contrast-agent 3.15.0 → 4.3.0

data/lib/contrast/agent/protect/rule/default_scanner.rb

@@ -123,10 +123,7 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
     elsif start_block_comment?(char, index, query)
       boundaries << index
       :STATE_INSIDE_BLOCK_COMMENT
-    elsif operator?(char)
-      boundaries << index
-      :STATE_EXPECTING_TOKEN
-    elsif char.match?(Contrast::Utils::ObjectShare::WHITE_SPACE_REGEXP)
+    elsif operator?(char) || char.match?(Contrast::Utils::ObjectShare::WHITE_SPACE_REGEXP)
       boundaries << index
       :STATE_EXPECTING_TOKEN
     else

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -17,19 +17,22 @@ module Contrast
           BLOCK_MESSAGE = 'Untrusted Deserialization rule triggered. Deserialization blocked.'
 
           # Gadgets that map to ERB modules
-          ERB_GADGETS = %w[
+          ERB_GADGETS = %W[
             object:ERB
+            o:\bERB
           ].cs__freeze
 
           # Gadgets that map to ActionDispatch modules
           ACTION_DISPATCH_GADGETS = %w[
             object:ActionDispatch::Routing::RouteSet::NamedRouteCollection
+            o:\bActionDispatch::Routing::RouteSet::NamedRouteCollection
           ].cs__freeze
 
           # Gadgets that map to Arel Modules
           AREL_GADGETS = %w[
             string:Arel::Nodes::SqlLiteral
             object:Arel::Nodes
+            o:\bArel::Nodes
           ].cs__freeze
 
           # Used to indicate to TeamServer the gadget is an ERB module

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -21,10 +21,10 @@ module Contrast
           end
 
           def infilter context, database, query_string
-            return nil unless infilter?(context)
+            return unless infilter?(context)
 
             result = find_attacker(context, query_string, database: database)
-            return nil unless result
+            return unless result
 
             append_to_activity(context, result)
 
@@ -36,7 +36,7 @@ module Contrast
 
             attack_string = input_analysis_result.value
             regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-            return nil unless query_string.match?(regexp)
+            return unless query_string.match?(regexp)
 
             scanner = select_scanner
             ss = StringScanner.new(query_string)

data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb

@@ -16,6 +16,7 @@ module Contrast
             def start_line_comment? char, index, query
               if char == Contrast::Utils::ObjectShare::SLASH &&
                     query[index + 1] == Contrast::Utils::ObjectShare::SLASH
+
                 return true
               end
 

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -22,10 +22,10 @@ module Contrast
           end
 
           def infilter context, database, query_string
-            return nil unless infilter?(context)
+            return unless infilter?(context)
 
             result = find_attacker(context, query_string, database: database)
-            return nil unless result
+            return unless result
 
             append_to_activity(context, result)
 
@@ -36,7 +36,7 @@ module Contrast
             attack_string = input_analysis_result.value
             regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
 
-            return nil unless query_string.match?(regexp)
+            return unless query_string.match?(regexp)
 
             database = kwargs[:database]
             scanner = select_scanner(database)

data/lib/contrast/agent/protect/rule/xxe.rb

@@ -19,7 +19,9 @@ module Contrast
             NAME
           end
 
-          # Given an xml, evaluate it for an XXE attack.
+          # Given an xml, evaluate it for an XXE attack. There's no return here
+          # as this method handles appending the evaluation to the request
+          # context, connecting it to the reporting mechanism at request end.
           #
           # @param context [Contrast::Agent::RequestContext] the context of the
           #   request in which this input is evaluated.
@@ -29,7 +31,7 @@ module Contrast
           #   attack is found and the rule is in block mode.
           def infilter context, framework, xml
             result = find_attacker(context, xml, framework: framework)
-            return nil unless result
+            return unless result
 
             append_to_activity(context, result)
             return unless blocked?
@@ -39,16 +41,23 @@ module Contrast
 
           protected
 
+          # Given an XML, find any externally resolved entities and create an
+          # Attack Result for them
+          #
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          # @param xml [String] the literal value of the XML being checked for
+          #   external entity resolution
+          # @param _kwargs [Hash]
+          # @return [Contrast::Api::Dtm::AttackResult, nil] the determination
+          #   as to whether or not this XML has an XXE attack in it.
           def find_attacker context, xml, **_kwargs
-            return nil unless xml
-            return nil if protect_excluded_by_code?
+            return unless xml
+            return if protect_excluded_by_code?
 
