contrast-agent 3.16.0 → 4.3.1

data/lib/contrast/agent/assess/policy/propagator/splat.rb

@@ -36,14 +36,12 @@ module Contrast
                 end
 
                 splat_tags(tracked_inputs, target)
-                Contrast::Agent::Assess::Tracker.properties(target).cleanup_tags
+                Contrast::Agent::Assess::Tracker.properties(target)&.cleanup_tags
               end
 
               def splat_tags tracked_inputs, target
                 return if tracked_inputs.empty?
-
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 tracked_inputs.each do |input|
                   input_properties = Contrast::Agent::Assess::Tracker.properties(input)

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -15,13 +15,12 @@ module Contrast
           class Split < Contrast::Agent::Assess::Policy::Propagator::Base
             include Contrast::Components::Interface
 
-            access_component :agent, :logging
+            access_component :agent, :logging, :scope
 
             SPLIT_TRACKER = Contrast::Utils::ThreadTracker.new
+
             class << self
-              # Propagate taint from a source as it is split into composite
-              # sections. This method MUST return nil, otherwise it risks
-              # changing the result of of the propagation.
+              # Propagate taint from a source as it is split into composite sections.
               #
               # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
               #   the node that governs this propagation event.
@@ -29,171 +28,132 @@ module Contrast
               #   of the state of the code just prior to the invocation of the
               #   patched method.
               # @param target [Array, String] the target to which to propagate.
-              # @return [nil]
+              # @return [nil] so as not to risk changing the result of the propagation.
+
               def propagate propagation_node, preshift, target
                 logger.trace('Propagation detected',
                              node_id: propagation_node.id,
                              target_id: target.__id__)
-                unless target.is_a?(Array)
-                  Contrast::Agent::Assess::Policy::Propagator::Keep.propagate(propagation_node, preshift, target)
-                  properties = Contrast::Agent::Assess::Tracker.properties(target)
-                  properties.build_event(propagation_node, target, object, ret, args)
-                  return
-                end
 
                 source = find_source(propagation_node.sources[0], preshift)
+                return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
 
+                # grapheme_clusters break the string apart based on each "user-perceived" character.
+                # Otherwise, the default for String#split is to use a single whitespace.
                 separator_length = if propagation_node.method_name == :grapheme_clusters
-                                     # grapheme_clusters break the string apart based on each "user-perceived" character
                                      0
                                    else
-                                     # The default for String#split is to use a single whitespace
                                      preshift&.args&.first&.to_s&.length || $FIELD_SEPARATOR&.to_s&.length || 1
                                    end
 
                 current_index = 0
-                target.each do |elem|
-                  elem_length = elem.length
-                  range = current_index...(current_index + elem_length)
-                  elem_properties = Contrast::Agent::Assess::Tracker.properties(elem)
-                  next unless elem_properties
+                target.each do |target_elem|
+                  next unless (elem_properties = Contrast::Agent::Assess::Tracker.properties!(target_elem))
 
-                  source_properties = Contrast::Agent::Assess::Tracker.properties(source)
+                  # Get tags for element from source by element range.
+                  range = current_index...(current_index + target_elem.length)
                   tags = source_properties.tags_at_range(range)
+
+                  # Set element properties accordingly.
                   elem_properties.clear_tags
-                  tags.each_pair do |key, value|
-                    elem_properties.set_tags(key, value)
-                  end
-                  elem_properties.build_event(propagation_node, elem, preshift.object, target, preshift.args, 0)
+                  tags.each_pair { |key, value| elem_properties.set_tags(key, value) }
+                  elem_properties.build_event(propagation_node, target_elem, preshift.object, target, preshift.args, 0)
                   elem_properties.add_properties(propagation_node.properties)
-                  current_index = current_index + elem_length + separator_length
+
+                  current_index = range.end + separator_length
                 end
                 nil
               end
 
