contrast-agent 3.16.0 → 4.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2172066d6736b55c6754bb6913ec9fb9962ac1b818a85b4faa7ef822bb5df97
-  data.tar.gz: 209286f4ef6ce8b688e3849a502ece6cfc914f795fae25b5cb417b3fa3998b50
+  metadata.gz: 678a3040ff60cf9b6222cab4a57115dc1c9d0df11c5238da4a6eaae0406d72a0
+  data.tar.gz: 792a68efe04d8c44f518a6d326b7b1c4a5377fce03b203752348c73352dc4a5b
 SHA512:
-  metadata.gz: e6c19a309c1d7c7e2600d2f90d5da2664c315550be00475720165dde741d821d3ceb391282831aeb8ddcbe8e86b50b48d741d5c63d85c7a92c38ef0e54b7b0cd
-  data.tar.gz: f4c1a92e5272730285b467c63768e31b1d6d7cb4266cbd6133c6de312603fcabc9c3bc814bc7f20d48fa444651fb040713ed1438b70076e9be9be396dab6603b
+  metadata.gz: 2bfca960a571eb7b9df1ae5017938be4de75c4b337ab4d35c33101a719c68a66b90fdfc0f777cadcd1ce1861d4c7b4e48cbc56f3e6d9b81cb02728c2718011d6
+  data.tar.gz: 250cae84e05ea4ea686de38c72ed1760ecd8a2d1787fa33d62a929c9869ed31e4445ef6cd30fcc95b99a57adb9d70b229767f8c9ed337f8f2312f09d5584ec4a

data/Rakefile

@@ -18,6 +18,7 @@ Dir['ext/cs__*'].each do |extension|
   end
 end
 
+desc 'compile the protobuf files for the agent, translating them to .rb classes'
 task :contrast_pb_compile do
   # do some stuff before compile
 

data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c

@@ -5,28 +5,39 @@
 #include "../cs__common/cs__common.h"
 #include <ruby.h>
 
-static VALUE contrast_assess_marshal_module_load(const int argc,
+static VALUE contrast_marshal_module_load(const int argc,
                                                  const VALUE *argv) {
     VALUE result;
     VALUE source_string;
-    result = rb_call_super(argc, argv);
 
+    // Our patches only need only apply in the case where there was valid input.
     if (argc >= 1) {
         source_string = argv[0];
+    } else {
+        source_string = Qnil;
+    }
+
+    // Run our protect code ahead of the original method
+    if (source_string != Qnil) {
+        rb_funcall(marshal_propagator, rb_sym_protect_marshal_load, 1, source_string);
+    }
 
+    // Invoke the original method
+    result = rb_call_super(argc, argv);
+
+    // Run our assess code after the original method
+    if (source_string != Qnil) {
         VALUE tracked =
             rb_funcall(properties_hash, rb_sym_hash_tracked, 1, source_string);
 
+        // Assuming the source is tracked and needs assess checks
         if (tracked == Qtrue) {
             VALUE skip =
                 rb_funcall(contrast_patcher(), rb_sym_skip_assess_analysis, 0);
-
+            // And Assess is enabled and applies to this request
             if (skip == Qfalse) {
-                VALUE scope =
-                    rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
-                rb_funcall(marshal_module, rb_sym_assess_load_trigger_check, 2,
+                rb_funcall(marshal_propagator, rb_sym_assess_marshal_load, 2,
                            source_string, result);
-                rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
             }
         }
     }
@@ -37,10 +48,11 @@ void Init_cs__assess_marshal_module(void) {
     // Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
     VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
     properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
-    marshal_module =
+    marshal_propagator =
         rb_define_class_under(core_assess, "MarshalPropagator", rb_cObject);
-    rb_sym_assess_load_trigger_check = rb_intern("cs__load_trigger_check");
+    rb_sym_assess_marshal_load = rb_intern("cs__load_assess");
+    rb_sym_protect_marshal_load = rb_intern("cs__load_protect");
 
     contrast_register_singleton_prepend_patch(
-        "Marshal", "load", &contrast_assess_marshal_module_load);
+        "Marshal", "load", &contrast_marshal_module_load);
 }

data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h

@@ -1,8 +1,9 @@
 #include <ruby.h>
 
-static VALUE marshal_module;
+static VALUE marshal_propagator;
 
-static VALUE rb_sym_assess_load_trigger_check;
+static VALUE rb_sym_assess_marshal_load;
+static VALUE rb_sym_protect_marshal_load;
 static VALUE properties_hash;
 
