contrast-agent 3.16.0 → 4.3.1

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -19,8 +19,8 @@ module Contrast
             @source_string = policy_hash[JSON_SOURCE]
             @target_string = policy_hash[JSON_TARGET]
             @tags = Set.new(policy_hash[JSON_TAGS])
-            generate_sources
-            generate_targets
+            @sources = convert_policy_markers(source_string)
+            @targets = convert_policy_markers(target_string)
           end
 
           def feature
@@ -47,7 +47,7 @@ module Contrast
 
           def target_string= value
             @target_string = value
-            generate_targets
+            @targets = convert_policy_markers(value)
           end
 
           # Sometimes we need to tie information to an event. We'll add a
@@ -66,62 +66,6 @@ module Contrast
             @properties[name]
           end
 
-          # Given a source in the format A,B,C, populate the sources of this node
-          # 1) Split on ','
-          # 2) If 'O', add the source, else it's P (we don't have R sources) and
-          #    needs to be converted. P type will either be P:name or P# where #
-          #    is the index of the parameter. Drop the P and store the int as int
-          #    or name as symbol
-          def generate_sources
-            if source_string
-              @sources = []
-              source_string.split(Contrast::Utils::ObjectShare::COMMA).each do |s|
-                is_object = (s == Contrast::Utils::ObjectShare::OBJECT_KEY)
-                if is_object
-                  @sources << s
-                else
-                  parameter_source = s[1..-1]
-                  @sources << if parameter_source.start_with?(Contrast::Utils::ObjectShare::COLON)
-                                parameter_source[1..-1].to_sym
-                              else
-                                parameter_source.to_i
-                              end
-                end
-              end
-            else
-              @sources = Contrast::Utils::ObjectShare::EMPTY_ARRAY
-            end
-          end
-
-          # Given a target in the format A,B,C, populate the targets of this node
-          # 1) Split on ','
-          # 2) If 'O' or 'R', add the target, else it's P and needs to be
-          #    converted. P type will either be P:name or P# where # is the index
-          #    of the paramter. Drop the P and store the int as int or name as
-          #    symbol
-          def generate_targets
-            if target_string
-              @targets = []
-              target_string.split(Contrast::Utils::ObjectShare::COMMA).each do |t|
-                case t
-                when Contrast::Utils::ObjectShare::OBJECT_KEY
-                  @targets << t
-                when Contrast::Utils::ObjectShare::RETURN_KEY
-                  @targets << t
-                else
-                  parameter_target = t[1..-1]
-                  @targets << if parameter_target.start_with?(Contrast::Utils::ObjectShare::COLON)
-                                parameter_target[1..-1].to_sym
-                              else
-                                parameter_target.to_i
-                              end
-                end
-              end
-            else
-              @targets = Contrast::Utils::ObjectShare::EMPTY_ARRAY
-            end
-          end
-
           # Don't let nodes be created that will be missing things we need
           # later on. Really, if they don't have these things, they couldn't have
           # done their jobs anyway.
@@ -186,6 +130,34 @@ module Contrast
           JSON_TARGET = 'target'
           JSON_TAGS = 'tags'
           JSON_DATAFLOW = 'dataflow'
+
+          private
+
+          # Given a policy string in the format A,B,C, populate the given array
+          # 1) Split on ','
+          # 2) If 'O' or 'R', add the array, else it's P and needs to be
+          #    converted. P type will either be P# where # is the index
+          #    of the parameter. Drop the P and store the # as an int.
+          #
+          # @param markers [String] the String from the policy to parse
+          # @return [Array] the array generated by converting the marker string
+          def convert_policy_markers markers
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless markers
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY if markers.empty?
+
+            converted = []
+            markers.split(Contrast::Utils::ObjectShare::COMMA).each do |t|
+              case t
+              when Contrast::Utils::ObjectShare::OBJECT_KEY,
+                   Contrast::Utils::ObjectShare::RETURN_KEY
+
+                converted << t
+              else
+                converted << Integer(t[1..-1])
+              end
+            end
+            converted
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -17,22 +17,33 @@ module Contrast
           access_component :analysis
 
           class << self
+            # Use the given trace_point, built from an :end event, to determine
+            # where the loaded code lives and scan that code for policy
+            # violations.
+            #
+            # @param trace_point [TracePoint] the TracePoint generated by an
+            #   :end event at the end of a Module definition.
             def scan trace_point
               return unless ASSESS.enabled?
               return unless ASSESS.require_scan?
 
+              provider_values = policy.providers.values
+              return if provider_values.all?(&:disabled?)
+
               return unless trace_point.path
               return if trace_point.path.start_with?(Gem.dir)
 
               mod = trace_point.self
               return if mod.cs__frozen? || mod.singleton_class?
 
