type,["text/html; charset=utf8"]
+      def append_pair map, key, value
+        return unless key && value
+        return if value.is_a?(Hash)
+
+        safe_key = Contrast::Utils::StringUtils.force_utf8(key)
+        hash_key = Contrast::Utils::StringUtils.normalized_key(safe_key)
+        map[hash_key] ||= Contrast::Api::Dtm::Pair.new
+        map[hash_key].key = safe_key
+        map[hash_key].values << Contrast::Utils::StringUtils.force_utf8(value)
+      end
+
       HTTP_PREFIX = /^[Hh][Tt][Tt][Pp][_-]/i.cs__freeze
 
       # Given some holder of the content of the response's body, extract that

data/lib/contrast/agent/rewriter.rb

@@ -61,9 +61,7 @@ module Contrast
           status ||= Contrast::Agent::Patching::Policy::PatchStatus.get_status(mod)
           status.failed_rewrite!
         ensure
-          with_contrast_scope do
-            opener&.commit_patches
-          end
+          opener&.commit_patches
           logger.trace('Rewriting complete',
                        module: module_data.name,
                        result: Contrast::Agent::Patching::Policy::PatchStatus.get_status(

data/lib/contrast/agent/scope.rb

@@ -15,67 +15,73 @@ module Contrast
     # Instead, we should say "If I'm already doing Contrast things, don't track
     # this"
     class Scope
-      # The following %i[] list is the authoritative list
-      # of scopes.  If you define a new symbol here, you'll
-      # get scope methods:
-      #   %i[monkey] ->
-      #     enter_monkey_scope!
-      #     exit_monkey_scope!
-      #     in_monkey_scope?
-      #     with_monkey_scope { special_monkey_function }
       SCOPE_LIST = %i[contrast deserialization].cs__freeze
 
-      iv_list = SCOPE_LIST.map { |name| :"@#{ name }_scope" }
-      define_method 'initialize' do
-        iv_list.each do |iv_sym|
-          instance_variable_set(iv_sym, 0)
-        end
+      def initialize
+        instance_variable_set(:@contrast_scope, 0)
+        instance_variable_set(:@deserialization_scope, 0)
       end
 
-      SCOPE_LIST.each do |name|
-        iv_sym = :"@#{ name }_scope"
+      def in_contrast_scope?
+        instance_variable_get(:@contrast_scope).positive?
+      end
 
-        define_method "in_#{ name }_scope?" do
-          instance_variable_get(iv_sym).positive?
-        end
+      def in_deserialization_scope?
+        instance_variable_get(:@deserialization_scope).positive?
+      end
 
-        enter_method_sym = :"enter_#{ name }_scope!"
-        define_method enter_method_sym do
-          level = instance_variable_get(iv_sym)
-          instance_variable_set(iv_sym, level + 1)
-        end
+      def enter_contrast_scope!
+        level = instance_variable_get(:@contrast_scope)
+        instance_variable_set(:@contrast_scope, level + 1)
+      end
 
-        exit_method_sym = :"exit_#{ name }_scope!"
-        define_method exit_method_sym do
-          # by design, can go below zero.
-          # every exit/enter pair (regardless of series)
-          # should cancel each other out.
-          #
-          # so we prefer this sequence:
-          #   scope =  0
-          #   exit  = -1
-          #   enter =  0
-          #   enter =  1
-          #   exit  =  0
-          #   scope =  0
-          #
-          # over this sequence:
-          #   scope =  0
-          #   exit  =  0
-          #   enter =  1
-          #   enter =  2
-          #   exit  =  1
-          #   scope =  1
-          level = instance_variable_get(iv_sym)
-          instance_variable_set(iv_sym, level - 1)
-        end
+      def enter_deserialization_scope!
+        level = instance_variable_get(:@deserialization_scope)
+        instance_variable_set(:@deserialization_scope, level + 1)
+      end
 
-        define_method "with_#{ name }_scope" do |*_args, &block|
-          send enter_method_sym
-          block.call
-        ensure
-          send exit_method_sym
-        end
+      # Scope Exits...
+      # by design, can go below zero.
+      # every exit/enter pair (regardless of series)
+      # should cancel each other out.
+      #
+      # so we prefer this sequence:
+      #   scope =  0
+      #   exit  = -1
+      #   enter =  0
+      #   enter =  1
+      #   exit  =  0
+      #   scope =  0
+      #
+      # over this sequence:
+      #   scope =  0
+      #   exit  =  0
+      #   enter =  1
+      #   enter =  2
+      #   exit  =  1
+      #   scope =  1
+      def exit_contrast_scope!
+        level = instance_variable_get(:@contrast_scope)
+        instance_variable_set(:@contrast_scope, level - 1)
+      end
+
+      def exit_deserialization_scope!
+        level = instance_variable_get(:@deserialization_scope)
+        instance_variable_set(:@deserialization_scope, level - 1)
+      end
+
+      def with_contrast_scope
+        enter_contrast_scope!
+        yield
+      ensure
+        exit_contrast_scope!
+      end
+
+      def with_deserialization_scope
+        enter_deserialization_scope!
+        yield
+      ensure
+        exit_deserialization_scope!
       end
 
       # Dynamic versions of the above.

data/lib/contrast/agent/static_analysis.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
-require 'contrast/utils/gemfile_reader'
+require 'contrast/agent/inventory'
 require 'contrast/api/decorators/application_update'
 
 module Contrast
@@ -17,12 +17,12 @@ module Contrast
         # report the already-loaded gems.
         def catchup
           @_catchup ||= begin
-                          with_contrast_scope do
-                            Contrast::Utils::GemfileReader.instance.map_loaded_classes
-                            send_inventory_message
-                            true
-                          end
-                        end
+            with_contrast_scope do
+              Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.catchup
+              send_inventory_message
+              true
+            end
+          end
         rescue StandardError => e
           logger.warn('Unable to run post-initialization static analysis', e)
         end

data/lib/contrast/agent/tracepoint_hook.rb

@@ -35,7 +35,7 @@ module Contrast
             path = tracepoint_event.path
             return if path&.include?('contrast')
 
-            Contrast::Utils::InventoryUtil.inventory_class(path) if path
+            Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.associate_file(path) if path
             Contrast::Agent::Patching::Policy::Patcher.patch_specific_module(loaded_module)
             Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module)
             Contrast::Agent::Assess::Policy::PolicyScanner.scan(tracepoint_event)

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '3.14.0'
+    VERSION = '4.2.0'
   end
 end

data/lib/contrast/api/communication/messaging_queue.rb

@@ -67,10 +67,7 @@ module Contrast
         def preprocess_event event
           return unless event.is_a?(Contrast::Api::Dtm::Activity)
 
-          # So set their tags
-          event.finding_tags = Contrast::Utils::StringUtils.force_utf8(ASSESS.tags)
-
-          # and see if they're even enabled
+          # See if they're even enabled
           event.findings.delete_if { |finding| ASSESS.rule_disabled?(finding.rule_id) }
         end
       end