contrast-agent 3.8.5 → 3.9.0

data/funchook/autom4te.cache/requests

@@ -14,64 +14,64 @@
                         'configure.ac'
                       ],
                       {
-                        'AC_PROG_LIBTOOL' => 1,
-                        'm4_sinclude' => 1,
-                        'AM_PROG_F77_C_O' => 1,
-                        'AM_GNU_GETTEXT_INTL_SUBDIR' => 1,
-                        'AM_POT_TOOLS' => 1,
-                        'AC_CONFIG_SUBDIRS' => 1,
-                        'AM_NLS' => 1,
-                        'AC_FC_SRCEXT' => 1,
-                        'LT_SUPPORTED_TAG' => 1,
-                        'AC_LIBSOURCE' => 1,
+                        'AC_CONFIG_LINKS' => 1,
+                        'AC_INIT' => 1,
+                        'AM_MAKEFILE_INCLUDE' => 1,
+                        '_AM_SUBST_NOTMAKE' => 1,
+                        'AM_SILENT_RULES' => 1,
                         'AC_CONFIG_LIBOBJ_DIR' => 1,
-                        'sinclude' => 1,
+                        'AC_DEFINE_TRACE_LITERAL' => 1,
+                        'AM_PROG_F77_C_O' => 1,
                         '_LT_AC_TAGCONFIG' => 1,
+                        'AC_FC_SRCEXT' => 1,
                         '_AM_COND_ELSE' => 1,
-                        'AM_PROG_LIBTOOL' => 1,
-                        'AC_SUBST' => 1,
-                        '_AM_COND_ENDIF' => 1,
-                        'AM_PROG_FC_C_O' => 1,
-                        '_AM_SUBST_NOTMAKE' => 1,
-                        'AC_CONFIG_FILES' => 1,
-                        'AC_REQUIRE_AUX_FILE' => 1,
-                        'AM_PROG_MOC' => 1,
-                        'AH_OUTPUT' => 1,
-                        'AC_FC_PP_SRCEXT' => 1,
-                        'AM_MAINTAINER_MODE' => 1,
-                        'AM_PROG_CC_C_O' => 1,
-                        'AC_CONFIG_LINKS' => 1,
-                        '_m4_warn' => 1,
-                        'AM_PROG_CXX_C_O' => 1,
-                        'LT_INIT' => 1,
-                        'AM_PATH_GUILE' => 1,
-                        'LT_CONFIG_LTDL_DIR' => 1,
+                        'm4_pattern_forbid' => 1,
+                        '_AM_MAKEFILE_INCLUDE' => 1,
+                        'AM_INIT_AUTOMAKE' => 1,
+                        'm4_pattern_allow' => 1,
+                        'include' => 1,
+                        'AM_ENABLE_MULTILIB' => 1,
+                        'AC_CANONICAL_TARGET' => 1,
                         'AC_FC_FREEFORM' => 1,
-                        'AM_XGETTEXT_OPTION' => 1,
                         'AM_AUTOMAKE_VERSION' => 1,
-                        'include' => 1,
+                        'AM_XGETTEXT_OPTION' => 1,
+                        'AM_PATH_GUILE' => 1,
+                        'm4_sinclude' => 1,
                         'AC_CANONICAL_SYSTEM' => 1,
-                        'AM_INIT_AUTOMAKE' => 1,
-                        'm4_pattern_forbid' => 1,
-                        'AC_CONFIG_AUX_DIR' => 1,
-                        'AM_SILENT_RULES' => 1,
-                        'AM_PROG_AR' => 1,
+                        'AM_GNU_GETTEXT_INTL_SUBDIR' => 1,
+                        'AC_SUBST' => 1,
+                        'LT_INIT' => 1,
+                        'AM_NLS' => 1,
+                        '_AM_COND_IF' => 1,
+                        'AM_GNU_GETTEXT' => 1,
                         'AC_FC_PP_DEFINE' => 1,
-                        'AC_CONFIG_HEADERS' => 1,
-                        '_AM_MAKEFILE_INCLUDE' => 1,
+                        'AM_PROG_LIBTOOL' => 1,
+                        'm4_include' => 1,
+                        'AM_PROG_AR' => 1,
+                        'AM_PROG_FC_C_O' => 1,
+                        'AM_PROG_CXX_C_O' => 1,
+                        'AM_PROG_CC_C_O' => 1,
+                        'AC_CONFIG_SUBDIRS' => 1,
+                        'AM_MAINTAINER_MODE' => 1,
+                        'AC_PROG_LIBTOOL' => 1,
                         'AC_CANONICAL_BUILD' => 1,
-                        'AM_MAKEFILE_INCLUDE' => 1,
+                        'AM_PROG_MOC' => 1,
+                        'AC_CANONICAL_HOST' => 1,
+                        'LT_SUPPORTED_TAG' => 1,
+                        'AC_CONFIG_HEADERS' => 1,
+                        'LT_CONFIG_LTDL_DIR' => 1,
+                        'AC_REQUIRE_AUX_FILE' => 1,
                         'AM_CONDITIONAL' => 1,
-                        'm4_include' => 1,
-                        'AC_INIT' => 1,
-                        'AC_DEFINE_TRACE_LITERAL' => 1,
+                        'AC_CONFIG_AUX_DIR' => 1,
+                        '_AM_COND_ENDIF' => 1,
+                        '_m4_warn' => 1,
+                        'AC_LIBSOURCE' => 1,
+                        'AC_CONFIG_FILES' => 1,
+                        'AH_OUTPUT' => 1,
+                        'AC_FC_PP_SRCEXT' => 1,
+                        'AM_POT_TOOLS' => 1,
                         'AC_SUBST_TRACE' => 1,
-                        '_AM_COND_IF' => 1,
-                        'AC_CANONICAL_HOST' => 1,
-                        'm4_pattern_allow' => 1,
-                        'AM_GNU_GETTEXT' => 1,
-                        'AC_CANONICAL_TARGET' => 1,
-                        'AM_ENABLE_MULTILIB' => 1
+                        'sinclude' => 1
                       }
                     ], 'Autom4te::Request' )
            );

