RubyGems - contrast-agent - Versions diffs - 3.8.5 → 3.9.0 - Mend

contrast-agent 3.8.5 → 3.9.0

Files changed (153) hide show

data/lib/contrast/extensions/ruby_core/module.rb ADDED

@@ -0,0 +1,17 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/utils/object_share'
+# Some developers override various methods on Module, which can often involve
+# changing expected method parity/behavior which in turn prevents us from being
+# able to reliably use affected methods. Let's alias these method so that we
+# always have access to them.
+class Module
+  alias_method :cs__name, :name
+  alias_method :cs__constants, :constants
+  alias_method :cs__const_defined?, :const_defined?
+  alias_method :cs__const_get, :const_get
+  alias_method :cs__const_set, :const_set
+  alias_method :cs__autoload?, :autoload?
+end

data/lib/contrast/{core_extensions → extensions/ruby_core}/protect.rb RENAMED

File without changes

data/lib/contrast/{core_extensions → extensions/ruby_core}/protect/applies_command_injection_rule.rb RENAMED

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/core_extensions/protect/applies_deserialization_rule'
+cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_deserialization_rule'
 module Contrast
   module CoreExtensions
@@ -13,7 +13,7 @@ module Contrast
       # rule should be invoked.
       # In addition, b/c of the nature of Deserialization's sand boxing
       # function, this Module's apply methods call through to the
-      # {#cs__patched_apply_deserialization_command_check} method of the
+      # {#apply_deserialization_command_check} method of the
       # Deserialization applicator.
       module AppliesCommandInjectionRule
         CS__SEMICOLON = '; '
@@ -22,12 +22,12 @@ module Contrast
           include Contrast::Components::Interface
           access_component :logging, :analysis
-          def cs__patched_apply_command_injection_rule method, _exception, _properties, object, args
+          def apply_command_injection_rule method, _exception, _properties, object, args
             return unless valid_command?(args)
             command = build_command(args)
-            Contrast::CoreExtensions::Protect::AppliesDeserializationRule.cs__patched_apply_deserialization_command_check(command)
-            return if cs__skip_analysis?
+            Contrast::CoreExtensions::Protect::AppliesDeserializationRule.apply_deserialization_command_check(command)
+            return if skip_analysis?
             begin
               clazz = object.is_a?(Module) ? object : object.cs__class
@@ -41,11 +41,13 @@ module Contrast
             logger.error(e, msg)
           end
+          private
           def rule
             PROTECT.rule Contrast::Agent::Protect::Rule::CmdInjection::NAME
           end
-          def cs__skip_analysis?
+          def skip_analysis?
             context = Contrast::Agent::REQUEST_TRACKER.current
             return true unless context&.app_loaded?
             return true unless rule&.enabled?

data/lib/contrast/{core_extensions → extensions/ruby_core}/protect/applies_deserialization_rule.rb RENAMED

@@ -15,9 +15,9 @@ module Contrast
         access_component :logging, :analysis
         class << self
-          def cs__patched_apply_deserialization_rule method, _exception, _properties, object, args
+          def apply_deserialization_rule method, _exception, _properties, object, args
             return unless valid_input?(args)
-            return if cs__skip_analysis?
+            return if skip_analysis?
             rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
           rescue Contrast::SecurityException => e
@@ -26,13 +26,15 @@ module Contrast
             logger.error(e, "Error running untrusted-deserialization rule in #{ object }.#{ method }")
           end
-          def cs__patched_apply_deserialization_command_check command
+          def apply_deserialization_command_check command
             return unless command
-            return if cs__skip_analysis?
+            return if skip_analysis?
             rule.check_command_scope(command)
           end
+          private
           def rule
             PROTECT.rule Contrast::Agent::Protect::Rule::Deserialization::NAME
           end
@@ -44,7 +46,7 @@ module Contrast
             input.is_a?(String)
           end
-          def cs__skip_analysis?
+          def skip_analysis?
             context = Contrast::Agent::REQUEST_TRACKER.current
             return true unless context&.app_loaded?
             return true unless rule&.enabled?

data/lib/contrast/{core_extensions → extensions/ruby_core}/protect/applies_no_sqli_rule.rb RENAMED