 /*
@@ -13,7 +14,7 @@ static VALUE properties_hash;
  * special case this for now.
  * -HM (shamelessly commenting on DP's work)
  */
-static VALUE contrast_assess_marshal_module_load(const int argc,
+static VALUE contrast_marshal_module_load(const int argc,
                                                  const VALUE *argv);
 
 void Init_cs__assess_marshal_module(void);

data/lib/contrast/agent.rb

@@ -23,7 +23,6 @@ require 'contrast/extension/protect'
 require 'contrast/extension/protect/kernel'
 
 require 'contrast/utils/object_share'
-require 'contrast/utils/boolean_util'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/io_util'
 require 'contrast/utils/os'
@@ -88,8 +87,8 @@ require 'contrast/agent/assess'
 # protect rules
 require 'contrast/agent/protect/rule'
 
-# application libraries
-require 'contrast/utils/gemfile_reader'
+# application libraries and technologies
+require 'contrast/agent/inventory'
 
 # rack event monitoring
 require 'contrast/agent/middleware'

data/lib/contrast/agent/assess/contrast_event.rb

@@ -9,6 +9,8 @@ require 'contrast/utils/prevent_serialization'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/timer'
+require 'contrast/components/interface'
+require 'contrast/agent/assess/contrast_object'
 
 module Contrast
   module Agent
@@ -26,63 +28,22 @@ module Contrast
       #   created
       # @attr_reader thread [Integer] the object id of the thread on which this
       #   event was generated
-      # @attr_reader object [String] the safe representation of the Object on
-      #   which the method was invoked
-      # @attr_reader ret [String] the safe representation of the Return of the
-      #   invoked method
-      # @attr_reader args [Array<Object>] the safe representation of the
-      #   Arguments with which the method was invoked
+      # @attr_reader object [Contrast::Agent::Assess::ContrastObject] the safe
+      #   representation of the Object on which the method was invoked
+      # @attr_reader ret [Contrast::Agent::Assess::ContrastObject] the safe
+      #   representation of the Return of the invoked method
+      # @attr_reader args [Array<Contrast::Agent::Assess::ContrastObject>] the
+      #   safe representation of the Arguments with which the method was invoked
       class ContrastEvent
         include Contrast::Utils::PreventSerialization
+        include Contrast::Components::Interface
+        access_component :analysis
 
-        class << self
-          # Given an array of arguments, copy them into a safe, meaning String,
-          # format that we can use to send to SR and TS for rendering.
-          #
-          # @param args [Array<Object>] the arguments to translate
-          # @return [Array<String>] the String forms of those Objects, as
-          #   determined by Contrast::Utils::ClassUtil.to_contrast_string
-          def safe_args_representation args
-            return nil unless args
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY if args.empty?
-
-            rep = []
-            args.each do |arg|
-              # We have to handle named args
-              rep <<  if arg.is_a?(Hash)
-                        safe_arg_hash_representation(arg)
-                      else
-                        Contrast::Utils::ClassUtil.to_contrast_string(arg)
-                      end
-            end
-            rep
-          end
-
-          # if given an object that can be duped, duplicate it. otherwise just
-          # return the original object. swallow all exceptions from
-          # non-duplicable things.
-          #
-          # we can't just check respond_to? though b/c dup exists on the
-          # base Object class
-          #
-          # @param original [Object, nil] the thing to duplicate
-          # @return [Object, nil] a copy of that thing
-          def safe_dup original
-            return nil unless original
-
-            Contrast::Agent::Assess::Tracker.duplicate(original)
-          end
-
-          private
-
-          def safe_arg_hash_representation hash
-            # since this is the named hash for arguments, only the value is
-            # suspect here
-            hash.transform_values { |v| Contrast::Utils::ClassUtil.to_contrast_string(v) }
-          end
-        end
-
-        attr_reader :event_id, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args
+        attr_reader :event_id, :policy_node, :stack_trace, :time, :thread,
+                    :object,
+                    :ret,
+                    :args,
+                    :tags
 
         # We need this to track the parent id's of events to build up a flow
         # chart of the finding
@@ -106,16 +67,25 @@ module Contrast
         #   was invoked
         def initialize policy_node, tagged, object, ret, args
           @policy_node = policy_node
-          # so long as this event is built in a factory, we know Contrast Code
+
+          # Capture stacktraces only as configured.
+          #
+          # So long as this event is built in a factory, we know Contrast Code
           # will be the first three events
-          @stack_trace = caller(3, 20)
+          @stack_trace = if ASSESS.capture_stacktrace?(policy_node)
+                           caller(3, 20)
+                         else
+                           Contrast::Utils::ObjectShare::EMPTY_ARRAY
+                         end
+
           @time = Contrast::Utils::Timer.now_ms
           @thread = Thread.current.object_id
 
