contrast-agent 3.15.0 → 4.3.0

data/lib/contrast/agent/assess/property/evented.rb

@@ -10,23 +10,11 @@ module Contrast
       module Property
         # This module serves to hold the functionality required for the
         # management of our dataflow events.
+        #
+        # @attr_reader event [Contrast::Agent::Assess::ContrastEvent] the
+        #   latest event to track
         module Evented
-          # The events for this object.
-          #
-          # @return [Array<Contrast::Agent::Assess::ContrastEvent>]
-          def events
-            @_events ||= []
-          end
-
-          # Add an event to these properties. It will be used to build
-          # a trace if this object ends up in a trigger.
-          #
-          # @param event [Contrast::Agent::Assess::ContrastEvent] the latest
-          #   event to track
-          def add_event event
-            events << event
-            self
-          end
+          attr_accessor :event
 
           # Create a new event and add it to the event set.
           #
@@ -43,8 +31,7 @@ module Contrast
           #   the key used to accessed if from a map or nil if a type like
           #   BODY
           def build_event policy_node, tagged, object, ret, args, source_type = nil, source_name = nil
-            event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
-            add_event(event)
+            @event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
             report_sources(tagged, event)
           end
 

data/lib/contrast/agent/assess/property/tagged.rb

@@ -79,6 +79,10 @@ module Contrast
           # range       : 5-10
           # result      : 0-05
           #
+          # Note that we disable Lint/DuplicateBranch in this branch in order
+          # list out all tag range cases in the proper order to make this
+          # easier to understand
+          #
           # @param range [Range] the span to check, inclusive to exclusive
           # @return [Hash{String => Contrast::Agent::Assess::Tag}] the hash of
           #   key to tags
@@ -101,10 +105,10 @@ module Contrast
                   finish = range.size - start
                   add << Contrast::Agent::Assess::Tag.new(tag.label, finish, start)
                   # the tag spans the requested range.
-                when Contrast::Agent::Assess::Tag::WITHOUT
+                when Contrast::Agent::Assess::Tag::WITHOUT # rubocop:disable Lint/DuplicateBranch
                   add << Contrast::Agent::Assess::Tag.new(tag.label, range.size)
                   # part of the tag is being selected
-                when Contrast::Agent::Assess::Tag::HIGH_SPAN
+                when Contrast::Agent::Assess::Tag::HIGH_SPAN # rubocop:disable Lint/DuplicateBranch
                   add << Contrast::Agent::Assess::Tag.new(tag.label, range.size)
                 end
               end
@@ -162,19 +166,17 @@ module Contrast
           end
 
           # We'll use this as a helper method to retrieve tags from the hash.
-          # Because the hash auto-populates an empty array when we try to access
-          # a tag in it, we cannot use the [] method without side effect. To get
-          # around this, we'll use a fetch work around.
+          # Because the hash auto-populates an empty array when we try to
+          # access a tag in it, we cannot use the [] method without side
+          # effect. To get around this, we'll use a fetch work around.
+          #
+          # @param label [Symbol] the label to look up
+          # @return [Array<Contrast::Agent::Assess::Tag>] all the tags with
+          #   that label
           def fetch_tag label
             tags.fetch(label, nil) if tracked?
           end
 
-          # Convert the tags of this object into the TraceTaintRange required
-          # to be sent to the service
-          def tags_to_dtm
-            Contrast::Api::Dtm::TraceTaintRange.build_for_event(tags)
-          end
-
           # Remove all tags within the given ranges.
           # This does not delete an entire tag if part of that tag is
           # outside this range, meaning we may reduce sizes of tags
@@ -295,9 +297,19 @@ module Contrast
             end
           end
 
-          # Shift the tag ranges covering the given range
-          # We assume this is for a insertion, meaning we
-          # have to move tags to the right
+          # Shift the tag ranges covering the given range to account for new
+          # data being added. We assume this is for a insertion, meaning we
+          # have to move tags out of the range and to the right. For example,
+          # given current tags:     0-15
+          # when we insert a range: 5-10
+          # then the result is:     0-5, 10-20
+          #
+          # Note that we disable Lint/DuplicateBranch in this branch in order
+          # list out all tag range cases in the proper order to make this
+          # easier to understand
+          #
+          # @param range [Range] the range of new information that's been
+          #   inserted
           def shift_tags_for_insertion range
             return unless tracked?
 