-              # Marks the point in which the String#split method is called.
-              # Responsible for building the context required to propagate when
-              # the results of #split are yielded directly to a block
+              # Context for block split execution.
               #
-              # @param string [String] the String on which split is invoked
-              # @param args [Array<Object>] the arguments passed to the
-              #   original split call
-              def begin_split string, args
-                save_split_depth!
-                depth = SPLIT_TRACKER.get(:split_depth)
-                save_split_index!(depth)
-                save_split_value!(depth, string, args)
-              rescue Exception => e # rubocop:disable Lint/RescueException
-                # don't let our errors propagate and disable String#split for
-                # this since we're in an error state
-                logger.warn('Unable to record split context', e)
-                end_split
-              end
+              # @param string [String] the String on which split is invoked.
+              # @param args [Array<Object>] the arguments passed to the original split call.
+              def wrap_split string, args
+                # String#split start. Build context and yield.
+                begin
+                  enter_split_scope!
+                  save_split_index!
+                  save_split_value!(string, args)
+                rescue Exception => e # rubocop:disable Lint/RescueException
+                  logger.warn('Unable to record split context', e)
+                end
 
-              # Marks the point in which the String#split method is exited.
-              # Responsible for removing the context required to propagate when
-              # the results of #split are yielded directly to a block
-              def end_split
-                depth = SPLIT_TRACKER.get(:split_depth)
-                return unless depth
-
-                depth -= 1
-                if depth.negative?
-                  SPLIT_TRACKER.delete(:split_depth)
-                  SPLIT_TRACKER.delete(:split_index)
-                  SPLIT_TRACKER.delete(:split_value)
-                else
-                  SPLIT_TRACKER.set(:split_depth, depth)
+                yield
+              ensure
+                # String#split exit. Remove propagation context.
+                begin
+                  exit_split_scope!
+                  unless in_split_scope?
+                    SPLIT_TRACKER.delete(:split_index)
+                    SPLIT_TRACKER.delete(:split_value)
+                  end
+                rescue StandardError => e
+                  logger.warn('Unable to remove split context', e)
                 end
-              rescue StandardError => e
-                logger.warn('Unable to remove split context', e)
               end
 
-              # This method is called whenever an rb_yield is called. We need
-              # to leave it as soon as possible with as little work as
-              # possible.
+              # This method is called whenever an rb_yield is called.
+              # We need to leave it as soon as possible with as little work as possible.
               #
-              # @param target [String] the entity being passed to the yield
-              #   block
+              # @param target [String] the entity being passed to the yield block
               def propagate_yield target
-                depth, index = nil
-
-                depth = SPLIT_TRACKER.get(:split_depth)
-                return unless depth
-
-                source = SPLIT_TRACKER.get(:split_value)&.fetch(depth)
-                return unless source
-
-                index = SPLIT_TRACKER.get(:split_index)&.fetch(depth)
-                return unless index
-
-                properties = Contrast::Agent::Assess::Tracker.properties(target)
-                return unless properties
+                return unless (source = SPLIT_TRACKER.get(:split_value)&.fetch(split_scope_depth))
+                return unless (index = SPLIT_TRACKER.get(:split_index)&.fetch(split_scope_depth))
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 true_source = source[index]
                 properties.copy_from(true_source, target)
               rescue StandardError => e
                 logger.warn('Unable to track within split context', e)
               ensure
-                if depth && index
+                if in_split_scope? && index
                   idx = SPLIT_TRACKER.get(:split_index)
-                  idx[depth] = index + 1 if defined?(idx) && idx.is_a?(Array)
+                  idx[split_scope_depth] = index + 1 if defined?(idx) && idx.is_a?(Array)
                 end
               end
 
