contrast-agent 3.15.0 → 3.16.0

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -51,16 +51,23 @@ module Contrast
                   incoming_tracked = args && determine_tracked(args)
                   return ret unless self_tracked || incoming_tracked
 
+                  parent_events = []
                   if block
                     block_sub(self_tracked, source, ret)
                   elsif args.is_a?(String)
-                    string_sub(self_tracked, preshift, ret, args, incoming_tracked, global)
+                    string_sub(parent_events, self_tracked, preshift, ret, args, incoming_tracked, global)
                   elsif args.is_a?(Hash)
                     hash_sub(self_tracked, source, ret)
                   else # Enumerator, only for gsub
-                    pattern_gsub(preshift, ret)
+                    pattern_gsub(parent_events, preshift, ret)
                   end
-                  string_build_event(patcher, preshift, ret)
+
+                  if self_tracked
+                    source_properties = Contrast::Agent::Assess::Tracker.properties(source)
+                    parent_event = source_properties&.event
+                    parent_events.prepend(parent_event) if parent_event
+                  end
+                  string_build_event(parent_events, patcher, preshift, ret)
                 rescue StandardError => e
                   logger.error('Unable to apply gsub propagator', e)
                 end
@@ -84,10 +91,14 @@ module Contrast
                 end
               end
 
-              def string_sub self_tracked, preshift, ret, incoming, incoming_tracked, global
+              def string_sub parent_events, self_tracked, preshift, ret, incoming, incoming_tracked, global
                 properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 return unless properties
 
+                incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
+                parent_event = incoming_properties&.event
+                parent_events << parent_event if parent_event
+
                 pattern = preshift.args[0]
                 source = preshift.object
 
@@ -119,8 +130,8 @@ module Contrast
                 properties.delete_tags_at_ranges(ranges)
                 properties.shift_tags(ranges)
                 return unless incoming_tracked
+                return unless incoming_properties
 
-                incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
                 tags = incoming_properties.tag_keys
                 ranges.each do |range|
                   tags.each do |tag|
@@ -139,7 +150,7 @@ module Contrast
                 properties&.splat_from(source, ret) if self_tracked
               end
 
-              def pattern_gsub preshift, ret
+              def pattern_gsub parent_events, preshift, ret
                 properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 return unless properties
 
@@ -150,20 +161,15 @@ module Contrast
                 source_properties.tag_keys.each do |key|
                   properties.add_tag(key, 0...1)
                 end
+                parent_event = source_properties.event
+                parent_events << parent_event if parent_event
               end
 
-              def string_build_event patcher, preshift, ret
+              def string_build_event parent_events, patcher, preshift, ret
                 return unless Contrast::Agent::Assess::Tracker.tracked?(ret)
 
                 properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 args = preshift.args
-                if args.length > 1
-                  arg = args[1]
-                  arg_properties = Contrast::Agent::Assess::Tracker.properties(arg)
-                  arg_properties&.events&.each do |event|
-                    properties.events << event
-                  end
-                end
                 properties.build_event(
                     patcher,
                     ret,
@@ -171,6 +177,7 @@ module Contrast
                     ret,
                     args,
                     2)
+                properties.event.instance_variable_set(:@_parent_events, parent_events)
               end
             end
           end

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -33,16 +33,15 @@ module Contrast
                 interpolated_inputs = []
                 handle_binding_variables(scope, erb_template_prerender, ret, interpolated_inputs)
                 handle_local_variables(args, erb_template_prerender, ret, interpolated_inputs)
+                properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
                 unless interpolated_inputs.empty?
+                  current_event = properties.event
                   interpolated_inputs.each do |input|
                     input_properties = Contrast::Agent::Assess::Tracker.properties(input)
-                    next unless input_properties
+                    next unless input_properties&.event
 
-                    input_properties.events.each do |event|
-                      properties.events << event
-                    end
+                    current_event.parent_events << input_properties.event
                   end
-                  properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
                 end
 
                 if Contrast::Agent::Assess::Tracker.tracked?(ret)

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -27,6 +27,24 @@ module Contrast
           CURRENT_FINDING_VERSION = 4
 
