contrast-agent 3.8.5 → 3.9.0

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -101,13 +101,13 @@ module Contrast
             return false unless source.cs__tracked?
 
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = find_ranges_by_tag(source.cs__properties, required_tags)
+            vulnerable_ranges = find_ranges_by_all_tags(Contrast::Utils::StringUtils.ret_length(source), source.cs__properties, required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 
             # find the ranges that are exempt from the rule
             # (validated, sanitized, etc)
-            secure_ranges = find_ranges_by_tag(source.cs__properties, disallowed_tags)
+            secure_ranges = find_ranges_by_any_tag(source.cs__properties, disallowed_tags)
             # if there are vulnerable ranges and no secure, report
             return true if secure_ranges.empty?
 
@@ -135,7 +135,7 @@ module Contrast
             return unless dataflow?
 
             validate_rule_tags(required_tags)
-            @required_tags = required_tags || []
+            @required_tags = Set.new(required_tags)
             @required_tags << UNTRUSTED
           end
 
@@ -153,7 +153,7 @@ module Contrast
             return unless dataflow?
 
             validate_rule_tags(disallowed_tags)
-            @disallowed_tags = disallowed_tags || []
+            @disallowed_tags = Set.new(disallowed_tags)
             @disallowed_tags << LIMITED_CHARS
             @disallowed_tags << CUSTOM_ENCODED
             @disallowed_tags << CUSTOM_VALIDATED
@@ -172,14 +172,60 @@ module Contrast
             end
           end
 
-          def find_ranges_by_tag cs__properties, tags
+          # Find the ranges that satisfy all of the given tags.
+          #
+          # @param length [Integer] the length of the object which may have the
+          #   given tags -- used as the maximum index to search for all of the
+          #   tags.
+          # @param cs__properties [Contrast::Agent::Assess::Properties] the
+          #   properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
+          #   by the given conditions
+          def find_ranges_by_all_tags length, cs__properties, tags
+            # if there aren't any all_tags or tags, break early
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless cs__properties.tracked?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
+
+            # :zap: faster to treat all as any if there's only one tag
+            return find_ranges_by_any_tag(cs__properties, tags) if tags.length == 1
+
             ranges = []
+            # find all the indicies on the source that have all the given tags
+            (0..length).each do |idx|
+              tags_at = cs__properties.tag_names_at(idx)
+              ranges << idx if tags.all? { |tag| tags_at.include?(tag) }
+            end
+            # break early if no indicies satisfy all the tags
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY if ranges.empty?
+
+            # chunk all the adjacent ranges
+            chunked = ranges.chunk_while { |i, j| i + 1 == j }
+            tag_ranges = []
+            # and convert them into Tags
+            chunked.each do |join|
+              start = join[0]
+              stop = join[-1]
+              # add the 1 to account for end index being exclusive
+              tag_length = stop - start + 1
+              tag_ranges = Contrast::Utils::TagUtil.ordered_merge(tag_ranges, Tag.new(tag_length, start))
+            end
+            tag_ranges
+          end
 
+          # Find the ranges that satisfy any of the given tags.
+          #
+          # @param cs__properties [Contrast::Agent::Assess::Properties] the
+          #   properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
+          #   by the given conditions
+          def find_ranges_by_any_tag cs__properties, tags
             # if there aren't any all_tags or tags, break early
-            return ranges unless cs__properties.tracked?
-            return ranges unless tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless cs__properties.tracked?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
 
-            # find all tags that match the desired ones
+            ranges = []
             tags.each do |desired|
               found = cs__properties.fetch_tag(desired)
               next unless found
@@ -188,7 +234,6 @@ module Contrast
               # used in another trace
               ranges = Contrast::Utils::TagUtil.ordered_merge(ranges, found.dup)
             end
-
             ranges
           end
         end

data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb

@@ -18,6 +18,19 @@ module Contrast
             Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator
           ].cs__freeze
 
