contrast-agent 3.15.0 → 4.3.0

data/lib/contrast/extension/assess/regexp.rb

@@ -48,14 +48,9 @@ module Contrast
 
             target = info_hash[:back_ref]
             with_contrast_scope do
-              result = info_hash[:result]
-              return unless result
-
-              string = info_hash[:string]
-              return unless string
-
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
-              return unless properties
+              return unless (result = info_hash[:result])
+              return unless (string = info_hash[:string])
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
               properties.splat_from(string, target)
               properties.build_event(
@@ -71,9 +66,9 @@ module Contrast
 
           def instrument_regexp_track
             @_instrument_regexp_track ||= begin
-                                               require 'cs__assess_regexp/cs__assess_regexp'
-                                               true
-                                             end
+              require 'cs__assess_regexp/cs__assess_regexp'
+              true
+            end
           rescue StandardError, LoadError => e
             logger.error('Error loading regexp track patch', e)
             false

data/lib/contrast/extension/assess/string.rb

@@ -36,15 +36,18 @@ module Contrast
             return unless inputs.any? { |input| Contrast::Agent::Assess::Tracker.tracked?(input) }
 
             with_contrast_scope do
-              properties = Contrast::Agent::Assess::Tracker.properties(result)
-              return unless properties
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties!(result))
 
+              parent_events = []
               offset = 0
               inputs.each do |input|
                 properties.copy_from(input, result, offset)
                 offset += input.length
+                parent_event = Contrast::Agent::Assess::Tracker.properties(input)&.event
+                parent_events << parent_event if parent_event
               end
               properties.build_event(INTERPOLATION_NODE, result, inputs, result, inputs)
+              properties.event.instance_variable_set(:@_parent_events, parent_events)
             end
           rescue StandardError => e
             logger.error('Unable to track interpolation', e)
@@ -52,9 +55,9 @@ module Contrast
 
           def instrument_string
             @_instrument_string ||= begin
-                                      require 'cs__assess_string/cs__assess_string'
-                                      true
-                                    end
+              require 'cs__assess_string/cs__assess_string'
+              true
+            end
           rescue StandardError, LoadError => e
             logger.error('Error loading hash track patch', e)
             false
@@ -63,14 +66,12 @@ module Contrast
           def instrument_string_interpolation
             if @_instrument_string_interpolation.nil?
               @_instrument_string_interpolation = begin
-                                                    if AGENT.patch_interpolation? && Funchook.available?
-                                                      require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26'
-                                                    end
-                                                    true
-                                                  rescue StandardError, LoadError => e
-                                                    logger.error('Error loading interpolation patch', e)
-                                                    false
-                                                  end
+                require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26' if AGENT.patch_interpolation? && Funchook.available?
+                true
+              rescue StandardError, LoadError => e
+                logger.error('Error loading interpolation patch', e)
+                false
+              end
             end
             @_instrument_string_interpolation
           end

data/lib/contrast/extension/protect/kernel.rb

@@ -30,9 +30,9 @@ module Contrast
 
           def instrument
             @_instrument ||= begin
-                                               require 'cs__protect_kernel/cs__protect_kernel'
-                                               true
-                                             end
+              require 'cs__protect_kernel/cs__protect_kernel'
+              true
+            end
           rescue StandardError, LoadError => e
             logger.error('Error loading kernel protect patch', e)
             false

data/lib/contrast/framework/base_support.rb

@@ -4,68 +4,66 @@
 module Contrast
   module Framework
     # The API for all subclasses to implement to correctly support a given framework
-    class BaseSupport
-      class << self
-        # The top level module name used by the framework
-        def detection_class
-          raise NoMethodError('Subclasses of BaseSupport should implement this method')
-        end
+    module BaseSupport
+      # The top level module name used by the framework
+      def detection_class
+        raise NoMethodError('Subclasses of BaseSupport should implement this method')
+      end
 
