contrast-agent 3.8.5 → 3.9.0

data/lib/contrast/utils/duck_utils.rb

@@ -3,55 +3,75 @@
 
 module Contrast
   module Utils
-    # Utility methods for identifying instances that can be used interchangably
+    # Utility methods for identifying instances that can be used interchangeably
     class DuckUtils
-      def self.quacks_like_tracked_hash? obj
-        return false unless obj
-        return false if quacks_like_cs_patched?(obj)
+      class << self
+        # Determine if the given object, or the object to which it delegates,
+        # responds to the given method.
+        #
+        # @param object [Object]
+        # @param method [Symbol]
+        # @return [Boolean]
+        def quacks_to? object, method
+          return true if object.cs__respond_to?(method)
+          return false unless object.is_a?(Delegator)
 
-        obj.is_a?(Hash)
-      end
+          object.cs__delegator_respond_to?(method)
+        end
 
-      def self.quacks_like_tracked_enumerable? obj
-        return false unless obj
-        return false if obj.is_a?(IO)
-        # TODO: RUBY-606: temporary work around to avoid the agent treating OpenSSL::Buffering as a source,
-        # see https://contrast.atlassian.net/browse/RUBY-588
-        return false if defined?(OpenSSL::Buffering) && obj.is_a?(OpenSSL::Buffering)
-        return false if quacks_like_cs_patched?(obj)
+        # Most things that are closable IO's will in fact be of the IO type. That
+        # being said, some will also be extensions of DelegateClass with IO type,
+        # like Tempfile. We need to handle both cases.
+        #
+        # @param object [Object]
+        # @return [Boolean]
+        def closable_io? object
+          return false unless Contrast::Utils::IOUtil.io?(object)
 
-        obj.is_a?(Enumerable)
-      end
+          quacks_to?(object, :closed?)
+        end
 
-      # This method will return true if the object being checked has been patched
-      # to have the cs__properties field. We check the cs__tracked? method since it
-      # is side effect free (ie doesn't cause the properties object to be created).
-      def self.quacks_like_cs_patched? obj
-        obj && quacks_to?(obj, :cs__tracked?)
-      end
+        # Determine if the given Object is a Hash, or similar enough to a hash
+        # for us to iterate on it using the #each_pair method
+        #
+        # @param object [Object]
+        # @return [Boolean]
+        def iterable_hash? object
+          # do iterate on things believed to safely implement #each_pair
+          return true if object.cs__is_a?(Hash)
 
-      # All Objects respond to dup. Not all Objects respond nicely. Nil, True,
-      # False and Number types respond with TypeError. This check should handle
-      # those cases.
-      # https://stackoverflow.com/questions/20954789/how-do-i-check-if-a-variable-really-responds-to-dup
-      def self.quacks_like_duplicable? obj
-        obj.cs__class.methods.include? :new
-      end
+          # otherwise, don't risk it
+          false
+        end
 
-      # Most things that are closable IO's will in fact be of the IO type. That
-      # being said, some will also be extensions of DelegateClass with IO type,
-      # like Tempfile. We need to handle both cases.
-      def self.quacks_like_closable_io object
-        return false unless Contrast::Utils::IOUtil.io?(object)
+        # Determine if the given Object is a concrete implementation of
+        # Enumerable known to be safe to call #each on.
+        #
+        # @param object [Object]
+        # @return [Boolean]
+        def iterable_enumerable? object
+          # do iterate on things believed to safely implement #each. We're
+          # purposefully skipping Hash and Hash-like things here as
+          # #iterable_hash? should handle those.
+          return true if object.cs__is_a?(Array)
+          return true if object.cs__is_a?(Enumerator)
+          return true if object.cs__is_a?(Hash)
+          return true if object.cs__is_a?(Range)
+          return true if object.cs__is_a?(Set)
 
-        quacks_to?(object, :closed?)
-      end
+          # otherwise, don't risk it
+          false
+        end
 
