contrast-agent 3.15.0 → 4.3.0

data/lib/contrast/agent/assess/events/source_event.rb

@@ -21,7 +21,7 @@ module Contrast
             @request = Contrast::Agent::REQUEST_TRACKER.current&.request
           end
 
-          def find_parent_ids _policy_node, _object, _ret, _args
+          def parent_events
             nil
           end
 
@@ -58,19 +58,14 @@ module Contrast
 
           # We have to do a little work to figure out what our TS appropriate
           # target is. To break this down, the logic is as follows:
-          # 1) If I have a highlight, it means that I have a P target that is
-          #    not in integer form (it was a named / keyword type for which I had
-          #    to find the index). I need to address this so that TS can process
-          #    it.
-          # 2) I'll set the event's source and target to TS values.
-          # 3) Return the highlight or the first source/target as the taint
-          #    target.
+          # 1) I'll set the event's source and target to TS values.
+          # 2) Return the first source/target as the taint target.
           def determine_taint_target event_dtm
             return unless @policy_node&.targets&.any?
 
             event_dtm.source = @policy_node.source_string if @policy_node.source_string
-            event_dtm.target = @highlight ? "P#{ @highlight }" : @policy_node.target_string
-            @highlight || @policy_node.targets[0]
+            event_dtm.target = @policy_node.target_string
+            @policy_node.targets[0]
           end
         end
       end

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -110,16 +110,23 @@ module Contrast
               dynamic_source.method_name = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.instance_method = source_node.instance_method?
               dynamic_source.target = Contrast::Utils::StringUtils.force_utf8(source_node.target_string)
-              properties.events.each do |event|
-                dynamic_source.events << event.to_dtm_event
-              end
               dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.properties[READ_COLUMN] = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.properties[WRITE_QUERY_TIME] = Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
               url = current_context.request.normalized_uri
               dynamic_source.properties[WRITE_QUERY_URL] = Contrast::Utils::StringUtils.force_utf8(url)
+              append_events(dynamic_source, properties.event)
               dynamic_source
             end
+
+            def append_events dynamic_source, event
+              return unless event
+
+              event.parent_events&.each do |parent_event|
+                append_events(dynamic_source, parent_event)
+              end
+              dynamic_source.events << event.to_dtm_event
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -52,12 +52,13 @@ module Contrast
               Contrast::Utils::ObjectShare::CLASS,
               Contrast::Utils::ObjectShare::MODULE
             ].cs__freeze
-            def patch_assess_method clazz, method_name
+            def patch_assess_method mod, method_name
               # Module.define_method is called a lot in Class and Module. We
               # currently do not expect these define_methods to result in methods
               # that require patching, so for the sake of performance, we're going
               # to skip evaluating them
-              class_name = clazz.cs__name
+              mod = mod.cs__class unless mod.cs__is_a?(Module)
+              class_name = mod.cs__class
               return if CLASS_TYPES.include?(class_name)
               return unless ASSESS.enabled?
 
@@ -73,7 +74,7 @@ module Contrast
                                                                                     method_name: source_node.method_name,
                                                                                     method_visibility: source_node.method_visibility,
                                                                                     instance_method: true)
-                patcher.patch_method(clazz, method_array, method_policy)
+                patcher.patch_method(mod, method_array, method_policy)
               end
             rescue StandardError => e
               logger.warn(

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -19,8 +19,8 @@ module Contrast
             @source_string = policy_hash[JSON_SOURCE]
             @target_string = policy_hash[JSON_TARGET]
             @tags = Set.new(policy_hash[JSON_TAGS])
-            generate_sources
-            generate_targets
+            @sources = convert_policy_markers(source_string)
+            @targets = convert_policy_markers(target_string)
           end
 
           def feature
@@ -47,7 +47,7 @@ module Contrast
 
           def target_string= value
             @target_string = value
-            generate_targets
+            @targets = convert_policy_markers(value)
           end
 
           # Sometimes we need to tie information to an event. We'll add a
@@ -66,62 +66,6 @@ module Contrast
             @properties[name]
           end
 
