RubyGems - contrast-agent - Versions diffs - 3.8.5 → 3.9.0 - Mend

contrast-agent 3.8.5 → 3.9.0

Files changed (153) hide show

@@ -1,33 +0,0 @@
-#include <ruby.h>
-VALUE rbzero = INT2NUM(0);
-VALUE scope_class;
-VALUE rb_sym_new;
-const char *ivar_contrast_scope;
-VALUE CONTRAST_SCOPE;
-VALUE in_given_scope(const VALUE object, const char *scope);
-void enter_given_scope(const VALUE object, const char *scope);
-void exit_given_scope(const VALUE object, const char *scope);
-VALUE in_contrast_scope(const VALUE self);
-VALUE enter_contrast_scope(const VALUE self);
-VALUE exit_contrast_scope(const VALUE self);
-VALUE run_in_scope(const VALUE self);
-VALUE enter_scope_for(const VALUE self, const VALUE scope_symbol);
-VALUE exit_scope_for(const VALUE self, const VALUE scope_symbol);
-VALUE initialize(const VALUE self);
-VALUE deep_clone(const VALUE self);
-void Init_cs__scope(void);

data/lib/contrast/agent/assess/class_reverter.rb DELETED

@@ -1,82 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/core_extensions/module'
-cs__scoped_require 'contrast/utils/object_share'
-module Contrast
-  module Agent
-    module Assess
-      # This is used to revert, or undo, the patches that we've placed into
-      # modules. This is necessary for those cases where the original method
-      # was supposed to be removed, but wasn't b/c we had renamed it -- looking
-      # at you, FactoryBot
-      class ClassReverter
-        include Contrast::Components::Interface
-        access_component :logging, :scope
-        class << self
-          def unpatch!
-            Contrast::Agent::FeatureState.instance.uninstrument_namespaces.
-                each { |mod_sym| revert_module mod_sym }
-          end
-          private
-          def revert_module mod
-            with_contrast_scope do
-              revert_child_modules(mod, [])
-            end
-          rescue StandardError => e
-            logger.error(e, "Unable to remove patches from the module #{ mod }")
-          end
-          def revert_child_modules mod, reverted_modules, parent_mod = nil
-            return if parent_mod == mod
-            return if reverted_modules.include?(mod)
-            reverted_modules << mod
-            immediate_constants = mod.cs__constants(false).collect! { |k| mod.cs__const_get(k) }
-            immediate_constants.select! { |k| k.is_a?(Module) }
-            immediate_constants.flatten!
-            if immediate_constants.any?
-              immediate_constants.each do |const|
-                revert_aliases(const)
-                revert_child_modules(const, reverted_modules, mod)
-              end
-            else
-              revert_aliases(mod)
-            end
-          end
-          # in order to fully uninstrument classes we must use true when getting the singleton/instance methods
-          # that way if a class makes use of instance_eval for instance(defined on Kernel) we are able to revert this
-          # specific instance of that method to use the default behavior while leaving the remainder of
-          # objects using the patched behavior
-          def revert_aliases clazz
-            marker = Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START
-            instance_methods = (clazz.instance_methods(true) + clazz.private_instance_methods(true)).select { |method| method.to_s.start_with?(marker) }
-            singleton_methods = clazz.cs__singleton_class.instance_methods(true).select { |method| method.to_s.start_with?(marker) }
-            instance_methods.each { |i_method| revert_alias(clazz, i_method, instance_methods) }
-            singleton_methods.each { |s_method| revert_alias(clazz.cs__singleton_class, s_method, singleton_methods) }
-          end
-          def revert_alias clazz, current_method_name, methods
-            original_method_name = clazz.instance_method(current_method_name).original_name
-            is_private = clazz.private_method_defined?(original_method_name)
-            # revert aliasing only for those methods currently defined on the original
-            if is_private || clazz.method_defined?(original_method_name)
-              clazz.send(:alias_method, original_method_name, current_method_name)
-              clazz.send(:private, original_method_name) if is_private
-            end
-            clazz.send(:undef_method, current_method_name) if methods.include?(current_method_name)
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/patching/policy/policy_unpatcher.rb DELETED

@@ -1,28 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/agent/assess/class_reverter'
-cs__scoped_require 'contrast/components/interface'
-module Contrast
-  module Agent
-    module Patching
-      module Policy
-        # This is how we unpatch out of our customer's code. It provides a way
-        # to remove ourselves from those modules which have since had their
-        # definition of the patched method revoked, such as when running with
-        # FactoryBot
-        module PolicyUnpatcher
-          include Contrast::Components::Interface
-          access_component :logging
-          def self.revert_conflicting_patches
-            logger.debug_with_time("\t\tRunning reversions") do
-              Contrast::Agent::Assess::ClassReverter.unpatch!
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/core_extensions/module.rb DELETED

