contrast-agent 3.8.5 → 3.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b789de55c662b3c95a253bac0ab731c931c0d97dad6fe7c6f827c40a17d64ed7
-  data.tar.gz: b7589a20f7d89191ca3b1633a93204fb7195f802272f2701b8d17553104979ae
+  metadata.gz: cc76e7cc9a47ace8f43df83fca283ee52dc8f4eb48bee2bca660981616c43124
+  data.tar.gz: c07ab0d747605fa69730f4409543ccd9ce7be5624f5d959ec27bd1dd227551db
 SHA512:
-  metadata.gz: '00693f21684374256997ada3d2a40889c288e116931662126ab7305dd2504c5fbb5d6657acd03c215181fcc839950b5b7a3ceccb7f1a347d2b91e7ae8556cf3b'
-  data.tar.gz: d44389e25b56d8da40e9b9de424ac9189c5d5929d252e2e082d09643dcf79b9d65b5b2179524a09cc9ab0978c5158eea02bcb3d042df12dea2e09b4bdf99a7b2
+  metadata.gz: 609dd7c247d30d0ec1a7567736d3d5377a422c1ba7e52ae9c52409a192e2f90f5054ef4f34b35e39d78bf5d05197449e791f2af5dc333b4d164fa9ccbfc015c1
+  data.tar.gz: c5336c941c6aece474c548549587e93fe61561ce8d4ef0576d5aefe875b0895a9f8e5c26afe2b41912f638eab9976c9357e268eee84c7cd6d4145aa507deaa86

data/ext/cs__assess_array/cs__assess_array.c

@@ -30,7 +30,7 @@ static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
 
 void Init_cs__assess_array(void) {
     rb_sym_assess_array_join = rb_intern("cs__patched_join");
-    rb_sym_assess_track_array_join = rb_intern("__cs_track_join");
+    rb_sym_assess_track_array_join = rb_intern("cs__track_join");
 
     VALUE array_class = rb_define_class("Array", rb_cObject);
     contrast_alias_method(array_class, "cs__patched_join", "join");

data/ext/cs__assess_module/cs__assess_module.c

@@ -61,7 +61,6 @@ contrast_assess_module_module_eval(const int argc, const VALUE *argv,
 void Init_cs__assess_module(void) {
     rb_sym_assess_patch_eval = rb_intern("patch_assess_on_eval");
 
-    VALUE assess_policy = rb_define_module_under(assess, "Policy");
     assess_patcher = rb_define_module_under(assess_policy, "Patcher");
 
     trigger_check_method = rb_intern("eval_trigger_check");

data/ext/cs__assess_yield_track/cs__assess_yield_track.c

@@ -0,0 +1,34 @@
+/* Copyright (c) 2020 Contrast Security, Inc.  See
+ * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
+
+#include "cs__assess_yield_track.h"
+#include "../cs__common/cs__common.h"
+#include <funchook.h>
+#include <ruby.h>
+
+static VALUE rb_yield_hook(VALUE val, const VALUE self) {
+    VALUE method = rb_funcall(rb_mKernel, rb_sym_method, 0);
+
+    if(method == split_method && RB_TYPE_P(val, T_STRING)) {
+        rb_funcall(split_class, propagate_yield, 1, val);
+    }
+    VALUE result = rb_yield_original(val);
+    return result;
+}
+
+static int install_yield_hooks() {
+    funchook_t *funchook = funchook_create();
+    rb_yield_original = rb_yield;
+    funchook_prepare(funchook, (void **)&rb_yield_original,
+                     rb_yield_hook);
+    funchook_install(funchook, 0);
+    return 0;
+}
+
+void Init_cs__assess_yield_track(void) {
+    VALUE base = rb_define_class_under(assess_propagator, "Base", rb_cObject);
+    split_class = rb_define_class_under(assess_propagator, "Split", base);
+    propagate_yield = rb_intern("propagate_yield");
+    split_method =  ID2SYM(rb_intern("split"));
+    install_yield_hooks();
+}

