contrast-agent 3.16.0 → 4.3.1

data/lib/contrast/framework/manager.rb

@@ -128,9 +128,10 @@ module Contrast
       # @param method_name [Symbol] the method to call on each FrameworkSupport class
       # @return [Array]
       def data_for_all_frameworks method_name
-        @_frameworks.flat_map do |framework|
+        data = @_frameworks.flat_map do |framework|
           framework.send(method_name)
-        end.compact
+        end
+        data.compact
       end
 
       # This returns a single object from the first framework to successfully respond

data/lib/contrast/framework/rack/patch/session_cookie.rb

@@ -26,7 +26,7 @@ module Contrast
               @_instrument ||= begin
                 ::Rack::Session::Cookie.class_eval do
                   alias_method :cs__patched_initialize, :initialize
-                  def initialize app, options = {}
+                  def initialize app, options = {} # rubocop:disable Style/OptionHash
                     Contrast::Framework::Rack::Patch::SessionCookie.analyze(options)
                     cs__patched_initialize(app, options)
                   end
@@ -37,7 +37,7 @@ module Contrast
 
             def analyze options
               return unless AGENT.enabled?
-              return if PROTECT.enabled?
+              return if ASSESS.forcibly_disabled?
 
               apply_session_timeout(options)
               apply_httponly(options)

data/lib/contrast/framework/rack/support.rb

@@ -9,7 +9,8 @@ module Contrast
     module Rack
       # Used when Rack is present to define framework specific behavior. For
       # now, the only part of this implemented is the Patch Support.
-      class Support < BaseSupport
+      module Support
+        extend Contrast::Framework::BaseSupport
         extend Contrast::Framework::Rack::Patch::Support
         class << self
           def detection_class

data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb

@@ -7,7 +7,7 @@ module Contrast
       module Patch
         # This class acts as our patch into the ActionController::Live::Buffer
         # class, allowing us to track the close event on streamed responses.
-        class ActionControllerLiveBuffer
+        module ActionControllerLiveBuffer
           class << self
             def send_messages
               return unless (context = Contrast::Agent::REQUEST_TRACKER.current)

data/lib/contrast/framework/rails/patch/assess_configuration.rb

@@ -23,7 +23,7 @@ module Contrast
             include Contrast::Utils::InvalidConfigurationUtil
 
             def analyze_session_store *args
-              return if PROTECT.enabled?
+              return if ASSESS.forcibly_disabled?
 
               apply_httponly_disabled(*args)
               apply_secure_cookie_disabled(*args)

data/lib/contrast/framework/rails/patch/rails_application_configuration.rb

@@ -10,7 +10,7 @@ module Contrast
         # for the runtime detection of insecure configurations on individual
         # ActionDispatch::Session::AbstractStore instances within the
         # application.
-        class RailsApplicationConfiguration
+        module RailsApplicationConfiguration
           def self.instrument
             @_instrument ||= begin
               ::Rails::Application::Configuration.class_eval do

data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb

@@ -12,7 +12,7 @@ module Contrast
         # TODO: RUBY-714 remove w/ EOL of 2.5
         # @deprecated Changes to this class are discouraged as this approach is
         #   being phased out with support for those language versions.
-        class ActionControllerRailtiesHelperInherited
+        module ActionControllerRailtiesHelperInherited
           def self.instrument
             @_instrument ||= begin
               ::ActionController::Railties::Helpers.class_eval do

data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb

@@ -14,7 +14,7 @@ module Contrast
         # TODO: RUBY-714 remove w/ EOL of 2.5
         # @deprecated Changes to this class are discouraged as this approach is
         #   being phased out with support for those language versions.
-        class ActiveRecordAttributeMethodsRead
+        module ActiveRecordAttributeMethodsRead
           def self.instrument
             @_instrument ||= begin
               ::ActiveRecord::AttributeMethods::Read::ClassMethods.class_eval do

data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb

@@ -9,7 +9,7 @@ module Contrast
         # TODO: RUBY-714 remove w/ EOL of 2.5
         # @deprecated Changes to this class are discouraged as this approach is
         #   being phased out with support for those language versions.
-        class ActiveRecordTimeZoneInherited
+        module ActiveRecordTimeZoneInherited
           def self.instrument
             @_instrument ||= begin
               ::ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods.class_eval do

data/lib/contrast/framework/rails/support.rb

@@ -10,7 +10,8 @@ module Contrast
   module Framework
     module Rails
       # Used when Rails is present to define framework specific behavior
-      class Support < BaseSupport
+      class Support
+        extend Contrast::Framework::BaseSupport
         extend Contrast::Framework::Rails::Patch::Support
 
         class << self
@@ -45,6 +46,9 @@ module Contrast
             find_all_routes(::Rails.application, [])
           end
 
+          # Find the current route, based on the provided Request wrapper
+          # @param request[Contrast::Agent::Request]
+          # @return [Contrast::Api::Dtm::RouteCoverage]
           def current_route request
             return unless ::Rails.cs__respond_to?(:application)
 

data/lib/contrast/framework/sinatra/support.rb

@@ -8,7 +8,8 @@ module Contrast
   module Framework
     module Sinatra
       # Used when Sinatra is present to define framework specific behavior
-      class Support < BaseSupport
+      class Support
+        extend Contrast::Framework::BaseSupport
         extend Contrast::Framework::Sinatra::Patch::Support
         class << self
           def detection_class
@@ -67,7 +68,7 @@ module Contrast
           private
 
           def app_class
-            return nil unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
 
             @_app_class ||= begin
               sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a

data/lib/contrast/logger/application.rb

@@ -33,7 +33,7 @@ module Contrast
       def application_configuration
         return unless info?
 