@@ -1,42 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/utils/object_share'
-# Some developers override various methods on Module, which can often involve
-# changing expected method parity/behavior which in turn prevents us from being
-# able to reliably use affected methods. Let's alias these method so that we
-# always have access to them.
-class Module
-  alias_method :cs__name, :name
-  alias_method :cs__constants, :constants
-  alias_method :cs__const_defined?, :const_defined?
-  alias_method :cs__const_get, :const_get
-  alias_method :cs__const_set, :const_set
-  alias_method :cs__autoload?, :autoload?
-  # The method const_defined? can cause autoload, which is bad for us. The
-  # method autoload? doesn't traverse namespaces. This method lets us provide a
-  # constant, as a String, and parse it to determine if it has been truly
-  # truly defined, meaning it existed before this method was invoked, not as a
-  # result of it.
-  #
-  # @param name [String] the name of the constant to look up
-  # @return [Boolean]
-  def cs__truly_defined? name
-    return false unless name
-    segments = name.split(Contrast::Utils::ObjectShare::DOUBLE_COLON)
-    previous_module = Module
-    segments.each do |segment|
-      return false if previous_module.cs__autoload?(segment)
-      return false unless previous_module.cs__const_defined?(segment)
-      previous_module = previous_module.cs__const_get(segment)
-    end
-    true
-  rescue NameError # account for nonsense / poorly formatted constants
-    false
-  end
-end

data/lib/contrast/core_extensions/object.rb DELETED

@@ -1,27 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/utils/object_share'
-# Some aliases within Object have to happen especially early, because they're
-# core to class definitions.  See lib/contrast.rb.
-# ONLY very core aliasing should go there.  All the routine extension should
-# happen here, where you'd expect it.
-class Object
-  # Return a String representing the self invoking this method.
-  def cs__inspect
-    if cs__is_a?(String)
-      return Contrast::Utils::ObjectShare::EMPTY_STRING if empty?
-      dup
-    elsif cs__is_a?(Symbol)
-      ":#{ self }"
-    elsif cs__is_a?(Numeric)
-      to_s
-    elsif cs__is_a?(Module)
-      "#{ cs__name }@#{ __id__ }"
-    else
-      "#{ cs__class.cs__name }@#{ __id__ }"
-    end
-  end
-end

data/lib/contrast/rails_extensions/assess/action_controller_inheritance.rb DELETED

@@ -1,48 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-if defined?(ActionController) &&
-      defined?(ActionController::Railties) &&
-      defined?(ActionController::Railties::Helpers)
-  module ActionController
-    module Railties
-      # Used to monkey patch all the inherited calls in action_pack
-      #
-      # This is the usual entry point for Rails inheritance work, so it should
-      # catch most of the calls to inherited.
-      module Helpers
-        alias_method :cs__patched_inherited, :inherited
-        def inherited klass
-          klass&.instance_variable_set(:@cs__defining_class, true)
-          cs__patched_inherited(klass)
-        ensure
-          klass&.instance_variable_set(:@cs__defining_class, false)
-        end
-      end
-    end
-  end
-end
-if defined?(ActiveRecord) &&
-      defined?(ActiveRecord::AttributeMethods) &&
-      defined?(ActiveRecord::AttributeMethods::TimeZoneConversion) &&
-      defined?(ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods)
-  module ActiveRecord
-    module AttributeMethods
-      # Used to monkey patch all the inherited calls in action_pack
-      module TimeZoneConversion
-        module ClassMethods #:nodoc:
-          private
-          alias_method :cs__patched_inherited, :inherited
-          def inherited klass
-            klass&.instance_variable_set(:@cs__defining_class, true)
-            cs__patched_inherited(klass)
-          ensure
-            klass&.instance_variable_set(:@cs__defining_class, false)
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/rails_extensions/assess/active_record.rb DELETED

@@ -1,32 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-if defined?(ActiveRecord) &&
-      defined?(ActiveRecord::AttributeMethods) &&
-      defined?(ActiveRecord::AttributeMethods::Read) &&
-      defined?(ActiveRecord::AttributeMethods::Read::ClassMethods)
-  module ActiveRecord
-    module AttributeMethods
-      module Read
-        # Rails / ActiveRecord are sneaky a.f. They define attributes of a
-        # class in one method, then monkey patch allocate in another and
-        # finally invoke module_eval in this method... but of course they use a
-        # '_tmp_' header for the method name and then alias it in this module
-        # to name it what we expect
-        module ClassMethods
-          alias_method :cs__patched_define_method_attribute, :define_method_attribute
-          def define_method_attribute *args, &block
-            ret = cs__patched_define_method_attribute(*args, &block)
-            method_name = args[0]
-            Contrast::Agent::Assess::Policy::Patcher.patch_assess_method(self, method_name)
-            ret
-          end
-          protected :cs__patched_define_method_attribute, :define_method_attribute
-        end
-      end
-    end
-  end
-end