-      def self.quacks_to? object, method
-        return true if object.cs__respond_to?(method)
-        return false unless object.is_a?(Delegator)
+        # This method will return true if the object being checked has been patched
+        # to have the cs__properties field. We check the cs__tracked? method since it
+        # is side effect free (ie doesn't cause the properties object to be created).
+        def trackable? object
+          return true if object.cs__respond_to?(:cs__tracked?)
+          return false unless object.is_a?(Delegator)
 
-        object.cs__delegator_respond_to?(method)
+          object.cs__delegator_respond_to?(:cs__tracked?)
+        end
       end
     end
   end

data/lib/contrast/utils/environment_util.rb

@@ -2,7 +2,8 @@
 # frozen_string_literal: true
 
 cs__scoped_require 'socket'
-cs__scoped_require 'contrast/core_extensions/module'
+
+cs__scoped_require 'contrast/extensions/ruby_core/module'
 cs__scoped_require 'contrast/components/interface'
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/utils/string_utils'
@@ -12,16 +13,10 @@ module Contrast
     # Gather information about the application and server environment
     # that the agent is running in.
     class EnvironmentUtil
-      include Contrast::Components::Interface
-
-      access_component :analysis
-
-      DEFAULT_APP_NAME = 'rack'
-      DEFAULT_SERVER_NAME = 'localhost'
-
       CS_VERSION = 'VERSION'
 
       # Possible names of constants that would hold version info
+      # TODO - RUBY-770
       VERSION_CONSTANT_CANDIDATES = %w[
         VERSION
         ::VERSION
@@ -30,16 +25,6 @@ module Contrast
         ::Application::VERSION
       ].cs__freeze
 
-      # Common places where view-layer files can be found in a Rails application
-      RAILS_VIEWS = [
-        ['app/assets', '*.coffee', %w[CoffeeScript]],
-        ['app/assets', '*.scss', %w[SASS]],
-        ['app/views', '*.html', %w[HTML5]],
-        ['app/views', '*.html.erb', %w[HTML5 ERB]],
-        ['app/views', '*.html.haml', %w[HTML5 HAML]],
-        ['public', '*.html', %w[HTML5]]
-      ].cs__freeze
-
       class << self
         ######### These are helpers ####################
 
@@ -50,6 +35,7 @@ module Contrast
         ######### Actually env/framework dependent ####################
 
         # See CONTRAST-16380 for more details
+        # TODO RUBY-770
         def determine_application_version
           @_determine_application_version ||= begin
             candidates = VERSION_CONSTANT_CANDIDATES.map do |name|
@@ -80,20 +66,9 @@ module Contrast
           end
         end
 
-        def platform
-          version = Rails.version rescue Sinatra::VERSION rescue Rack.version rescue '' # rubocop:disable Style/RescueModifier
-          major, minor, patch = *version.split(Contrast::Utils::ObjectShare::PERIOD)
-          major ||= ''
-          minor ||= ''
-          patch ||= ''
-
-          [major, minor, patch]
-        rescue StandardError
-          Contrast::Utils::ObjectShare::EMPTY_TRIPLE
-        end
-
         # Read libraries from the gemfile and append to the given ApplicationUpdate message
         # or other class that has a libraries map association
+        # TODO - RUBY-770
         def add_library_to_app_update app_update_pb, library_tags = ''
           libraries = Contrast::Utils::GemfileReader.instance.library_pb_list
           libraries.each do |n|
@@ -101,51 +76,6 @@ module Contrast
             app_update_pb.libraries[n.hash_code] = n
           end
         end
-
-        # Iterate through known locations, looking for files
-        # that represent view or template files. If found, for each file in the directory
-        # append the technology and the view object to the application update instance
-        def scan_views app_update_msg
-          return unless INVENTORY.enabled?
-
-          scan_rails_views(app_update_msg)
-          scan_sinatra_views(app_update_msg)
-        end
-
-        # Find all the predefined routes for this application and append them to the
-        # provided inventory message
-        # msg should be a Contrast::Api::Dtm::ApplicationUpdate or some other msg
-        # that has a routes array consisting of Contrast::Api::Dtm::RouteCoverage
-        def scan_routes msg
-          return unless INVENTORY.enabled?
-
-          Contrast::Utils::PathUtil.find_routes.each do |route|
-            msg.routes << route
-          end
-        end
-
-        private
-
-        def scan_view_directories app_update_msg, view_location_data
-          view_location_data.each do |path, extension, tech_names|
-            next if Dir["#{ path }/**/*#{ extension }"].empty?
-
-            tech_names.each do |tech|
-              app_update_msg.technologies[tech] = true
-            end
-          end
-        end
-
-        def scan_rails_views app_update_msg
-          scan_view_directories(app_update_msg, RAILS_VIEWS)
-        end
-
-        def scan_sinatra_views app_update_msg
-          sinatra_app = Contrast::Utils::SinatraHelper.app_class
-          return unless sinatra_app
-
-          scan_view_directories(app_update_msg, Contrast::Utils::SinatraHelper.scannable_view_dirs)
-        end
       end
     end
   end