data/funchook/config.log

@@ -10,7 +10,7 @@ generated by GNU Autoconf 2.69.  Invocation command line was
 ## Platform. ##
 ## --------- ##
 
-hostname = 190fbedb-dc16-42d3-8ff7-6ac407e6f5f6-sf5wp
+hostname = b8012d0f-931d-4789-bc7a-4c5ac30dcded-9cnnv
 uname -m = x86_64
 uname -r = 4.19.95-flatcar
 uname -s = Linux
@@ -326,7 +326,7 @@ generated by GNU Autoconf 2.69.  Invocation command line was
   CONFIG_COMMANDS = 
   $ ./config.status 
 
-on 190fbedb-dc16-42d3-8ff7-6ac407e6f5f6-sf5wp
+on b8012d0f-931d-4789-bc7a-4c5ac30dcded-9cnnv
 
 config.status:822: creating Makefile
 config.status:822: creating src/Makefile

data/lib/contrast/agent.rb

@@ -6,9 +6,8 @@ cs__scoped_require 'English'
 # This must precede other Contrast C extensions
 cs__scoped_require 'cs__common/cs__common'
 
-cs__scoped_require 'contrast/core_extensions/object'
-cs__scoped_require 'contrast/core_extensions/delegator'
-cs__scoped_require 'contrast/core_extensions/module'
+cs__scoped_require 'contrast/extensions/ruby_core/delegator'
+cs__scoped_require 'contrast/extensions/ruby_core/module'
 
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/utils/boolean_util'
@@ -32,16 +31,22 @@ cs__scoped_require 'contrast/api'
 
 cs__scoped_require 'contrast/utils/resource_loader'
 cs__scoped_require 'contrast/utils/duck_utils'
-cs__scoped_require 'contrast/utils/scope_util'
 cs__scoped_require 'contrast/agent/tracepoint_hook'
 cs__scoped_require 'contrast/agent/at_exit_hook'
 
+# Framework support
+cs__scoped_require 'contrast/framework/manager'
+
 module Contrast
   # Top namespace of the Agent section. Holds tracking contexts that will be
   # accessed throughout the Agent.
   module Agent
     # build a map for tracking the context of the current request
     REQUEST_TRACKER = Contrast::Utils::ThreadTracker.new
+
+    def self.framework_manager
+      @_framework_manager ||= Contrast::Framework::Manager.new
+    end
   end
 end
 
