contrast-agent 3.8.5 → 3.9.0

data/lib/contrast/agent/assess/policy/propagator/splat.rb

@@ -22,12 +22,12 @@ module Contrast
                     arg = preshift.args[source]
                     if arg.is_a?(String)
                       tracked_inputs << arg if arg.cs__tracked?
-                    elsif Contrast::Utils::DuckUtils.quacks_like_tracked_hash?(arg)
+                    elsif Contrast::Utils::DuckUtils.iterable_hash?(arg)
                       arg.each_pair do |key, value|
                         tracked_inputs << key if tracked_value?(key)
                         tracked_inputs << value if tracked_value?(value)
                       end
-                    elsif Contrast::Utils::DuckUtils.quacks_like_tracked_enumerable?(arg)
+                    elsif Contrast::Utils::DuckUtils.iterable_enumerable?(arg)
                       arg.each do |value|
                         tracked_inputs << value if tracked_value?(value)
                       end

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -1,6 +1,10 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/agent/assess/policy/preshift'
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/utils/thread_tracker'
+
 module Contrast
   module Agent
     module Assess
@@ -9,8 +13,15 @@ module Contrast
           # This class is specifically for String#split & String#grapheme_clusters propagation
           # it propagates tag ranges from a string to elements within an untracked array
           class Split < Contrast::Agent::Assess::Policy::Propagator::Base
+            include Contrast::Components::Interface
+
+            access_component :agent, :logging
+
+            SPLIT_TRACKER = Contrast::Utils::ThreadTracker.new
             class << self
               def propagate propagation_node, preshift, target
+                return Contrast::Agent::Assess::Policy::Propagator::Keep.propagate(propagation_node, preshift, target) unless target.is_a?(Array)
+
                 source = find_source(propagation_node.sources[0], preshift)
 
                 separator_length = if propagation_node.method_name == :grapheme_clusters
@@ -22,7 +33,6 @@ module Contrast
                                    end
 
