contrast-agent 3.15.0 → 3.16.0

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb

@@ -38,15 +38,18 @@ module Contrast
                   NON_PASSWORD_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
             end
 
-            # If the value is a string, it passes for this rule
-            def value_type_passes? value
-              value.is_a?(String)
-            end
+            # Determine if the given value node violates the hardcode key rule
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean]
+            def value_node_passes? value_node
+              # If it's a freeze call, then evaluate the entity being frozen
+              value_node = value_node.children[0] if freeze_call?(value_node)
+              return false unless value_node.type == :STR
 
-            # If the value probably isn't a property name, it passes for this
-            # rule
-            def value_passes? value
-              !probably_property_name?(value)
+              # https://www.rubydoc.info/gems/ruby-internal/Node/STR
+              string = value_node.children[0]
+              !probably_property_name?(string)
             end
 
             # If a field name matches an expected password field, we'll check it's
@@ -65,6 +68,18 @@ module Contrast
             def redacted_marker
               REDACTED_MARKER
             end
+
+            # TODO: RUBY-1014 remove `#value_type_passes?` and `#value_passes?`
+            # If the value is a string, it passes for this rule
+            def value_type_passes? value
+              value.is_a?(String)
+            end
+
+            # If the value probably isn't a property name, it passes for this
+            # rule
+            def value_passes? value
+              !probably_property_name?(value)
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/policy/trigger_method'
 require 'contrast/components/interface'
 require 'contrast/extension/module'
 
@@ -9,14 +10,13 @@ module Contrast
     module Assess
       module Rule
         module Provider
-          # Hardcoded rules detect if any secret value has been written directly into the
-          # sourcecode of the application. To use this base class, a provider must
-          # implement four methods
+          # Hardcoded rules detect if any secret value has been written
+          # directly into the sourcecode of the application. To use this base
+          # class, a provider must implement three methods:
           # 1) name_passes? : does the constant name match a given value set
-          # 2) value_type_passes? : does the type of the value of the constant match the
-          #    type given
-          # 3) value_passes? : does the value of the constant match a given value set
-          # 4) redacted_marker : the value to plug in for the obfuscated value
+          # 2) value_node_passes? : does the value of the constant match a
+          #    given value set
+          # 3) redacted_marker : the value to plug in for the obfuscated value
           module HardcodedValueRule
             include Contrast::Components::Interface
             access_component :analysis, :app_context, :logging
@@ -25,6 +25,7 @@ module Contrast
               !ASSESS.enabled? || ASSESS.rule_disabled?(rule_id)
             end
 
+            # TODO: RUBY-1014 - remove `#analyze`
             COMMON_CONSTANTS = %i[
               CONTRAST_ASSESS_POLICY_STATUS
               VERSION
@@ -69,10 +70,30 @@ module Contrast
                 # if it looks like a placeholder / pointer to a config, skip it
                 next unless value_passes?(value)
 
-                report_finding(clazz, constant_string)
+                build_finding(clazz, constant_string)
               end
             end
 
+            # Parse the file pertaining to the given TracePoint to walk its AST
+            # to determine if a Constant is hardcoded. For our purposes, this
+            # hard coding means directly set rather than as an interpolated
+            # String or through a method call.
+            #
+            # Note: This is a top layer check, we make no assertions about what
+            # the methods or interpolations do. Their presence, even if only
+            # calling a hardcoded thing, causes this check to not report.
+            #
+            # @param trace_point [TracePoint] the TracePoint event created on
+            #   the :end of a Module being loaded
+            def parse trace_point
+              return if disabled?
+
+              ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
+              parse_ast(trace_point.self, ast)
+            rescue StandardError => e
+              logger.error('Unable to parse AST for hardcoded keys', e, module: trace_point.self)
+            end
+
             # Constants can be variable or classes defined in the given
             # class. We ONLY want the variables, which should be defined in
             # the MACRO_CASE (upper case & underscore format)
@@ -90,7 +111,57 @@ module Contrast
 