-        loggable = CONFIG.raw.loggable
+        loggable = CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select { |env_key| env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) }
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }
@@ -41,9 +41,6 @@ module Contrast
           hash[conversion.key] = conversion.dot_path_array.join('.')
         end
         info('Set by environment', overrides: env_translations)
-      rescue StandardError => e
-        puts e
-        sleep(5)
       end
 
       def application_libraries

data/lib/contrast/utils/duck_utils.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Utils
     # Utility methods for identifying instances that can be used interchangeably
-    class DuckUtils
+    module DuckUtils
       class << self
         # Determine if the given object, or the object to which it delegates,
         # responds to the given method.

data/lib/contrast/utils/heap_dump_util.rb

@@ -106,7 +106,7 @@ module Contrast
           logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
           logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
           logger.info('*****************************************************')
-          exit # We weren't kidding!
+          exit # rubocop:disable Rails/Exit We weren't kidding!
         end
       end
     end

data/lib/contrast/utils/inventory_util.rb

@@ -3,7 +3,6 @@
 
 require 'contrast/utils/timer'
 require 'contrast/utils/object_share'
-require 'contrast/utils/gemfile_reader'
 require 'contrast/components/interface'
 
 module Contrast
@@ -25,12 +24,6 @@ module Contrast
       DEFAULT = 'default'
       LOCALHOST = 'localhost'
 
-      def self.inventory_class class_path
-        Contrast::Utils::GemfileReader.instance.map_class(class_path)
-      rescue StandardError => e
-        logger.error('Unable to inventory module', e, path: class_path)
-      end
-
       def self.active_record_config
         return @_active_record_config if instance_variable_defined?(:@_active_record_config)
 

data/lib/contrast/utils/object_share.rb

@@ -1,13 +1,13 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-# rubocop:disable  Object/Freeze
+# rubocop:disable Security/Object/Freeze
 module Contrast
   module Utils
     # A utility class where a series of commonly used Strings and other
     # commonly used objects can be store and frozen to prevent unnecessary
     # duplication.
-    class ObjectShare
+    module ObjectShare
       # Strings
       ASTERISK =      '*'
       BACK_SLASH =    '\\'
@@ -76,4 +76,4 @@ module Contrast
     end
   end
 end
-# rubocop:enable  Object/Freeze
+# rubocop:enable Security/Object/Freeze

data/lib/contrast/utils/preflight_util.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Utils
     # Utility for generating preflight message token
-    class PreflightUtil
+    module PreflightUtil
       def self.create_preflight finding
         "#{ finding.rule_id },#{ finding.hash_code }"
       end

data/lib/contrast/utils/prevent_serialization.rb

@@ -7,7 +7,7 @@ module Contrast
     #
     # Marshal is pretty cool. It does a lot of things well. What it doesn't
     # mess around with though is StringIO. And what we don't want to do is
-    # serialize ourselves out with Marshal#dump.
+    # serialize ourselves out with Marshal.dump.
     #
     # Unfortunately, we have to mess around w/ that. To isolate our things from
     # user dumped Strings (and so that we can marshal findings), we have

data/lib/contrast/utils/resource_loader.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Utils
     # ResourceLoader can attempt to read a file from a predefined resource directory
-    class ResourceLoader
+    module ResourceLoader
       RESOURCES = 'resources'
 
       # __FILE__/../../../resources

data/lib/contrast/utils/sha256_builder.rb

@@ -29,8 +29,8 @@ module Contrast
 
       # Generate a SHA256 hash of the combined source code of this Gem
       def sha256 path
-        return nil unless path
-        return nil unless File.exist?(path) && !File.directory?(path)
+        return unless path
+        return unless File.exist?(path) && !File.directory?(path)
 