-          # Given a source in the format A,B,C, populate the sources of this node
-          # 1) Split on ','
-          # 2) If 'O', add the source, else it's P (we don't have R sources) and
-          #    needs to be converted. P type will either be P:name or P# where #
-          #    is the index of the parameter. Drop the P and store the int as int
-          #    or name as symbol
-          def generate_sources
-            if source_string
-              @sources = []
-              source_string.split(Contrast::Utils::ObjectShare::COMMA).each do |s|
-                is_object = (s == Contrast::Utils::ObjectShare::OBJECT_KEY)
-                if is_object
-                  @sources << s
-                else
-                  parameter_source = s[1..-1]
-                  @sources << if parameter_source.start_with?(Contrast::Utils::ObjectShare::COLON)
-                                parameter_source[1..-1].to_sym
-                              else
-                                parameter_source.to_i
-                              end
-                end
-              end
-            else
-              @sources = Contrast::Utils::ObjectShare::EMPTY_ARRAY
-            end
-          end
-
-          # Given a target in the format A,B,C, populate the targets of this node
-          # 1) Split on ','
-          # 2) If 'O' or 'R', add the target, else it's P and needs to be
-          #    converted. P type will either be P:name or P# where # is the index
-          #    of the paramter. Drop the P and store the int as int or name as
-          #    symbol
-          def generate_targets
-            if target_string
-              @targets = []
-              target_string.split(Contrast::Utils::ObjectShare::COMMA).each do |t|
-                case t
-                when Contrast::Utils::ObjectShare::OBJECT_KEY
-                  @targets << t
-                when Contrast::Utils::ObjectShare::RETURN_KEY
-                  @targets << t
-                else
-                  parameter_target = t[1..-1]
-                  @targets << if parameter_target.start_with?(Contrast::Utils::ObjectShare::COLON)
-                                parameter_target[1..-1].to_sym
-                              else
-                                parameter_target.to_i
-                              end
-                end
-              end
-            else
-              @targets = Contrast::Utils::ObjectShare::EMPTY_ARRAY
-            end
-          end
-
           # Don't let nodes be created that will be missing things we need
           # later on. Really, if they don't have these things, they couldn't have
           # done their jobs anyway.
@@ -157,19 +101,24 @@ module Contrast
           # Everything else (propagation nodes) are Source2Target
           def build_action
             @event_action ||= begin
-              source = source_string
-              target = target_string
-              if source.nil?
+              case node_class
+              when Contrast::Agent::Assess::Policy::SourceNode::SOURCE
                 :CREATION
-              elsif target.nil?
+              when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER
                 :TRIGGER
               else
-                # TeamServer can't handle the multi-source or multi-target
-                # values. Give it some help by changing them to 'A'
-                source = ALL_TYPE if source.include?(Contrast::Utils::ObjectShare::COMMA)
-                target = ALL_TYPE if target.include?(Contrast::Utils::ObjectShare::COMMA)
-                str = source[0] + TO_MARKER + target[0]
-                str.to_sym
+                if source_string.nil?
+                  :CREATION
+                elsif target_string.nil?
+                  :TRIGGER
+                else
+                  # TeamServer can't handle the multi-source or multi-target
+                  # values. Give it some help by changing them to 'A'
+                  source = source_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : source_string
+                  target = target_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : target_string
+                  str = source[0] + TO_MARKER + target[0]
+                  str.to_sym
+                end
               end
             end
             @event_action
@@ -181,6 +130,34 @@ module Contrast
           JSON_TARGET = 'target'
           JSON_TAGS = 'tags'
           JSON_DATAFLOW = 'dataflow'
+
+          private
+
+          # Given a policy string in the format A,B,C, populate the given array
+          # 1) Split on ','
+          # 2) If 'O' or 'R', add the array, else it's P and needs to be
+          #    converted. P type will either be P# where # is the index
+          #    of the parameter. Drop the P and store the # as an int.
+          #
+          # @param markers [String] the String from the policy to parse
+          # @return [Array] the array generated by converting the marker string
+          def convert_policy_markers markers
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless markers
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY if markers.empty?
+
+            converted = []
+            markers.split(Contrast::Utils::ObjectShare::COMMA).each do |t|
+              case t
+              when Contrast::Utils::ObjectShare::OBJECT_KEY,
+                   Contrast::Utils::ObjectShare::RETURN_KEY
+
+                converted << t
+              else
+                converted << Integer(t[1..-1])
+              end
+            end
+            converted
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -17,18 +17,35 @@ module Contrast
           access_component :analysis
 
           class << self
+            # Use the given trace_point, built from an :end event, to determine
+            # where the loaded code lives and scan that code for policy
+            # violations.
+            #
+            # @param trace_point [TracePoint] the TracePoint generated by an
+            #   :end event at the end of a Module definition.
             def scan trace_point
               return unless ASSESS.enabled?
               return unless ASSESS.require_scan?
 
+              provider_values = policy.providers.values
+              return if provider_values.all?(&:disabled?)
+
               return unless trace_point.path
               return if trace_point.path.start_with?(Gem.dir)
 
               mod = trace_point.self
               return if mod.cs__frozen? || mod.singleton_class?
 
-              policy.providers.each_value do |provider|
-                provider.analyze mod
+              # TODO: RUBY-1014 - remove non-AST approach
+              if RUBY_VERSION >= '2.6.0'
+                ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
+                provider_values.each do |provider|
+                  provider.parse(trace_point, ast)
+                end
+              else
+                provider_values.each do |provider|
+                  provider.analyze(mod)
+                end
               end
             end
 

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -36,11 +36,11 @@ module Contrast
           #   the state of the object and arguments just prior to the method
           #   being called or nil if one is not required.
           def build_preshift propagation_node, object, args
-            return nil unless propagation_node
-            return nil unless ASSESS.enabled?
+            return unless propagation_node
+            return unless ASSESS.enabled?
 
             initializing = propagation_node.method_name == :initialize
-            return nil if unsafe_io_object?(object, initializing)
+            return if unsafe_io_object?(object, initializing)
 
             needs_object = propagation_node.needs_object?
             needs_args = propagation_node.needs_args?

