contrast-agent 3.8.5 → 3.9.0

data/lib/contrast/agent/patching/policy/policy.rb

@@ -126,6 +126,10 @@ module Contrast
             triggers.select { |trigger| trigger.rule_id == rule_id }
           end
 
+          def find_source_node class_name, method_name, instance_method
+            sources.find { |source| source.class_name == class_name && source.method_name == method_name && source.instance_method == instance_method }
+          end
+
           def find_node rule_id, class_name, method_name, instance_method
             find_triggers_by_rule(rule_id).find do |node|
               node.class_name == class_name && node.method_name == method_name && node.instance_method == instance_method

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'contrast/components/interface'
+
 module Contrast
   module Agent
     module Patching
@@ -10,7 +12,10 @@ module Contrast
         #
         # @abstract
         class PolicyNode
-          attr_accessor :class_name, :instance_method, :method_name, :method_visibility
+          include Contrast::Components::Interface
+          access_component :scope
+
+          attr_accessor :class_name, :instance_method, :method_name, :method_scope, :method_visibility
           attr_reader :properties
 
           def node_class
@@ -25,6 +30,7 @@ module Contrast
             @class_name = policy_hash[JSON_CLASS_NAME]
             @instance_method = policy_hash[JSON_INSTANCE_METHOD]
             @method_name = policy_hash[JSON_METHOD_NAME]
+            @method_scope = policy_hash[JSON_METHOD_SCOPE]
             @method_visibility = policy_hash[JSON_METHOD_VISIBILITY]
             @properties = policy_hash[JSON_PROPERTIES]
             symbolize
@@ -42,6 +48,11 @@ module Contrast
             raise(ArgumentError, "#{ node_class } #{ id } did not have a proper method name. Unable to create.") unless method_name
             raise(ArgumentError, "#{ node_class } #{ id } has a non symbol @method_name value. Unable to create.") unless method_name.is_a?(Symbol)
             raise(ArgumentError, "#{ node_class } #{ id } has a non symbol @method_visibility value. Unable to create.") unless method_visibility.is_a?(Symbol)
+            unless method_scope.nil? || Contrast::Agent::Scope.valid_scope?(method_scope)
+              raise(ArgumentError, "#{ node_class } #{ id } requires an undefined scope. Unable to create.")
+            end
+
+            nil
           end
 
           # just turns this into a ruby-ism
@@ -64,6 +75,7 @@ module Contrast
           def symbolize
             @method_name = @method_name.to_sym if @method_name
             @method_visibility = @method_visibility.to_sym if @method_visibility
+            @method_scope = @method_scope.to_sym if @method_scope
           end
 
           # The keys used to read from policy.json to create the individual
@@ -71,6 +83,7 @@ module Contrast
           JSON_CLASS_NAME = 'class_name'
           JSON_INSTANCE_METHOD = 'instance_method'
           JSON_METHOD_NAME = 'method_name'
+          JSON_METHOD_SCOPE = 'scope'
           JSON_METHOD_VISIBILITY = 'method_visibility'
           JSON_PROPERTIES = 'properties'
         end

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/core_extensions/module'
+cs__scoped_require 'contrast/extensions/ruby_core/module'
 cs__scoped_require 'contrast/agent/patching/policy/policy_node'
 
 module Contrast
@@ -20,6 +20,7 @@ module Contrast
           JSON_APPLICATOR_METHOD = 'applicator_method'
           JSON_REQUIRED_PROPS = 'required_properties'
           JSON_OPTIONAL_PROPS = 'optional_properties'
+          JSON_SCOPE = 'scope'
           JSON_ON_EXCEPTION = 'on_exception'
 
           attr_reader :rule_id

data/lib/contrast/agent/protect/policy/policy.rb

@@ -4,12 +4,12 @@
 cs__scoped_require 'contrast/agent/patching/policy/policy'
 