@@ -67,7 +72,12 @@ cs__scoped_require 'contrast/agent/assess'
 # These happen regardless of analysis mode, & should be lightweight.
 cs__scoped_require 'contrast/utils/rack_assess_session_cookie'
 cs__scoped_require 'contrast/utils/rails_assess_configuration'
-cs__scoped_require 'contrast/rails_extensions/assess/configuration'
+# Also: should document the necessity of patching this ASAP.
+# In Rails, session configuration occurs extremely early & only once.
+# If we defer our patching of the rails session configuration too long
+# (i.e., where we normally patch) we will miss the configuration
+# and will never be able to report session misconfiguration rules.
+cs__scoped_require 'contrast/extensions/framework/rails/configuration' if defined?(Rails)
 
 # protect rules
 cs__scoped_require 'contrast/agent/protect/rule'

data/lib/contrast/agent/assess.rb

@@ -8,7 +8,6 @@ module Contrast
     # class under this namespace should be required here, providing a single
     # point of require for this functionality.
     module Assess
-      cs__scoped_require 'contrast/agent/assess/class_reverter'
       cs__scoped_require 'contrast/agent/module_data'
       cs__scoped_require 'contrast/agent/rewriter'
       cs__scoped_require 'contrast/agent/assess/policy/preshift'

data/lib/contrast/agent/assess/contrast_event.rb

@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/utils/class_util'
 cs__scoped_require 'contrast/utils/prevent_serialization'
 
 module Contrast
@@ -23,7 +24,7 @@ module Contrast
               rep <<  if arg.is_a?(Hash)
                         safe_arg_hash_representation(arg)
                       else
-                        arg.cs__inspect
+                        Contrast::Utils::ClassUtil.to_contrast_string(arg)
                       end
             end
             rep
@@ -32,7 +33,7 @@ module Contrast
           def safe_arg_hash_representation hash
             # since this is the named hash for arguments, only the value is
             # suspect here
-            hash.transform_values(&:cs__inspect)
+            hash.transform_values { |v| Contrast::Utils::ClassUtil.to_contrast_string(v) }
           end
 
           # if given an object that can be duped, duplicate it. otherwise just
@@ -110,26 +111,26 @@ module Contrast
             # being called. We'll save all the information, but nothing will be
             # marked up, as nothing need be tracked
           when nil
-            @object = object.cs__inspect
+            @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
             @args = cs__class.safe_args_representation(args)
-            @ret = ret.cs__inspect
+            @ret = Contrast::Utils::ClassUtil.to_contrast_string(ret)
             # If the target is O, then we dup the O and safely represent the rest
           when Contrast::Utils::ObjectShare::OBJECT_KEY
             @object = cs__class.safe_dup(tagged)
             @args = cs__class.safe_args_representation(args)
-            @ret = ret.cs__inspect
+            @ret = Contrast::Utils::ClassUtil.to_contrast_string(ret)
             # If the target is R, then we dup the R and safely represent the rest
           when Contrast::Utils::ObjectShare::RETURN_KEY
-            @object = object.cs__inspect
+            @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
             @args = cs__class.safe_args_representation(args)
             @ret = cs__class.safe_dup(tagged)
             # If the target is P*, then we need to dup things a differently. We
             # need to find the true target inside so that we can mark it up
             # later, but the other args should be represented as their safe form.
           else
-            @object = object.cs__inspect
+            @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
             @args = cs__class.safe_args_representation(args)
-            @ret = ret.cs__inspect
+            @ret = Contrast::Utils::ClassUtil.to_contrast_string(ret)
             save_target_arg(target, tagged)
           end
         end

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -15,26 +15,33 @@ module Contrast
           READ_TABLE = 'readTable'
           READ_COLUMN = 'readColumn'
           class << self
+            # Given a Class representing a table in a Database and a map of
+            # methods representing columns, generate sources for each method
+            # such that calls to that method will result in a Source Event.
+            #
+            # @param klass [Class] the Class to taint
+            # @param tainted_columns [Hash<String, Contrast::Agent::Assess::Properties>]
+            #   the name of the method to taint, mapped to the properties it
+            #   should apply
             def create_sources klass, tainted_columns
+              class_name = klass.cs__name
               instance_methods = klass.instance_methods
               instance_methods.concat(klass.private_instance_methods)
-              tainted_columns.each_pair do |field, events|
-                dynamic_source_node = create_source_node(klass, field)
-                Contrast::Agent::Assess::Policy::Policy.instance.add_node(dynamic_source_node, :dynamic_source)
+              tainted_columns.each_pair do |field, properties|
+                next unless properties
 