data/ext/cs__assess_yield_track/cs__assess_yield_track.h

@@ -0,0 +1,12 @@
+#include <funchook.h>
+#include <ruby.h>
+
+static VALUE split_class;
+static VALUE propagate_yield, split_method;
+
+static VALUE *(*rb_yield_original)(VALUE val);
+static VALUE rb_yield_hook(VALUE val, const VALUE self);
+
+static int install_yield_hooks();
+
+void Init_cs__assess_yield_track(void);

data/ext/cs__common/cs__common.c

@@ -6,7 +6,9 @@
 
 /* Globals */
 /* These are defined w/ `extern` in the header */
-VALUE contrast, agent, patching, policy, assess, core_extensions, core_assess;
+VALUE contrast, agent, patching, policy, assess;
+VALUE core_extensions, core_assess;
+VALUE assess_policy, assess_propagator;
 
 VALUE rb_sym_enter_scope;
 VALUE rb_sym_exit_scope;
@@ -50,11 +52,9 @@ void Init_cs__common(void) {
     policy = rb_define_module_under(patching, "Policy");
     patcher = rb_define_module_under(policy, "Patch");
 
+    assess_policy = rb_define_module_under(assess, "Policy");
+    assess_propagator = rb_define_module_under(assess_policy, "Propagator");
+
     core_extensions = rb_define_module_under(contrast, "CoreExtensions");
     core_assess = rb_define_module_under(core_extensions, "Assess");
-
-    /* Ensure ScopeUtil is set on the Contrast patcher */
-    VALUE utils = rb_define_module_under(contrast, "Utils");
-    VALUE scopeUtil = rb_define_module_under(utils, "ScopeUtil");
-    rb_extend_object(patcher, scopeUtil);
 }

data/ext/cs__common/cs__common.h

@@ -6,7 +6,9 @@
 static VALUE cs__send_method;
 static VALUE cs__alias_method_sym;
 
-extern VALUE contrast, agent, patching, policy, assess, core_extensions, core_assess;
+extern VALUE contrast, agent, patching, policy, assess;
+extern VALUE core_extensions, core_assess;
+extern VALUE assess_policy, assess_propagator;
 
 extern VALUE rb_sym_enter_scope;
 extern VALUE rb_sym_exit_scope;

data/ext/cs__contrast_patch/cs__contrast_patch.c

@@ -28,11 +28,12 @@ VALUE contrast_patch_call_original(const VALUE *args) {
     int argc;
     VALUE method, method_id, object;
     VALUE *params;
-    object = args[0];
-    method = args[1];
+    argc = NUM2INT(args[0]);
+    params = (VALUE *)args[1];
+    object = args[2];
+    method = args[3];
     method_id = SYM2ID(method);
-    argc = NUM2INT(args[2]);
-    params = (VALUE *)args[3];
+
 
     /* It looks like we can find the last Ruby block given so long as we don't
      * change Ruby method scope (always call this function from C, not Ruby),
@@ -94,9 +95,6 @@ VALUE contrast_patch_call_rescue(const VALUE *args) {
 
     contrast_call_post_patch(method_policy, preshift, object, Qnil, argc, argv);
 
-    /* exit scope */
-    rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
-
     /* reraise the exception that got us here */
     rb_exc_raise(exception);
 
@@ -104,19 +102,119 @@ VALUE contrast_patch_call_rescue(const VALUE *args) {
 }
 
 VALUE contrast_call_super(const VALUE *args) {
-    int argc = NUM2INT(args[0]);
-    VALUE *argv = (VALUE *)args[1];
+    int argc;
+    VALUE *argv;
+    argc = NUM2INT(args[0]);
+    argv = (VALUE *)args[1];
 
