contrast-agent 3.8.5 → 3.9.0

data/lib/contrast/sinatra_extensions/assess/cookie.rb

@@ -1,26 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-cs__scoped_require 'contrast/components/interface'
-
-if defined?(Rack) && defined?(Rack::Session) && defined?(Rack::Session::Cookie)
-  module Rack
-    module Session
-      # Our patch into the Rack::Session::Cookie Class, allowing for the
-      # runtime detection of insecure configurations on individual cookies
-      # within the application
-      class Cookie
-        include Contrast::Utils::InvalidConfigurationUtil
-        include Contrast::Components::Interface
-
-        access_component :scope
-
-        alias_method :cs__patched_initialize, :initialize
-        def initialize app, options = {}
-          Contrast::Utils::RackAssessSessionCookie.analyze_cookie_initialization(options)
-          cs__patched_initialize(app, options)
-        end
-      end
-    end
-  end
-end

data/lib/contrast/sinatra_extensions/inventory/sinatra_base.rb

@@ -1,59 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-if defined?(Sinatra) && defined?(Sinatra::Base)
-  module Sinatra
-    # Our patch into the Sinatra::Base Class, allowing for the inventory of the
-    # routes called by the application
-    class Base
-      alias_method :cs__patched_call!, :call!
-
-      # publicly available method for Sinatra::Base things -- unfortunately,
-      # getting the routes appear to require a lookup every time
-      def call! *args
-        cs__patched_map_route(*args)
-        cs__patched_call!(*args)
-      end
-
-      private
-
-      # Use logic copied from Sinatra::Base#process_route to determine which
-      # pattern matches the request being invoked by Sinatra::Base#call!
-      #
-      # @param args [Array<Object>] we rely on the @settings object in
-      #   Sinatra::Base and the env variable passed in as args[0]
-      def cs__patched_map_route *args
-        context = Contrast::Agent::REQUEST_TRACKER.current
-        return unless context
-
-        env = args[0]
-        return unless env
-
-        # There isn't a Request object in the Sinatra::Base yet - it's made
-        # during the #call! method, which we're patching - so we need to
-        # access the env
-        method = env[Rack::REQUEST_METHOD]
-        route = env[Rack::PATH_INFO]
-        route = route.to_s
-
-        # get all potential routes for this request type
-        routes = settings.routes[method]
-        return unless routes
-
-        # Do some cleanup that matches Sinatra::Base#process_route
-        route = '/' if route.empty? && !settings.empty_path_info?
-        route = route[0..-2] if !settings.strict_paths? && route != '/' && route.end_with?('/')
-
-        # Find the route that matches this request. Since we're using
-        # settings, we should resolve in the same precedence as Sinatra
-        routes.each do |pattern, _, _| # Mustermann::Sinatra
-          next unless pattern.params(route)
-
-          dtm = Contrast::Utils::PathUtil.get_sinatra_route(cs__class, method, pattern)
-          context.append_route_coverage(dtm)
-          break
-        end
-      end
-    end
-  end
-end

data/lib/contrast/utils/operating_environment.rb

@@ -1,38 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-cs__scoped_require 'contrast/components/interface'
-
-module Contrast
-  module Utils
-    # A utility class to detect the environment the agent is operating within
-    class OperatingEnvironment
-      include Contrast::Components::Interface
-      access_component :logging
-
-      def self.unsupported?
-        sidekiq? || rake?
-      end
-
-      def self.sidekiq?
-        return unless defined?(Sidekiq) && Sidekiq.cs__respond_to?(:server?) && Sidekiq.server?
-
-        logger.debug(nil, "Detected the spawn of a Sidekiq process. Disabling Contrast for process #{ Process.pid }")
-        true
-      end
-
-      def self.rake?
-        return unless defined?(Rake) &&
-            Rake.cs__respond_to?(:application) &&
-            Rake.application.cs__respond_to?(:top_level_tasks)
-
-        disabled_rake_tasks = Contrast::Agent::FeatureState.instance.disabled_agent_rake_tasks
-        disabled_task = Rake.application.top_level_tasks.any? { |task| disabled_rake_tasks.include?(task) }
-        return false unless disabled_task
-
-        logger.debug(nil, "Detected startup within the rake task #{ disabled_task }. Disabling Contrast for process #{ Process.pid }")
-        true
-      end
-    end
-  end
-end