           class << self
+            # Append the given finding to the given context to be reported when
+            # the Context's activity is sent to the Service or, in the absence
+            # of that Context, generate an Activity and queue it manually
+            # @param finding [Contrast::Api::Dtm::Finding]
+            def report_finding finding
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                context.activity.findings << finding
+              else
+                activity = Contrast::Api::Dtm::Activity.new
+                activity.findings << finding
+
+                Contrast::Agent.messaging_queue.send_event_eventually(activity)
+              end
+              logger.debug('Finding reported',
+                           rule: finding.rule_id)
+            end
+
             # This is called from within our woven proc. It will be called as if it
             # were inline in the Rack application.
             #
@@ -69,8 +87,8 @@ module Contrast
             # This converts the source of the finding, and the events leading
             # up to it into a Finding
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -98,11 +116,11 @@ module Contrast
               build_hash(finding, source)
               finding.routes << context.route if context.route
               finding.version = determine_compliance_version(finding)
-              context.activity.findings << finding
               logger.trace('Finding created',
                            node_id: trigger_node.id,
                            source_id: source.__id__,
                            rule: trigger_node.rule_id)
+              report_finding(finding)
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
             end
@@ -112,8 +130,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -181,8 +199,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Regexp based rules.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -201,8 +219,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Dataflow based rules.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -244,11 +262,7 @@ module Contrast
               properties = Contrast::Agent::Assess::Tracker.properties(source)
               return unless properties
 
-              # events could technically be nil, but we would have failed
-              # the rule check before getting here. not worth the nil check
-              properties.events.each do |event|
-                finding.events << event.to_dtm_event
-              end
+              build_events finding, properties.event if properties.event
 
               # Google::Protobuf::Map doesn't support merge!, so we have to do this
               # long form
@@ -261,6 +275,17 @@ module Contrast
               end
             end
 
+            def build_events finding, event
+              return unless event
+
+              event.parent_events&.each do |parent_event|
+                build_events(finding, parent_event)
+              end
+              # events could technically be nil, but we would have failed
+              # the rule check before getting here. not worth the nil check
+              finding.events << event.to_dtm_event
+            end
+
             def build_hash finding, source
               hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -104,13 +104,13 @@ module Contrast
 
             properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = find_ranges_by_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
+            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 
             # find the ranges that are exempt from the rule
             # (validated, sanitized, etc)
-            secure_ranges = find_ranges_by_any_tag(properties, disallowed_tags)
+            secure_ranges = ranges_with_any_tag(properties, disallowed_tags)
             # if there are vulnerable ranges and no secure, report
             return true if secure_ranges.empty?
 
@@ -181,49 +181,43 @@ module Contrast
           #   tags.
           # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
-          # @param tags [Set<String>] the list of tags on which to match
+          # @param required_tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def find_ranges_by_all_tags length, properties, tags
-            # if there aren't any all_tags or tags, break early
+          def ranges_with_all_tags length, properties, required_tags
+            # if there are no tags, not required tags, or the tags don't have
+            # all the required tags, we can just return here.
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
-
-            # :zap: faster to treat all as any if there's only one tag
-            return find_ranges_by_any_tag(properties, tags) if tags.length == 1
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags.all? { |tag| properties.tag_keys.include?(tag) }
 
             ranges = []
-            # TODO: RUBY-946 clean this up, perhaps with
-            #   tags.each { |tag| applicable << properties.fetch_tag(tag) }
-            #   return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless applicable.length == tags.length
-            #   ...
+            chunking = false
             # find all the indicies on the source that have all the given tags
             (0..length).each do |idx|
-              tags_at = properties.tags_at(idx)
-              ranges << idx if tags.all? do |tag|
-                found = false
-                tags_at.each do |tag_at|
-                  found = tag_at.label == tag
-                  break if found
-                end
-                found
+              tags_at = properties.tags_at(idx).to_a
+              # only those that have all the required tags in the tags_at
+              # satisfy the requirement
+              satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
+              # if this range matches all the required tags and we're already
+              # chunking, meaning the previous range matched, do nothing
+              next if satisfied && chunking
+
+              # if we are satisfied and we were not chunking, this represents
+              # the start of the next range, so create a new entry.
+              if satisfied
+                ranges << Contrast::Agent::Assess::Tag.new('required', 0, idx)
+                chunking = true
+              # if we are chunking and not satisfied, this represents the end
+              # of the range, meaning the last index is what satisfied the
+              # range. Because the range is exclusive end, we can just use this
+              # index.
+              elsif chunking
+                ranges[-1]&.update_end(idx)
+                chunking = false
               end
             end
-            # break early if no indicies satisfy all the tags
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY if ranges.empty?
-
-            # chunk all the adjacent ranges
-            chunked = ranges.chunk_while { |i, j| i + 1 == j }
-            tag_ranges = []
-            # and convert them into Tags
-            chunked.each do |join|
-              start = join[0]
-              stop = join[-1]
-              # add the 1 to account for end index being exclusive
-              tag_length = stop - start + 1
-              tag_ranges = Contrast::Utils::TagUtil.ordered_merge(tag_ranges, Tag.new(tag_length, start))
-            end
-            tag_ranges
+            ranges
           end
 
           # Find the ranges that satisfy any of the given tags.
@@ -233,7 +227,7 @@ module Contrast
           # @param tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def find_ranges_by_any_tag properties, tags
+          def ranges_with_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?