@@ -319,13 +331,13 @@ module Contrast
                 when Contrast::Agent::Assess::Tag::WITHIN
                   tag.shift(length)
                   # the tag spans the range. leave the part below alone
-                when Contrast::Agent::Assess::Tag::WITHOUT
+                when Contrast::Agent::Assess::Tag::WITHOUT # rubocop:disable Lint/DuplicateBranch
                   new_tag = tag.clone
                   new_tag.update_start(range.begin)
                   new_tag.shift(length)
                   add << new_tag
                   tag.update_end(range.begin)
-                when Contrast::Agent::Assess::Tag::HIGH_SPAN, Contrast::Agent::Assess::Tag::ABOVE
+                when Contrast::Agent::Assess::Tag::HIGH_SPAN, Contrast::Agent::Assess::Tag::ABOVE # rubocop:disable Lint/DuplicateBranch
                   tag.shift(length)
                 end
               end

data/lib/contrast/agent/assess/property/updated.rb

@@ -26,11 +26,6 @@ module Contrast
             return unless original
 
             adjust_duplicate(original)
-
-            original.events.each do |event|
-              events << event
-            end
-
             original.tag_keys.each do |key|
               next if skip_tags&.include?(key)
 

data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb

@@ -33,6 +33,64 @@ module Contrast
                   NON_KEY_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
             end
 
+            BYTE_HOLDERS = %i[ARRAY LIST].cs__freeze
+            # Determine if the given value node violates the hardcode key rule
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean]
+            def value_node_passes? value_node
+              # If it's a freeze call, then evaluate the entity being frozen
+              value_node = value_node.children[0] if freeze_call?(value_node)
+              # If it's a String being turned into bytes, then it matches key
+              # expectations
+              return true if bytes_call?(value_node)
+
+              type = value_node.type
+              return false unless BYTE_HOLDERS.include?(type)
+              return false unless value_node.children.any?
+
+              # Unless this is an array of literal numerics, we don't match.
+              # That array seems to always end in a nil value, so we allow
+              # those as well.
+              value_node.children.each do |child|
+                next unless child
+
+                return false unless child.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                    child.type == :LIT &&
+                    child.children[0]&.cs__is_a?(Integer)
+              end
+
+              true
+            end
+
+            REDACTED_MARKER = ' = [**REDACTED**]'
+            def redacted_marker
+              REDACTED_MARKER
+            end
+
+            # A node is a bytes_call if it's the Node for String#bytes. We care
+            # about this specifically as it's likely to be a common way to
+            # generate a key constant, rather than directly declaring an
+            # integer array.
+            #
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean] is this a node for String#bytes or not
+            def bytes_call? value_node
+              return false unless value_node.type == :CALL
+
+              children = value_node.children
+              return false unless children
+              return false unless children.length >= 2
+
+              potential_string_node = children[0]
+              return false unless potential_string_node.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                  potential_string_node.type == :STR
+
+              children[1] == :bytes
+            end
+
+            # TODO: RUBY-1014 remove `#value_type_passes?` and `#value_passes?`
             # If the value is a byte array, or at least an array of numbers, it
             # passes for this rule
             def value_type_passes? value
@@ -49,11 +107,6 @@ module Contrast
             def value_passes? _value
               true
             end
-
-            REDACTED_MARKER = ' = [**REDACTED**]'
-            def redacted_marker
-              REDACTED_MARKER
-            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb

@@ -38,15 +38,18 @@ module Contrast
                   NON_PASSWORD_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
             end
 
-            # If the value is a string, it passes for this rule
-            def value_type_passes? value
-              value.is_a?(String)
-            end
+            # Determine if the given value node violates the hardcode key rule
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean]
+            def value_node_passes? value_node
+              # If it's a freeze call, then evaluate the entity being frozen
+              value_node = value_node.children[0] if freeze_call?(value_node)
+              return false unless value_node.type == :STR
 