data/lib/contrast/utils/path_util.rb

@@ -1,151 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/utils/class_util'
-cs__scoped_require 'contrast/components/interface'
-
-module Contrast
-  module Utils
-    # Utility methods for finding routes within frameworks
-    class PathUtil
-      include Contrast::Components::Interface
-      access_component :logging
-
-      COVERAGE_LIMIT = 500 # CONTRAST-25730: Arbitrary coverage limit imposed by TeamServer
-
-      class << self
-        # find the routes in the application. since each framework maintains the
-        # routes slightly differently, we'll only support those that we've explicitly
-        # implemented (Rails & Sinatra currently)
-        #
-        # this method always returns an array, even if it's empty
-        def find_routes
-          if defined?(Rails)
-            find_rails_routes
-          elsif defined?(Sinatra)
-            find_sinatra_routes
-          else
-            Contrast::Utils::ObjectShare::EMPTY_ARRAY
-          end
-        rescue StandardError
-          Contrast::Utils::ObjectShare::EMPTY_ARRAY
-        end
-
-        # Given the Contrast Request object, determine the current Coverage route,
-        # returning a RouteCoverage object
-        def get_route request
-          get_rails_route(request) if defined?(Rails)
-        rescue StandardError => e
-          logger.error(e, 'Unable to generate route from request')
-          nil
-        end
-
-        def find_rails_routes
-          routes = []
-          count = 0
-          Rails.application.routes.routes.each do |route|
-            routes << rails_route_to_coverage(route)
-            count += 1
-            return routes if count > COVERAGE_LIMIT
-          end
-          routes
-        end
-
-        def get_rails_route request
-          return unless Rails.cs__respond_to?(:application)
-
-          # returns array of arrays [[match_data, path_parameters, route]], sorted by
-          # precedence
-          # match_data: ActionDispatch::Journey::Path::Pattern::MatchData
-          # path_parameters: hash of various things
-          # route: ActionDispatch::Journey::Route
-          full_routes = Rails.application.routes.router.send(:find_routes, request.rack_request)
-          return if full_routes.empty?
-
-          full_route = full_routes[0] # [match_data, path_parameters, route]
-          return unless full_route
-
-          route = full_route[2]       # route w/ highest precedence
-          return unless route
-
-          rails_route_to_coverage(route)
-        end
-
-        # Convert ActionDispatch::Journey::Route to Contrast::Api::Dtm::RouteCoverage
-        def rails_route_to_coverage route
-          route_coverage = Contrast::Api::Dtm::RouteCoverage.new
-          route_coverage.route = "#{ route.defaults[:controller] }##{ route.defaults[:action] }"
-
-          verb = source_or_string(route.verb)
-          route_coverage.verb = Contrast::Utils::StringUtils.force_utf8(verb)
-
-          url = source_or_string(route.path.spec)
-          route_coverage.url = Contrast::Utils::StringUtils.force_utf8(url)
-          route_coverage
-        end
-
-        def source_or_string obj
-          if obj.cs__is_a?(Regexp)
-            obj.source
-          elsif obj.cs__respond_to?(:safe_string)
-            obj.safe_string
-          else
-            obj.to_s
-          end
-        end
-
-        # Iterate over every class that extends Sinatra::Base, pull out its routes
-        # (array of arrays with Mustermann::Sinatra as [][0]) and convert them into
-        # Contrast::Api::Dtm::RouteCoverage
-        def find_sinatra_routes
-          routes = []
-          controllers = sinatra_controllers
-          controllers.each do |clazz|
-            class_routes = sinatra_class_routes(clazz)
-            next unless class_routes
-
-            class_routes.each_pair do |method, list|
-              # item: [ Mustermann::Sinatra, [], Proc]
-              list.each do |item|
-                routes << sinatra_route_to_coverage(clazz, method, item[0])
-                return routes if routes.length > COVERAGE_LIMIT
-              end
-            end
-          end
-          routes
-        end
-
-        def sinatra_controllers
-          return [] unless defined?(Sinatra) && defined?(Sinatra::Base)
-
-          Contrast::Utils::ClassUtil.ancestors_of(Sinatra::Base)
-        end
-
-        def sinatra_class_routes controller
-          controller.instance_variable_get(:@routes)
-        rescue StandardError
-          logger.debug(nil, "#{ clazz } has no routes instance")
-          nil
-        end
-
-        # Invoked directly on Sinatra::Base#call!
-        def get_sinatra_route clazz, method, pattern
-          sinatra_route_to_coverage(clazz, method, pattern)
-        end
-
-        # given clazz, method, and Mustermann::Sinatra, build a
-        # Contrast::Api::Dtm::RouteCoverage
-        def sinatra_route_to_coverage clazz, method, pattern
-          safe_pattern = source_or_string(pattern)
-
-          route_coverage = Contrast::Api::Dtm::RouteCoverage.new
-          route_coverage.route = "#{ clazz }##{ method } #{ safe_pattern }"
-          route_coverage.verb = Contrast::Utils::StringUtils.force_utf8(method)
-          route_coverage.url = Contrast::Utils::StringUtils.force_utf8(safe_pattern)
-          route_coverage
-        end
-      end
-    end
-  end
-end