                 current_index = 0
-
                 target.each do |elem|
                   elem_length = elem.length
                   range = Contrast::Agent::Assess::AdjustedSpan.new(current_index, current_index + elem_length)
@@ -40,6 +50,132 @@ module Contrast
                   current_index = current_index + elem_length + separator_length
                 end
               end
+
+              # Marks the point in which the String#split method is called.
+              # Responsible for building the context required to propagate when
+              # the results of #split are yielded directly to a block
+              #
+              # @param string [String] the String on which split is invoked
+              # @param args [Array<Object>] the arguments passed to the
+              #   original split call
+              def begin_split string, args
+                save_split_depth!
+                depth = SPLIT_TRACKER.get(:split_depth)
+                save_split_index!(depth)
+                save_split_value!(depth, string, args)
+              rescue Exception => e # rubocop:disable Lint/RescueException
+                # don't let our errors propagate and disable String#split for
+                # this since we're in an error state
+                logger.warn(e, 'Unable to record split context')
+                end_split
+              end
+
+              # Marks the point in which the String#split method is exited.
+              # Responsible for removing the context required to propagate when
+              # the results of #split are yielded directly to a block
+              def end_split
+                depth = SPLIT_TRACKER.get(:split_depth)
+                return unless depth
+
+                depth -= 1
+                if depth.negative?
+                  SPLIT_TRACKER.delete(:split_depth)
+                  SPLIT_TRACKER.delete(:split_index)
+                  SPLIT_TRACKER.delete(:split_value)
+                else
+                  SPLIT_TRACKER.set(:split_depth, depth)
+                end
+              rescue StandardError => e
+                logger.warn(e, 'Unable to remove split context')
+              end
+
+              # This method is called whenever an rb_yield is called. We need
+              # to leave it as soon as possible with as little work as
+              # possible.
+              #
+              # @param target [String] the entity being passed to the yield
+              #   block
+              def propagate_yield target
+                depth = SPLIT_TRACKER.get(:split_depth)
+                return unless depth
+
+                source = SPLIT_TRACKER.get(:split_value)&.fetch(depth)
+                return unless source
+
+                index = SPLIT_TRACKER.get(:split_index)&.fetch(depth)
+                return unless index
+
+                true_source = source[index]
+                target.cs__copy_from(true_source)
+              rescue StandardError => e
+                logger.warn(e, 'Unable to track within split context')
+              ensure
+                if defined?(depth) && defined?(index) && depth && index
+                  idx = SPLIT_TRACKER.get(:split_index)
+                  idx[depth] = index + 1 if defined?(idx) && idx.is_a?(Array)
+                end
+              end
+
+              def instrument_string_split
+                if @_instrument_string_split.nil?
+                  @_instrument_string_split = begin
+                                                cs__scoped_require 'cs__assess_yield_track/cs__assess_yield_track' if AGENT.patch_yield?
+                                                true
+                                              rescue StandardError => e
+                                                logger.error(e, 'Error loading split rb_yield patch')
+                                                false
+                                              end
+                end
+                @_instrument_string_split
+              end
+
+              private
+
+              def save_split_depth!
+                depth = SPLIT_TRACKER.get(:split_depth)
+                if depth
+                  depth += 1
+                  SPLIT_TRACKER.set(:split_depth, depth)
+                else
+                  SPLIT_TRACKER.set(:split_depth, 0)
+                end
+              end
+
+              def save_split_index! depth
+                split_index = SPLIT_TRACKER.get(:split_index)
+                unless split_index
+                  split_index = []
+                  SPLIT_TRACKER.set(:split_index, split_index)
+                end
+                # save the index to the ThreadLocal; not useless
+                split_index[depth] = 0 # rubocop:disable Lint/UselessSetterCall
+              end
+
+              def save_split_value! depth, string, args
+                preshift = Contrast::Agent::Assess::PreShift.build_preshift(split_node, string, args)
+                target = string.split
+                propagate(split_node, preshift, target)
+                split_value = SPLIT_TRACKER.get(:split_value)
+                unless split_value
+                  split_value = []
+                  SPLIT_TRACKER.set(:split_value, split_value)
+                end
+                # save the target to the ThreadLocal; not useless
+                split_value[depth] = target # rubocop:disable Lint/UselessSetterCall
+              end
+
+              # Quick hook to the String#split propagation node in our Assess
+              # policy
+              #
+              # @return [Contrast::Agent::Assess::Policy::PropagationNode]
+              #   String#split node
+              def split_node
+                @_split_node ||= begin
+                                   Contrast::Agent::Assess::Policy::Policy.instance.propagators.find do |node|
+                                     node.class_name == 'String' && node.method_name == :split && node.instance_method?
+                                   end
+                                 end
+              end
             end
           end
         end
@@ -47,3 +183,32 @@ module Contrast
     end
   end
 end
+
+if RUBY_VERSION >= '2.6.0'
+  # Special class to handle String#split in 2.6 which, when given a block,
+  # propagates each split piece directly
+  class String
+    alias_method :cs__patched_string_split_special, :split
+
+    # override of the the standard split method to handle the 2.6 direct
+    # yield case.
+    #
+    # Note: because this patch is applied before our standard propagation, this
+    # call wrapped in it. As such, any call here happens in scope, so there is
+    # no need to manage it on our own.
+    def split *args, &block
+      if block
+        Contrast::Agent::Assess::Policy::Propagator::Split.begin_split(self, args)
+        begin
+          cs__patched_string_split_special(*args, &block)
+        ensure
+          Contrast::Agent::Assess::Policy::Propagator::Split.end_split
+        end
+      else
+        cs__patched_string_split_special(*args, &block)
+      end
+    end
+  end
+
+  Contrast::Agent::Assess::Policy::Propagator::Split.instrument_string_split
+end

data/lib/contrast/agent/assess/policy/rewriter_patch.rb

@@ -47,6 +47,7 @@ module Contrast
               return unless ASSESS.enabled?
               return unless AGENT.rewrite_interpolation?
               return unless AGENT.interpolation_enabled?
+              return if AGENT.skip_instrumentation? mod.cs__name
               return if mod.cs__frozen?
               return if mod.singleton_class?
               return if mid_defining?(mod)

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -13,6 +13,7 @@ cs__scoped_require 'set'
 cs__scoped_require 'contrast/utils/object_share'
 cs__scoped_require 'contrast/utils/sha256_builder'
 cs__scoped_require 'contrast/agent/assess/adjusted_span'
+cs__scoped_require 'contrast/agent/assess/policy/source_validation/source_validation'
 
 cs__scoped_require 'contrast/components/interface'
 
@@ -28,109 +29,149 @@ module Contrast
           include Contrast::Components::Interface
           access_component :logging, :analysis
 