             private
 
-            def report_finding clazz, constant_string
+            # @param mod [Module] the module to which this AST pertains
+            # @param ast [RubyVM::AbstractSyntaxTree::Node, Object] a node
+            #   within the AST, which may be a leaf, so any Object
+            def parse_ast mod, ast
+              return unless ast.cs__is_a?(RubyVM::AbstractSyntaxTree::Node)
+              return unless ast.cs__respond_to?(:children)
+
+              children = ast.children
+              return unless children.any?
+
+              ast.children.each do |child|
+                parse_ast(mod, child)
+              end
+
+              # https://www.rubydoc.info/gems/ruby-internal/Node/CDECL
+              return unless ast.type == :CDECL
+
+              # The CDECL Node has two children, the first being the Constant
+              # name as a symbol, the second as the value to assign to that
+              # constant
+              children = ast.children
+              name = children[0].to_s
+              # If that constant name doesn't pass our checks, move on.
+              return unless name_passes?(name)
+
+              value = children[1]
+              # The assignment node could be a direct value or a call of some
+              # sort. We leave it to each rule to properly handle these nodes.
+              return unless value_node_passes?(value)
+
+              build_finding(mod, name)
+            end
+
+            # Constants can be set as frozen directly. We need to account for
+            # this change as it means the Node given to the :CDECL call will be
+            # a :CALL, not a constant.
+            #
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean] is this a freeze call or not
+            def freeze_call? value_node
+              return false unless value_node.type == :CALL
+
+              children = value_node.children
+              return false unless children
+              return false unless children.length >= 2
+
+              children[1] == :freeze
+            end
+
+            def build_finding clazz, constant_string
               class_name = clazz.cs__name
 
               finding = Contrast::Api::Dtm::Finding.new
@@ -104,13 +175,10 @@ module Contrast
               hash = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.protobuf_safe_string(hash)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
-
-              activity = Contrast::Api::Dtm::Activity.new
-              activity.findings << finding
-
-              Contrast::Agent.messaging_queue.send_event_eventually(activity)
+              Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
             rescue StandardError => e
               logger.error('Unable to build a finding for Hardcoded Rule', e)
+              nil
             end
           end
         end

data/lib/contrast/agent/assess/tag.rb

@@ -14,7 +14,7 @@ module Contrast
 
         # Initialize a new tag
         #
-        # @param label [String] the lable of the tag
+        # @param label [String] the label of the tag
         # @param length [Integer] the length of the string described with this
         #   tag
         # @param start_idx [Integer] (0) the starting position in the string for

data/lib/contrast/agent/at_exit_hook.rb

@@ -11,11 +11,11 @@ module Contrast
       access_component :logging
       def self.exit_hook
         @_exit_hook ||= begin
-                          at_exit do
-                            on_exit
-                          end
-                          true
-                        end
+          at_exit do
+            on_exit
+          end
+          true
+        end
       end
 
       # Actions to take when a process exits. Typically called from our

data/lib/contrast/agent/patching/policy/after_load_patch.rb

@@ -15,7 +15,7 @@ module Contrast
           access_component :scope
           attr_reader :applied, :module_name, :instrumentation_file_path, :method_to_instrument, :instrumenting_module
 
-          def initialize module_name, instrumentation_file_path, method_to_instrument: nil, instrumenting_module:
+          def initialize module_name, instrumentation_file_path, method_to_instrument: nil, instrumenting_module: nil
             @applied = false
             @module_name = module_name
             @method_to_instrument = method_to_instrument
@@ -71,10 +71,10 @@ module Contrast
 
           def module_lookup
             @_module_lookup ||= begin
-                                  Module.cs__const_get module_name
-                                rescue StandardError => _e
-                                  nil
-                                end
+              Module.cs__const_get module_name
+            rescue StandardError => _e
+              nil
+            end
           end
         end
       end