data/lib/contrast/utils/freeze_util.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/core_extensions/object'
 cs__scoped_require 'contrast/utils/duck_utils'
 
 module Contrast
@@ -11,21 +10,18 @@ module Contrast
     class FreezeUtil
       class << self
         # Make every attempt to duplicate the frozen object so that it can
-        # be tracked. Some things, like Nil, True, and False, respond to dup
-        # but throw a TypeError. This catches that case and returns the
-        # original. We luck out as these three cases do not get propagated to
+        # be tracked.
         #
         # @param original [Object] something frozen, usually a String
         # @return [Object] the original or an unfrozen copy
         def unfreeze_dup original
           return original unless original.cs__frozen?
-          return original unless Contrast::Utils::DuckUtils.quacks_like_duplicable?(original)
 
           copy = original.dup
-          if Contrast::Utils::DuckUtils.quacks_like_tracked_hash?(copy)
+          if Contrast::Utils::DuckUtils.iterable_hash?(copy)
             copy.each_key do |key|
               value = original[key]
-              copy[key] = Contrast::Utils::DuckUtils.quacks_like_duplicable?(original) ? value.dup : value
+              copy[key] = value.dup
             end
           end
           copy

data/lib/contrast/utils/invalid_configuration_util.rb

@@ -1,5 +1,5 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: false
+# frozen_string_literal: true
 
 cs__scoped_require 'contrast/components/interface'
 
@@ -11,9 +11,9 @@ module Contrast
       include Contrast::Components::Interface
       access_component :agent, :analysis, :contrast_service, :logging
 
-      CS__PATH = 'path'.cs__freeze
-      CS__SESSION_ID = 'sessionId'.cs__freeze
-      CS__SNIPPET = 'snippet'.cs__freeze
+      CS__PATH = 'path'
+      CS__SESSION_ID = 'sessionId'
+      CS__SNIPPET = 'snippet'
 
       # Build and report a finding for the given rule
       #
@@ -71,7 +71,7 @@ module Contrast
         idx = call_location&.lineno
         if file_path && idx && File.exist?(file_path)
           idx = idx > 5 ? idx - 5 : 0
-          snippet = ''
+          snippet = +''
           File.foreach(file_path).with_index do |line, line_num|
             next unless line_num >= idx
             break if line_num > idx + 10

