contrast-agent 3.8.5 → 3.9.0

data/resources/inventory/policy.json

@@ -3,7 +3,7 @@
     {
       "name":"data_store",
       "applicator": "Contrast::CoreExtensions::Inventory::DataStores",
-      "applicator_method": "cs__patched_report_data_store",
+      "applicator_method": "patched_report_data_store",
       "required_properties": ["data_store"],
       "optional_properties": [],
       "triggers":[

data/resources/protect/policy.json

@@ -3,7 +3,7 @@
     {
       "name": "cmd-injection",
       "applicator": "Contrast::CoreExtensions::Protect::AppliesCommandInjectionRule",
-      "applicator_method": "cs__patched_apply_command_injection_rule",
+      "applicator_method": "apply_command_injection_rule",
       "required_properties": [],
       "optional_properties": [],
       "triggers": [
@@ -115,7 +115,7 @@
     {
       "name": "nosql-injection",
       "applicator": "Contrast::CoreExtensions::Protect::AppliesNoSqliRule",
-      "applicator_method": "cs__patched_apply_nosql_rule",
+      "applicator_method": "apply_nosql_rule",
       "required_properties": ["database"],
       "optional_properties": [],
       "triggers": [
@@ -157,7 +157,7 @@
     {
       "name":"path-traversal",
       "applicator": "Contrast::CoreExtensions::Protect::AppliesPathTraversalRule",
-      "applicator_method": "cs__patched_apply_path_traversal_rule",
+      "applicator_method": "apply_path_traversal_rule",
       "required_properties": ["action"],
       "optional_properties": [],
       "triggers":[
@@ -255,7 +255,7 @@
     {
       "name": "sql-injection",
       "applicator": "Contrast::CoreExtensions::Protect::AppliesSqliRule",
-      "applicator_method": "cs__patched_apply_sql_rule",
+      "applicator_method": "apply_sql_rule",
       "required_properties": ["index", "database"],
       "optional_properties": [],
       "triggers": [
@@ -337,7 +337,7 @@
     {
       "name": "untrusted-deserialization",
       "applicator": "Contrast::CoreExtensions::Protect::AppliesDeserializationRule",
-      "applicator_method": "cs__patched_apply_deserialization_rule",
+      "applicator_method": "apply_deserialization_rule",
       "required_properties": [],
       "optional_properties": [],
       "triggers": [
@@ -346,6 +346,7 @@
           "method_name": "load",
           "instance_method": false,
           "method_visibility": "public",
+          "scope": "deserialization",
           "properties": {}
         },
         {
@@ -353,6 +354,7 @@
           "method_name": "load",
           "instance_method": false,
           "method_visibility": "public",
+          "scope": "deserialization",
           "properties": {}
         }
       ]
@@ -360,7 +362,7 @@
     {
       "name": "xxe",
       "applicator": "Contrast::CoreExtensions::Protect::AppliesXxeRule",
-      "applicator_method": "cs__patched_apply_xxe_rule",
+      "applicator_method": "apply_xxe_rule",
       "required_properties": [],
       "optional_properties": [],
       "triggers": [
@@ -375,7 +377,7 @@
           "method_name": "read_io",
           "instance_method": false,
           "method_visibility": "public",
-          "applicator_method": "cs__patched_apply_xxe_rule__io",
+          "applicator_method": "apply_xxe_rule__io",
           "properties": {}
         },{
           "class_name": "Nokogiri::XML::SAX::Parser",
@@ -388,7 +390,7 @@
           "method_name": "parse_io",
           "instance_method": true,
           "method_visibility": "public",
-          "applicator_method": "cs__patched_apply_xxe_rule__io",
+          "applicator_method": "apply_xxe_rule__io",
           "properties": {}
         },{
           "class_name": "Ox",
@@ -407,7 +409,7 @@
           "method_name": "read_data",
           "instance_method": true,
           "method_visibility": "public",
-          "applicator_method": "cs__patched_apply_xxe_rule__lexer",
+          "applicator_method": "apply_xxe_rule__lexer",
           "properties": {}
         }
 

data/resources/rubocops/object/frozen_cop.rb

@@ -15,7 +15,7 @@ module RuboCop
         #   # good
         #   Object.cs__frozen?
         class Frozen < Cop
-          MSG = 'The use of `Object#is_a?` is a compatibility risk.'
+          MSG = 'The use of `Object#frozen?` is a compatibility risk.'
 
           def eligible_node? node
             node.method?(:frozen?)