@@ -21,9 +21,9 @@ module Contrast
           include Contrast::Components::Interface
           access_component :logging, :analysis
-          def cs__patched_apply_nosql_rule method, _exception, properties, _object, args
+          def apply_nosql_rule method, _exception, properties, _object, args
             return unless valid_input?(args)
-            return if cs__skip_analysis?
+            return if skip_analysis?
             database = properties['database']
             operations = args[0]
@@ -41,6 +41,8 @@ module Contrast
             logger.error(e, "Error running NoSQLi rule in #{ properties['database'] }")
           end
+          private
           def rule
             PROTECT.rule Contrast::Agent::Protect::Rule::NoSqli::NAME
           end
@@ -51,7 +53,7 @@ module Contrast
             args[0]
           end
-          def cs__skip_analysis?
+          def skip_analysis?
             context = Contrast::Agent::REQUEST_TRACKER.current
             return true unless context&.app_loaded?
             return true unless rule&.enabled?

data/lib/contrast/{core_extensions → extensions/ruby_core}/protect/applies_path_traversal_rule.rb RENAMED

@@ -17,32 +17,17 @@ module Contrast
         access_component :logging, :analysis
         class << self
-          def cs__possible_write input
-            input.cs__respond_to?(:to_s) &&
-                input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
-          end
-          def rule
-            PROTECT.rule Contrast::Agent::Protect::Rule::PathTraversal::NAME
-          end
-          def cs__skip_analysis?
-            context = Contrast::Agent::REQUEST_TRACKER.current
-            return true unless context&.app_loaded?
-            return true unless rule&.enabled?
-          end
-          def cs__patched_apply_path_traversal_rule method, _exception, properties, _object, args
+          def apply_path_traversal_rule method, _exception, properties, _object, args
             return unless args&.any?
             path = args[0]
             return unless path.is_a?(String)
-            return if cs__skip_analysis?
+            return if skip_analysis?
             action = properties['action']
             write_marker = write?(action, *args)
-            possible_write = write_marker && cs__possible_write(write_marker)
-            cs__patched_path_traversal_rule(path, possible_write, method)
+            possible_write = write_marker && possible_write(write_marker)
+            path_traversal_rule(path, possible_write, method)
             # If the action was copy, we need to handle the write half of it.
             # We handled read in line above.
@@ -52,7 +37,26 @@ module Contrast
             dst = args[1]
             return unless dst.is_a?(String)
-            cs__patched_path_traversal_rule(dst, true, method)
+            path_traversal_rule(dst, true, method)
+          end
+          private
+          def rule
+            PROTECT.rule Contrast::Agent::Protect::Rule::PathTraversal::NAME
+          end
+          def possible_write input
+            input.cs__respond_to?(:to_s) &&
+                input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
+          end
+          def skip_analysis?
+            context = Contrast::Agent::REQUEST_TRACKER.current
+            return true unless context&.app_loaded?
+            return true unless rule&.enabled?
+            false
           end
           READ = 'read'
@@ -64,11 +68,11 @@ module Contrast
             return true if action == WRITE
             write_marker = args.length > 1 ? args[1] : nil
-            write_marker && cs__possible_write(write_marker)
+            write_marker && possible_write(write_marker)
           end
-          def cs__patched_path_traversal_rule path, possible_write, method
-            return unless cs__patched_applies_to?(path, possible_write)
+          def path_traversal_rule path, possible_write, method
+            return unless applies_to?(path, possible_write)
             logger.debug(nil, "checking path traversal: write=true path=#{ path }")
             rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
@@ -79,8 +83,8 @@ module Contrast
           end
           CS__SAFER_REL_PATHS = %w[public app log tmp].cs__freeze
-          def cs__patched_safer_abs_paths
-            @_cs__patched_safer_abs_paths ||= begin
+          def safer_abs_paths
+            @_safer_abs_paths ||= begin
               pwd = ENV['PWD']
               if pwd
                 tmp = CS__SAFER_REL_PATHS.map { |r| "#{ pwd }/#{ r }" }
@@ -93,7 +97,7 @@ module Contrast
             end
           end
-          def cs__patched_applies_to? path, possible_write = false
+          def applies_to? path, possible_write = false
             # any possible write is a potential risk
             return true if possible_write
@@ -102,7 +106,7 @@ module Contrast
             path = path.downcase
             if path.start_with?(Contrast::Utils::ObjectShare::SLASH)
-              cs__patched_safer_abs_paths.each do |prefix|
+              safer_abs_paths.each do |prefix|
                 return false if path.start_with?(prefix)
               end
             else

data/lib/contrast/{core_extensions → extensions/ruby_core}/protect/applies_sqli_rule.rb RENAMED

