contrast-agent 3.15.0 → 4.3.0

data/lib/contrast/framework/rails/rewrite/active_record_named.rb

@@ -58,9 +58,9 @@ module Contrast
 
             def instrument
               @_instrument_named_track ||= begin
-                                                 require 'cs__assess_active_record_named/cs__assess_active_record_named'
-                                                 true
-                                               end
+                require 'cs__assess_active_record_named/cs__assess_active_record_named'
+                true
+              end
             rescue StandardError, LoadError => e
               logger.error('Error loading active record named track patch', e)
               false

data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb

@@ -9,22 +9,22 @@ module Contrast
         # TODO: RUBY-714 remove w/ EOL of 2.5
         # @deprecated Changes to this class are discouraged as this approach is
         #   being phased out with support for those language versions.
-        class ActiveRecordTimeZoneInherited
+        module ActiveRecordTimeZoneInherited
           def self.instrument
             @_instrument ||= begin
-                               ::ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods.class_eval do
-                                 private
+              ::ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods.class_eval do
+                private
 
-                                 alias_method :cs__patched_inherited, :inherited
-                                 def inherited klass # rubocop:disable Lint/MissingSuper
-                                   klass&.instance_variable_set(:@cs__defining_class, true)
-                                   cs__patched_inherited(klass) # This calls the original inherited, which should handle super as needed.
-                                 ensure
-                                   klass&.instance_variable_set(:@cs__defining_class, false)
-                                 end
-                               end
-                               true
-                             end
+                alias_method :cs__patched_inherited, :inherited
+                def inherited klass # rubocop:disable Lint/MissingSuper
+                  klass&.instance_variable_set(:@cs__defining_class, true)
+                  cs__patched_inherited(klass) # This calls the original inherited, which should handle super as needed.
+                ensure
+                  klass&.instance_variable_set(:@cs__defining_class, false)
+                end
+              end
+              true
+            end
           end
         end
       end

data/lib/contrast/framework/rails/support.rb

@@ -10,7 +10,8 @@ module Contrast
   module Framework
     module Rails
       # Used when Rails is present to define framework specific behavior
-      class Support < BaseSupport
+      class Support
+        extend Contrast::Framework::BaseSupport
         extend Contrast::Framework::Rails::Patch::Support
 
         class << self
@@ -45,6 +46,9 @@ module Contrast
             find_all_routes(::Rails.application, [])
           end
 
+          # Find the current route, based on the provided Request wrapper
+          # @param request[Contrast::Agent::Request]
+          # @return [Contrast::Api::Dtm::RouteCoverage]
           def current_route request
             return unless ::Rails.cs__respond_to?(:application)
 

data/lib/contrast/framework/sinatra/patch/base.rb

@@ -34,17 +34,17 @@ module Contrast
 
             def instrument
               @_instrument ||= begin
-                                ::Sinatra::Base.class_eval do
-                                  alias_method :cs__patched_sinatra_base_call!, :call!
-                                  # publicly available method for Sinatra::Base things -- unfortunately,
-                                  # getting the routes appear to require a lookup every time
-                                  def call! *args
-                                    Contrast::Framework::Sinatra::Patch::Base.map_route(cs__class, settings, *args)
-                                    cs__patched_sinatra_base_call!(*args)
-                                  end
-                                end
-                                true
-                              end
+                ::Sinatra::Base.class_eval do
+                  alias_method :cs__patched_sinatra_base_call!, :call!
+                  # publicly available method for Sinatra::Base things -- unfortunately,
+                  # getting the routes appear to require a lookup every time
+                  def call! *args
+                    Contrast::Framework::Sinatra::Patch::Base.map_route(cs__class, settings, *args)
+                    cs__patched_sinatra_base_call!(*args)
+                  end
+                end
+                true
+              end
             end
 
             private

data/lib/contrast/framework/sinatra/support.rb

@@ -8,7 +8,8 @@ module Contrast
   module Framework
     module Sinatra
       # Used when Sinatra is present to define framework specific behavior
-      class Support < BaseSupport
+      class Support
+        extend Contrast::Framework::BaseSupport
         extend Contrast::Framework::Sinatra::Patch::Support
         class << self
           def detection_class
@@ -67,13 +68,13 @@ module Contrast
           private
 
           def app_class
-            return nil unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
 