+          # Determines if the conditions in which this trigger was called are
+          # valid and should result in the generation of a
+          # Contrast::Api::Dtm::Finding.
+          #
+          # @param patcher [Contrast::Agent::Assess::Policy::TriggerNode] the
+          #   Node which applies to the Trigger Method
+          # @param object [Object] the Object on which the Trigger Method was
+          #   invoked
+          # @param ret [Object] the return of the Trigger Method
+          # @param args [Array<Object>] the Arguments with which the Trigger
+          #   Method was invoked
+          # @return [Boolean] if the conditions are valid for the generation of
+          #   a Contrast::Api::Dtm::Finding
           def self.valid? patcher, object, ret, args
             VALIDATORS.each do |validator|
               return false unless validator.valid?(patcher, object, ret, args)

data/lib/contrast/agent/assess/properties.rb

@@ -66,6 +66,10 @@ module Contrast
         # to be expanded out to the size of the new String.
         #
         # Note: Tags do not know their key, so this is only the range covered
+        #
+        # @param idx [Integer] the index to check for tags
+        # @return [Array<Contrast::Agent::Assess::Tag>] a set of all the Tags
+        #   covering the given index. This is only the ranges, not the names.
         def tags_at idx
           return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags?
 
@@ -82,6 +86,27 @@ module Contrast
           at
         end
 
+        # Find all of the tag names that span a given index.
+        #
+        # @param idx [Integer] the index to check for tags
+        # @return [Set<String>] a set of all the tags covering the given index.
+        #   This is only the names of the tags, not their ranges.
+        def tag_names_at idx
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags?
+
+          at = Set.new
+          tags.each_pair do |tag_name, tag_array|
+            tag_array.each do |tag|
+              if tag.covers?(idx)
+                at << tag_name
+              elsif tag.above?(idx)
+                break
+              end
+            end
+          end
+          at
+        end
+
         # given a range, select all tags in that range the selected tags are
         # shifted such that the start index of the new tag (0) aligns with the
         # given start index in the range
@@ -127,6 +152,10 @@ module Contrast
         # collection. If the given range touches an existing tag,
         # we'll combine the two, adjusting the existing one and
         # dropping this new one.
+        #
+        # @param label [String] the name of the tag
+        # @param range [Contrast::Agent::Assess::AdjustedSpan] the span that
+        #   the tag covers
         def add_tag label, range
           length = range.stop - range.start
           tag = Contrast::Agent::Assess::Tag.new(length, range.start)

data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb

@@ -20,46 +20,50 @@ module Contrast
 
             CS__CSRF_LOG_MSG = 'applying CSRF assess rule'
 
-            def self.rule
-              @_rule ||= Contrast::Agent::FeatureState.instance.assess_rule(
-                  Contrast::Agent::Assess::Rule::Csrf::NAME)
-            end
-
-            def self.csrf_tagger patcher, preshift, _ret, _block
-              return unless rule&.enabled?
+            class << self
+              def csrf_tagger patcher, preshift, _ret, _block
+                return unless rule&.enabled?
 
-              idx = patcher.sources[0].to_i
-              args = preshift.args
-              return unless args&.length.to_i > idx
+                idx = patcher.sources[0].to_i
+                args = preshift.args
+                return unless args&.length.to_i > idx
 
-              sql = args[idx]
-              return unless sql
+                sql = args[idx]
+                return unless sql
 
-              with_contrast_scope do
-                logger.debug(nil, CS__CSRF_LOG_MSG)
-                rule.record_db_state_change(
-                    Contrast::Agent::REQUEST_TRACKER.current,
-                    sql)
+                with_contrast_scope do
+                  logger.debug(nil, CS__CSRF_LOG_MSG)
+                  rule.record_db_state_change(
+                      Contrast::Agent::REQUEST_TRACKER.current,
+                      sql)
+                end
               end
-            end
 
-            def self.cs__assess_apply_csrf_rule sql
-              context = Contrast::Agent::REQUEST_TRACKER.current
+              def apply_csrf_rule sql
+                context = Contrast::Agent::REQUEST_TRACKER.current
 
-              return unless context&.app_loaded?
-              return unless ASSESS.enabled?
-              return unless sql
+                return unless context&.app_loaded?
+                return unless ASSESS.enabled?
+                return unless sql
+
+                rule = Contrast::Agent::FeatureState.instance.assess_rule(
+                    Contrast::Agent::Assess::Rule::Csrf::NAME)
+                return unless rule&.enabled?
+
+                with_contrast_scope do
+                  logger.debug(CS__CSRF_LOG_MSG)
+                  rule.record_db_state_change(context, sql)
+                end
+              rescue StandardError => e
+                logger.warn(e, 'Error running CSRF assess rule')
+              end
 