data/ruby-agent.gemspec

@@ -38,6 +38,7 @@ def self.add_dev_dependencies spec
   spec.add_development_dependency 'execjs'
   spec.add_development_dependency 'factory_bot'
   spec.add_development_dependency 'fake_ftp'
+  spec.add_development_dependency 'fasterer'
   spec.add_development_dependency 'openssl'
   spec.add_development_dependency 'parser', '~> 2.6'
   spec.add_development_dependency 'pry'
@@ -55,6 +56,7 @@ def self.add_dev_dependencies spec
   spec.add_development_dependency 'sqlite3', '1.3.9'
   spec.add_development_dependency 'therubyracer'
   spec.add_development_dependency 'tilt'
+  spec.add_development_dependency 'xpath'
   spec.add_development_dependency 'yarjuf', '~> 2.0'
 end
 

data/service_executables/VERSION

@@ -1 +1 @@
-2.5.3
+2.6.2

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 3.8.5
+  version: 3.9.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-04-22 00:00:00.000000000 Z
+date: 2020-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -84,6 +84,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: fasterer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: openssl
   requirement: !ruby/object:Gem::Requirement
@@ -322,6 +336,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: xpath
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: yarjuf
   requirement: !ruby/object:Gem::Requirement
@@ -392,21 +420,21 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
+- ext/cs__assess_regexp_track/extconf.rb
+- ext/cs__assess_regexp/extconf.rb
+- ext/cs__assess_kernel/extconf.rb
+- ext/cs__assess_active_record_named/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_string_interpolation26/extconf.rb
 - ext/cs__assess_basic_object/extconf.rb
 - ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__scope/extconf.rb
-- ext/cs__assess_regexp/extconf.rb
 - ext/cs__assess_hash/extconf.rb
-- ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__assess_array/extconf.rb
-- ext/cs__assess_active_record_named/extconf.rb
-- ext/cs__assess_kernel/extconf.rb
-- ext/cs__assess_regexp_track/extconf.rb
-- ext/cs__protect_kernel/extconf.rb
 - ext/cs__assess_string/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_array/extconf.rb
 - ext/cs__assess_module/extconf.rb
+- ext/cs__assess_fiber_track/extconf.rb
+- ext/cs__protect_kernel/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -456,6 +484,9 @@ files:
 - ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c
 - ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h
 - ext/cs__assess_string_interpolation26/extconf.rb
+- ext/cs__assess_yield_track/cs__assess_yield_track.c
+- ext/cs__assess_yield_track/cs__assess_yield_track.h
+- ext/cs__assess_yield_track/extconf.rb
 - ext/cs__common/cs__common.c
 - ext/cs__common/cs__common.h
 - ext/cs__common/extconf.rb
@@ -465,9 +496,6 @@ files:
 - ext/cs__protect_kernel/cs__protect_kernel.c
 - ext/cs__protect_kernel/cs__protect_kernel.h
 - ext/cs__protect_kernel/extconf.rb
-- ext/cs__scope/cs__scope.c
-- ext/cs__scope/cs__scope.h
-- ext/cs__scope/extconf.rb
 - ext/extconf_common.rb
 - funchook/LICENSE
 - funchook/Makefile
@@ -638,7 +666,6 @@ files:
 - lib/contrast/agent.rb
 - lib/contrast/agent/assess.rb
 - lib/contrast/agent/assess/adjusted_span.rb
-- lib/contrast/agent/assess/class_reverter.rb
 - lib/contrast/agent/assess/contrast_event.rb
 - lib/contrast/agent/assess/frozen_properties.rb
 - lib/contrast/agent/assess/insulator.rb
@@ -671,6 +698,8 @@ files:
 - lib/contrast/agent/assess/policy/rewriter_patch.rb
 - lib/contrast/agent/assess/policy/source_method.rb
 - lib/contrast/agent/assess/policy/source_node.rb
+- lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb
+- lib/contrast/agent/assess/policy/source_validation/source_validation.rb
 - lib/contrast/agent/assess/policy/trigger_method.rb
 - lib/contrast/agent/assess/policy/trigger_node.rb
 - lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb
@@ -713,7 +742,6 @@ files:
 - lib/contrast/agent/patching/policy/patcher.rb
 - lib/contrast/agent/patching/policy/policy.rb
 - lib/contrast/agent/patching/policy/policy_node.rb
-- lib/contrast/agent/patching/policy/policy_unpatcher.rb
 - lib/contrast/agent/patching/policy/trigger_node.rb
 - lib/contrast/agent/protect/policy/policy.rb
 - lib/contrast/agent/protect/policy/trigger_node.rb
@@ -796,45 +824,56 @@ files:
 - lib/contrast/config/server_configuration.rb
 - lib/contrast/config/service_configuration.rb
 - lib/contrast/configuration.rb
-- lib/contrast/core_extensions/assess.rb
-- lib/contrast/core_extensions/assess/array.rb
-- lib/contrast/core_extensions/assess/assess_extension.rb
-- lib/contrast/core_extensions/assess/basic_object.rb
-- lib/contrast/core_extensions/assess/erb.rb
-- lib/contrast/core_extensions/assess/exec_trigger.rb
-- lib/contrast/core_extensions/assess/fiber.rb
-- lib/contrast/core_extensions/assess/hash.rb
-- lib/contrast/core_extensions/assess/kernel.rb
-- lib/contrast/core_extensions/assess/module.rb
-- lib/contrast/core_extensions/assess/regexp.rb