             @_app_class ||= begin
-                              sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a
-                              result_layer = sinatra_layers.find { |layer| layer.app.nil? }
-                              result_layer
-                            end
+              sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a
+              result_layer = sinatra_layers.find { |layer| layer.app.nil? }
+              result_layer
+            end
           end
 
           # Iterate over every class that extends Sinatra::Base, pull out its routes

data/lib/contrast/logger/application.rb

@@ -33,7 +33,7 @@ module Contrast
       def application_configuration
         return unless info?
 
-        loggable = CONFIG.raw.loggable
+        loggable = CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select { |env_key| env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) }
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }
@@ -41,9 +41,6 @@ module Contrast
           hash[conversion.key] = conversion.dot_path_array.join('.')
         end
         info('Set by environment', overrides: env_translations)
-      rescue StandardError => e
-        puts e
-        sleep(5)
       end
 
       def application_libraries

data/lib/contrast/logger/log.rb

@@ -49,14 +49,19 @@ module Contrast
         path        = valid_path(config_path   || log_file)
         level_const = valid_level(config_level || log_level)
 
+        path_change = path != previous_path
+        level_change = level_const != previous_level
+
         # don't needlessly recreate logger
-        return if @_logger && (path == previous_path) && (level_const == previous_level)
+        return if @_logger && !(path_change || level_change)
 
         @previous_path  = path
         @previous_level = level_const
 
         @_logger = build(path: path, level_const: level_const)
-        log_update
+        # If we're logging to a new path, then let's start it w/ our helpful
+        # data gathering messages
+        log_update if path_change
       rescue StandardError => e
         if logger
           logger.error('Unable to process update to LoggerManager.', e)

data/lib/contrast/utils/duck_utils.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Utils
     # Utility methods for identifying instances that can be used interchangeably
-    class DuckUtils
+    module DuckUtils
       class << self
         # Determine if the given object, or the object to which it delegates,
         # responds to the given method.

data/lib/contrast/utils/heap_dump_util.rb

@@ -106,7 +106,7 @@ module Contrast
           logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
           logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
           logger.info('*****************************************************')
-          exit # We weren't kidding!
+          exit # rubocop:disable Rails/Exit We weren't kidding!
         end
       end
     end

data/lib/contrast/utils/invalid_configuration_util.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/policy/trigger_method'
 require 'contrast/components/interface'
 
 module Contrast
@@ -41,11 +42,7 @@ module Contrast
           hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
           finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
           finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
-
-          activity = Contrast::Api::Dtm::Activity.new
-          activity.findings << finding
-
-          Contrast::Agent.messaging_queue.send_event_eventually(activity)
+          Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
         end
       rescue StandardError => e
         logger.error('Unable to build a finding', e, rule: rule_id)

data/lib/contrast/utils/inventory_util.rb

@@ -3,7 +3,6 @@
 
 require 'contrast/utils/timer'
 require 'contrast/utils/object_share'
-require 'contrast/utils/gemfile_reader'
 require 'contrast/components/interface'
 
 module Contrast
@@ -25,12 +24,6 @@ module Contrast
       DEFAULT = 'default'
       LOCALHOST = 'localhost'
 