-          def self.determine_target source_node, object, ret, args
-            source_target = source_node.targets[0]
-            case source_target
-            when Contrast::Utils::ObjectShare::RETURN_KEY
-              ret
-            when Contrast::Utils::ObjectShare::OBJECT_KEY
-              object
-            else
-              if source_target.is_a?(Integer)
-                args[source_target]
-                # If this isn't an index param, it's a named one. R.I.P.
-              else
-                arg = nil
-                args.each do |search|
-                  next unless search.is_a?(Hash)
+          PARAMETER_TYPE     = 'PARAMETER'
+          PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
+          HEADER_TYPE        = 'HEADER'
+          HEADER_KEY_TYPE    = 'HEADER_KEY'
+          COOKIE_TYPE        = 'COOKIE'
+          COOKIE_KEY_TYPE    = 'COOKIE_KEY'
 
-                  arg = search[source_target]
-                  break if arg
-                end
-                arg
+          class << self
+            # This is called from within our woven proc. It will be called as if it
+            # were inline in the Rack application.
+            #
+            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+            #   the policy that applies to the method being called
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method
+            #   was invoked
+            # @return [Object, nil] the tracked Return or nil if no changes
+            #   were made
+            def source_patchers method_policy, object, ret, args
+              return if method_policy.source_node.nil?
+
+              current_context = Contrast::Agent::REQUEST_TRACKER.current
+              return unless current_context&.analyze_request? && ASSESS.enabled?
+
+              replaced_return = nil
+              source_node = method_policy.source_node
+
+              target = determine_target(source_node, object, ret, args)
+
+              # We don't propagate to frozen things that haven't been tracked
+              # before. By definition, something that is a source has not
+              # previously been tracked; therefore, we can break out early.
+              if target.cs__frozen?
+                # That being said, we don't have enough context to know if we
+                # can make this assumption and still function, so we'll allow for
+                # source tracking of frozen things by a common config setting.
+                #
+                # Rails' StrongParameters make a case for this to be default
+                # behavior
+                return replaced_return unless ASSESS.track_frozen_sources?
+
+                # If we're tracking the frozen target, we need to unfreeze
+                # (dup) it to track and then freeze that result. For
+                # simplicities sake, we ONLY do this if the return is the
+                # target (I don't want to have to deal with unfreezing self)
+                return replaced_return unless source_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+                restore_frozen_state = true
+                ret = Contrast::Utils::FreezeUtil.unfreeze_dup(ret)
+                target = ret
               end
-            end
-          end
 
-          # This is called from within our woven proc. It will be called as if it
-          # were inline in the Rack application.
-          def self.source_patchers method_policy, object, ret, args
-            return if method_policy.source_node.nil?
-
-            current_context = Contrast::Agent::REQUEST_TRACKER.current
-            return unless current_context&.analyze_request? && ASSESS.enabled?
-
-            replaced_return = nil
-            source_node = method_policy.source_node
-
-            target = determine_target(source_node, object, ret, args)
-
-            # We don't propagate to frozen things that haven't been tracked
-            # before. By definition, something that is a source has not
-            # previously been tracked; therefore, we can break out early.
-            if target.cs__frozen?
-              # That being said, we don't have enough context to know if we
-              # can make this assumption and still function, so we'll allow for
-              # source tracking of frozen things by a common config setting.
-              #
-              # Rails' StrongParameters make a case for this to be default
-              # behavior
-              return replaced_return unless ASSESS.track_frozen_sources?
-
-              # If we're tracking the frozen target, we need to unfreeze
-              # (dup) it to track and then freeze that result. For
-              # simplicities sake, we ONLY do this if the return is the
-              # target (I don't want to have to deal with unfreezing self)
-              return replaced_return unless source_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
-
-              restore_frozen_state = true
-              ret = Contrast::Utils::FreezeUtil.unfreeze_dup(ret)
-              target = ret
-            end
+              invoked = 3 # apply_post_patch => apply_assess => source_patchers
+              apply_source(current_context, source_node, target, object, ret, source_node.type, nil, invoked, *args)
 
-            SourceMethod.cs__apply_source(current_context, source_node, target, object, ret, *args)
+              ret.cs__freeze if restore_frozen_state
+              ret
+            end
 
-            ret.cs__freeze if restore_frozen_state
-            ret
-          end
+            private
 