-            xxe_details, last_idx = build_details(xml)
-            return nil unless xxe_details
+            xxe_details = build_details(xml)
+            return unless xxe_details
 
-            # For our definition, the prolog goes from the start of the XML
-            # string to the end of the last entity declaration.
-            xxe_details.xml = Contrast::Utils::StringUtils.protobuf_safe_string(xml[0, last_idx])
             ia_result = build_evaluation(xxe_details.xml)
             build_attack_with_match(
                 context,
@@ -58,7 +67,15 @@ module Contrast
                 details: xxe_details)
           end
 
-          def build_details xml, _evaluation = nil
+          # Given an XML determined to be unsafe, build out the details of the
+          # attack. The details will include a substring of the given XML up to
+          # the end of the prolog, where the external entities are declared.
+          #
+          # @param xml [String] the literal value of the XML being checked for
+          #   external entity resolution
+          # @return [Contrast::Api::Dtm::XxeDetails] The details of
+          #   the XXE attack and the index of the last entity discovered
+          def build_details xml
             last_idx = 0
             ss = StringScanner.new(xml)
             while ss.scan_until(EXTERNAL_ENTITY_PATTERN)
@@ -70,7 +87,11 @@ module Contrast
               xxe_details.declared_entities << build_match(ss)
               xxe_details.entities_resolved << build_wrapper(entity_wrapper)
             end
-            [xxe_details, last_idx]
+            # For our definition, the prolog goes from the start of the XML
+            # string to the end of the last entity declaration.
+            xxe_details.xml = Contrast::Utils::StringUtils.protobuf_safe_string(xml[0, last_idx]) if xxe_details
+
+            xxe_details
           end
 
           def build_sample context, ia_result, _url, **kwargs

data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb

@@ -18,12 +18,16 @@ module Contrast
             end
 
             def external_entity?
-              @_external_entity ||= begin
-                return external_id?(@system_id) if @system_id
-                return external_id?(@public_id) if @public_id
-
-                false
+              if @_external_entity.nil?
+                @_external_entity ||= if @system_id
+                                        external_id?(@system_id)
+                                      elsif @public_id
+                                        external_id?(@public_id)
+                                      else
+                                        false
+                                      end
               end
+              @_external_entity
             end
 
             # <!ENTITY name SYSTEM "URI">
@@ -48,7 +52,7 @@ module Contrast
             UP_DIR_LINUX = '../'
             UP_DIR_WIN =   '..\\'
             # we only use this against lowercase strings, removed A-Z for speed
-            FILE_PATTERN_WINDOWS = /^[\\\\]*[a-z]{1,3}:.*/.cs__freeze
+            FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
             def external_id? entity_id
               return false unless entity_id
 

data/lib/contrast/agent/reaction_processor.rb

@@ -22,7 +22,7 @@ module Contrast
       # @param application_settings [Contrast::Api::Settings::ApplicationSettings]
       #   those settings which the Service has relayed from TeamServer.
       def self.process application_settings
-        return nil unless application_settings&.reactions&.any?
+        return unless application_settings&.reactions&.any?
 