-                method_policy = Contrast::Agent::Patching::Policy::MethodPolicy.new
-                method_policy.method_name = field.to_sym
-                method_policy.method_visibility = :public
-                method_policy.instance_method = true
-                method_policy.source_node = dynamic_source_node
-                Contrast::Agent::Patching::Policy::Patcher.patch_method(klass, instance_methods, method_policy)
+                method_name = field.to_sym
+                # Move on if we already know about this Dynamic Source
+                next if Contrast::Agent::Assess::Policy::Policy.instance.find_source_node(class_name, method_name, true)
 
+                dynamic_source_node = create_source_node(class_name, method_name, Set.new(properties.tag_keys))
+                Contrast::Agent::Assess::Policy::Policy.instance.add_node(dynamic_source_node, :dynamic_source)
+                method_policy = build_source_policy(method_name, dynamic_source_node)
+                Contrast::Agent::Patching::Policy::Patcher.patch_method(klass, instance_methods, method_policy)
                 current_context = Contrast::Agent::REQUEST_TRACKER.current
+                next unless current_context
 
-                next unless current_context.activity.dynamic_sources[dynamic_source_node.id]
-
-                dynamic_source = create_dynamic_source(current_context, dynamic_source_node, field, events)
-
+                dynamic_source = create_dynamic_source(current_context, dynamic_source_node, field, properties)
                 node_id = Contrast::Utils::StringUtils.force_utf8(dynamic_source_node.id)
                 current_context.activity.dynamic_sources[node_id] = dynamic_source
               end
@@ -42,25 +49,68 @@ module Contrast
 
             private
 
-            def create_source_node klass, field
+            # Given a class and method, create a SourceNode for them that will
+            # add the given tags as well as properties required to construct a
+            # finding with a TAINTED_DATABASE source
+            #
+            # @param class_name [String] the name of the Class to patch
+            # @param method_name [Symbol] the name of the Method to patch
+            # @param tags [Set<String>] the tags this event should apply
+            # @return [Contrast::Agent::Assess::Policy::SourceNode]
+            def create_source_node class_name, method_name, tags
               node = Contrast::Agent::Assess::Policy::SourceNode.new
-              node.class_name = klass.cs__name
+              node.class_name = class_name
               node.instance_method = true
-              node.method_name = field.to_sym
+              node.method_name = method_name
               node.method_visibility = :public
               node.target_string = Contrast::Utils::ObjectShare::RETURN_KEY
               node.type = DB_SOURCE_TYPE
+              node.tags = tags
+              node.tags << 'DATABASE_WRITE'
               node.add_property('dynamic_source_id', node.id)
+              node.add_property('dynamic_source_name', "#{ class_name }.#{ method_name }")
+              node.add_property(READ_TABLE, class_name)
+              node.add_property(READ_COLUMN, method_name)
+              node.add_property(WRITE_QUERY_TIME, Contrast::Utils::Timer.now_ms)
+              url = Contrast::Agent::REQUEST_TRACKER.current&.request&.normalized_uri
+              node.add_property(WRITE_QUERY_URL, url)
               node
             end
 