-          # This is our method that actually taints the object our source_node
-          # targets.
-          def self.cs__apply_source context, source_node, target, object, ret, *args
-            return unless context
-
-            source_node_source = source_node.sources[0]
-            source_name = case source_node_source
-                          when nil
-                            nil
-                          when Contrast::Utils::ObjectShare::RETURN_KEY
-                            ret
-                          when Contrast::Utils::ObjectShare::OBJECT_KEY
-                            self
-                          else
-                            args[source_node_source]
-                          end
-            _cs__apply_source context, source_node, target, object, ret, source_node.type, source_name, 0, *args
-          end
+            # This is our method that actually taints the object our
+            # source_node targets.
+            #
+            # @param context [Contrast::Utils::ThreadTracker] the current request
+            #   context
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
+            #   the node to direct applying this source event
+            # @param target [Object] the target of the Source Event
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param source_type [String] the type of this source, from the
+            #   source_node, or a KEY_TYPE if invoked for a map
+            # @param source_name [String, nil] the name of this source, i.e.
+            #   the key used to accessed if from a map or nil if a type like
+            #   BODY
+            # @param invoked [Integer] the depth of this invocation from
+            #   application code; often a lie.
+            # @param args [Array<Object>] the Arguments with which the method
+            #   was invoked
+            def apply_source context, source_node, target, object, ret, source_type, source_name = nil, invoked = 0, *args
+              return unless context && source_node && target
 
-          # I lied above. We had to figure out what the target of the source was.
-          # Now that we know, we'll actually tag it.
-          def self._cs__apply_source context, source_node, target, object, ret, source_type, source_name = nil, invoked = 0, *args
-            return unless context && source_node && target
+              source_name ||= determine_source_name(source_node, object, ret, *args)
+              # We know we only work on certain things.
+              # Skip if this isn't one of them
+              if Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
+                apply_tags(source_node, target, object, ret, source_type, source_name, invoked, *args)
+                # While we don't taint hashes themselves, we may taint the things
+                # they hold. Let's pass their keys and values back to ourselves and
+                # try again
+              elsif Contrast::Utils::DuckUtils.iterable_hash?(target)
+                source_key_type = invoked.zero? ? key_type(source_type) : source_type
+                invoked += 1
+                to_replace = []
+                target.each_pair do |key, value|
+                  # We only do this for Strings b/c of the way Hash lookup works.
+                  # To replace another object would break hash lookup and,
+                  # therefore, the application
+                  if ASSESS.track_frozen_sources? &&
+                        key.is_a?(String) &&
+                        Contrast::Utils::DuckUtils.quacks_to?(target, :delete)
+                    key = Contrast::Utils::FreezeUtil.unfreeze_dup(key)
+                    to_replace << key
+                  end
+                  apply_source(context, source_node, key, object, ret, source_key_type, key, invoked, *args)
+                  apply_source(context, source_node, value, object, ret, source_type, key, invoked, *args)
+                end
 
-            # We know we only work on certain things.
-            # Skip if this isn't one of them
-            if Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
+                # Hash is designed to keep one instance of the string key in it.
+                # We need to remove the existing one and replace it with our new
+                # tracked one.
+                to_replace.each do |key|
+                  key.cs__freeze
+                  value = target[key]
+                  target.delete(key)
+                  target[key] = value
+                end
+                # While we don't taint arrays themselves, we may taint the things
+                # they hold. Let's pass their keys and values back to ourselves and
+                # try again
+              elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
+                invoked += 1
+                target.each { |value| apply_source(context, source_node, value, object, ret, source_type, source_name, invoked, *args) }
+              end
+            rescue StandardError => e
+              logger.warn(e, "Unable to apply source for source_node #{ source_node.id }")
+            end
 
+            def apply_tags source_node, target, object, ret, source_type, source_name, invoked, *args
               # don't apply second source -- probably needs tuning later if we
               # use more than 'UNTRUSTED' in our sources
               return if target.cs__tracked? || target.cs__frozen?
 
+              invoked += 1
               # otherwise for each tag this source_node applies, create a tag range
               # on the target object
               # I realize this looping is counter-intuitive from the above
               # message, that's why we're revisiting.
               source_node.tags.each do |tag|
+                next unless Contrast::Agent::Assess::Policy::SourceValidation.valid?(tag, source_type, source_name)
+
                 length = Contrast::Utils::StringUtils.ret_length(target)
                 target.cs__properties.add_tag(tag, Contrast::Agent::Assess::AdjustedSpan.new(0, length))
                 target.cs__properties.add_properties(source_node.properties)
@@ -139,67 +180,85 @@ module Contrast
 
               # make a representation of this method that TeamServer can render
               target.cs__properties.build_event(source_node, target, object, ret, args, invoked, source_type, source_name)
+            end
 