 # classes required by patches in the policy
-cs__scoped_require 'contrast/core_extensions/protect/applies_command_injection_rule'
-cs__scoped_require 'contrast/core_extensions/protect/applies_deserialization_rule'
-cs__scoped_require 'contrast/core_extensions/protect/applies_no_sqli_rule'
-cs__scoped_require 'contrast/core_extensions/protect/applies_path_traversal_rule'
-cs__scoped_require 'contrast/core_extensions/protect/applies_sqli_rule'
-cs__scoped_require 'contrast/core_extensions/protect/applies_xxe_rule'
+cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_command_injection_rule'
+cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_deserialization_rule'
+cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_no_sqli_rule'
+cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_path_traversal_rule'
+cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_sqli_rule'
+cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_xxe_rule'
 cs__scoped_require 'contrast/agent/protect/policy/trigger_node'
 
 module Contrast

data/lib/contrast/agent/protect/rule/base.rb

@@ -14,7 +14,7 @@ module Contrast
         class Base
           include Contrast::Components::Interface
 
-          access_component :logging, :analysis, :settings
+          access_component :logging, :analysis, :settings, :scope
 
           UNKNOWN_USER_INPUT = Contrast::Api::Dtm::UserInput.new.tap do |user_input|
             user_input.input_type = :UNKNOWN

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -90,7 +90,9 @@ module Contrast
           # @raise [Contrast::SecurityException] if attack detected while in
           #   block mode.
           def check_command_scope gadget_command
-            return unless deserializing?
+            # If we're within 'deserialization scope', then we've got a
+            # deserialization method in our call stack.
+            return unless in_deserialization_scope?
 
             context = Contrast::Agent::REQUEST_TRACKER.current
             kwargs = { COMMAND_SCOPE: true }
@@ -100,30 +102,6 @@ module Contrast
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
 
-          # I don't know a better way to do this without introducing another
-          # scope.
-          # The policy files are designed around using the Module names, not
-          # the file names, but stack is built using filenames. These are the
-          # files and methods we patch for this rule.
-          #
-          # There's not real test for this since I can't figure out how to get
-          # a command to execute from within the .load methods
-          # Assuming someone else does, this should just work (tested with
-          # Screener and the combination "%w[erb.rb `result']")
-          DESERIALIZER_STACK = [
-            %w[/psych.rb: `load'],
-            %w[/marshal.rb: `load']
-          ].cs__freeze
-          # We're considered deserializing if the call stack includes a
-          # reference to the file in which a serializer is defined and
-          # the method of that serializer responsible for deserializing.
-          # @return [Boolean] if the caller indicates deserialization.
-          def deserializing?
-            Kernel.caller.product(DESERIALIZER_STACK).find do |(frame, (class_signature_form, method_signature_form))|
-              frame.end_with?(method_signature_form) && frame.include?(class_signature_form)
-            end
-          end
-
           protected
 
           # Build the RaspRuleSample for the detected Deserialization attack.

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/core_extensions/protect/applies_sqli_rule'
+cs__scoped_require 'contrast/extensions/ruby_core/protect/applies_sqli_rule'
 
 module Contrast
   module Agent

data/lib/contrast/agent/railtie.rb

@@ -1,24 +1,30 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/utils/operating_environment'
+cs__scoped_require 'contrast/utils/job_servers_running'
 
 module Contrast
   module Agent
     # A Railtie to allow for the automatic hooking of the Agent into a Rails
     # application.
     class Railtie < Rails::Railtie
+      include Contrast::Components::Interface
+      access_component :agent, :app_context, :logging
+
       initializer 'Contrast Ruby Agent Initializer' do |app|
         if defined?(Rails) && defined?(Rails.logger)
           Rails.logger.debug('In railtie ::')
           Rails.logger.debug(app.middleware.inspect)
         end
 