-        def version
-          raise NoMethodError('Subclasses of BaseSupport should implement this method')
-        end
+      def version
+        raise NoMethodError('Subclasses of BaseSupport should implement this method')
+      end
 
-        def application_name
-          raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
-        end
+      def application_name
+        raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
+      end
 
-        def server_type
-          raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
-        end
+      def server_type
+        raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
+      end
 
-        # Find all the predefined routes for this application and append them to the
-        # provided inventory message
-        # msg should be a Contrast::Api::Dtm::ApplicationUpdate or some other msg
-        # that has a routes array consisting of Contrast::Api::Dtm::RouteCoverage
-        def collect_routes
-          raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
-        end
+      # Find all the predefined routes for this application and append them to the
+      # provided inventory message
+      # msg should be a Contrast::Api::Dtm::ApplicationUpdate or some other msg
+      # that has a routes array consisting of Contrast::Api::Dtm::RouteCoverage
+      def collect_routes
+        raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
+      end
 
-        def current_route
-          raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
-        end
+      def current_route
+        raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
+      end
 
-        def retrieve_request _env
-          raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
-        end
+      def retrieve_request _env
+        raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
+      end
 
-        # Some Frameworks require specific patching for their classes to handle
-        # functionality like configuration scanning. To accommodate this, this
-        # method provides a place to register those patches for invocation on
-        # Agent load.
-        #
-        # By default, and hopefully in all cases, we won't need these patches,
-        # so we're allowing nil here rather than raising an exception.
-        def before_load_patches; end
+      # Some Frameworks require specific patching for their classes to handle
+      # functionality like configuration scanning. To accommodate this, this
+      # method provides a place to register those patches for invocation on
+      # Agent load.
+      #
+      # By default, and hopefully in all cases, we won't need these patches,
+      # so we're allowing nil here rather than raising an exception.
+      def before_load_patches!; end
 
-        # Some Frameworks require specific patching for their classes to handle
-        # functionality like routing. To accommodate this, this method provides
-        # a place to register those patches for invocation in our
-        # AfterLoadPatcher flow.
-        #
-        # By default, and hopefully in all cases, we won't need these patches,
-        # so we're allowing nil here rather than raising an exception.
-        #
-        # @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>,nil]
-        #   those patches required for a Framework which can only be installed
-        #   once a specific module has been loaded.
-        def after_load_patches; end
+      # Some Frameworks require specific patching for their classes to handle
+      # functionality like routing. To accommodate this, this method provides
+      # a place to register those patches for invocation in our
+      # AfterLoadPatcher flow.
+      #
+      # By default, and hopefully in all cases, we won't need these patches,
+      # so we're allowing nil here rather than raising an exception.
+      #
+      # @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>,nil]
+      #   those patches required for a Framework which can only be installed
+      #   once a specific module has been loaded.
+      def after_load_patches; end
 
-        # We only support websockets in rails right now, so we won't detect streaming in
-        # any other framework
-        def streaming? _env
-          false
-        end
+      # We only support websockets in rails right now, so we won't detect streaming in
+      # any other framework
+      def streaming? _env
+        false
       end
     end
   end

data/lib/contrast/framework/manager.rb

@@ -39,9 +39,9 @@ module Contrast
       # configuration.
       def before_load_patches!
         @_before_load_patches ||= begin
-                                    SUPPORTED_FRAMEWORKS.each(&:before_load_patches)
-                                    true
-                                  end
+          SUPPORTED_FRAMEWORKS.each(&:before_load_patches!)
+          true
+        end
       end
 
       # Return all the After Load Patches for all the Frameworks we know, even
@@ -128,9 +128,10 @@ module Contrast
       # @param method_name [Symbol] the method to call on each FrameworkSupport class
       # @return [Array]
       def data_for_all_frameworks method_name
-        @_frameworks.flat_map do |framework|
+        data = @_frameworks.flat_map do |framework|
           framework.send(method_name)
-        end.compact
+        end
+        data.compact
       end
 