           # These methods rely on the above being set. Don't move them!
           @event_id = Contrast::Agent::Assess::ContrastEvent.next_atomic_id
+          @tags = Contrast::Agent::Assess::Tracker.properties(tagged)&.tags
           find_parent_events!(policy_node, object, ret, args)
-          snapshot!(tagged, object, ret, args)
+          snapshot!(object, ret, args)
         end
 
         def parent_events
@@ -128,22 +98,17 @@ module Contrast
         #    Per TS law, each policy_node must have at least a source or a target.
         #    The only type of policy_node w/o targets is a Trigger, but that may
         #    change.
-        # 2) If I have a highlight, it means that I have a P target that is
-        #    not in integer form (it was a named / keyword type for which I had
-        #    to find the index). I need to address this so that TS can process
-        #    it.
-        # 3) I'll set the event's source and target to TS values.
-        # 4) Return the highlight or the first source/target as the taint
-        #    target.
+        # 2) I'll set the event's source and target to TS values.
+        # 3) Return the first source/target as the taint target.
         def determine_taint_target event_dtm
           if @policy_node&.targets&.any?
             event_dtm.source = @policy_node.source_string if @policy_node.source_string
-            event_dtm.target = @highlight ? "P#{ @highlight }" : @policy_node.target_string
-            @highlight || @policy_node.targets[0]
+            event_dtm.target = @policy_node.target_string
+            @policy_node.targets[0]
           elsif policy_node&.sources&.any?
-            event_dtm.source = @highlight ? "P#{ @highlight }" : @policy_node.source_string
+            event_dtm.source = @policy_node.source_string
             event_dtm.target = @policy_node.target_string if @policy_node.target_string
-            @highlight || @policy_node.sources[0]
+            @policy_node.sources[0]
           end
         end
 
@@ -193,16 +158,7 @@ module Contrast
           when Contrast::Utils::ObjectShare::RETURN_KEY
             ret
           else
-            if source.is_a?(Integer)
-              args[source]
-            else
-              args.each do |search|
-                next unless search.is_a?(Hash)
-
-                s = search[source]
-                return s if s
-              end
-            end
+            args[source]
           end
         end
 
@@ -212,65 +168,28 @@ module Contrast
         # them for our later use. We set those safe values to this event's
         # instance variables.
         #
-        # @param tagged [Object] the Target to which this event pertains.
         # @param object [Object] the Object on which the method was invoked
         # @param ret [Object] the Return of the invoked method
         # @param args [Array<Object>] the Arguments with which the method
         #   was invoked
-        def snapshot! tagged, object, ret, args
-          target = @policy_node.target
-          case target
-            # If the target is nil, this rule was violated simply by a method
-            # being called. We'll save all the information, but nothing will be
-            # marked up, as nothing need be tracked
-          when nil
-            @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
-            @args = cs__class.safe_args_representation(args)
-            @ret = Contrast::Utils::ClassUtil.to_contrast_string(ret)
-            # If the target is O, then we dup the O and safely represent the rest
-          when Contrast::Utils::ObjectShare::OBJECT_KEY
-            @object = cs__class.safe_dup(tagged)
-            @args = cs__class.safe_args_representation(args)
-            @ret = Contrast::Utils::ClassUtil.to_contrast_string(ret)
-            # If the target is R, then we dup the R and safely represent the rest
-          when Contrast::Utils::ObjectShare::RETURN_KEY
-            @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
-            @args = cs__class.safe_args_representation(args)
-            @ret = cs__class.safe_dup(tagged)
-            # If the target is P*, then we need to dup things a differently. We
-            # need to find the true target inside so that we can mark it up
-            # later, but the other args should be represented as their safe form.
-          else
-            @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
-            @args = cs__class.safe_args_representation(args)
-            @ret = Contrast::Utils::ClassUtil.to_contrast_string(ret)
-            save_target_arg(target, tagged)
-          end
+        def snapshot! object, ret, args
+          @object = Contrast::Agent::Assess::ContrastObject.new(object) if object
+          @ret = Contrast::Agent::Assess::ContrastObject.new(ret) if ret
+          @args = safe_args_representation(args)
+          self
         end
 