-              # TODO: RUBY-1013 - get AST here instead of TP, so we only need
-              #   to make one per provider, instead of one per rule
-              policy.providers.each_value do |provider|
-                if RUBY_VERSION >= '2.6.0'
-                  provider.parse(trace_point)
-                else # TODO: RUBY-1014 - remove alternative
+              # TODO: RUBY-1014 - remove non-AST approach
+              if RUBY_VERSION >= '2.6.0'
+                ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
+                provider_values.each do |provider|
+                  provider.parse(trace_point, ast)
+                end
+              else
+                provider_values.each do |provider|
                   provider.analyze(mod)
                 end
               end

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -36,11 +36,11 @@ module Contrast
           #   the state of the object and arguments just prior to the method
           #   being called or nil if one is not required.
           def build_preshift propagation_node, object, args
-            return nil unless propagation_node
-            return nil unless ASSESS.enabled?
+            return unless propagation_node
+            return unless ASSESS.enabled?
 
             initializing = propagation_node.method_name == :initialize
-            return nil if unsafe_io_object?(object, initializing)
+            return if unsafe_io_object?(object, initializing)
 
             needs_object = propagation_node.needs_object?
             needs_args = propagation_node.needs_args?

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -37,20 +37,15 @@ module Contrast
 
           class << self
             def determine_target propagation_node, ret, object, args
-              target_key = propagation_node.targets[0]
-              return ret if target_key == Contrast::Utils::ObjectShare::RETURN_KEY
-              return object if target_key == Contrast::Utils::ObjectShare::OBJECT_KEY
-
-              return args[target_key] if target_key.is_a?(Integer)
-
-              arg = nil
-              args.each do |search|
-                next unless search.is_a?(Hash)
-
-                arg = search[target_key]
-                break if arg
+              target = propagation_node.targets[0]
+              case target
+              when Contrast::Utils::ObjectShare::OBJECT_KEY
+                object
+              when Contrast::Utils::ObjectShare::RETURN_KEY
+                ret
+              else
+                args[target]
               end
-              arg
             end
 
             # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
@@ -208,8 +203,8 @@ module Contrast
             # If this patcher has tags, apply them to the entire target
             def apply_tags propagation_node, target
               return unless propagation_node.tags
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
 
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
               length = Contrast::Utils::StringUtils.ret_length(target)
               propagation_node.tags.each do |tag|
                 properties.add_tag(tag, 0...length)
@@ -219,9 +214,7 @@ module Contrast
             # If this patcher has tags, remove them from the entire target
             def apply_untags propagation_node, target
               return unless propagation_node.untags
-
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
-              return unless properties
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
 
               propagation_node.untags.each do |tag|
                 properties.delete_tags(tag)
@@ -256,7 +249,7 @@ module Contrast
 
             def handle_enumerable_propagation propagation_node, preshift, target, object, ret, args, block
               target.each do |value|
-                next if target == value # Some Enumerable#each are overriden to return self the first time which leads to infinite propagation
+                next if target == value # Some Enumerable#each are overridden to return self the first time which leads to infinite propagation
 
                 apply_propagator(propagation_node, preshift, value, object, ret, args, block)
               end
@@ -300,7 +293,8 @@ module Contrast
               # both and there should never be a propagator that has a tag in
               # its untag.
               apply_untags(propagation_node, target)
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
+
               properties.add_properties(propagation_node.properties)
               properties.build_event(propagation_node, target, object, ret, args)
               logger.trace('Propagation detected',

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -83,35 +83,23 @@ module Contrast
           end
 
           def needs_object?
-            @_needs_object ||= begin
-              if action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION
-                true
-              elsif action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION
-                true
-              elsif sources.any? { |source| source == Contrast::Utils::ObjectShare::OBJECT_KEY }
-                true
-              elsif targets.any? { |target| target == Contrast::Utils::ObjectShare::OBJECT_KEY }
-                true
-              else
-                false
-              end
+            if @_needs_object.nil?
+              @_needs_object = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
+                  action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
+                  sources.any? { |source| source == Contrast::Utils::ObjectShare::OBJECT_KEY } ||
+                  targets.any? { |target| target == Contrast::Utils::ObjectShare::OBJECT_KEY }
             end
+            @_needs_object
           end
 
           def needs_args?
-            @_needs_args ||= begin
-              if action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION
-                true
-              elsif action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION
-                true
-              elsif sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) }
-                true
-              elsif targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
-                true
-              else
-                false
-              end
+            if @_needs_args.nil?
+              @_needs_args = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
+                  action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
+                  sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) } ||
+                  targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
             end
+            @_needs_args
           end
 
