contrast-agent 3.15.0 → 4.3.0

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -51,16 +51,23 @@ module Contrast
                   incoming_tracked = args && determine_tracked(args)
                   return ret unless self_tracked || incoming_tracked
 
+                  parent_events = []
                   if block
                     block_sub(self_tracked, source, ret)
                   elsif args.is_a?(String)
-                    string_sub(self_tracked, preshift, ret, args, incoming_tracked, global)
+                    string_sub(parent_events, self_tracked, preshift, ret, args, incoming_tracked, global)
                   elsif args.is_a?(Hash)
                     hash_sub(self_tracked, source, ret)
                   else # Enumerator, only for gsub
-                    pattern_gsub(preshift, ret)
+                    pattern_gsub(parent_events, preshift, ret)
                   end
-                  string_build_event(patcher, preshift, ret)
+
+                  if self_tracked
+                    source_properties = Contrast::Agent::Assess::Tracker.properties(source)
+                    parent_event = source_properties&.event
+                    parent_events.prepend(parent_event) if parent_event
+                  end
+                  string_build_event(parent_events, patcher, preshift, ret)
                 rescue StandardError => e
                   logger.error('Unable to apply gsub propagator', e)
                 end
@@ -84,9 +91,12 @@ module Contrast
                 end
               end
 
-              def string_sub self_tracked, preshift, ret, incoming, incoming_tracked, global
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+              def string_sub parent_events, self_tracked, preshift, ret, incoming, incoming_tracked, global
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
+
+                incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
+                parent_event = incoming_properties&.event
+                parent_events << parent_event if parent_event
 
                 pattern = preshift.args[0]
                 source = preshift.object
@@ -119,8 +129,8 @@ module Contrast
                 properties.delete_tags_at_ranges(ranges)
                 properties.shift_tags(ranges)
                 return unless incoming_tracked
+                return unless incoming_properties
 
-                incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
                 tags = incoming_properties.tag_keys
                 ranges.each do |range|
                   tags.each do |tag|
@@ -130,40 +140,36 @@ module Contrast
               end
 
               def block_sub self_tracked, source, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                properties&.splat_from(source, ret) if self_tracked
+                return unless self_tracked
+
+                properties = Contrast::Agent::Assess::Tracker.properties!(ret)
+                properties&.splat_from(source, ret)
               end
 
               def hash_sub self_tracked, source, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                properties&.splat_from(source, ret) if self_tracked
-              end
+                return unless self_tracked
 
-              def pattern_gsub preshift, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                properties = Contrast::Agent::Assess::Tracker.properties!(ret)
+                properties&.splat_from(source, ret)
+              end
 
+              def pattern_gsub parent_events, preshift, ret
                 source = preshift.object
-                source_properties = Contrast::Agent::Assess::Tracker.properties(source)
-                return unless source_properties
+                return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source_properties.tag_keys.each do |key|
                   properties.add_tag(key, 0...1)
                 end
+                parent_event = source_properties.event
+                parent_events << parent_event if parent_event
               end
 
-              def string_build_event patcher, preshift, ret
+              def string_build_event parent_events, patcher, preshift, ret
                 return unless Contrast::Agent::Assess::Tracker.tracked?(ret)
 
                 properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 args = preshift.args
-                if args.length > 1
-                  arg = args[1]
-                  arg_properties = Contrast::Agent::Assess::Tracker.properties(arg)
-                  arg_properties&.events&.each do |event|
-                    properties.events << event
-                  end
-                end
                 properties.build_event(
                     patcher,
                     ret,
@@ -171,6 +177,7 @@ module Contrast
                     ret,
                     args,
                     2)
+                properties.event.instance_variable_set(:@_parent_events, parent_events)
               end
             end
           end

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -11,13 +11,11 @@ module Contrast
           # Disclaimer: there may be a better way, but we're
           # in a 'get it work' state. hopefully, we'll be in
           # a 'get it right' state soon.
-          class Trim
+          module Trim
             class << self
               def tr_tagger patcher, preshift, ret, _block
                 return ret unless ret && !ret.empty?
-
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return ret unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source = preshift.object
                 args = preshift.args
@@ -59,9 +57,7 @@ module Contrast
 
               def tr_s_tagger patcher, preshift, ret, _block
                 return unless ret && !ret.empty?
-
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source = preshift.object
                 args = preshift.args