-- lib/contrast/core_extensions/assess/string.rb
-- lib/contrast/core_extensions/assess/tilt_template_trigger.rb
-- lib/contrast/core_extensions/delegator.rb
-- lib/contrast/core_extensions/eval_trigger.rb
-- lib/contrast/core_extensions/inventory.rb
-- lib/contrast/core_extensions/inventory/datastores.rb
-- lib/contrast/core_extensions/module.rb
-- lib/contrast/core_extensions/object.rb
-- lib/contrast/core_extensions/protect.rb
-- lib/contrast/core_extensions/protect/applies_command_injection_rule.rb
-- lib/contrast/core_extensions/protect/applies_deserialization_rule.rb
-- lib/contrast/core_extensions/protect/applies_no_sqli_rule.rb
-- lib/contrast/core_extensions/protect/applies_path_traversal_rule.rb
-- lib/contrast/core_extensions/protect/applies_sqli_rule.rb
-- lib/contrast/core_extensions/protect/applies_xxe_rule.rb
-- lib/contrast/core_extensions/protect/kernel.rb
-- lib/contrast/core_extensions/protect/psych.rb
-- lib/contrast/core_extensions/thread.rb
+- lib/contrast/delegators.rb
+- lib/contrast/delegators/application_update.rb
+- lib/contrast/extensions/framework/rack/cookie.rb
+- lib/contrast/extensions/framework/rack/request.rb
+- lib/contrast/extensions/framework/rack/response.rb
+- lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb
+- lib/contrast/extensions/framework/rails/active_record.rb
+- lib/contrast/extensions/framework/rails/active_record_named.rb
+- lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb
+- lib/contrast/extensions/framework/rails/buffer.rb
+- lib/contrast/extensions/framework/rails/configuration.rb
+- lib/contrast/extensions/framework/sinatra/base.rb
+- lib/contrast/extensions/ruby_core/assess.rb
+- lib/contrast/extensions/ruby_core/assess/array.rb
+- lib/contrast/extensions/ruby_core/assess/assess_extension.rb
+- lib/contrast/extensions/ruby_core/assess/basic_object.rb
+- lib/contrast/extensions/ruby_core/assess/erb.rb
+- lib/contrast/extensions/ruby_core/assess/exec_trigger.rb
+- lib/contrast/extensions/ruby_core/assess/fiber.rb
+- lib/contrast/extensions/ruby_core/assess/hash.rb
+- lib/contrast/extensions/ruby_core/assess/kernel.rb
+- lib/contrast/extensions/ruby_core/assess/module.rb
+- lib/contrast/extensions/ruby_core/assess/regexp.rb
+- lib/contrast/extensions/ruby_core/assess/string.rb
+- lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb
+- lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb
+- lib/contrast/extensions/ruby_core/delegator.rb
+- lib/contrast/extensions/ruby_core/eval_trigger.rb
+- lib/contrast/extensions/ruby_core/inventory.rb
+- lib/contrast/extensions/ruby_core/inventory/datastores.rb
+- lib/contrast/extensions/ruby_core/module.rb
+- lib/contrast/extensions/ruby_core/protect.rb
+- lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb
+- lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb
+- lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb
+- lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb
+- lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb
+- lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb
+- lib/contrast/extensions/ruby_core/protect/kernel.rb
+- lib/contrast/extensions/ruby_core/protect/psych.rb
+- lib/contrast/extensions/ruby_core/thread.rb
+- lib/contrast/framework/base_support.rb
+- lib/contrast/framework/manager.rb
+- lib/contrast/framework/platform_version.rb
+- lib/contrast/framework/rails_support.rb
+- lib/contrast/framework/sinatra_application_helper.rb
+- lib/contrast/framework/sinatra_support.rb
+- lib/contrast/framework/view_technologies_descriptor.rb
 - lib/contrast/internal_exception.rb
-- lib/contrast/rails_extensions/assess/action_controller_inheritance.rb
-- lib/contrast/rails_extensions/assess/active_record.rb
-- lib/contrast/rails_extensions/assess/active_record_named.rb
-- lib/contrast/rails_extensions/assess/configuration.rb
-- lib/contrast/rails_extensions/buffer.rb
-- lib/contrast/rails_extensions/rack.rb
 - lib/contrast/security_exception.rb
-- lib/contrast/sinatra_extensions/assess/cookie.rb
-- lib/contrast/sinatra_extensions/inventory/sinatra_base.rb
 - lib/contrast/tasks/service.rb
 - lib/contrast/utils/assess/sampling_util.rb
 - lib/contrast/utils/assess/tracking_util.rb
@@ -853,10 +892,9 @@ files:
 - lib/contrast/utils/invalid_configuration_util.rb
 - lib/contrast/utils/inventory_util.rb
 - lib/contrast/utils/io_util.rb
+- lib/contrast/utils/job_servers_running.rb
 - lib/contrast/utils/object_share.rb
-- lib/contrast/utils/operating_environment.rb
 - lib/contrast/utils/os.rb
-- lib/contrast/utils/path_util.rb
 - lib/contrast/utils/performs_logging.rb
 - lib/contrast/utils/preflight_util.rb
 - lib/contrast/utils/prevent_serialization.rb
@@ -865,7 +903,6 @@ files:
 - lib/contrast/utils/random_util.rb
 - lib/contrast/utils/resource_loader.rb
 - lib/contrast/utils/ruby_ast_rewriter.rb
-- lib/contrast/utils/scope_util.rb
 - lib/contrast/utils/service_response_util.rb
 - lib/contrast/utils/service_sender_util.rb
 - lib/contrast/utils/sha256_builder.rb