     return rb_call_super(argc, argv);
 }
 
+VALUE contrast_run_patches(const VALUE *wrapped_args) {
+    VALUE impl, method, method_policy, object, original_args, original_ret, preshift, transformed_ret;
+    int argc;
+    VALUE *argv;
+    VALUE rescue_args[6];
+
+    impl = wrapped_args[0];
+    original_args = wrapped_args[1];
+    method = wrapped_args[2];
+    method_policy = wrapped_args[3];
+    object = wrapped_args[4];
+    argc = NUM2INT(wrapped_args[5]);
+    argv = (VALUE *)wrapped_args[6];
+
+    rescue_args[0] = object;
+    rescue_args[1] = method;
+    rescue_args[2] = INT2NUM(argc);
+    rescue_args[3] = (VALUE)argv;
+    rescue_args[4] = method_policy;
+
+    /* Tracking, triggering, and propagation here. */
+    contrast_call_pre_patch(method_policy, method, object, argc, argv, Qnil);
+
+    /* Capture pre-call state */
+    preshift = build_preshift(method_policy, object, argc, argv);
+    rescue_args[5] = preshift;
+
+    /* We wrap a call to the original method with a rescue block, and we use
+     * rb_rescue2 to capture all Exception-inheriting exceptions (and if your
+     * software is well-behaved, all exceptions should inherit from Exception.)
+     *
+     * The rescue block is responsible for doing Contrast post-call analysis
+     * in the event the original method has thrown an exception.
+     *
+     * EDGE CASES:
+     * Given how extensively we patch and instrument, this code is
+     * prone to some esoteric edge cases that are not well-documented or
+     * easy to research.
+     *
+     * There is an esoteric edge case in core Ruby, upon Thread#kill, where
+     * it raises Fixnum 8 (Qnil==8).  This is an intentional choice on the
+     * part of the core Ruby devs, as blindly rescuing Thread#kill would be
+     * disastrous.
+     * A consequence of this is that Thread#kill will leak scope, if you
+     * happen to ever instrument it.
+     *
+     * If you are within a catch block, and the original function results
+     * in a throw, you will leak scope.  We handle this by not instrumenting
+     * methods that do that.  (Tracked in RUBY-552.)
+     *
+     * If you're thinking of cleaning this up by using rb_protect,
+     * you will catch ALL exceptions, as well as ANYTHING
+     * else that unwinds the stack.  This includes fiber context switches
+     * (which are used to implement Enumerator#next) and catch/throw blocks.
+     * I spent a week debugging that so you don't have to.  -ajm
+     */
+
+    switch (impl) {
+        case IMPL_ALIAS_INSTANCE:
+        case IMPL_ALIAS_SINGLETON:
+            original_ret = rb_rescue2(
+                contrast_patch_call_original, original_args,
+                contrast_patch_call_rescue, (VALUE)rescue_args, rb_eException, 0);
+            break;
+        case IMPL_PREPEND:
+            original_ret = rb_rescue2(contrast_call_super, original_args,
+                                      contrast_patch_call_rescue,
+                                      (VALUE)rescue_args, rb_eException, 0);
+            break;
+    };
+
+    /* If you're here, the original method did not throw an exception
+     * (or unwind the stack otherwise).
+     * If the original method threw an exception, contrast_patch_call_rescue
+     * re-raises the original exception, which unwinds the stack back to the
+     * call site.  This means the rest of this function is not executed.
+     */
+
+    /* Invoke Contrast post-call patching.
+     * Post-call patching may transform the return value,
+     * hence the assignment.
+     */
+    transformed_ret = contrast_call_post_patch(method_policy, preshift, object,
+                                               original_ret, argc, argv);
+
+    /* Special case for tracking frozen sources */
+    if (transformed_ret != Qnil) {
+        return transformed_ret;
+    } else {
+        return original_ret;
+    }
+}
+
+VALUE contrast_ensure_function(const VALUE method_policy) {
+    /* exit scope */
+    rb_funcall(contrast_patcher(), rb_sym_exit_method_scope, 1, method_policy);
+    rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
+
+    return Qnil;
+}
+
 VALUE contrast_patch_dispatch(const int argc, const VALUE *argv,
                               const patch_impl impl, const VALUE object) {
-    VALUE cs__method, known, method, ret, transformed_ret, original_ret,
-        method_policy, preshift;
+    VALUE cs__method, known, method, method_policy;
     VALUE original_args[4];
-    VALUE rescue_args[7];
-
     int do_contrast, nested_scope;
 