-              rule = Contrast::Agent::FeatureState.instance.assess_rule(
-                  Contrast::Agent::Assess::Rule::Csrf::NAME)
-              return unless rule&.enabled?
+              private
 
-              with_contrast_scope do
-                logger.debug(CS__CSRF_LOG_MSG)
-                rule.record_db_state_change(context, sql)
+              def rule
+                @_rule ||= Contrast::Agent::FeatureState.instance.assess_rule(
+                    Contrast::Agent::Assess::Rule::Csrf::NAME)
               end
-            rescue StandardError => e
-              logger.warn(e, 'Error running CSRF assess rule')
             end
           end
         end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/core_extensions/module'
+cs__scoped_require 'contrast/extensions/ruby_core/module'
 
 module Contrast
   module Agent

data/lib/contrast/agent/class_reopener.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: false
+# frozen_string_literal: true
 
 cs__scoped_require 'ripper'
-cs__scoped_require 'contrast/core_extensions/module'
+cs__scoped_require 'contrast/extensions/ruby_core/module'
 cs__scoped_require 'contrast/components/interface'
 
 # This method is left purposefully at the top level namespace. Moving it
@@ -17,12 +17,12 @@ cs__scoped_require 'contrast/components/interface'
 def unbound_eval class_name, content
   # Yuck, this is a top-level method that has to break encapsulation
   # in order to access scoping!
-  Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.enter_contrast_scope
+  Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.enter_contrast_scope!
   eval(content) # rubocop:disable Security/Eval
 rescue Exception # rubocop:disable Lint/RescueException
   Contrast::Agent::SettingsState.log_error("Unable to perform unbound eval of new content for #{ class_name }.")
 ensure
-  Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.exit_contrast_scope
+  Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.exit_contrast_scope!
 end
 
 module Contrast
@@ -32,10 +32,13 @@ module Contrast
     # @deprecated Changes to this class are discouraged as this approach is
     #   being phased out with support for those language versions.
     class ClassReopener
-      END_NEW_LINE = "end\n".cs__freeze
-      PROTECTED_WITH_NEW_LINE = "protected\n".cs__freeze
-      PRIVATE_WITH_NEW_LINE = "private\n".cs__freeze
-      CLASS_SELF_LINE = "class << self\n".cs__freeze
+      include Contrast::Components::Interface
+      access_component :logging
+
+      END_NEW_LINE = "end\n"
+      PROTECTED_WITH_NEW_LINE = "protected\n"
+      PRIVATE_WITH_NEW_LINE = "private\n"
+      CLASS_SELF_LINE = "class << self\n"
 
       attr_reader :public_singleton_methods, :class_module_path, :class_name, :files, :is_class, :name_space,
                   :public_instance_methods, :protected_instance_methods, :private_instance_methods, :locations
@@ -55,25 +58,9 @@ module Contrast
         gather_modules
       end
 
-      def gather_modules
-        return if class_module_path.nil?
-
-        segments = class_module_path.split(Contrast::Utils::ObjectShare::DOUBLE_COLON)
-        @class_name = segments.last
-        current = nil
-        segments[0..-2].each do |chunk|
-          defined = current ? current.cs__const_defined?(chunk) : Module.cs__const_defined?(chunk)
-          next unless defined
-
-          current = current ? current.cs__const_get(chunk) : Module.cs__const_get(chunk)
-          if current.is_a?(Class)
-            name_space << [chunk, Class]
-          elsif current.is_a?(Module)
-            name_space << [chunk, Module]
-          end
-        end
-      end
-
+      # Indicates if any methods were rewritten for this class.
+      #
+      # @return [Boolean]
       def staged_changes?
         public_singleton_methods.any? ||
             public_instance_methods.any? ||
@@ -81,18 +68,34 @@ module Contrast
             private_instance_methods.any?
       end
 