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -37,20 +37,15 @@ module Contrast
 
           class << self
             def determine_target propagation_node, ret, object, args
-              target_key = propagation_node.targets[0]
-              return ret if target_key == Contrast::Utils::ObjectShare::RETURN_KEY
-              return object if target_key == Contrast::Utils::ObjectShare::OBJECT_KEY
-
-              return args[target_key] if target_key.is_a?(Integer)
-
-              arg = nil
-              args.each do |search|
-                next unless search.is_a?(Hash)
-
-                arg = search[target_key]
-                break if arg
+              target = propagation_node.targets[0]
+              case target
+              when Contrast::Utils::ObjectShare::OBJECT_KEY
+                object
+              when Contrast::Utils::ObjectShare::RETURN_KEY
+                ret
+              else
+                args[target]
               end
-              arg
             end
 
             # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
@@ -208,8 +203,8 @@ module Contrast
             # If this patcher has tags, apply them to the entire target
             def apply_tags propagation_node, target
               return unless propagation_node.tags
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
 
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
               length = Contrast::Utils::StringUtils.ret_length(target)
               propagation_node.tags.each do |tag|
                 properties.add_tag(tag, 0...length)
@@ -219,9 +214,7 @@ module Contrast
             # If this patcher has tags, remove them from the entire target
             def apply_untags propagation_node, target
               return unless propagation_node.untags
-
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
-              return unless properties
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
 
               propagation_node.untags.each do |tag|
                 properties.delete_tags(tag)
@@ -256,7 +249,7 @@ module Contrast
 
             def handle_enumerable_propagation propagation_node, preshift, target, object, ret, args, block
               target.each do |value|
-                next if target == value # Some Enumerable#each are overriden to return self the first time which leads to infinite propagation
+                next if target == value # Some Enumerable#each are overridden to return self the first time which leads to infinite propagation
 
                 apply_propagator(propagation_node, preshift, value, object, ret, args, block)
               end
@@ -300,7 +293,8 @@ module Contrast
               # both and there should never be a propagator that has a tag in
               # its untag.
               apply_untags(propagation_node, target)
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
+
               properties.add_properties(propagation_node.properties)
               properties.build_event(propagation_node, target, object, ret, args)
               logger.trace('Propagation detected',

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -83,35 +83,23 @@ module Contrast
           end
 
           def needs_object?
-            @_needs_object ||= begin
-              if action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION
-                true
-              elsif action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION
-                true
-              elsif sources.any? { |source| source == Contrast::Utils::ObjectShare::OBJECT_KEY }
-                true
-              elsif targets.any? { |target| target == Contrast::Utils::ObjectShare::OBJECT_KEY }
-                true
-              else
-                false
-              end
+            if @_needs_object.nil?
+              @_needs_object = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
+                  action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
+                  sources.any? { |source| source == Contrast::Utils::ObjectShare::OBJECT_KEY } ||
+                  targets.any? { |target| target == Contrast::Utils::ObjectShare::OBJECT_KEY }
             end
+            @_needs_object
           end
 
           def needs_args?
-            @_needs_args ||= begin
-              if action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION
-                true
-              elsif action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION
-                true
-              elsif sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) }
-                true
-              elsif targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
-                true
-              else
-                false
-              end
+            if @_needs_args.nil?
+              @_needs_args = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
+                  action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
+                  sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) } ||
+                  targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
             end
+            @_needs_args
           end
 
           # This is a tagger if it has a tag or an untag.

data/lib/contrast/agent/assess/policy/propagator/append.rb

@@ -16,8 +16,7 @@ module Contrast
               # copy tags from the param to the target in chunks of param size or less
               # if param is appended in space less than param length
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 sources = propagation_node.sources
                 source1 = find_source(sources[0], preshift)

data/lib/contrast/agent/assess/policy/propagator/center.rb

@@ -12,8 +12,7 @@ module Contrast
           class Center < Contrast::Agent::Assess::Policy::Propagator::Base
             class << self
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 sources = propagation_node.sources
                 source1 = find_source(sources[0], preshift)

data/lib/contrast/agent/assess/policy/propagator/custom.rb

@@ -12,7 +12,7 @@ module Contrast
           # of tags from the source to the target. Each node with the CUSTOM
           # action knows the class and method it should call to preform this
           # action.
-          class Custom
+          module Custom
             class << self
               def propagate propagation_node, preshift, ret, block
                 clazz = propagation_node.patch_class

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -30,9 +30,7 @@ module Contrast
                   arg.each_pair do |key, value|
                     next unless value
                     next if known_tainted&.include?(key)
-
-                    properties = Contrast::Agent::Assess::Tracker.properties(value)
-                    next unless properties
+                    next unless (properties = Contrast::Agent::Assess::Tracker.properties!(value))
 
                     # TODO: RUBY-540 handle sanitization, handle nested objects
                     Contrast::Agent::Assess::Policy::PropagationMethod.apply_tags(propagation_node, value)