-        if Contrast::Utils::OperatingEnvironment.unsupported?
-          Rails.logger.debug('Detected a non-webserver context, skipping Contrast middleware insertion.')
+        # TODO: RUBY-564 This logic is not specific to Rails and should be used more broadly
+        # with all web frameworks. Move this check to be a part of our new initialization
+        # routine.
+        if APP_CONTEXT.instrument_middleware_stack?
+          AGENT.insert_middleware(app)
         else
-          # Keep our middleware at the outermost layer of the onion
-          app.middleware.insert_before 0, Contrast::Agent::Middleware
+          Rails.logger.debug('Detected a running job server, skipping Contrast middleware insertion.')
+          logger.debug(nil, "Disabling Contrast for process #{ Process.pid }")
         end
       end
 

data/lib/contrast/agent/request.rb

@@ -265,17 +265,7 @@ module Contrast
         http_request.version = '1.1' # currently not in rack request; hard-coding
         http_request.method = Contrast::Utils::StringUtils.force_utf8(request_method)
         http_request.raw = Contrast::Utils::StringUtils.force_utf8(@rack_request.path_info)
-        http_request.parsed_connection = true
-        http_request.uri = Contrast::Utils::StringUtils.force_utf8(path)
-        http_request.normalized_uri = Contrast::Utils::StringUtils.force_utf8(normalized_uri)
-        http_context = if http_request.uri == Contrast::Utils::ObjectShare::SLASH
-                         Contrast::Utils::ObjectShare::SLASH
-                       else
-                         http_request.uri.split(Contrast::Utils::ObjectShare::SLASH).first
-                       end
-        http_request.context = Contrast::Utils::StringUtils.force_utf8(http_context)
-        http_request.path = Contrast::Utils::StringUtils.force_utf8(http_request.uri)
-        http_request.query_string = Contrast::Utils::StringUtils.force_utf8(query_string)
+        http_request.parsed_connection = false
       end
 
       def append_params http_request
@@ -395,10 +385,6 @@ module Contrast
         @_content_type ||= @rack_request.content_type
       end
 
-      def path
-        @_path ||= @rack_request.path
-      end
-
       def request_cookies
         @_request_cookies ||= @rack_request.cookies
       end
@@ -407,10 +393,6 @@ module Contrast
         @_parameters ||= with_contrast_scope { normalize_params(@rack_request.params) }
       end
 
-      def base_url
-        @_base_url ||= @rack_request.base_url
-      end
-
       # End of Rack Request memoized values
 
       def file_names

data/lib/contrast/agent/request_context.rb

@@ -59,7 +59,7 @@ module Contrast
 
           @sample_response &&= ASSESS.scan_response?
 
-          append_route_coverage(Contrast::Utils::PathUtil.get_route(@request))
+          append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
         end
       end
 

data/lib/contrast/agent/rewriter.rb

@@ -1,5 +1,5 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: false
+# frozen_string_literal: true
 
 # intentional -- we're using a << operator here
 
@@ -18,8 +18,8 @@ module Contrast
       include Contrast::Components::Interface
       access_component :logging, :scope
 
-      SELF_DEFINITION = 'def self.'.cs__freeze
-      DEFINITION = 'def '.cs__freeze
+      SELF_DEFINITION = 'def self.'
+      DEFINITION = 'def '
 
       class << self
         def rewrite_class module_data, redo_rewrite = false
@@ -95,6 +95,7 @@ module Contrast
           return nil if location.empty? || location[0].empty? || location[0].include?('eval')
           return nil if opener.written_from_location?(location)
 
+          opener.written_from_location!(location)
           opener.source_code(location, method_name)
         rescue SyntaxError
           logger.debug(nil, "SyntaxError: Can't parse method source from #{ clazz }##{ method_name }")