data/lib/contrast/utils/job_servers_running.rb

@@ -0,0 +1,39 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # A module that detects whether any job servers attached to
+    # the application are running
+    module JobServersRunning
+      include Contrast::Components::Interface
+      access_component :logging
+
+      class << self
+        def job_servers_running?
+          sidekiq_running? || rake_running?
+        end
+
+        def sidekiq_running?
+          return unless defined?(Sidekiq) && Sidekiq.cs__respond_to?(:server?) && Sidekiq.server?
+
+          logger.debug(nil, 'Detected the spawn of a Sidekiq process')
+          true
+        end
+
+        def rake_running?
+          return unless defined?(Rake) &&
+              Rake.cs__respond_to?(:application) &&
+              Rake.application.cs__respond_to?(:top_level_tasks)
+
+          disabled_rake_tasks = Contrast::Agent::FeatureState.instance.disabled_agent_rake_tasks
+          has_disabled_task = Rake.application.top_level_tasks.any? { |top_level_task| disabled_rake_tasks.include?(top_level_task) }
+          return false unless has_disabled_task
+
+          logger.debug(nil, 'Detected startup within Rake task')
+          true
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/ruby_ast_rewriter.rb

@@ -1,5 +1,5 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: false
+# frozen_string_literal: true
 
 cs__scoped_require 'parser/current'
 
@@ -32,7 +32,7 @@ module Contrast
       def on_dstr node
         return if node.children.all? { |child_node| child_node.type == :str }
 
-        new_content = '('
+        new_content = +'('
         node.children.each_with_index do |child_node, index|
           # A begin node looks like #{some_code} in ruby, we do a substring
           # from [2...-1] to get rid of the #{ & trailing }.

data/lib/contrast/utils/service_response_util.rb

@@ -100,12 +100,6 @@ module Contrast
             end
           end
 
-          if (dynamic_sources_map_pb = server_features&.assess&.dynamic_sources_map)
-            dynamic_sources_map = dynamic_sources_map_pb.keys.inject({}) do |hsh, key|
-              hsh[key] = dynamic_sources_map_pb[key]
-            end
-            Contrast::Agent::Assess::Policy::Policy.instance.update_dynamic_sources dynamic_sources_map
-          end
           # This is for assess
           # PERF, we could avoid here with dirty-tracking.
           Contrast::Utils::Assess::SamplingUtil.instance.update

data/lib/contrast/utils/sinatra_helper.rb

@@ -33,6 +33,12 @@ module Contrast
         end
       end
 
+      def self.settings_instance
+        @_settings_instance ||= begin
+                                  app_class&.settings
+                                end
+      end
+
       def self.view_directory
         @_view_directory ||= begin
           app_class&.settings&.views

data/lib/contrast/utils/stack_trace_utils.rb

@@ -8,7 +8,7 @@ module Contrast
   module Utils
     # Utilities for converting ruby stack trace into DTMs
     class StackTraceUtils
-      CONTRAST_MARKER = 'contrast/core_extensions'
+      CONTRAST_MARKER = 'contrast/extensions/ruby_core'
       MONKEYPATCH_MARKER = 'cs__'
 