         @sha256_cache[path] ||= Digest::SHA256.file(path).to_s
       end
@@ -52,18 +52,6 @@ module Contrast
         parent_dir = File.dirname(gems_dir)
         File.join(parent_dir, Contrast::Utils::ObjectShare::CACHE)
       end
-
-      def self.files path
-        instance.files(path)
-      end
-
-      def self.sha256 path
-        instance.sha256(path)
-      end
-
-      def self.build_from_spec spec
-        instance.build_from_spec(spec)
-      end
     end
   end
 end

data/lib/contrast/utils/string_utils.rb

@@ -74,7 +74,7 @@ module Contrast
       # @return [String] a copy of the given String, upper cased, trimmed,
       #   dashes replaced with underscore, and HTTP trimmed
       def self.normalized_key str
-        return nil unless str
+        return unless str
 
         str = str.to_s
         @_normalized_keys ||= {}

data/lib/contrast/utils/tag_util.rb

@@ -19,16 +19,15 @@ module Contrast
 
             relationship = tag.compare_range(range.start_idx, range.end_idx)
             case relationship
-            when Contrast::Agent::Assess::Tag::BELOW
               # since the tags are ordered, if we're below, nope out
-              return false
-            when Contrast::Agent::Assess::Tag::LOW_SPAN
-              # if we ever get a low span, that means a low part
-              # won't be covered. there's no need to continue
-              return false
-            when Contrast::Agent::Assess::Tag::WITHOUT
-              # if we ever get a without, that means a low part won't
-              # be covered. there's no need to continue
+            when Contrast::Agent::Assess::Tag::BELOW,
+                # if we ever get a low span, that means a low part
+                # won't be covered. there's no need to continue
+                Contrast::Agent::Assess::Tag::LOW_SPAN,
+                # if we ever get a without, that means a low part won't
+                # be covered. there's no need to continue
+                Contrast::Agent::Assess::Tag::WITHOUT
+
               return false
             when Contrast::Agent::Assess::Tag::WITHIN
               # if we're within, then 0 out this tag since it is
@@ -131,10 +130,7 @@ module Contrast
           smallered = []
           curr = nil
           tags.each do |tag|
-            if curr.nil?
-              curr = tag
-              smallered << curr
-            elsif tag.start_idx <= curr.end_idx
+            if curr && tag.start_idx <= curr.end_idx
               curr.update_end(tag.end_idx) if tag.end_idx > curr.end_idx
             else
               curr = tag

data/resources/assess/policy.json

@@ -640,7 +640,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
       "patch_method": "gsub_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "R"
     }, {
       "class_name": "String",
@@ -650,7 +650,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
       "patch_method": "gsub_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "O"
     }, {
       "class_name": "String",
@@ -660,7 +660,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
       "patch_method": "sub_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "R"
     }, {
       "class_name": "String",
@@ -670,7 +670,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
       "patch_method": "sub_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "O"
     }, {
       "class_name": "String",
@@ -680,7 +680,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
       "patch_method": "tr_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "R"
     }, {
       "class_name": "String",
@@ -690,7 +690,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
       "patch_method": "tr_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "O"
     }, {
       "class_name": "String",
@@ -700,7 +700,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
       "patch_method": "tr_s_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "R"
     }, {
       "class_name": "String",
@@ -710,7 +710,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
       "patch_method": "tr_s_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "O"
     }, {
       "class_name": "String",
@@ -984,7 +984,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Extension::Assess::KernelPropagator",
       "patch_method": "sprintf_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "R"
     }, {
       "class_name":"ActiveRecord::ConnectionAdapters::Quoting",

data/resources/deadzone/policy.json

@@ -55,6 +55,156 @@
       "instance_method":true,
       "method_visibility": "public",
       "method_name":"commit_session"
+    }, {
+      "class_name":"Rack::Session::Abstract::Persisted",
+      "instance_method":true,
+      "method_visibility": "private",
+      "method_name":"session_exists?",
+      "code": "https://github.com/rack/rack/blob/master/lib/rack/session/abstract/id.rb#L334"
+    }, {
+      "class_name":"ActionDispatch::Http::MimeNegotiation",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"formats",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/http/mime_negotiation.rb#L63"
+    }, {
+      "class_name":"ActionDispatch::FileHandler",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"match?",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/static.rb#L30"
+    }, {
+      "class_name":"ActionDispatch::Journey::Router",
+      "instance_method":true,
+      "method_visibility": "private",
+      "method_name":"find_routes",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/journey/router.rb#L107"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"controler_class_for",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/http/request.rb#L84"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"engine_script_name=",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/http/request.rb#L158"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"remote_ip",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/http/request.rb#L286"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"request_id",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/http/request.rb#L302"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"local?",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/http/request.rb#L409"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"cookie_jar",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L11"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"have_cookie_jar?",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L24"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"key_generator",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L32"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"signed_cookie_salt",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L36"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"encrypted_cookie_salt",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L40"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"encrypted_signed_cookie_salt",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L44"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"authenticated_encrypted_cookie_salt",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L48"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"use_authenticated_cookie_encryption",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L52"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"encrypted_cookie_cipher",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L56"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"signed_cookie_digest",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L60"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"secret_key_base",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L64"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"cookies_serializer",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L68"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"cookies_digest",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L72"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"cookies_rotations",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L76"
+    }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"use_cookies_with_metadata",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/middleware/cookies.rb#L80"
+    }, {
+      "class_name":"ActionDispatch::Request::Session",
+      "instance_method":true,
+      "method_visibility": "public",
+      "method_name":"exists?",
+      "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/request/session.rb#L201"
     }
   ]
 }