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -178,8 +178,8 @@ module Contrast
               # don't apply second source -- probably needs tuning later if we
               # use more than 'UNTRUSTED' in our sources
               return if Contrast::Agent::Assess::Tracker.tracked?(target)
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
               # otherwise for each tag this source_node applies, create a tag range
               # on the target object
               # I realize this looping is counter-intuitive from the above
@@ -243,19 +243,7 @@ module Contrast
               when Contrast::Utils::ObjectShare::OBJECT_KEY
                 object
               else
-                if source_target.is_a?(Integer)
-                  args[source_target]
-                  # If this isn't an index param, it's a named one. R.I.P.
-                else
-                  arg = nil
-                  args.each do |search|
-                    next unless search.is_a?(Hash)
-
-                    arg = search[source_target]
-                    break if arg
-                  end
-                  arg
-                end
+                args[source_target]
               end
             end
 

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -25,24 +25,22 @@ module Contrast
               TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
               def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 scope = args[0]
                 erb_template_prerender = object.instance_variable_get(:@data)
                 interpolated_inputs = []
-                handle_binding_variables(scope, erb_template_prerender, ret, interpolated_inputs)
-                handle_local_variables(args, erb_template_prerender, ret, interpolated_inputs)
+                handle_binding_variables(scope, erb_template_prerender, ret, properties, interpolated_inputs)
+                handle_local_variables(args, erb_template_prerender, ret, properties, interpolated_inputs)
+                properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
                 unless interpolated_inputs.empty?
+                  current_event = properties.event
                   interpolated_inputs.each do |input|
                     input_properties = Contrast::Agent::Assess::Tracker.properties(input)
-                    next unless input_properties
+                    next unless input_properties&.event
 
-                    input_properties.events.each do |event|
-                      properties.events << event
-                    end
+                    current_event.parent_events << input_properties.event
                   end
-                  properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
                 end
 
                 if Contrast::Agent::Assess::Tracker.tracked?(ret)
@@ -54,8 +52,7 @@ module Contrast
 
               private
 
-              def handle_binding_variables scope, erb_template_prerender, ret, interpolated_inputs
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+              def handle_binding_variables scope, erb_template_prerender, ret, properties, interpolated_inputs
                 binding_variables = scope.instance_variables
 
                 binding_variables.each do |bound_variable_sym|
@@ -72,8 +69,7 @@ module Contrast
                 end
               end
 
-              def handle_local_variables args, erb_template_prerender, ret, interpolated_inputs
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+              def handle_local_variables args, erb_template_prerender, ret, properties, interpolated_inputs
                 locals = args[1]
                 locals.each do |local_name, local_value|
                   next unless Contrast::Agent::Assess::Tracker.tracked?(local_value)

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -43,7 +43,7 @@ module Contrast
                   next unless trigger_node.violated?(arg)
 
                   Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-                      context, trigger_node, arg, object, ret, args)
+                      context, trigger_node, arg, object, ret, *args)
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -27,6 +27,24 @@ module Contrast
           CURRENT_FINDING_VERSION = 4
 
           class << self
+            # Append the given finding to the given context to be reported when
+            # the Context's activity is sent to the Service or, in the absence
+            # of that Context, generate an Activity and queue it manually
+            # @param finding [Contrast::Api::Dtm::Finding]
+            def report_finding finding
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                context.activity.findings << finding
+              else
+                activity = Contrast::Api::Dtm::Activity.new
+                activity.findings << finding
+
+                Contrast::Agent.messaging_queue.send_event_eventually(activity)
+              end
+              logger.debug('Finding reported',
+                           rule: finding.rule_id)
+            end
+
             # This is called from within our woven proc. It will be called as if it
             # were inline in the Rack application.
             #
@@ -69,8 +87,8 @@ module Contrast
             # This converts the source of the finding, and the events leading
             # up to it into a Finding
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -98,11 +116,11 @@ module Contrast
               build_hash(finding, source)
               finding.routes << context.route if context.route
               finding.version = determine_compliance_version(finding)
-              context.activity.findings << finding
               logger.trace('Finding created',
                            node_id: trigger_node.id,
                            source_id: source.__id__,
                            rule: trigger_node.rule_id)
+              report_finding(finding)
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
             end
@@ -112,8 +130,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -181,8 +199,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Regexp based rules.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -201,8 +219,8 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Dataflow based rules.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
+            # @param context [Contrast::Agent::RequestContext] the current
+            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -244,11 +262,7 @@ module Contrast
               properties = Contrast::Agent::Assess::Tracker.properties(source)
               return unless properties
 