       # This returns a single object from the first framework to successfully respond

data/lib/contrast/framework/rack/patch/session_cookie.rb

@@ -24,20 +24,20 @@ module Contrast
 
             def instrument
               @_instrument ||= begin
-                                 ::Rack::Session::Cookie.class_eval do
-                                   alias_method :cs__patched_initialize, :initialize
-                                   def initialize app, options = {}
-                                     Contrast::Framework::Rack::Patch::SessionCookie.analyze(options)
-                                     cs__patched_initialize(app, options)
-                                   end
-                                 end
-                                 true
-                               end
+                ::Rack::Session::Cookie.class_eval do
+                  alias_method :cs__patched_initialize, :initialize
+                  def initialize app, options = {} # rubocop:disable Style/OptionHash
+                    Contrast::Framework::Rack::Patch::SessionCookie.analyze(options)
+                    cs__patched_initialize(app, options)
+                  end
+                end
+                true
+              end
             end
 
             def analyze options
               return unless AGENT.enabled?
-              return if PROTECT.enabled?
+              return if ASSESS.forcibly_disabled?
 
               apply_session_timeout(options)
               apply_httponly(options)

data/lib/contrast/framework/rack/support.rb

@@ -9,7 +9,8 @@ module Contrast
     module Rack
       # Used when Rack is present to define framework specific behavior. For
       # now, the only part of this implemented is the Patch Support.
-      class Support < BaseSupport
+      module Support
+        extend Contrast::Framework::BaseSupport
         extend Contrast::Framework::Rack::Patch::Support
         class << self
           def detection_class

data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb

@@ -7,7 +7,7 @@ module Contrast
       module Patch
         # This class acts as our patch into the ActionController::Live::Buffer
         # class, allowing us to track the close event on streamed responses.
-        class ActionControllerLiveBuffer
+        module ActionControllerLiveBuffer
           class << self
             def send_messages
               return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
@@ -19,19 +19,19 @@ module Contrast
 
             def instrument
               @_instrument ||= begin
-                                 ::ActionController::Live::Buffer.class_eval do
-                                   # normally pre->in->post filters are applied however, in a streamed response
-                                   # we can run into a case where it's pre -> in -> post -> more infilters
-                                   # in order to submit anything found during the infilters after the response has
-                                   # been written we need to explicitly send them
-                                   alias_method :cs__close, :close
-                                   def close
-                                     Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer.send_messages
-                                     cs__close
-                                   end
-                                 end
-                                 true
-                               end
+                ::ActionController::Live::Buffer.class_eval do
+                  # normally pre->in->post filters are applied however, in a streamed response
+                  # we can run into a case where it's pre -> in -> post -> more infilters
+                  # in order to submit anything found during the infilters after the response has
+                  # been written we need to explicitly send them
+                  alias_method :cs__close, :close
+                  def close
+                    Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer.send_messages
+                    cs__close
+                  end
+                end
+                true
+              end
             end
           end
         end

data/lib/contrast/framework/rails/patch/assess_configuration.rb

@@ -23,7 +23,7 @@ module Contrast
             include Contrast::Utils::InvalidConfigurationUtil
 
             def analyze_session_store *args
-              return if PROTECT.enabled?
+              return if ASSESS.forcibly_disabled?
 
               apply_httponly_disabled(*args)
               apply_secure_cookie_disabled(*args)