-              # While we don't taint hashes themselves, we may taint the things
-              # they hold. Let's pass their keys and values back to ourselves and
-              # try again
-            elsif Contrast::Utils::DuckUtils.quacks_like_tracked_hash?(target)
-              source_key_type = invoked.zero? ? key_type(source_type) : source_type
-              invoked += 1
-              to_replace = []
-              target.each_pair do |key, value|
-                # We only do this for Strings b/c of the way Hash lookup works.
-                # To replace another object would break hash lookup and,
-                # therefore, the application
-                if ASSESS.track_frozen_sources? &&
-                      key.is_a?(String) &&
-                      Contrast::Utils::DuckUtils.quacks_to?(target, :delete)
-                  key = Contrast::Utils::FreezeUtil.unfreeze_dup(key)
-                  to_replace << key
-                end
-                _cs__apply_source(context, source_node, key, object, ret, source_key_type, key, invoked, *args)
-                _cs__apply_source(context, source_node, value, object, ret, source_type, key, invoked, *args)
-              end
+            # Find the name of the source
+            #
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
+            #   the node to direct applying this source event
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method
+            #   was invoked
+            # @return [String, nil] the human readable name of the target to
+            #   which this source event applies, or nil if none provided by the
+            #   node
+            def determine_source_name source_node, object, ret, *args
+              return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
 
-              # Hash is designed to keep one instance of the string key in it.
-              # We need to remove the existing one and replace it with our new
-              # tracked one.
-              to_replace.each do |key|
-                key.cs__freeze
-                value = target[key]
-                target.delete(key)
-                target[key] = value
+              source_node_source = source_node.sources[0]
+              case source_node_source
+              when nil
+                nil
+              when Contrast::Utils::ObjectShare::RETURN_KEY
+                ret
+              when Contrast::Utils::ObjectShare::OBJECT_KEY
+                object
+              else
+                args[source_node_source]
               end
-              # While we don't taint arrays themselves, we may taint the things
-              # they hold. Let's pass their keys and values back to ourselves and
-              # try again
-            elsif Contrast::Utils::DuckUtils.quacks_like_tracked_enumerable?(target)
-              invoked += 1
-              target.each { |value| _cs__apply_source(context, source_node, value, object, ret, source_type, source_name, invoked, *args) }
             end
-          rescue StandardError => e
-            logger.warn(e, "Unable to apply source for source_node #{ source_node.id }")
-          end
 
-          # Silly helper method so that TeamServer can properly mark up
-          # the source of this trace, if this source ends up in a trigger
-          PARAMETER_TYPE     = 'PARAMETER'
-          PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
-          HEADER_TYPE        = 'HEADER'
-          HEADER_KEY_TYPE    = 'HEADER_KEY'
-          COOKIE_TYPE        = 'COOKIE'
-          COOKIE_KEY_TYPE    = 'COOKIE_KEY'
+            # Find the literal target of the propagation
+            #
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
+            #   the node to direct applying this source event
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method
+            #   was invoked
+            # @return [Object] the target to which this source event applies
+            def determine_target source_node, object, ret, args
+              source_target = source_node.targets[0]
+              case source_target
+              when Contrast::Utils::ObjectShare::RETURN_KEY
+                ret
+              when Contrast::Utils::ObjectShare::OBJECT_KEY
+                object
+              else
+                if source_target.is_a?(Integer)
+                  args[source_target]
+                  # If this isn't an index param, it's a named one. R.I.P.
+                else
+                  arg = nil
+                  args.each do |search|
+                    next unless search.is_a?(Hash)
 
-          def self.key_type source_type
-            case source_type
-            when PARAMETER_TYPE
-              PARAMETER_KEY_TYPE
-            when HEADER_TYPE
-              HEADER_KEY_TYPE
-            when COOKIE_TYPE
-              COOKIE_KEY_TYPE
-            else
-              source_type
+                    arg = search[source_target]
+                    break if arg
+                  end
+                  arg
+                end
+              end
+            end
+
+            # Simple helper method to flip the type from value to key when the
+            # source is the key of a Hash
+            #
+            # @param source_type [String] the original value source type
+            # @return [String] the key form of the source type, if one exists,
+            #   else the original source type
+            def key_type source_type
+              case source_type
+              when PARAMETER_TYPE
+                PARAMETER_KEY_TYPE
+              when HEADER_TYPE
+                HEADER_KEY_TYPE
+              when COOKIE_TYPE
+                COOKIE_KEY_TYPE
+              else
+                source_type
+              end
             end
           end
         end