       # TODO: RUBY-532

data/resources/assess/policy.json

@@ -23,15 +23,17 @@
       "method_visibility": "public",
       "method_name":"body",
       "target":"R",
-      "type":"BODY"
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
     }, {
       "class_name":"Rack::Request::Env",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"get_header",
+      "source": "P0",
       "target":"R",
       "type":"HEADER",
-      "tags":["NO_NEWLINES"]
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
     }, {
       "class_name":"ActionDispatch::Request",
       "instance_method": true,
@@ -39,28 +41,30 @@
       "method_name": "raw_post",
       "target": "R",
       "type": "BODY",
-      "tags":["NO_NEWLINES"]
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
     }, {
       "class_name":"Rack::Request::Helpers",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"POST",
       "target":"R",
-      "type":"PARAMETER"
+      "type":"PARAMETER",
+      "tags":["CROSS_SITE"]
     }, {
       "class_name":"Rack::Request::Helpers",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"GET",
       "target":"R",
-      "type":"PARAMETER"
+      "type":"PARAMETER",
+      "tags":["CROSS_SITE"]
     }, {
       "class_name":"Rack::Request::Helpers",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"cookies",
       "target":"R",
-      "type":"PARAMETER",
+      "type":"COOKIE",
       "tags":["NO_NEWLINES"]
     }, {
       "class_name":"Rack::Request::Helpers",
@@ -68,71 +72,72 @@
       "method_visibility": "public",
       "method_name":"url",
       "target":"R",
-      "type":"PARAMETER"
+      "type":"PARAMETER",
+      "tags":["CROSS_SITE"]
     }, {
       "class_name":"Rack::Request::Helpers",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"query_string",
       "target":"R",
-      "type":"PARAMETER"
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
     }, {
       "class_name":"Rack::Request",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"body",
       "target":"R",
-      "type":"BODY"
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
     }, {
       "class_name":"Rack::Request",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"query_string",
       "target":"R",
-      "type":"BODY"
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
     }, {
       "class_name":"Rack::Request",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"GET",
       "target":"R",
-      "type":"PARAMETER"
+      "type":"PARAMETER",
+      "tags":["CROSS_SITE"]
     }, {
       "class_name":"Rack::Request",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"POST",
       "target":"R",
-      "type":"PARAMETER"
+      "type":"PARAMETER",
+      "tags":["CROSS_SITE"]
     }, {
       "class_name":"Rack::Request",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"cookies",
       "target":"R",
-      "type":"PARAMETER",
+      "type":"COOKIE",
       "tags":["NO_NEWLINES"]
-    }, {
-      "class_name":"Rack::Request",
-      "instance_method": true,
-      "method_visibility": "public",
-      "method_name":"url",
-      "target":"R",
-      "type":"BODY"
     }, {
       "class_name":"ActionController::Metal",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"params",
       "target":"R",
-      "type":"PARAMETER"
+      "type":"PARAMETER",
+      "tags":["CROSS_SITE"]
     }, {
       "class_name":"ActionController::StrongParameters",
       "instance_method": true,
       "method_visibility": "public",
       "method_name":"params",
       "target":"R",
-      "type":"PARAMETER"
+      "type":"PARAMETER",
+      "tags":["CROSS_SITE"]
     }
   ],
   "propagators":[
@@ -1213,6 +1218,7 @@
       ]
     }, {
       "name":"reflected-xss",
+      "required_tags": ["CROSS_SITE"],
       "disallowed_tags":["BASE64_ENCODED", "CSS_ENCODED", "CSV_ENCODED", "HTML_ENCODED", "JAVASCRIPT_ENCODED", "JAVA_ENCODED", "LDAP_ENCODED", "OS_ENCODED", "SQL_ENCODED", "URL_ENCODED", "VBSCRIPT_ENCODED", "XML_ENCODED", "XPATH_ENCODED"],
       "triggers":[
         {
@@ -1565,7 +1571,6 @@
     },
     {
       "name": "xxe",
-      "dataflow": "true",
       "triggers": [
         {
           "class_name": "Ox",
@@ -1668,6 +1673,52 @@
           "source": "P0"
         }
       ]
+    }, {
+      "name": "xpath-injection",
+      "disallowed_tags":["XPATH_ENCODED"],
+      "triggers": [
+        {
+          "class_name": "XPath::Expression",
+          "instance_method": true,
+          "method_visibility": "private",
+          "method_name": "initialize",
+          "source": "P1",
+          "trigger_class": "XPathLibraryTrigger",
+          "trigger_method": "xpath_trigger_check"
+        }, {
+          "class_name": "Oga::XML::CharacterNode",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name": "initialize",
+          "source": "P0",
+          "trigger_class": "XPathLibraryTrigger",
+          "trigger_method": "xpath_trigger_check"
+        }, {
+          "class_name": "XPather",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name": "get",
+          "source": "P0"
+        }, {
+          "class_name": "XPather",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name": "search",
+          "source": "P0"
+        }, {
+          "class_name": "Ox::HasAttrs",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name": "[]=",
+          "source": "P1"
+        }, {
+          "class_name": "Nokogiri::XML::Node",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name": "[]=",
+          "source": "P1"
+        }
+      ]
     }
   ]
 }