     /* Do Contrast analysis, unless our subsequent checks tell us no. */
@@ -158,18 +256,6 @@ VALUE contrast_patch_dispatch(const int argc, const VALUE *argv,
         method_policy = Qnil;
     }
 
-    if (impl == IMPL_ALIAS_INSTANCE || impl == IMPL_ALIAS_SINGLETON) {
-        /* Alias patching moves the original method to "cs__#{method}" */
-        cs__method = rb_funcall(known, rb_sym_brackets, 1, INT2NUM(1));
-
-        /* We may not have built the alias yet */
-        if (!RTEST(cs__method)) {
-            cs__method =
-                rb_funcall(contrast_patcher(), rb_sym_build_method_name, 2,
-                           object, method);
-        }
-    }
-
     /* Check conditions for not doing Contrast analysis */
     if (nested_scope) {
         /* if we were in scope */
@@ -190,112 +276,47 @@ VALUE contrast_patch_dispatch(const int argc, const VALUE *argv,
         do_contrast = 0;
     }
 
-    switch (impl) {
-    case IMPL_ALIAS_INSTANCE:
-    case IMPL_ALIAS_SINGLETON:
-        original_args[0] = object;
-        original_args[1] = cs__method;
-        original_args[2] = INT2NUM(argc);
-        original_args[3] = (VALUE)argv;
-        break;
-    case IMPL_PREPEND:
-        original_args[0] = INT2NUM(argc);
-        original_args[1] = (VALUE)argv;
-        break;
+    original_args[0] = INT2NUM(argc);
+    original_args[1] = (VALUE)argv;
+    original_args[2] = object;
+
+    if (impl == IMPL_ALIAS_INSTANCE || impl == IMPL_ALIAS_SINGLETON) {
+        /* Alias patching moves the original method to "cs__#{method}" */
+        cs__method = rb_funcall(known, rb_sym_brackets, 1, INT2NUM(1));
+
+        /* We may not have built the alias yet */
+        if (!RTEST(cs__method)) {
+            cs__method =
+                rb_funcall(contrast_patcher(), rb_sym_build_method_name, 2,
+                           object, method);
+        }
+        original_args[3] = cs__method;
     }
 
+    /* Enter any scopes specific to method policy */
+    rb_funcall(contrast_patcher(), rb_sym_enter_method_scope, 1, method_policy);
+
     /* If we're not doing Contrast analysis, exit scope and treat as normal. */
     if (!do_contrast) {
         goto call_original;
     }
 
-    rescue_args[0] = object;
-    rescue_args[1] = method;
-    rescue_args[2] = INT2NUM(argc);
-    rescue_args[3] = (VALUE)argv;
-    rescue_args[4] = method_policy;
-
-    /* Tracking, triggering, and propagation here. */
-    contrast_call_pre_patch(method_policy, method, object, argc, argv, Qnil);
+    /* Otherwise, invoke Contrast analysis. */
+     VALUE wrapped_args[7];
+     wrapped_args[0] = impl;
+     wrapped_args[1] = (VALUE)original_args;
+     wrapped_args[2] = method;
+     wrapped_args[3] = method_policy;
+     wrapped_args[4] = object;
+     wrapped_args[5] = INT2NUM(argc);
+     wrapped_args[6] = (VALUE)argv;
 