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -30,20 +30,20 @@ module Contrast
           # extensions.
           def apply_direct_patches!
             @_apply_direct_patches ||= begin
-                                    Contrast::Extension::Assess::ArrayPropagator.instrument_array_track
-                                    Contrast::Extension::Assess::EvalTrigger.instrument_basic_object_track
-                                    Contrast::Extension::Assess::EvalTrigger.instrument_module_track
-                                    Contrast::Extension::Assess::FiberPropagator.instrument_fiber_track
-                                    Contrast::Extension::Assess::HashPropagator.instrument_hash_track
-                                    Contrast::Extension::Assess::KernelPropagator.instrument_kernel_track
-                                    Contrast::Extension::Assess::MarshalPropagator.instrument_marshal_load
-                                    Contrast::Extension::Assess::RegexpPropagator.instrument_regexp_track
-                                    Contrast::Extension::Assess::StringPropagator.instrument_string
-                                    Contrast::Extension::Assess::StringPropagator.instrument_string_interpolation
+              Contrast::Extension::Assess::ArrayPropagator.instrument_array_track
+              Contrast::Extension::Assess::EvalTrigger.instrument_basic_object_track
+              Contrast::Extension::Assess::EvalTrigger.instrument_module_track
+              Contrast::Extension::Assess::FiberPropagator.instrument_fiber_track
+              Contrast::Extension::Assess::HashPropagator.instrument_hash_track
+              Contrast::Extension::Assess::KernelPropagator.instrument_kernel_track
+              Contrast::Extension::Assess::MarshalPropagator.instrument_marshal_load
+              Contrast::Extension::Assess::RegexpPropagator.instrument_regexp_track
+              Contrast::Extension::Assess::StringPropagator.instrument_string
+              Contrast::Extension::Assess::StringPropagator.instrument_string_interpolation
 
-                                    Contrast::Extension::Protect::Kernel.instrument
-                                    true
-                                  end
+              Contrast::Extension::Protect::Kernel.instrument
+              true
+            end
           end
 
           def apply_load_patches!
@@ -65,13 +65,13 @@ module Contrast
           # handling
           def apply_require_patches!
             @_apply_require_patches ||= begin
-                                          require 'contrast/extension/thread'
-                                          require 'contrast/extension/kernel'
-                                          true
-                                        rescue LoadError, StandardError => e
-                                          logger.error('failed instrumenting apply_require_patches!', e)
-                                          false
-                                        end
+              require 'contrast/extension/thread'
+              require 'contrast/extension/kernel'
+              true
+            rescue LoadError, StandardError => e
+              logger.error('failed instrumenting apply_require_patches!', e)
+              false
+            end
           end
 
           def after_load_patches

data/lib/contrast/agent/patching/policy/module_policy.rb

@@ -61,16 +61,16 @@ module Contrast
           # @return [Integer] count of methods to be patched
           def num_expected_patches
             @_num_expected_patches ||= begin
-                                         instance_methods = Set.new
-                                         singleton_methods = Set.new
-                                         sort_method_names(source_nodes, instance_methods, singleton_methods)
-                                         sort_method_names(propagator_nodes, instance_methods, singleton_methods)
-                                         sort_method_names(trigger_nodes, instance_methods, singleton_methods)
-                                         sort_method_names(inventory_nodes, instance_methods, singleton_methods)
-                                         sort_method_names(protect_nodes, instance_methods, singleton_methods)
-                                         sort_method_names(deadzone_nodes, instance_methods, singleton_methods)
-                                         instance_methods.length + singleton_methods.length
-                                       end
+              instance_methods = Set.new
+              singleton_methods = Set.new
+              sort_method_names(source_nodes, instance_methods, singleton_methods)
+              sort_method_names(propagator_nodes, instance_methods, singleton_methods)
+              sort_method_names(trigger_nodes, instance_methods, singleton_methods)
+              sort_method_names(inventory_nodes, instance_methods, singleton_methods)
+              sort_method_names(protect_nodes, instance_methods, singleton_methods)
+              sort_method_names(deadzone_nodes, instance_methods, singleton_methods)
+              instance_methods.length + singleton_methods.length
+            end
           end
 
           private

data/lib/contrast/agent/patching/policy/policy.rb

@@ -124,12 +124,26 @@ module Contrast
           end
 
           def find_source_node class_name, method_name, instance_method
-            sources.find { |source| source.class_name == class_name && source.method_name == method_name && source.instance_method == instance_method }
+            sources.find do |source|
+              source.class_name == class_name &&
+                  source.method_name == method_name &&
+                  source.instance_method == instance_method
+            end
+          end
+
+          def find_propagator_node class_name, method_name, instance_method
+            propagators.find do |propagator|
+              propagator.class_name == class_name &&
+                  propagator.method_name == method_name &&
+                  propagator.instance_method == instance_method
+            end
           end
 
           def find_node rule_id, class_name, method_name, instance_method
             find_triggers_by_rule(rule_id).find do |node|
-              node.class_name == class_name && node.method_name == method_name && node.instance_method == instance_method
+              node.class_name == class_name &&
+                  node.method_name == method_name &&
+                  node.instance_method == instance_method
             end
           end
         end