+              # Load patch.
               def instrument_string_split
-                if @_instrument_string_split.nil?
-                  @_instrument_string_split = begin
-                    require 'cs__assess_yield_track/cs__assess_yield_track' if AGENT.patch_yield? && Funchook.available?
-                    true
-                  rescue StandardError => e
-                    logger.error('Error loading split rb_yield patch', e)
-                    false
-                  end
+                @_instrument_string_split ||= begin
+                  require 'cs__assess_yield_track/cs__assess_yield_track' if AGENT.patch_yield? && Funchook.available?
+                  true
+                rescue StandardError => e
+                  logger.error('Error loading split rb_yield patch', e)
+                  false
                 end
-                @_instrument_string_split
               end
 
               private
 
-              def save_split_depth!
-                depth = SPLIT_TRACKER.get(:split_depth)
-                if depth
-                  depth += 1
-                  SPLIT_TRACKER.set(:split_depth, depth)
-                else
-                  SPLIT_TRACKER.set(:split_depth, 0)
-                end
-              end
-
-              def save_split_index! depth
-                split_index = SPLIT_TRACKER.get(:split_index)
-                unless split_index
+              # Save index of the current split object.
+              # Create index tracking array as needed.
+              def save_split_index!
+                unless (split_index = SPLIT_TRACKER.get(:split_index))
                   split_index = []
                   SPLIT_TRACKER.set(:split_index, split_index)
                 end
-                # save the index to the ThreadLocal; not useless
-                split_index[depth] = 0 # rubocop:disable Lint/UselessSetterCall
+                # save the index to the ThreadLocal; not useless.
+                split_index[split_scope_depth] = 0 # rubocop:disable Lint/UselessSetterCall
               end
 
-              def save_split_value! depth, string, args
+              # Save value of the current split object.
+              # Create value tracking array as needed.
+              def save_split_value! string, args
                 preshift = Contrast::Agent::Assess::PreShift.build_preshift(split_node, string, args)
                 target = string.split
                 propagate(split_node, preshift, target)
-                split_value = SPLIT_TRACKER.get(:split_value)
-                unless split_value
+                unless (split_value = SPLIT_TRACKER.get(:split_value))
                   split_value = []
                   SPLIT_TRACKER.set(:split_value, split_value)
                 end
-                # save the target to the ThreadLocal; not useless
-                split_value[depth] = target # rubocop:disable Lint/UselessSetterCall
+                # Save the target to the ThreadLocal; not useless.
+                split_value[split_scope_depth] = target # rubocop:disable Lint/UselessSetterCall
               end
 
-              # Quick hook to the String#split propagation node in our Assess
-              # policy
+              # Quick hook to the String#split propagation node in our Assess policy
               #
-              # @return [Contrast::Agent::Assess::Policy::PropagationNode]
-              #   String#split node
+              # @return [Contrast::Agent::Assess::Policy::PropagationNode] String#split node
               def split_node
                 @_split_node ||= begin
                   Contrast::Agent::Assess::Policy::Policy.instance.propagators.find do |node|
@@ -215,19 +175,15 @@ if RUBY_VERSION >= '2.6.0'
   class String
     alias_method :cs__patched_string_split_special, :split
 
-    # override of the the standard split method to handle the 2.6 direct
-    # yield case.
+    # Override of the the standard split method to handle the 2.6 direct yield case.
     #
     # Note: because this patch is applied before our standard propagation, this
-    # call wrapped in it. As such, any call here happens in scope, so there is
+    # call is wrapped in it. As such, any call here happens in scope, so there is
     # no need to manage it on our own.
     def split *args, &block
       if block
-        Contrast::Agent::Assess::Policy::Propagator::Split.begin_split(self, args)
-        begin
+        Contrast::Agent::Assess::Policy::Propagator::Split.wrap_split(self, args) do
           cs__patched_string_split_special(*args, &block)
-        ensure
-          Contrast::Agent::Assess::Policy::Propagator::Split.end_split
         end
       else
         cs__patched_string_split_special(*args, &block)