-    /* Capture pre-call state */
-    preshift = build_preshift(method_policy, object, argc, argv);
-    rescue_args[5] = preshift;
-
-    /* We wrap a call to the original method with a rescue block, and we use
-     * rb_rescue2 to capture all Exception-inheriting exceptions (and if your
-     * software is well-behaved, all exceptions should inherit from Exception.)
-     *
-     * The rescue block is responsible for doing Contrast post-call analysis
-     * in the event the original method has thrown an exception.
-     *
-     * EDGE CASES:
-     * Given how extensively we patch and instrument, this code is
-     * prone to some esoteric edge cases that are not well-documented or
-     * easy to research.
-     *
-     * There is an esoteric edge case in core Ruby, upon Thread#kill, where
-     * it raises Fixnum 8 (Qnil==8).  This is an intentional choice on the
-     * part of the core Ruby devs, as blindly rescuing Thread#kill would be
-     * disastrous.
-     * A consequence of this is that Thread#kill will leak scope, if you
-     * happen to ever instrument it.
-     *
-     * If you are within a catch block, and the original function results
-     * in a throw, you will leak scope.  We handle this by not instrumenting
-     * methods that do that.  (Tracked in RUBY-552.)
-     *
-     * If you're thinking of cleaning this up by using rb_protect,
-     * you will catch ALL exceptions, as well as ANYTHING
-     * else that unwinds the stack.  This includes fiber context switches
-     * (which are used to implement Enumerator#next) and catch/throw blocks.
-     * I spent a week debugging that so you don't have to.  -ajm
-     */
-
-    switch (impl) {
-    case IMPL_ALIAS_INSTANCE:
-    case IMPL_ALIAS_SINGLETON:
-        original_ret = rb_rescue2(
-            contrast_patch_call_original, (VALUE)original_args,
-            contrast_patch_call_rescue, (VALUE)rescue_args, rb_eException, 0);
-        break;
-    case IMPL_PREPEND:
-        original_ret = rb_rescue2(contrast_call_super, (VALUE)original_args,
-                                  contrast_patch_call_rescue,
-                                  (VALUE)rescue_args, rb_eException, 0);
-        break;
-    };
-
-    /* If you're here, the original method did not throw an exception
-     * (or unwind the stack otherwise).
-     * If the original method threw an exception, contrast_patch_call_rescue
-     * re-raises the original exception, which unwinds the stack back to the
-     * call site.  This means the rest of this function is not executed.
-     */
-
-    /* Invoke Contrast post-call patching.
-     * Post-call patching may transform the return value,
-     * hence the assignment.
-     */
-    transformed_ret = contrast_call_post_patch(method_policy, preshift, object,
-                                               original_ret, argc, argv);
-
-    /* Special case for tracking frozen sources */
-    if (transformed_ret != Qnil) {
-        ret = transformed_ret;
-    } else {
-        ret = original_ret;
-    }
-
-    /* exit scope */
-    rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
-
-    return ret;
+    return rb_ensure(contrast_run_patches, (VALUE)wrapped_args, contrast_ensure_function, method_policy);
 
 call_original:
 
     /* exit scope */
-    rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
+    contrast_ensure_function(method_policy);
 
     switch (impl) {
     case IMPL_ALIAS_INSTANCE:
@@ -430,6 +451,8 @@ void Init_cs__contrast_patch(void) {
     rb_sym_instance_method = rb_intern("instance_method");
     rb_sym_cs_singleton_class = rb_intern("cs__singleton_class");
 
+    rb_sym_enter_method_scope = rb_intern("enter_method_scope!");
+    rb_sym_exit_method_scope = rb_intern("exit_method_scope!");
 
     rb_define_module_function(contrast_patcher(), "contrast_define_method",
                               contrast_patch_define_method, 3);

data/ext/cs__contrast_patch/cs__contrast_patch.h

@@ -23,6 +23,9 @@ static VALUE rb_sym_cs_to_s;
 
 static VALUE rb_sym_in_request_context;
 
+static VALUE rb_sym_enter_method_scope;
+static VALUE rb_sym_exit_method_scope;
+
 static VALUE rb_sym_build_method_name;
 static VALUE rb_sym_info_for;
 static VALUE rb_sym_propagation_node;