-              # events could technically be nil, but we would have failed
-              # the rule check before getting here. not worth the nil check
-              properties.events.each do |event|
-                finding.events << event.to_dtm_event
-              end
+              build_events finding, properties.event if properties.event
 
               # Google::Protobuf::Map doesn't support merge!, so we have to do this
               # long form
@@ -261,6 +275,17 @@ module Contrast
               end
             end
 
+            def build_events finding, event
+              return unless event
+
+              event.parent_events&.each do |parent_event|
+                build_events(finding, parent_event)
+              end
+              # events could technically be nil, but we would have failed
+              # the rule check before getting here. not worth the nil check
+              finding.events << event.to_dtm_event
+            end
+
             def build_hash finding, source
               hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -104,13 +104,13 @@ module Contrast
 
             properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = find_ranges_by_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
+            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 
             # find the ranges that are exempt from the rule
             # (validated, sanitized, etc)
-            secure_ranges = find_ranges_by_any_tag(properties, disallowed_tags)
+            secure_ranges = ranges_with_any_tag(properties, disallowed_tags)
             # if there are vulnerable ranges and no secure, report
             return true if secure_ranges.empty?
 
@@ -181,49 +181,43 @@ module Contrast
           #   tags.
           # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
-          # @param tags [Set<String>] the list of tags on which to match
+          # @param required_tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def find_ranges_by_all_tags length, properties, tags
-            # if there aren't any all_tags or tags, break early
+          def ranges_with_all_tags length, properties, required_tags
+            # if there are no tags, not required tags, or the tags don't have
+            # all the required tags, we can just return here.
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
-
-            # :zap: faster to treat all as any if there's only one tag
-            return find_ranges_by_any_tag(properties, tags) if tags.length == 1
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags.all? { |tag| properties.tag_keys.include?(tag) }
 
             ranges = []
-            # TODO: RUBY-946 clean this up, perhaps with
-            #   tags.each { |tag| applicable << properties.fetch_tag(tag) }
-            #   return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless applicable.length == tags.length
-            #   ...
+            chunking = false
             # find all the indicies on the source that have all the given tags
             (0..length).each do |idx|
-              tags_at = properties.tags_at(idx)
-              ranges << idx if tags.all? do |tag|
-                found = false
-                tags_at.each do |tag_at|
-                  found = tag_at.label == tag
-                  break if found
-                end
-                found
+              tags_at = properties.tags_at(idx).to_a
+              # only those that have all the required tags in the tags_at
+              # satisfy the requirement
+              satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
+              # if this range matches all the required tags and we're already
+              # chunking, meaning the previous range matched, do nothing
+              next if satisfied && chunking
+
+              # if we are satisfied and we were not chunking, this represents
+              # the start of the next range, so create a new entry.
+              if satisfied
+                ranges << Contrast::Agent::Assess::Tag.new('required', 0, idx)
+                chunking = true
+              # if we are chunking and not satisfied, this represents the end
+              # of the range, meaning the last index is what satisfied the
+              # range. Because the range is exclusive end, we can just use this
+              # index.
+              elsif chunking
+                ranges[-1]&.update_end(idx)
+                chunking = false
               end
             end
-            # break early if no indicies satisfy all the tags
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY if ranges.empty?
-
-            # chunk all the adjacent ranges
-            chunked = ranges.chunk_while { |i, j| i + 1 == j }
-            tag_ranges = []
-            # and convert them into Tags
-            chunked.each do |join|
-              start = join[0]
-              stop = join[-1]
-              # add the 1 to account for end index being exclusive
-              tag_length = stop - start + 1
-              tag_ranges = Contrast::Utils::TagUtil.ordered_merge(tag_ranges, Tag.new(tag_length, start))
-            end
-            tag_ranges
+            ranges
           end
 
           # Find the ranges that satisfy any of the given tags.
@@ -233,7 +227,7 @@ module Contrast
           # @param tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def find_ranges_by_any_tag properties, tags
+          def ranges_with_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -39,7 +39,7 @@ module Contrast
               finish ||= url.length
 
               properties = Contrast::Agent::Assess::Tracker.properties(args[0])
-              properties.any_tags_between?(start, finish)
+              properties&.any_tags_between?(start, finish)
             end
           end
         end