-            # If the value probably isn't a property name, it passes for this
-            # rule
-            def value_passes? value
-              !probably_property_name?(value)
+              # https://www.rubydoc.info/gems/ruby-internal/Node/STR
+              string = value_node.children[0]
+              !probably_property_name?(string)
             end
 
             # If a field name matches an expected password field, we'll check it's
@@ -65,6 +68,18 @@ module Contrast
             def redacted_marker
               REDACTED_MARKER
             end
+
+            # TODO: RUBY-1014 remove `#value_type_passes?` and `#value_passes?`
+            # If the value is a string, it passes for this rule
+            def value_type_passes? value
+              value.is_a?(String)
+            end
+
+            # If the value probably isn't a property name, it passes for this
+            # rule
+            def value_passes? value
+              !probably_property_name?(value)
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/policy/trigger_method'
 require 'contrast/components/interface'
 require 'contrast/extension/module'
 
@@ -9,14 +10,13 @@ module Contrast
     module Assess
       module Rule
         module Provider
-          # Hardcoded rules detect if any secret value has been written directly into the
-          # sourcecode of the application. To use this base class, a provider must
-          # implement four methods
+          # Hardcoded rules detect if any secret value has been written
+          # directly into the sourcecode of the application. To use this base
+          # class, a provider must implement three methods:
           # 1) name_passes? : does the constant name match a given value set
-          # 2) value_type_passes? : does the type of the value of the constant match the
-          #    type given
-          # 3) value_passes? : does the value of the constant match a given value set
-          # 4) redacted_marker : the value to plug in for the obfuscated value
+          # 2) value_node_passes? : does the value of the constant match a
+          #    given value set
+          # 3) redacted_marker : the value to plug in for the obfuscated value
           module HardcodedValueRule
             include Contrast::Components::Interface
             access_component :analysis, :app_context, :logging
@@ -25,6 +25,7 @@ module Contrast
               !ASSESS.enabled? || ASSESS.rule_disabled?(rule_id)
             end
 
+            # TODO: RUBY-1014 - remove `#analyze`
             COMMON_CONSTANTS = %i[
               CONTRAST_ASSESS_POLICY_STATUS
               VERSION
@@ -69,10 +70,31 @@ module Contrast
                 # if it looks like a placeholder / pointer to a config, skip it
                 next unless value_passes?(value)
 
-                report_finding(clazz, constant_string)
+                build_finding(clazz, constant_string)
               end
             end
 
+            # Parse the file pertaining to the given TracePoint to walk its AST
+            # to determine if a Constant is hardcoded. For our purposes, this
+            # hard coding means directly set rather than as an interpolated
+            # String or through a method call.
+            #
+            # Note: This is a top layer check, we make no assertions about what
+            # the methods or interpolations do. Their presence, even if only
+            # calling a hardcoded thing, causes this check to not report.
+            #
+            # @param trace_point [TracePoint] the TracePoint event created on
+            #   the :end of a Module being loaded
+            # @param ast [RubyVM::AbstractSyntaxTree::Node] the abstract syntax
+            #   tree of the Module defined in the TracePoint end event
+            def parse trace_point, ast
+              return if disabled?
+
+              parse_ast(trace_point.self, ast)
+            rescue StandardError => e
+              logger.error('Unable to parse AST for hardcoded keys', e, module: trace_point.self)
+            end
+
             # Constants can be variable or classes defined in the given
             # class. We ONLY want the variables, which should be defined in
             # the MACRO_CASE (upper case & underscore format)
@@ -90,7 +112,57 @@ module Contrast
 