         application_settings.reactions.each do |reaction|
           # the enums are all uppercase, we need to downcase them before attempting to log

data/lib/contrast/agent/request.rb

@@ -46,42 +46,42 @@ module Contrast
       # Should also handle the ;jsessionid.
       def normalized_uri
         @_normalized_uri ||= begin
-                               path = rack_request.path
-                               uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
-                               uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
-                               uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens
-                               uri.gsub(LAST_REST_TOKEN, LAST_NUMBER_MARKER)                   # replace last token
-                             end
+          path = rack_request.path
+          uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
+          uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
+          uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens
+          uri.gsub(LAST_REST_TOKEN, LAST_NUMBER_MARKER)                   # replace last token
+        end
       end
 
       def document_type
         @_document_type ||= begin
-                              if /xml/i.match?(content_type) || body&.start_with?('<?xml')
-                                :XML
-                              elsif /json/i.match?(content_type) || body&.match?(/\s*[{\[]/)
-                                :JSON
-                              else
-                                :NORMAL
-                              end
-                            end
+          if /xml/i.match?(content_type) || body&.start_with?('<?xml')
+            :XML
+          elsif /json/i.match?(content_type) || body&.match?(/\s*[{\[]/)
+            :JSON
+          else
+            :NORMAL
+          end
+        end
       end
 
       # Header keys upcased and any underscores replaced with dashes
       def headers
         @_headers ||= begin
-                        with_contrast_scope do
-                          hash = {}
-                          env.each do |key, value|
-                            next unless key
-
-                            name = key.to_s
-                            next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)
-
-                            hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
-                          end
-                          hash
-                        end
-                      end
+          with_contrast_scope do
+            hash = {}
+            env.each do |key, value|
+              next unless key
+
+              name = key.to_s
+              next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)
+
+              hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
+            end
+            hash
+          end
+        end
       end
 
       def body
@@ -121,13 +121,13 @@ module Contrast
 
       def file_names
         @_file_names ||= begin
-                           names = {}
-                           parsed_data = Rack::Multipart.parse_multipart(rack_request.env)
-                           traverse_parsed_multipart(parsed_data, names)
-                         rescue StandardError => _e
-                           logger.warn('Unable to parse multipart request!')
-                           {}
-                         end
+          names = {}
+          parsed_data = Rack::Multipart.parse_multipart(rack_request.env)
+          traverse_parsed_multipart(parsed_data, names)
+        rescue StandardError => _e
+          logger.warn('Unable to parse multipart request!')
+          {}
+        end
       end
 
       def hash_id

data/lib/contrast/agent/request_handler.rb

@@ -18,7 +18,7 @@ module Contrast
       end
 
       def send_activity_messages
-        Contrast::Utils::GemfileReader.instance.generate_library_usage(context.activity)
+        Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage(context.activity)
         [context.server_activity, context.activity, context.observed_route].each do |message|
           Contrast::Agent.messaging_queue.send_event_eventually(message)
         end

data/lib/contrast/agent/response.rb

@@ -118,16 +118,16 @@ module Contrast
       #   holds, wraps, or is the body of the Response
       # @return [nil, String] the content of the body
       def extract_body body
-        return nil unless body
+        return unless body
 
         if defined?(Rack::File) && body.is_a?(Rack::File)
           # not sure what to do in this situation, so don't do anything.
           nil
         elsif body.is_a?(Rack::BodyProxy)
           handle_rack_body_proxy(body)
-        elsif defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)
-          extract_body(body.body)
-        elsif body.is_a?(Rack::Response)
+        elsif (defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)) ||
+              body.is_a?(Rack::Response)
+
           extract_body(body.body)
         elsif Contrast::Utils::DuckUtils.quacks_to?(body, :each)
           acc = []
@@ -152,7 +152,7 @@ module Contrast
       end
 
       def read_or_string obj
-        return nil unless obj
+        return unless obj
 
         if Contrast::Utils::DuckUtils.quacks_to?(obj, :read)
           tmp = obj.read

data/lib/contrast/agent/rewriter.rb

@@ -96,11 +96,11 @@ module Contrast
           return unless method_exists?(clazz, method_name, type)
 
           method_instance = method_instance(clazz, method_name, type)
-          return nil if method_instance.nil?
+          return if method_instance.nil?
 