data/lib/contrast/framework/rails/patch/rails_application_configuration.rb

@@ -10,19 +10,19 @@ module Contrast
         # for the runtime detection of insecure configurations on individual
         # ActionDispatch::Session::AbstractStore instances within the
         # application.
-        class RailsApplicationConfiguration
+        module RailsApplicationConfiguration
           def self.instrument
             @_instrument ||= begin
-                               ::Rails::Application::Configuration.class_eval do
-                                 alias_method :cs__patched_session_store, :session_store
-                                 def session_store *args
-                                   ret = cs__patched_session_store(*args)
-                                   Contrast::Framework::Rails::Patch::AssessConfiguration.analyze_session_store(*args)
-                                   ret
-                                 end
-                               end
-                               true
-                             end
+              ::Rails::Application::Configuration.class_eval do
+                alias_method :cs__patched_session_store, :session_store
+                def session_store *args
+                  ret = cs__patched_session_store(*args)
+                  Contrast::Framework::Rails::Patch::AssessConfiguration.analyze_session_store(*args)
+                  ret
+                end
+              end
+              true
+            end
           end
         end
       end

data/lib/contrast/framework/rails/patch/support.rb

@@ -11,7 +11,7 @@ module Contrast
         # Extension point allowing for the registration of Patches required to
         # support the Rails framework.
         module Support
-          # (See BaseSupport#before_load_patches)
+          # (See BaseSupport#before_load_patches!)
           def before_load_patches!
             return unless defined?(::Rails)
 

data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb

@@ -12,20 +12,20 @@ module Contrast
         # TODO: RUBY-714 remove w/ EOL of 2.5
         # @deprecated Changes to this class are discouraged as this approach is
         #   being phased out with support for those language versions.
-        class ActionControllerRailtiesHelperInherited
+        module ActionControllerRailtiesHelperInherited
           def self.instrument
             @_instrument ||= begin
-                               ::ActionController::Railties::Helpers.class_eval do
-                                 alias_method :cs__patched_helper_inherited, :inherited
-                                 def inherited klass # rubocop:disable Lint/MissingSuper
-                                   klass&.instance_variable_set(:@cs__defining_class, true)
-                                   cs__patched_helper_inherited(klass) # This calls the original inherited, which should handle super as needed.
-                                 ensure
-                                   klass&.instance_variable_set(:@cs__defining_class, false)
-                                 end
-                               end
-                               true
-                             end
+              ::ActionController::Railties::Helpers.class_eval do
+                alias_method :cs__patched_helper_inherited, :inherited
+                def inherited klass # rubocop:disable Lint/MissingSuper
+                  klass&.instance_variable_set(:@cs__defining_class, true)
+                  cs__patched_helper_inherited(klass) # This calls the original inherited, which should handle super as needed.
+                ensure
+                  klass&.instance_variable_set(:@cs__defining_class, false)
+                end
+              end
+              true
+            end
           end
         end
       end

data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb

@@ -14,23 +14,23 @@ module Contrast
         # TODO: RUBY-714 remove w/ EOL of 2.5
         # @deprecated Changes to this class are discouraged as this approach is
         #   being phased out with support for those language versions.
-        class ActiveRecordAttributeMethodsRead
+        module ActiveRecordAttributeMethodsRead
           def self.instrument
             @_instrument ||= begin
-                           ::ActiveRecord::AttributeMethods::Read::ClassMethods.class_eval do
-                             alias_method :cs__patched_define_method_attribute, :define_method_attribute
+              ::ActiveRecord::AttributeMethods::Read::ClassMethods.class_eval do
+                alias_method :cs__patched_define_method_attribute, :define_method_attribute
 
-                             def define_method_attribute *args, &block
-                               ret = cs__patched_define_method_attribute(*args, &block)
-                               method_name = args[0]
-                               Contrast::Agent::Assess::Policy::Patcher.patch_assess_method(self, method_name)
-                               ret
-                             end
+                def define_method_attribute *args, &block
+                  ret = cs__patched_define_method_attribute(*args, &block)
+                  method_name = args[0]
+                  Contrast::Agent::Assess::Policy::Patcher.patch_assess_method(self, method_name)
+                  ret
+                end
 
-                             protected :cs__patched_define_method_attribute, :define_method_attribute
-                           end
-                           true
-                         end
+                protected :cs__patched_define_method_attribute, :define_method_attribute
+              end
+              true
+            end
           end
         end
       end