data/lib/contrast/rails_extensions/assess/active_record_named.rb DELETED

@@ -1,61 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/components/interface'
-if defined?(ActiveRecord) &&
-      defined?(ActiveRecord::Scoping) &&
-      defined?(ActiveRecord::Scoping::Named) &&
-      defined?(ActiveRecord::Scoping::Named::ClassMethods) &&
-      ActiveRecord::Scoping::Named::ClassMethods.
-            instance_methods(false).
-            include?(:scope)
-  module ActiveRecord
-    module Scoping
-      module Named
-        # Our patch into the ActiveRecord::Scoping::Named::ClassMethods Module,
-        # allowing for the runtime rewrite of interpolation calls defined in
-        # methods defined dynamically during application execution.
-        #
-        # TODO: RUBY-534
-        module ClassMethods
-          include Contrast::Components::Interface
-          access_component :logging, :agent
-          def _cs__rewrite method_name, body
-            return body unless AGENT.rewrite_interpolation?
-            return body unless body.is_a?(Proc)
-            location = body.source_location
-            return body if location.nil?
-            # Good news, once we patch the body once, the source location
-            # becomes eval. We may need to fix this later though (so it may
-            # be bad news)
-            return body if location.empty? || location[0].empty? || location[0].include?('eval')
-            opener = Contrast::Agent::ClassReopener.new(Contrast::Agent::ModuleData.new(self))
-            original_source_code = opener.source_code(location, method_name)
-            return body unless original_source_code
-            return body if Contrast::Agent::Rewriter.send(:unrepeatable?, original_source_code)
-            return body unless Contrast::Agent::Rewriter.send(:interpolations?, original_source_code)
-            # the code looks like 'source :some_method_name, ->lambda_literal'
-            # we just need the lambda
-            body_start = original_source_code.index(',') + 1
-            original_source_code = original_source_code[body_start..-1]
-            new_method_source = Contrast::Agent::Rewriter.send(:rewrite_method, original_source_code)
-            return body unless Contrast::Agent::Rewriter.send(:valid_code?, new_method_source)
-            unbound_eval(cs__name, new_method_source)
-          rescue SyntaxError, StandardError => e
-            logger.debug(e, "Can't parse method source in scoped method #{ method_name }: #{ e.message }")
-            body
-          end
-        end
-      end
-    end
-  end
-  cs__scoped_require 'cs__assess_active_record_named/cs__assess_active_record_named'
-end

data/lib/contrast/rails_extensions/assess/configuration.rb DELETED

@@ -1,26 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: false
-if defined?(Rails) && defined?(Rails::Application) && defined?(Rails::Application::Configuration)
-  module Rails
-    class Application
-      # Our patch into the Rails::Application::Configuration Class, allowing
-      # for the runtime detection of insecure configurations on individual
-      # ActionDispatch::Session::AbstractStore instances within the
-      # application.
-      class Configuration
-        include Contrast::Utils::InvalidConfigurationUtil
-        include Contrast::Components::Interface
-        access_component :analysis, :scope
-        alias_method :cs__patched_session_store, :session_store
-        def session_store *args
-          ret = cs__patched_session_store(*args)
-          Contrast::Utils::RailsAssessConfiguration.analyze_session_store(*args)
-          ret
-        end
-      end
-    end
-  end
-end

data/lib/contrast/rails_extensions/buffer.rb DELETED

@@ -1,30 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-cs__scoped_require 'contrast/components/interface'
-if defined?(ActionController) && defined?(ActionController::Live) && defined?(ActionController::Live::Buffer)
-  module ActionController
-    module Live
-      # This class acts as our patch into the ActionController::Live::Buffer
-      # class, allowing us to track the close event on streamed responses.
-      class Buffer
-        include Contrast::Components::Interface
-        access_component :contrast_service
-        # normally pre->in->post filters are applied however, in a streamed response
-        # we can run into a case where it's pre -> in -> post -> more infilters
-        # in order to submit anything found during the infilters after the response has been written we need to explicity send them
-        alias_method :cs__close, :close
-        def close
-          if (context = Contrast::Agent::REQUEST_TRACKER.current)
-            [context.server_activity, context.activity, context.observed_route].each do |msg|
-              CONTRAST_SERVICE.send_message msg
-            end
-          end
-          cs__close
-        end
-      end
-    end
-  end
-end

data/lib/contrast/rails_extensions/rack.rb DELETED

@@ -1,45 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-if defined?(Rack)
-  # In earlier versions of rack < 2.0.0 the Rack::Response and Rack::Request do
-  # not have get_header or set_header methods. This is our way of working
-  # around that.
-  module Rack
-    if defined?(Rack::Request)
-      # Our patch into the Rack::Request class, allowing us to call set_header
-      # and get_header in our code without worrying about older versions of
-      # Rack not implementing these methods.
-      class Request
-        unless Rack::Request.instance_methods(true).include?(:set_header)
-          def set_header name, value
-            @env[name] = value
-          end
-        end
-        unless Rack::Request.instance_methods(true).include?(:get_header)
-          def get_header name
-            @env[name]
-          end
-        end
-      end
-    end
-    if defined?(Rack::Response)
-      # Our patch into the Rack::Response Class, allowing us to call set_header
-      # and get_header in our code without worrying about older versions of
-      # Rack not implementing these methods.
-      class Response
-        unless Rack::Response.instance_methods(true).include?(:set_header)
-          def set_header key, value
-            headers[key] = value
-          end
-        end
-        unless Rack::Response.instance_methods(true).include?(:get_header)
-          def get_header key
-            headers[key]
-          end
-        end
-      end
-    end
-  end
-end