@@ -21,13 +21,13 @@ module Contrast
           access_component :logging, :analysis
-          def cs__patched_apply_sql_rule method, _exception, properties, object, args
+          def apply_sql_rule method, _exception, properties, object, args
             database = properties['database']
             return unless database
             index = properties[Contrast::Utils::ObjectShare::INDEX]
             return unless valid_input?(index, args)
-            return if cs__skip_analysis?
+            return if skip_analysis?
             sql = args[index]
             logger.debug(nil, "applying sqli rule on #{ object } for #{ method }")
@@ -38,6 +38,8 @@ module Contrast
             logger.error(e, "Error running SQLi rule in #{ object }")
           end
+          private
           def rule
             PROTECT.rule Contrast::Agent::Protect::Rule::Sqli::NAME
           end
@@ -49,7 +51,7 @@ module Contrast
             sql && !sql.empty?
           end
-          def cs__skip_analysis?
+          def skip_analysis?
             context = Contrast::Agent::REQUEST_TRACKER.current
             return true unless context&.app_loaded?
             return true unless rule&.enabled?

data/lib/contrast/{core_extensions → extensions/ruby_core}/protect/applies_xxe_rule.rb RENAMED

@@ -16,9 +16,9 @@ module Contrast
         access_component :logging, :analysis
         class << self
-          def cs__patched_apply_xxe_rule _method, _exception, _properties, object, args
+          def apply_xxe_rule _method, _exception, _properties, object, args
             return unless valid_input?(args)
-            return if cs__skip_analysis?
+            return if skip_analysis?
             xml = args.first
             parser = determine_parser(object)
@@ -34,10 +34,10 @@ module Contrast
           # IO is tricky. If we can't rewind it, we can't fix it back to the
           # original state. To be safe, we'll skip non-rewindable IO objects.
-          def cs__patched_apply_xxe_rule__io _method, _exception, _properties, object, args
+          def apply_xxe_rule__io _method, _exception, _properties, object, args
             need_rewind = false
             return unless valid_io_input?(args)
-            return if cs__skip_analysis?
+            return if skip_analysis?
             need_rewind = true
             xml = args.first.read
@@ -56,9 +56,9 @@ module Contrast
           # Oga's Lexer is a special case b/c the information we need is on the
           # object itself -- specifically in the @data instance variable
-          def cs__patched_apply_xxe_rule__lexer _method, _exception, _properties, object, _args
+          def apply_xxe_rule__lexer _method, _exception, _properties, object, _args
             return unless valid_data_input?(object)
-            return if cs__skip_analysis?
+            return if skip_analysis?
             parser = determine_parser(object)
             return unless parser
@@ -85,6 +85,8 @@ module Contrast
             logger.error(e, "Error running XXE rule in #{ parser }")
           end
+          private
           def rule
             PROTECT.rule Contrast::Agent::Protect::Rule::Xxe::NAME
           end
@@ -108,7 +110,7 @@ module Contrast
                 object.instance_variable_get(DATA_KEY)
           end
-          def cs__skip_analysis?
+          def skip_analysis?
             context = Contrast::Agent::REQUEST_TRACKER.current
             return true unless context&.app_loaded?
             return true unless rule&.enabled?

data/lib/contrast/{core_extensions → extensions/ruby_core}/protect/kernel.rb RENAMED

File without changes

data/lib/contrast/{core_extensions → extensions/ruby_core}/protect/psych.rb RENAMED