-      def self.inventory_class class_path
-        Contrast::Utils::GemfileReader.instance.map_class(class_path)
-      rescue StandardError => e
-        logger.error('Unable to inventory module', e, path: class_path)
-      end
-
       def self.active_record_config
         return @_active_record_config if instance_variable_defined?(:@_active_record_config)
 

data/lib/contrast/utils/object_share.rb

@@ -1,13 +1,13 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-# rubocop:disable  Object/Freeze
+# rubocop:disable Security/Object/Freeze
 module Contrast
   module Utils
     # A utility class where a series of commonly used Strings and other
     # commonly used objects can be store and frozen to prevent unnecessary
     # duplication.
-    class ObjectShare
+    module ObjectShare
       # Strings
       ASTERISK =      '*'
       BACK_SLASH =    '\\'
@@ -76,4 +76,4 @@ module Contrast
     end
   end
 end
-# rubocop:enable  Object/Freeze
+# rubocop:enable Security/Object/Freeze

data/lib/contrast/utils/preflight_util.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Utils
     # Utility for generating preflight message token
-    class PreflightUtil
+    module PreflightUtil
       def self.create_preflight finding
         "#{ finding.rule_id },#{ finding.hash_code }"
       end

data/lib/contrast/utils/prevent_serialization.rb

@@ -7,7 +7,7 @@ module Contrast
     #
     # Marshal is pretty cool. It does a lot of things well. What it doesn't
     # mess around with though is StringIO. And what we don't want to do is
-    # serialize ourselves out with Marshal#dump.
+    # serialize ourselves out with Marshal.dump.
     #
     # Unfortunately, we have to mess around w/ that. To isolate our things from
     # user dumped Strings (and so that we can marshal findings), we have

data/lib/contrast/utils/resource_loader.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Utils
     # ResourceLoader can attempt to read a file from a predefined resource directory
-    class ResourceLoader
+    module ResourceLoader
       RESOURCES = 'resources'
 
       # __FILE__/../../../resources

data/lib/contrast/utils/sha256_builder.rb

@@ -29,8 +29,8 @@ module Contrast
 
       # Generate a SHA256 hash of the combined source code of this Gem
       def sha256 path
-        return nil unless path
-        return nil unless File.exist?(path) && !File.directory?(path)
+        return unless path
+        return unless File.exist?(path) && !File.directory?(path)
 
         @sha256_cache[path] ||= Digest::SHA256.file(path).to_s
       end
@@ -52,18 +52,6 @@ module Contrast
         parent_dir = File.dirname(gems_dir)
         File.join(parent_dir, Contrast::Utils::ObjectShare::CACHE)
       end
-
-      def self.files path
-        instance.files(path)
-      end
-
-      def self.sha256 path
-        instance.sha256(path)
-      end
-
-      def self.build_from_spec spec
-        instance.build_from_spec(spec)
-      end
     end
   end
 end

data/lib/contrast/utils/string_utils.rb

@@ -74,7 +74,7 @@ module Contrast
       # @return [String] a copy of the given String, upper cased, trimmed,
       #   dashes replaced with underscore, and HTTP trimmed
       def self.normalized_key str
-        return nil unless str
+        return unless str
 
         str = str.to_s
         @_normalized_keys ||= {}

data/lib/contrast/utils/tag_util.rb

@@ -19,16 +19,15 @@ module Contrast
 
             relationship = tag.compare_range(range.start_idx, range.end_idx)
             case relationship
-            when Contrast::Agent::Assess::Tag::BELOW
               # since the tags are ordered, if we're below, nope out
-              return false
-            when Contrast::Agent::Assess::Tag::LOW_SPAN
-              # if we ever get a low span, that means a low part
-              # won't be covered. there's no need to continue
-              return false
-            when Contrast::Agent::Assess::Tag::WITHOUT
-              # if we ever get a without, that means a low part won't
-              # be covered. there's no need to continue
+            when Contrast::Agent::Assess::Tag::BELOW,
+                # if we ever get a low span, that means a low part
+                # won't be covered. there's no need to continue
+                Contrast::Agent::Assess::Tag::LOW_SPAN,
+                # if we ever get a without, that means a low part won't
+                # be covered. there's no need to continue
+                Contrast::Agent::Assess::Tag::WITHOUT
+
               return false
             when Contrast::Agent::Assess::Tag::WITHIN
               # if we're within, then 0 out this tag since it is
@@ -131,10 +130,7 @@ module Contrast
           smallered = []
           curr = nil
           tags.each do |tag|
-            if curr.nil?
-              curr = tag
-              smallered << curr
-            elsif tag.start_idx <= curr.end_idx
+            if curr && tag.start_idx <= curr.end_idx
               curr.update_end(tag.end_idx) if tag.end_idx > curr.end_idx
             else
               curr = tag