+      # Indicates if this class was written from the given location.
+      #
+      # @param source_location [Array<String, Integer>] the result of a
+      #   Method#source_location call
+      # @return [Boolean]
       def written_from_location? source_location
         return false unless source_location
 
         file = source_location[0]
         location = source_location[1]
-        locs = locations[file]
-        return true if locs.include?(location)
+        locations[file].include?(location)
+      end
 
-        locs << location
-        false
+      # Marks that this class was written from the given location.
+      #
+      # @param source_location [Array<String, Integer>] the result of a
+      #   Method#source_location call
+      # @return [Boolean]
+      def written_from_location! source_location
+        return false unless source_location
+
+        file = source_location[0]
+        location = source_location[1]
+        locations[file] << location
       end
 
+      # Evaluate the patches that have been staged for this class, replacing
+      # the method definitions with those our rewrite.
       def commit_patches
         return unless staged_changes?
 
@@ -101,46 +104,86 @@ module Contrast
         unbound_eval(class_name, content) if !!valid && !class_name.empty?
       end
 
+      # Find the sourcecode of the method at the given location and return it
+      # if it is complete and compilable.
+      #
+      # @param location [Array<String, Integer>] the result of a
+      #   Method#source_location call
+      # @param method_name [Symbol] the name of the method defined at the given
+      #   location
+      # @return [String, nil] the code defining the method or nil if no valid
+      #   code could be found.
       def source_code location, method_name
         file_name = location[0]
         line_number = location[1]
         return unless file_name && line_number
+        return unless File.exist?(file_name) && File.readable?(file_name)
+        return if File.empty?(file_name)
 
-        unless files.key?(file_name)
-          return unless File.exist?(file_name)
-
-          files[file_name] = File.readlines(file_name)
-        end
-
+        files[file_name] = File.readlines(file_name) unless files.key?(file_name)
         lines = files[file_name]
-
-        old_verbose = $VERBOSE
-        $VERBOSE = nil
-        code = ''
-        complete = false
+        code = +''
         # location#line_number is 1 based, arrays are 0 based
         line_number -= 1
         lines[line_number..-1].each do |line|
-          begin
-            code << line
-            RubyVM::InstructionSequence.compile(code) # this will raise SyntaxError for malformed code
-            # Assert that a line which ends with a , or \ is incomplete.
-            complete = code !~ /[,\\]\s*\z/
-            break if complete
-          rescue SyntaxError
-            code.gsub(/\#\{.*?\}/, 'temp')
-          end
+          code << line
+          next unless compiles?(code)
+          break if complete?(code)
+        end
+        unless complete?(code) && compiles?(code)
+          logger.warn("Failed to capture #{ method_name } in #{ file_name } at #{ line_number } for rewriting.")
+          return
         end
-        $VERBOSE = old_verbose
-        raise SyntaxError, "Failure: method #{ method_name } in #{ file_name } at #{ line_number }" unless complete
-
         code
       end
 
       private
 
+      def gather_modules
+        return if class_module_path.nil?
+
+        segments = class_module_path.split(Contrast::Utils::ObjectShare::DOUBLE_COLON)
+        @class_name = segments.last
+        current = nil
+        segments[0..-2].each do |chunk|
+          defined = current ? current.cs__const_defined?(chunk) : Module.cs__const_defined?(chunk)
+          next unless defined
+
+          current = current ? current.cs__const_get(chunk) : Module.cs__const_get(chunk)
+          if current.is_a?(Class)
+            name_space << [chunk, Class]
+          elsif current.is_a?(Module)
+            name_space << [chunk, Module]
+          end
+        end
+      end
+
+      # code which ends with a , or \ is incomplete.
+      #
+      # @param code [String] the text to determine if complete
+      # @return [Boolean]
+      def complete? code
+        code !~ /[,\\]\s*\z/
+      end
+
+      # code which does not resolve to RubyVM::InstructionSequence does not
+      # compile
+      #
+      # @param code [String] the text to determine if compiles
+      # @return [Boolean]
+      def compiles? code
+        old_verbose = $VERBOSE
+        $VERBOSE = nil
+        RubyVM::InstructionSequence.compile(code)
+        true
+      rescue SyntaxError => _e
+        false
+      ensure
+        $VERBOSE = old_verbose
+      end
+
       def build_content
-        content = ''
+        content = +''
         name_space.each do |arr|
           name = arr[0]
           type = arr[1]