data/ext/cs__scope/cs__scope.c

@@ -1,96 +0,0 @@
-/* Copyright (c) 2020 Contrast Security, Inc.  See
- * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
-
-#include "cs__scope.h"
-#include <ruby.h>
-
-VALUE in_given_scope(const VALUE object, const char *scope) {
-    VALUE level;
-    level = rb_iv_get(object, scope);
-    if (NUM2INT(level) > 0) {
-        return Qtrue;
-    }
-    return Qfalse;
-}
-
-void enter_given_scope(const VALUE object, const char *scope) {
-    int level = NUM2INT(rb_iv_get(object, scope));
-    rb_iv_set(object, scope, INT2NUM(level + 1));
-}
-
-void exit_given_scope(const VALUE object, const char *scope) {
-    int level = NUM2INT(rb_iv_get(object, scope));
-    rb_iv_set(object, scope, INT2NUM(level - 1));
-}
-
-VALUE in_contrast_scope(const VALUE self) {
-    return in_given_scope(self, ivar_contrast_scope);
-}
-
-VALUE enter_contrast_scope(const VALUE self) {
-    enter_given_scope(self, ivar_contrast_scope);
-    return Qnil;
-}
-
-VALUE exit_contrast_scope(const VALUE self) {
-    exit_given_scope(self, ivar_contrast_scope);
-    return Qnil;
-}
-
-VALUE run_in_scope(const VALUE self) {
-    enter_contrast_scope(self);
-    rb_ensure(rb_yield, Qundef, exit_contrast_scope, self);
-    return Qnil;
-}
-
-VALUE enter_scope_for(const VALUE self, const VALUE scope_symbol) {
-    enter_contrast_scope(self);
-
-    return Qnil;
-}
-
-VALUE exit_scope_for(const VALUE self, const VALUE scope_symbol) {
-    exit_contrast_scope(self);
-
-    return Qnil;
-}
-
-VALUE initialize(const VALUE self) {
-    rb_iv_set(self, ivar_contrast_scope, rbzero);
-
-    return self;
-}
-
-VALUE deep_clone(const VALUE self) {
-    VALUE new_scope = rb_funcall(scope_class, rb_sym_new, 0);
-    rb_iv_set(new_scope, ivar_contrast_scope,
-              rb_iv_get(self, ivar_contrast_scope));
-    return new_scope;
-}
-
-void Init_cs__scope(void) {
-    rb_sym_new = rb_intern("new");
-    VALUE contrast = rb_define_module("Contrast");
-    VALUE agent = rb_define_module_under(contrast, "Agent");
-    scope_class = rb_define_class_under(agent, "Scope", rb_cObject);
-    rb_define_method(scope_class, "initialize", initialize, 0);
-
-    ivar_contrast_scope = "@contrast_scope";
-
-    rb_define_const(scope_class, "CONTRAST_SCOPE",
-                    ID2SYM(rb_intern("contrast")));
-    CONTRAST_SCOPE = rb_const_get(scope_class, rb_intern("CONTRAST_SCOPE"));
-
-    rb_define_method(scope_class, "in_contrast_scope?", in_contrast_scope, 0);
-
-    rb_define_method(scope_class, "enter_contrast_scope", enter_contrast_scope,
-                     0);
-    rb_define_method(scope_class, "exit_contrast_scope", exit_contrast_scope,
-                     0);
-
-    rb_define_method(scope_class, "run_in_scope", run_in_scope, 0);
-    rb_define_method(scope_class, "enter_scope_for", enter_scope_for, 1);
-    rb_define_method(scope_class, "exit_scope_for", exit_scope_for, 1);
-
-    rb_define_method(scope_class, "deep_clone", deep_clone, 0);
-}