data/lib/contrast/utils/scope_util.rb

@@ -1,99 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-cs__scoped_require 'contrast/components/interface'
-
-module Kernel # :nodoc:
-  include Contrast::Components::Interface
-
-  access_component :scope
-
-  alias_method :cs__catch, :catch
-
-  # In the event of a `throw`, we need to override `catch`
-  # to save & restore scope state:
-  #
-  #   scope_level == 0
-  #
-  #   catch(:abc) do
-  #     with_contrast_scope do
-  #       throw :abc # will leak
-  #     end
-  #   end
-  #
-  #   scope_level == 1
-  #
-  # While this will fix /all/ scope leaks, not just ones caused by `throw`,
-  # it shouldn't be relied upon as a catch-all (lmao) solution.
-
-  private
-
-  def catch *args, &block
-    # Save current scope level
-    scope_level = SCOPE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
-
-    # Run original catch with block.
-    retval = cs__catch(*args, &block)
-
-    # Restore scope.
-    SCOPE.scope_for_current_ec.instance_variable_set(:@contrast_scope, scope_level)
-
-    retval
-  end
-end
-
-# ScopeUtil should probably be merged into Scope component.
-module Contrast
-  module Utils
-    module ScopeUtil # :nodoc:
-      include Contrast::Components::Interface
-
-      access_component :analysis, :scope
-
-      # @return [Boolean]
-      def skip_contrast_analysis?
-        return true if in_contrast_scope?
-        return true unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
-
-        false
-      end
-
-      # Skip if we should skip_contrast_analysis?, sampling says to ignore this
-      # request, or assess has been disabled.
-      #
-      # @return [Boolean]
-      def skip_assess_analysis?
-        return true if skip_contrast_analysis?
-
-        current_context = Contrast::Agent::REQUEST_TRACKER.current
-        return true unless current_context.analyze_request?
-
-        !ASSESS.enabled?
-      end
-
-      def cs__enter_scope
-        enter_contrast_scope!
-      end
-
-      def cs__leave_scope
-        exit_contrast_scope!
-      end
-
-      def cs__enter_assess_scope
-        # If we shouldn't be doing assess things, don't propagate or whatever
-        disable_contrast = skip_assess_analysis?
-        return nil if disable_contrast
-
-        enter_contrast_scope!
-      end
-
-      def cs__enter_scope_contrast_patch
-        # If we're already in Contrast scope, don't propagate or whatever
-        disable_contrast = skip_contrast_analysis?
-        return nil if disable_contrast
-
-        enter_contrast_scope!
-      end
-    end
-  end
-end