data/lib/contrast/agent/assess/property/evented.rb

@@ -10,23 +10,11 @@ module Contrast
       module Property
         # This module serves to hold the functionality required for the
         # management of our dataflow events.
+        #
+        # @attr_reader event [Contrast::Agent::Assess::ContrastEvent] the
+        #   latest event to track
         module Evented
-          # The events for this object.
-          #
-          # @return [Array<Contrast::Agent::Assess::ContrastEvent>]
-          def events
-            @_events ||= []
-          end
-
-          # Add an event to these properties. It will be used to build
-          # a trace if this object ends up in a trigger.
-          #
-          # @param event [Contrast::Agent::Assess::ContrastEvent] the latest
-          #   event to track
-          def add_event event
-            events << event
-            self
-          end
+          attr_accessor :event
 
           # Create a new event and add it to the event set.
           #
@@ -43,8 +31,7 @@ module Contrast
           #   the key used to accessed if from a map or nil if a type like
           #   BODY
           def build_event policy_node, tagged, object, ret, args, source_type = nil, source_name = nil
-            event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
-            add_event(event)
+            @event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
             report_sources(tagged, event)
           end
 

data/lib/contrast/agent/assess/property/tagged.rb

@@ -162,15 +162,21 @@ module Contrast
           end
 
           # We'll use this as a helper method to retrieve tags from the hash.
-          # Because the hash auto-populates an empty array when we try to access
-          # a tag in it, we cannot use the [] method without side effect. To get
-          # around this, we'll use a fetch work around.
+          # Because the hash auto-populates an empty array when we try to
+          # access a tag in it, we cannot use the [] method without side
+          # effect. To get around this, we'll use a fetch work around.
+          #
+          # @param label [Symbol] the label to look up
+          # @return [Array<Contrast::Agent::Assess::Tag>] all the tags with
+          #   that label
           def fetch_tag label
             tags.fetch(label, nil) if tracked?
           end
 
           # Convert the tags of this object into the TraceTaintRange required
           # to be sent to the service
+          #
+          # @return [Array<Contrast::Api::Dtm::TraceTaintRange>]
           def tags_to_dtm
             Contrast::Api::Dtm::TraceTaintRange.build_for_event(tags)
           end

data/lib/contrast/agent/assess/property/updated.rb

@@ -26,11 +26,6 @@ module Contrast
             return unless original
 
             adjust_duplicate(original)
-
-            original.events.each do |event|
-              events << event
-            end
-
             original.tag_keys.each do |key|
               next if skip_tags&.include?(key)
 

data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb

@@ -33,6 +33,64 @@ module Contrast
                   NON_KEY_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
             end
 
+            BYTE_HOLDERS = %i[ARRAY LIST].cs__freeze
+            # Determine if the given value node violates the hardcode key rule
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean]
+            def value_node_passes? value_node
+              # If it's a freeze call, then evaluate the entity being frozen
+              value_node = value_node.children[0] if freeze_call?(value_node)
+              # If it's a String being turned into bytes, then it matches key
+              # expectations
+              return true if bytes_call?(value_node)
+
+              type = value_node.type
+              return false unless BYTE_HOLDERS.include?(type)
+              return false unless value_node.children.any?
+
+              # Unless this is an array of literal numerics, we don't match.
+              # That array seems to always end in a nil value, so we allow
+              # those as well.
+              value_node.children.each do |child|
+                next unless child
+
+                return false unless child.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                    child.type == :LIT &&
+                    child.children[0]&.cs__is_a?(Integer)
+              end
+
+              true
+            end
+
+            REDACTED_MARKER = ' = [**REDACTED**]'
+            def redacted_marker
+              REDACTED_MARKER
+            end
+
+            # A node is a bytes_call if it's the Node for String#bytes. We care
+            # about this specifically as it's likely to be a common way to
+            # generate a key constant, rather than directly declaring an
+            # integer array.
+            #
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean] is this a node for String#bytes or not
+            def bytes_call? value_node
+              return false unless value_node.type == :CALL
+
+              children = value_node.children
+              return false unless children
+              return false unless children.length >= 2
+
+              potential_string_node = children[0]
+              return false unless potential_string_node.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                  potential_string_node.type == :STR
+
+              children[1] == :bytes
+            end
+
+            # TODO: RUBY-1014 remove `#value_type_passes?` and `#value_passes?`
             # If the value is a byte array, or at least an array of numbers, it
             # passes for this rule
             def value_type_passes? value
@@ -49,11 +107,6 @@ module Contrast
             def value_passes? _value
               true
             end
-
-            REDACTED_MARKER = ' = [**REDACTED**]'
-            def redacted_marker
-              REDACTED_MARKER
-            end
           end
         end
       end