@@ -2,6 +2,6 @@
 # frozen_string_literal: true
 if defined?(Psych)
-  cs__scoped_require 'contrast/core_extensions/protect/applies_deserialization_rule'
+  cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_deserialization_rule'
   cs__scoped_require 'cs__patched_psych/cs__patched_psych'
 end

data/lib/contrast/{core_extensions → extensions/ruby_core}/thread.rb RENAMED

File without changes

data/lib/contrast/framework/base_support.rb ADDED

@@ -0,0 +1,63 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Contrast
+  module Framework
+    # The API for all subclasses to implement to correctly support a given framework
+    class BaseSupport
+      class << self
+        # The top level module name used by the framework
+        def detection_class
+          raise NoMethodError('Subclasses of BaseSupport should implement this method')
+        end
+        def version
+          raise NoMethodError('Subclasses of BaseSupport should implement this method')
+        end
+        def application_name
+          raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
+        end
+        def server_type
+          raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
+        end
+        # Iterate through known locations, looking for files
+        # that represent view or template files. If found, for each file in the directory
+        # append the technology and the view object to the application update instance
+        def scan_views
+          raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
+        end
+        # Find all the predefined routes for this application and append them to the
+        # provided inventory message
+        # msg should be a Contrast::Api::Dtm::ApplicationUpdate or some other msg
+        # that has a routes array consisting of Contrast::Api::Dtm::RouteCoverage
+        def collect_routes
+          raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
+        end
+        def current_route
+          raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
+        end
+        protected
+        def source_or_string obj
+          if obj.cs__is_a?(Regexp)
+            obj.source
+          elsif obj.cs__respond_to?(:safe_string)
+            obj.safe_string
+          else
+            obj.to_s
+          end
+        end
+        def scan_view_directories view_technology_descriptors
+          view_technology_descriptors.reject(&:empty?)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/framework/manager.rb ADDED

@@ -0,0 +1,109 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/framework/view_technologies_descriptor'
+cs__scoped_require 'contrast/framework/platform_version'
+cs__scoped_require 'contrast/framework/base_support'
+cs__scoped_require 'contrast/framework/rails_support'
+cs__scoped_require 'contrast/framework/sinatra_support'
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/utils/class_util'
+module Contrast
+  module Framework
+    # Allows access to framework specific information
+    class Manager
+      include Contrast::Components::Interface
+      access_component :logging, :analysis
+      # Order here does matter as the first framework listed will be the first one we pull information from
+      # Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
+      # do not exist
+      SUPPORTED_FRAMEWORKS = [
+        Contrast::Framework::RailsSupport,
+        Contrast::Framework::SinatraSupport
+      ].cs__freeze
+      def initialize
+        @_frameworks = SUPPORTED_FRAMEWORKS.map do |framework_klass|
+          next unless enable_framework_support?(framework_klass.detection_class)
+          logger.debug("Detected framework #{ framework_klass.detection_class } - enabling support")
+          framework_klass
+        end
+        @_frameworks.compact!
+      end
+      def find_applicable_view_technologies
+        scan_views_for_all_frameworks
+      end
+      def find_route_discovery_data
+        routes_for_all_frameworks
+      end
+      def platform_version
+        framework_version = first_framework_result :version, ''
+        Contrast::Framework::PlatformVersion.from_string(framework_version)
+      end
+      def server_type
+        first_framework_result :server_type, 'rack'
+      end
+      def app_name
+        first_framework_result :application_name, 'root'
+      end
+      def get_route_dtm request
+        result = nil
+        @_frameworks.find do |framework_klass|
+          # TODO: RUBY-763 Sinatra::Base#call patch adds the Route report
+          next if framework_klass == Contrast::Framework::SinatraSupport
+          result = framework_klass.current_route(request)
+        end
+        result
+      end
+      private
+      def enable_framework_support? klass
+        Contrast::Utils::ClassUtil.truly_defined?(klass)
+      end
+      def scan_views_for_all_frameworks
+        data_for_all_frameworks :scan_views
+      end
+      def routes_for_all_frameworks
+        data_for_all_frameworks :collect_routes
+      end
+      # This returns an array of all data from each framework in a flat, no-nil values array
+      #
+      # @param method_name [Symbol] the method to call on each FrameworkSupport class
+      # @return [Array]
+      def data_for_all_frameworks method_name
+        data = @_frameworks.flat_map do |framework|
+          framework.send(method_name)
+        end.compact
+        data
+      end
+      # This returns a single object from the first framework to successfully respond
+      #
+      # @param method_name [Symbol] the method to call on each FrameworkSupport class
+      # @return [Object] - Determined by method to be invoked
+      def first_framework_result method_name, default_value
+        result = nil
+        @_frameworks.each do |framework|
+          result = framework.send(method_name)
+          break if result
+        end
+        result || default_value
+      end
+    end
+  end
+end