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -30,11 +30,9 @@ module Contrast
               Contrast::Agent::Protect::Policy::AppliesDeserializationRule.apply_deserialization_command_check(command)
               return if skip_analysis?
 
-              begin
-                clazz = object.is_a?(Module) ? object : object.cs__class
-                class_name = clazz.cs__name
-                rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
-              end
+              clazz = object.is_a?(Module) ? object : object.cs__class
+              class_name = clazz.cs__name
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
             end
 
             protected

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb

@@ -27,7 +27,7 @@ module Contrast
             def apply_rule__io method, _exception, _properties, object, args
               need_rewind = false
               potential_xml = args[0]
-              return unless potential_xml&.respond_to?(:rewind)
+              return unless potential_xml.cs__respond_to?(:rewind)
 
               xml = potential_xml.read
               need_rewind = true

data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb

@@ -16,6 +16,7 @@ module Contrast
             def start_line_comment? char, index, query
               if char == Contrast::Utils::ObjectShare::SLASH &&
                     query[index + 1] == Contrast::Utils::ObjectShare::SLASH
+
                 return true
               end
 

data/lib/contrast/agent/request.rb

@@ -46,42 +46,42 @@ module Contrast
       # Should also handle the ;jsessionid.
       def normalized_uri
         @_normalized_uri ||= begin
-                               path = rack_request.path
-                               uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
-                               uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
-                               uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens
-                               uri.gsub(LAST_REST_TOKEN, LAST_NUMBER_MARKER)                   # replace last token
-                             end
+          path = rack_request.path
+          uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
+          uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
+          uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens
+          uri.gsub(LAST_REST_TOKEN, LAST_NUMBER_MARKER)                   # replace last token
+        end
       end
 
       def document_type
         @_document_type ||= begin
-                              if /xml/i.match?(content_type) || body&.start_with?('<?xml')
-                                :XML
-                              elsif /json/i.match?(content_type) || body&.match?(/\s*[{\[]/)
-                                :JSON
-                              else
-                                :NORMAL
-                              end
-                            end
+          if /xml/i.match?(content_type) || body&.start_with?('<?xml')
+            :XML
+          elsif /json/i.match?(content_type) || body&.match?(/\s*[{\[]/)
+            :JSON
+          else
+            :NORMAL
+          end
+        end
       end
 
       # Header keys upcased and any underscores replaced with dashes
       def headers
         @_headers ||= begin
-                        with_contrast_scope do
-                          hash = {}
-                          env.each do |key, value|
-                            next unless key
-
-                            name = key.to_s
-                            next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)
-
-                            hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
-                          end
-                          hash
-                        end
-                      end
+          with_contrast_scope do
+            hash = {}
+            env.each do |key, value|
+              next unless key
+
+              name = key.to_s
+              next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)
+
+              hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
+            end
+            hash
+          end
+        end
       end
 
       def body
@@ -121,13 +121,13 @@ module Contrast
 
       def file_names
         @_file_names ||= begin
-                           names = {}
-                           parsed_data = Rack::Multipart.parse_multipart(rack_request.env)
-                           traverse_parsed_multipart(parsed_data, names)
-                         rescue StandardError => _e
-                           logger.warn('Unable to parse multipart request!')
-                           {}
-                         end
+          names = {}
+          parsed_data = Rack::Multipart.parse_multipart(rack_request.env)
+          traverse_parsed_multipart(parsed_data, names)
+        rescue StandardError => _e
+          logger.warn('Unable to parse multipart request!')
+          {}
+        end
       end
 
       def hash_id