           location = method_instance.source_location
-          return nil unless location_available?(location)
-          return nil if opener.written_from_location?(location)
+          return unless location_available?(location)
+          return if opener.written_from_location?(location)
 
           opener.written_from_location!(location)
           opener.source_code(location, method_name)

data/lib/contrast/agent/scope.rb

@@ -15,67 +15,93 @@ module Contrast
     # Instead, we should say "If I'm already doing Contrast things, don't track
     # this"
     class Scope
-      # The following %i[] list is the authoritative list
-      # of scopes.  If you define a new symbol here, you'll
-      # get scope methods:
-      #   %i[monkey] ->
-      #     enter_monkey_scope!
-      #     exit_monkey_scope!
-      #     in_monkey_scope?
-      #     with_monkey_scope { special_monkey_function }
-      SCOPE_LIST = %i[contrast deserialization].cs__freeze
-
-      iv_list = SCOPE_LIST.map { |name| :"@#{ name }_scope" }
-      define_method 'initialize' do
-        iv_list.each do |iv_sym|
-          instance_variable_set(iv_sym, 0)
-        end
+      SCOPE_LIST = %i[contrast deserialization split].cs__freeze
+
+      def initialize
+        @contrast_scope = 0
+        @deserialization_scope = 0
+        @split_scope = 0
       end
 
-      SCOPE_LIST.each do |name|
-        iv_sym = :"@#{ name }_scope"
+      def in_contrast_scope?
+        @contrast_scope.positive?
+      end
 
-        define_method "in_#{ name }_scope?" do
-          instance_variable_get(iv_sym).positive?
-        end
+      def in_deserialization_scope?
+        @deserialization_scope.positive?
+      end
 
-        enter_method_sym = :"enter_#{ name }_scope!"
-        define_method enter_method_sym do
-          level = instance_variable_get(iv_sym)
-          instance_variable_set(iv_sym, level + 1)
-        end
+      def in_split_scope?
+        @split_scope.positive?
+      end
 
-        exit_method_sym = :"exit_#{ name }_scope!"
-        define_method exit_method_sym do
-          # by design, can go below zero.
-          # every exit/enter pair (regardless of series)
-          # should cancel each other out.
-          #
-          # so we prefer this sequence:
-          #   scope =  0
-          #   exit  = -1
-          #   enter =  0
-          #   enter =  1
-          #   exit  =  0
-          #   scope =  0
-          #
-          # over this sequence:
-          #   scope =  0
-          #   exit  =  0
-          #   enter =  1
-          #   enter =  2
-          #   exit  =  1
-          #   scope =  1
-          level = instance_variable_get(iv_sym)
-          instance_variable_set(iv_sym, level - 1)
-        end
+      def enter_contrast_scope!
+        @contrast_scope += 1
+      end
 
-        define_method "with_#{ name }_scope" do |*_args, &block|
-          send enter_method_sym
-          block.call
-        ensure
-          send exit_method_sym
-        end
+      def enter_deserialization_scope!
+        @deserialization_scope += 1
+      end
+
+      def enter_split_scope!
+        @split_scope += 1
+      end
+
+      def split_scope_depth
+        @split_scope
+      end
+
+      # Scope Exits...
+      # by design, can go below zero.
+      # every exit/enter pair (regardless of series)
+      # should cancel each other out.
+      #
+      # so we prefer this sequence:
+      #   scope =  0
+      #   exit  = -1
+      #   enter =  0
+      #   enter =  1
+      #   exit  =  0
+      #   scope =  0
+      #
+      # over this sequence:
+      #   scope =  0
+      #   exit  =  0
+      #   enter =  1
+      #   enter =  2
+      #   exit  =  1
+      #   scope =  1
+      def exit_contrast_scope!
+        @contrast_scope -= 1
+      end
+
+      def exit_deserialization_scope!
+        @deserialization_scope -= 1
+      end
+
+      def exit_split_scope!
+        @split_scope -= 1
+      end
+
+      def with_contrast_scope
+        enter_contrast_scope!
+        yield
+      ensure
+        exit_contrast_scope!
+      end
+
+      def with_deserialization_scope
+        enter_deserialization_scope!
+        yield
+      ensure
+        exit_deserialization_scope!
+      end
+
+      def with_split_scope
+        enter_split_scope!
+        yield
+      ensure
+        exit_split_scope!
       end
 
       # Dynamic versions of the above.