           # This is a tagger if it has a tag or an untag.

data/lib/contrast/agent/assess/policy/propagator/append.rb

@@ -16,8 +16,7 @@ module Contrast
               # copy tags from the param to the target in chunks of param size or less
               # if param is appended in space less than param length
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 sources = propagation_node.sources
                 source1 = find_source(sources[0], preshift)

data/lib/contrast/agent/assess/policy/propagator/center.rb

@@ -12,8 +12,7 @@ module Contrast
           class Center < Contrast::Agent::Assess::Policy::Propagator::Base
             class << self
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 sources = propagation_node.sources
                 source1 = find_source(sources[0], preshift)

data/lib/contrast/agent/assess/policy/propagator/custom.rb

@@ -12,7 +12,7 @@ module Contrast
           # of tags from the source to the target. Each node with the CUSTOM
           # action knows the class and method it should call to preform this
           # action.
-          class Custom
+          module Custom
             class << self
               def propagate propagation_node, preshift, ret, block
                 clazz = propagation_node.patch_class

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -30,9 +30,7 @@ module Contrast
                   arg.each_pair do |key, value|
                     next unless value
                     next if known_tainted&.include?(key)
-
-                    properties = Contrast::Agent::Assess::Tracker.properties(value)
-                    next unless properties
+                    next unless (properties = Contrast::Agent::Assess::Tracker.properties!(value))
 
                     # TODO: RUBY-540 handle sanitization, handle nested objects
                     Contrast::Agent::Assess::Policy::PropagationMethod.apply_tags(propagation_node, value)

data/lib/contrast/agent/assess/policy/propagator/insert.rb

@@ -16,8 +16,7 @@ module Contrast
               # Unlike additive propagation, this currently only supports one source
               # We assume that insert changes the preshift target
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source = find_source(propagation_node.sources[1], preshift)
 

data/lib/contrast/agent/assess/policy/propagator/keep.rb

@@ -14,8 +14,7 @@ module Contrast
               # Keep means the tags just pass from the source to the target
               # as is.
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source = find_source(propagation_node.sources[0], preshift)
                 properties.copy_from(source, target, 0, propagation_node.untags)

data/lib/contrast/agent/assess/policy/propagator/match_data.rb

@@ -67,11 +67,12 @@ module Contrast
               def square_bracket_single argument_index, preshift, return_value, propagation_node
                 original_start_index = preshift.object.begin(argument_index)
                 original_end_index = preshift.object.end(argument_index)
-                original_properties = Contrast::Agent::Assess::Tracker.properties(preshift.object)
+                return unless (original_properties = Contrast::Agent::Assess::Tracker.properties(preshift.object))
+
                 applicable_tags = original_properties.tags_at_range(original_start_index...original_end_index)
                 return if applicable_tags.empty?
+                return unless (return_properties = Contrast::Agent::Assess::Tracker.properties!(return_value))
 
-                return_properties = Contrast::Agent::Assess::Tracker.properties(return_value)
                 applicable_tags.each do |tag_name, tag_ranges|
                   return_properties.set_tags(tag_name, tag_ranges)
                 end

data/lib/contrast/agent/assess/policy/propagator/next.rb

@@ -15,8 +15,7 @@ module Contrast
               # String has some silly methods like next. Basically, this flips a
               # character in a predictable manner
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source = find_source(propagation_node.sources[0], preshift)
                 properties.copy_from(source, target, 0, propagation_node.untags)

data/lib/contrast/agent/assess/policy/propagator/prepend.rb

@@ -14,8 +14,7 @@ module Contrast
               # For the source, prepend its tags to the target. It's basically the
               # opposite of append. :-P
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 sources = propagation_node.sources
                 # source1 is the copy of the thing being prepended to

data/lib/contrast/agent/assess/policy/propagator/remove.rb

@@ -17,8 +17,7 @@ module Contrast
               # Once the tag is applied, remove the section that was removed by the delete.
               # Unlike additive propagation, this currently only supports one source
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source = find_source(propagation_node.sources[0], preshift)
                 properties.copy_from(source, target, 0, propagation_node.untags)
@@ -27,8 +26,7 @@ module Contrast
               end
 
               def handle_removal source_chars, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source_idx = 0
 

data/lib/contrast/agent/assess/policy/propagator/replace.rb

@@ -14,8 +14,7 @@ module Contrast
               # Replace means we're replacing the target w/ the source. Anything
               # on the source should be passed to the target.
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source = find_source(propagation_node.sources[0], preshift)
                 properties.clear_tags

data/lib/contrast/agent/assess/policy/propagator/reverse.rb

@@ -13,8 +13,7 @@ module Contrast
           class Reverse < Contrast::Agent::Assess::Policy::Propagator::Base
             class << self
               def propagate propagation_node, preshift, target
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source = find_source(propagation_node.sources[0], preshift)
                 properties.copy_from(source, target, 0, propagation_node.untags)

data/lib/contrast/agent/assess/policy/propagator/select.rb

@@ -14,9 +14,6 @@ module Contrast
           class Select
             class << self
               def select_tagger patcher, preshift, ret, _block
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
-
                 source = preshift.object
                 args = preshift.args
 
@@ -31,7 +28,9 @@ module Contrast
                   return
                 end
 
-                source_properties = Contrast::Agent::Assess::Tracker.properties(source)
+                return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
+
                 properties.build_event(
                     patcher,
                     ret,