-            def create_dynamic_source current_context, source_node, field, events
+            # @param method_name [Symbol] the name of the Method to which this
+            #   method applies
+            # @param dynamic_source_node [Contrast::Api::Dtm::DynamicSource]
+            #   the SourceNode that applies to this method
+            # @return [Contrast::Agent::Patching::Policy::MethodPolicy] the
+            #   policy to apply to the given method
+            def build_source_policy method_name, dynamic_source_node
+              method_policy = Contrast::Agent::Patching::Policy::MethodPolicy.new
+              method_policy.method_visibility = :public
+              method_policy.instance_method = true
+              method_policy.method_name = method_name
+              method_policy.source_node = dynamic_source_node
+              method_policy
+            end
+
+            # @param current_context [Contrast::Agent::RequestContext] the
+            #   context of the request in which this source is to be created.
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
+            #   the SourceNode that applies to this method
+            # @param field [String] the name of the method to which this source
+            #   applies
+            # @param properties [Contrast::Agent::Assess::Properties] the
+            #   properties which this source should relate to the data tracked
+            #   as a result of this Source Method
+            # @return [Contrast::Api::Dtm::DynamicSource] the message to send
+            #   to the Service to allow it to report the events leading up to
+            #   the creation of the Dynamic Source
+            def create_dynamic_source current_context, source_node, field, properties
               dynamic_source = Contrast::Api::Dtm::DynamicSource.new
               dynamic_source.class_name = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.method_name = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.instance_method = source_node.instance_method?
               dynamic_source.target = Contrast::Utils::StringUtils.force_utf8(source_node.target_string)
-              events.each do |event|
+              properties.events.each do |event|
                 dynamic_source.events << event.to_dtm_event
               end
               dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)

data/lib/contrast/agent/assess/policy/policy.rb

@@ -95,20 +95,6 @@ module Contrast
             Contrast::Agent::Assess::Rule::Provider::HardcodedKey,
             Contrast::Agent::Assess::Rule::Provider::HardcodedPassword
           ].cs__freeze
-
-          # Handles updating the dynamic sources of this Application and indicates
-          # if doing so results in a state that requires repatching -- i.e. new
-          # dynamic sources have been discovered by agents monitoring other
-          # instances of this application
-          def update_dynamic_sources dynamic_sources_map
-            dynamic_sources_map.each do |key, dynamic_source|
-              # key is the dynamic source node id
-              next if sources.any? { |source| source.id == key }
-
-              dynamic_source_node = Contrast::Agent::Assess::Policy::SourceNode.build_dynamic_source(key, dynamic_source)
-              add_node(dynamic_source_node, :dynamic_source)
-            end
-          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -3,7 +3,7 @@
 
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/core_extensions/assess/assess_extension'
+cs__scoped_require 'contrast/extensions/ruby_core/assess/assess_extension'
 
 module Contrast
   module Agent

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -58,7 +58,7 @@ module Contrast
           private
 
           def unsafe_io_object? object, initializing
-            Contrast::Utils::DuckUtils.quacks_like_closable_io(object) && !initializing && object.closed?
+            Contrast::Utils::DuckUtils.closable_io?(object) && !initializing && object.closed?
           end
 
           def can_dup? initializing, object

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -98,9 +98,9 @@ module Contrast
                     "Propagator #{ propagation_node.id } detected: propagated to #{ target.__id__ }")
               elsif Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
                 handle_cs_properties_propagation(propagation_node, preshift, target, object, ret, invoked, args, block)
-              elsif Contrast::Utils::DuckUtils.quacks_like_tracked_hash?(target)
+              elsif Contrast::Utils::DuckUtils.iterable_hash?(target)
                 handle_hash_propagation(propagation_node, preshift, target, object, ret, invoked, args, block)
-              elsif Contrast::Utils::DuckUtils.quacks_like_tracked_enumerable?(target)
+              elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
                 handle_enumerable_propagation(propagation_node, preshift, target, object, ret, invoked, args, block)
               end
             rescue StandardError => e
@@ -227,6 +227,8 @@ module Contrast
                 ret = Contrast::Utils::FreezeUtil.unfreeze_dup(target)
                 target = ret
               end
+              return if target.cs__properties == Contrast::Agent::Assess::Insulator.generate_frozen.properties
+
               propagation_class.propagate(propagation_node, preshift, target)
 
               # Once we've propagated, attempt to tag the target if there is a tag(s) to be applied

data/lib/contrast/agent/assess/policy/propagator/custom.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/core_extensions/module'
+cs__scoped_require 'contrast/extensions/ruby_core/module'
 
 module Contrast
   module Agent

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -36,7 +36,7 @@ module Contrast
                     value.cs__properties.build_event(propagation_node, value, preshift.object, target, preshift.args)
                     next unless tracked_value?(value)
 
-                    tainted_columns[key] = value.cs__properties.events
+                    tainted_columns[key] = value.cs__properties
                   end
                 end