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -92,8 +92,7 @@ module Contrast
               end
 
               def string_sub parent_events, self_tracked, preshift, ret, incoming, incoming_tracked, global
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
                 parent_event = incoming_properties&.event
@@ -141,22 +140,23 @@ module Contrast
               end
 
               def block_sub self_tracked, source, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                properties&.splat_from(source, ret) if self_tracked
+                return unless self_tracked
+
+                properties = Contrast::Agent::Assess::Tracker.properties!(ret)
+                properties&.splat_from(source, ret)
               end
 
               def hash_sub self_tracked, source, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                properties&.splat_from(source, ret) if self_tracked
+                return unless self_tracked
+
+                properties = Contrast::Agent::Assess::Tracker.properties!(ret)
+                properties&.splat_from(source, ret)
               end
 
               def pattern_gsub parent_events, preshift, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
-
                 source = preshift.object
-                source_properties = Contrast::Agent::Assess::Tracker.properties(source)
-                return unless source_properties
+                return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source_properties.tag_keys.each do |key|
                   properties.add_tag(key, 0...1)

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -11,13 +11,11 @@ module Contrast
           # Disclaimer: there may be a better way, but we're
           # in a 'get it work' state. hopefully, we'll be in
           # a 'get it right' state soon.
-          class Trim
+          module Trim
             class << self
               def tr_tagger patcher, preshift, ret, _block
                 return ret unless ret && !ret.empty?
-
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return ret unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source = preshift.object
                 args = preshift.args
@@ -59,9 +57,7 @@ module Contrast
 
               def tr_s_tagger patcher, preshift, ret, _block
                 return unless ret && !ret.empty?
-
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source = preshift.object
                 args = preshift.args

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -178,8 +178,8 @@ module Contrast
               # don't apply second source -- probably needs tuning later if we
               # use more than 'UNTRUSTED' in our sources
               return if Contrast::Agent::Assess::Tracker.tracked?(target)
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
               # otherwise for each tag this source_node applies, create a tag range
               # on the target object
               # I realize this looping is counter-intuitive from the above
@@ -243,19 +243,7 @@ module Contrast
               when Contrast::Utils::ObjectShare::OBJECT_KEY
                 object
               else
-                if source_target.is_a?(Integer)
-                  args[source_target]
-                  # If this isn't an index param, it's a named one. R.I.P.
-                else
-                  arg = nil
-                  args.each do |search|
-                    next unless search.is_a?(Hash)
-
-                    arg = search[source_target]
-                    break if arg
-                  end
-                  arg
-                end
+                args[source_target]
               end
             end
 

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -25,14 +25,13 @@ module Contrast
               TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
               def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 scope = args[0]
                 erb_template_prerender = object.instance_variable_get(:@data)
                 interpolated_inputs = []
-                handle_binding_variables(scope, erb_template_prerender, ret, interpolated_inputs)
-                handle_local_variables(args, erb_template_prerender, ret, interpolated_inputs)
+                handle_binding_variables(scope, erb_template_prerender, ret, properties, interpolated_inputs)
+                handle_local_variables(args, erb_template_prerender, ret, properties, interpolated_inputs)
                 properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
                 unless interpolated_inputs.empty?
                   current_event = properties.event
@@ -53,8 +52,7 @@ module Contrast
 
               private
 
-              def handle_binding_variables scope, erb_template_prerender, ret, interpolated_inputs
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+              def handle_binding_variables scope, erb_template_prerender, ret, properties, interpolated_inputs
                 binding_variables = scope.instance_variables
 
                 binding_variables.each do |bound_variable_sym|
@@ -71,8 +69,7 @@ module Contrast
                 end
               end
 
-              def handle_local_variables args, erb_template_prerender, ret, interpolated_inputs
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+              def handle_local_variables args, erb_template_prerender, ret, properties, interpolated_inputs
                 locals = args[1]
                 locals.each do |local_name, local_value|
                   next unless Contrast::Agent::Assess::Tracker.tracked?(local_value)

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -43,7 +43,7 @@ module Contrast
                   next unless trigger_node.violated?(arg)
 
                   Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-                      context, trigger_node, arg, object, ret, args)
+                      context, trigger_node, arg, object, ret, *args)
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -39,7 +39,7 @@ module Contrast
               finish ||= url.length
 
               properties = Contrast::Agent::Assess::Tracker.properties(args[0])
-              properties.any_tags_between?(start, finish)
+              properties&.any_tags_between?(start, finish)
             end
           end
         end