             private
 
-            def report_finding clazz, constant_string
+            # @param mod [Module] the module to which this AST pertains
+            # @param ast [RubyVM::AbstractSyntaxTree::Node, Object] a node
+            #   within the AST, which may be a leaf, so any Object
+            def parse_ast mod, ast
+              return unless ast.cs__is_a?(RubyVM::AbstractSyntaxTree::Node)
+              return unless ast.cs__respond_to?(:children)
+
+              children = ast.children
+              return unless children.any?
+
+              ast.children.each do |child|
+                parse_ast(mod, child)
+              end
+
+              # https://www.rubydoc.info/gems/ruby-internal/Node/CDECL
+              return unless ast.type == :CDECL
+
+              # The CDECL Node has two children, the first being the Constant
+              # name as a symbol, the second as the value to assign to that
+              # constant
+              children = ast.children
+              name = children[0].to_s
+              # If that constant name doesn't pass our checks, move on.
+              return unless name_passes?(name)
+
+              value = children[1]
+              # The assignment node could be a direct value or a call of some
+              # sort. We leave it to each rule to properly handle these nodes.
+              return unless value_node_passes?(value)
+
+              build_finding(mod, name)
+            end
+
+            # Constants can be set as frozen directly. We need to account for
+            # this change as it means the Node given to the :CDECL call will be
+            # a :CALL, not a constant.
+            #
+            # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
+            #   evaluate
+            # @return [Boolean] is this a freeze call or not
+            def freeze_call? value_node
+              return false unless value_node.type == :CALL
+
+              children = value_node.children
+              return false unless children
+              return false unless children.length >= 2
+
+              children[1] == :freeze
+            end
+
+            def build_finding clazz, constant_string
               class_name = clazz.cs__name
 
               finding = Contrast::Api::Dtm::Finding.new
@@ -104,13 +176,10 @@ module Contrast
               hash = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.protobuf_safe_string(hash)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
-
-              activity = Contrast::Api::Dtm::Activity.new
-              activity.findings << finding
-
-              Contrast::Agent.messaging_queue.send_event_eventually(activity)
+              Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
             rescue StandardError => e
               logger.error('Unable to build a finding for Hardcoded Rule', e)
+              nil
             end
           end
         end

data/lib/contrast/agent/assess/rule/redos.rb

@@ -33,7 +33,7 @@ module Contrast
               # (2) regexp must evaluate against user input
               return unless trigger_node.violated?(string)
 
-              Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, source, object, ret, args)
+              Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, source, object, ret, *args)
             end
 
             protected

data/lib/contrast/agent/assess/tag.rb

@@ -14,7 +14,7 @@ module Contrast
 
         # Initialize a new tag
         #
-        # @param label [String] the lable of the tag
+        # @param label [String] the label of the tag
         # @param length [Integer] the length of the string described with this
         #   tag
         # @param start_idx [Integer] (0) the starting position in the string for

data/lib/contrast/agent/assess/tracker.rb

@@ -14,7 +14,20 @@ module Contrast
         PROPERTIES_HASH = Contrast::Agent::Assess::Finalizers::Hash.new
 
         class << self
+          # Retrieve the properties of the given Object, iff they exist.
+          #
+          # @param source [Object] the thing for which to look up properties.
+          # @return [Contrast::Agent::Assess::Properties, nil]
           def properties source
+            PROPERTIES_HASH[source]
+          end
+
+          # Retrieve the properties of the given Object, returning a new
+          # instance if one does not already exist and the source is trackable.
+          #
+          # @param source [Object] the thing for which to look up properties.
+          # @return [Contrast::Agent::Assess::Properties, nil]
+          def properties! source
             return unless trackable?(source)
 
             PROPERTIES_HASH[source] ||= Contrast::Agent::Assess::Properties.new
@@ -33,30 +46,15 @@ module Contrast
           end
 
           # Copy the properties from one object to the next, assuming the
-          # target does not already have its own properties.
+          # target does not already have its own properties. This should only
+          # ever be called when building PreShift for those objects sources
+          # which are already tracked.
           #
           # @param source [Object] the instance from which to copy properties
           # @param target [Object] the instance to which to copy properties
           def copy source, target
             PROPERTIES_HASH[target] ||= properties(source).dup
           end
-
-          # Duplicate the given object, returning the duplicate after copying
-          # the properties of the original and storing them as the properties
-          # of the duplicate.
-          #
-          # @param source [Object] the thing to duplicate
-          # @return [Object] the duplicate of the original, or the original if
-          #   it does not respond to duplication
-          def duplicate source
-            return source unless source
-
-            duplicate = source.dup
-            PROPERTIES_HASH[duplicate] ||= PROPERTIES_HASH[source].dup
-            duplicate
-          rescue StandardError
-            source
-          end
         end
       end
     end