data/resources/assess/policy.json

@@ -275,7 +275,7 @@
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"insert",
-      "source":"P1",
+      "source":"O,P1",
       "target":"O",
       "action":"INSERT"
     }, {
@@ -614,7 +614,6 @@
       "action":"CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::MatchData",
       "patch_method": "captures_tagger"
-
     }, {
       "class_name":"MatchData",
       "instance_method": true,
@@ -640,7 +639,9 @@
       "method_name": "gsub",
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
-      "patch_method": "gsub_tagger"
+      "patch_method": "gsub_tagger",
+      "source": "O,P1",
+      "target": "R"
     }, {
       "class_name": "String",
       "instance_method": true,
@@ -648,7 +649,9 @@
       "method_name": "gsub!",
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
-      "patch_method": "gsub_tagger"
+      "patch_method": "gsub_tagger",
+      "source": "O,P1",
+      "target": "O"
     }, {
       "class_name": "String",
       "instance_method": true,
@@ -656,7 +659,9 @@
       "method_name": "sub",
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
-      "patch_method": "sub_tagger"
+      "patch_method": "sub_tagger",
+      "source": "O,P1",
+      "target": "R"
     }, {
       "class_name": "String",
       "instance_method": true,
@@ -664,7 +669,9 @@
       "method_name": "sub!",
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
-      "patch_method": "sub_tagger"
+      "patch_method": "sub_tagger",
+      "source": "O,P1",
+      "target": "O"
     }, {
       "class_name": "String",
       "instance_method": true,
@@ -672,7 +679,9 @@
       "method_name": "tr",
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
-      "patch_method": "tr_tagger"
+      "patch_method": "tr_tagger",
+      "source": "O,P1",
+      "target": "R"
     }, {
       "class_name": "String",
       "instance_method": true,
@@ -680,7 +689,9 @@
       "method_name": "tr!",
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
-      "patch_method": "tr_tagger"
+      "patch_method": "tr_tagger",
+      "source": "O,P1",
+      "target": "O"
     }, {
       "class_name": "String",
       "instance_method": true,
@@ -688,7 +699,9 @@
       "method_name": "tr_s",
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
-      "patch_method": "tr_s_tagger"
+      "patch_method": "tr_s_tagger",
+      "source": "O,P1",
+      "target": "R"
     }, {
       "class_name": "String",
       "instance_method": true,
@@ -696,7 +709,9 @@
       "method_name": "tr_s!",
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
-      "patch_method": "tr_s_tagger"
+      "patch_method": "tr_s_tagger",
+      "source": "O,P1",
+      "target": "O"
     }, {
       "class_name": "String",
       "instance_method": true,
@@ -704,7 +719,9 @@
       "method_name": "[]",
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Select",
-      "patch_method": "select_tagger"
+      "patch_method": "select_tagger",
+      "source": "O",
+      "target": "R"
     }, {
       "class_name":"CGI::Util",
       "method_name":"escapeHTML",
@@ -966,7 +983,9 @@
       "method_name": "sprintf",
       "action": "CUSTOM",
       "patch_class": "Contrast::Extension::Assess::KernelPropagator",
-      "patch_method": "sprintf_tagger"
+      "patch_method": "sprintf_tagger",
+      "source": "O,P1",
+      "target": "R"
     }, {
       "class_name":"ActiveRecord::ConnectionAdapters::Quoting",
       "instance_method": true,