-        # I know we're creating an extra string here since we replace the safe
-        # one w/ a dup, but good enough for now. Trying not to make this too
-        # complicated. - HM 8/8/19
+        # Given an array of arguments, copy them into a safe, meaning String,
+        # format that we can use to send to SR and TS for rendering.
         #
-        # @param target [String,Integer] the marker for the target index
-        # @param tagged [Object] the actual Object that we're acting on which
-        #   has tags
-        def save_target_arg target, tagged
-          return if @args.cs__frozen?
-
-          if target.is_a?(Integer)
-            @args[target] = cs__class.safe_dup(tagged)
-            return
-          end
-
-          @args.each_with_index do |search, index|
-            next unless search.is_a?(Hash)
-            next unless search[target]
-
-            search[target] = cs__class.safe_dup(tagged)
-            @highlight = index
-            break
-          end
+        # @param args [Array<Object>] the arguments to translate
+        # @return [Array<Contrast::Agent::Assess::ContrastObject>] the String forms of those Objects, as
+        #   determined by Contrast::Utils::ClassUtil.to_contrast_string
+        def safe_args_representation args
+          return unless args
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY if args.empty?
+
+          args.map { |arg| arg ? Contrast::Agent::Assess::ContrastObject.new(arg) : nil }
         end
       end
     end

data/lib/contrast/agent/assess/contrast_object.rb

@@ -0,0 +1,51 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/class_util'
+
+module Contrast
+  module Agent
+    module Assess
+      # This class is a convenient holder of our version of an Object. It
+      # creates a String version of the Object from the original provided
+      # and keeps reference to the original's Tags, letting us determine if it
+      # was tracked when we try to report to TeamServer.
+      #
+      # @attr_reader object [String, nil] the Contrast string representing the
+      #   object.
+      # @attr_reader object_type [String] the name of the object's module.
+      # @attr_reader tags [Hash{String => Contrast::Agent::Assess::Tag}, nil]
+      #   the tags on the object before it was captured.
+      #
+      # TODO: RUBY-1083 determine if this is expensive and/or worth not storing
+      #   these values directly on ContrastEvent and passing them around. Args
+      #   probably make the argument for wrapping them b/c otherwise we'll have
+      #   to keep two arrays in synch or make an array of arrays, at which
+      #   point, we may as well make this.
+      class ContrastObject
+        attr_reader :object, :object_type, :tags
+
+        # Capture the details about the object which we need to render it in
+        # TeamServer.
+        #
+        # @param object [Object] the thing to keep a Contrast String of
+        def initialize object
+          if object
+            @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
+            @object_type = object.cs__class.name
+            # TODO: RUBY-1084 determine if we need to copy these tags to
+            #   restore immutability. For instance, if these tags were on a
+            #   String that was then #reverse!'d, would our tags be wrong?
+            @tags = Contrast::Agent::Assess::Tracker.properties(object)&.tags
+          else
+            @object_type = Contrast::Utils::ObjectShare::NIL_STRING
+          end
+        end
+
+        def tracked?
+          tags&.any?
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/events/source_event.rb

@@ -58,19 +58,14 @@ module Contrast
 
           # We have to do a little work to figure out what our TS appropriate
           # target is. To break this down, the logic is as follows:
-          # 1) If I have a highlight, it means that I have a P target that is
-          #    not in integer form (it was a named / keyword type for which I had
-          #    to find the index). I need to address this so that TS can process
-          #    it.
-          # 2) I'll set the event's source and target to TS values.
-          # 3) Return the highlight or the first source/target as the taint
-          #    target.
+          # 1) I'll set the event's source and target to TS values.
+          # 2) Return the first source/target as the taint target.
           def determine_taint_target event_dtm
             return unless @policy_node&.targets&.any?
 
             event_dtm.source = @policy_node.source_string if @policy_node.source_string
-            event_dtm.target = @highlight ? "P#{ @highlight }" : @policy_node.target_string
-            @highlight || @policy_node.targets[0]
+            event_dtm.target = @policy_node.target_string
+            @policy_node.targets[0]
           end
         end
       end

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -52,12 +52,13 @@ module Contrast
               Contrast::Utils::ObjectShare::CLASS,
               Contrast::Utils::ObjectShare::MODULE
             ].cs__freeze
-            def patch_assess_method clazz, method_name
+            def patch_assess_method mod, method_name
               # Module.define_method is called a lot in Class and Module. We
               # currently do not expect these define_methods to result in methods
               # that require patching, so for the sake of performance, we're going
               # to skip evaluating them
-              class_name = clazz.cs__name
+              mod = mod.cs__class unless mod.cs__is_a?(Module)
+              class_name = mod.cs__class
               return if CLASS_TYPES.include?(class_name)
               return unless ASSESS.enabled?
 
@@ -73,7 +74,7 @@ module Contrast
                                                                                     method_name: source_node.method_name,
                                                                                     method_visibility: source_node.method_visibility,
                                                                                     instance_method: true)
-                patcher.patch_method(clazz, method_array, method_policy)
+                patcher.patch_method(mod, method_array, method_policy)
               end
             rescue StandardError => e
               logger.warn(