data/lib/contrast/agent/scope.rb

@@ -1,28 +1,125 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-# Scope lets us disable Contrast for certain code calls. We need to do this so
-# that we don't propagate through our own code.
-#
-# Think logging: If you have
-# something like "The source was '" + source + "'", and source is tracked,
-# you'll trigger propagation with the + method. This in turn would cause
-# propagation if you log there "The target ''" + target + "' was propagated'"
-# Which would then cause another propagation with the '+' method, forever.
-#
-# Instead, we should say "If I'm already doing Contrast things, don't track
-# this"
-#
-# NOTE: DO NOT DO ANYTHING IN THIS CLASS THAT COULD RESULT IN A MONKEY PATCHED
-# ACTION. WE CAN'T ENTER SCOPE BEFORE WE HAVE A SCOPE! YOU HAVE BEEN WARNED!!!
 module Contrast
   module Agent
+    # Scope lets us disable Contrast for certain code calls. We need to do this so
+    # that we don't propagate through our own code.
+    #
+    # Think logging: If you have
+    # something like "The source was '" + source + "'", and source is tracked,
+    # you'll trigger propagation with the + method. This in turn would cause
+    # propagation if you log there "The target ''" + target + "' was propagated'"
+    # Which would then cause another propagation with the '+' method, forever.
+    #
+    # Instead, we should say "If I'm already doing Contrast things, don't track
+    # this"
     class Scope
-      # At first, all scopes are 0, meaning we're not in Contrast land
-      # NOTE: DO NOT DO ANYTHING IN THIS CLASS THAT COULD RESULT IN A MONKEY
-      # PATCHED ACTION. WE CAN'T ENTER SCOPE BEFORE WE HAVE A SCOPE! YOU HAVE
-      # BEEN WARNED!!! (again)
+      # The following %i[] list is the authoritative list
+      # of scopes.  If you define a new symbol here, you'll
+      # get scope methods:
+      #   %i[monkey] ->
+      #     enter_monkey_scope!
+      #     exit_monkey_scope!
+      #     in_monkey_scope?
+      #     with_monkey_scope { special_monkey_function }
+      SCOPE_LIST = %i[contrast deserialization].cs__freeze
+
+      iv_list = SCOPE_LIST.map { |name| :"@#{ name }_scope" }
+      define_method 'initialize' do
+        iv_list.each do |iv_sym|
+          instance_variable_set(iv_sym, 0)
+        end
+      end
+
+      SCOPE_LIST.each do |name|
+        iv_sym = :"@#{ name }_scope"
+
+        define_method "in_#{ name }_scope?" do
+          instance_variable_get(iv_sym).positive?
+        end
+
+        enter_method_sym = :"enter_#{ name }_scope!"
+        define_method enter_method_sym do
+          level = instance_variable_get(iv_sym)
+          instance_variable_set(iv_sym, level + 1)
+        end
+
+        exit_method_sym = :"exit_#{ name }_scope!"
+        define_method exit_method_sym do
+          # by design, can go below zero.
+          # every exit/enter pair (regardless of series)
+          # should cancel each other out.
+          #
+          # so we prefer this sequence:
+          #   scope =  0
+          #   exit  = -1
+          #   enter =  0
+          #   enter =  1
+          #   exit  =  0
+          #   scope =  0
+          #
+          # over this sequence:
+          #   scope =  0
+          #   exit  =  0
+          #   enter =  1
+          #   enter =  2
+          #   exit  =  1
+          #   scope =  1
+          level = instance_variable_get(iv_sym)
+          instance_variable_set(iv_sym, level - 1)
+        end
+
+        define_method "with_#{ name }_scope" do |*_args, &block|
+          begin
+            send enter_method_sym
+            block.call
+          ensure
+            send exit_method_sym
+          end
+        end
+      end
+
+      # Dynamic versions of the above.
+      # These are equivalent, but they're slower and riskier.
+      # Prefer the static methods if you know what scope you need at the call site.
+      def in_scope? name
+        cs__class.ensure_valid_scope! name
+        call = with_contrast_scope { :"in_#{ name }_scope?" }
+        send(call)
+      end
+
+      def enter_scope! name
+        cs__class.ensure_valid_scope! name
+        call = with_contrast_scope { :"enter_#{ name }_scope!" }
+        send(call)
+      end
+
+      def exit_scope! name
+        cs__class.ensure_valid_scope! name
+        call = with_contrast_scope { :"exit_#{ name }_scope!" }
+        send(call)
+      end
+
+      def with_scope name, &block
+        cs__class.ensure_valid_scope! name
+        call = with_contrast_scope { :"with_#{ name }_scope" }
+        send(call, &block)
+      end
+
+      class << self
+        def valid_scope? scope_sym
+          Contrast::Agent::Scope::SCOPE_LIST.include? scope_sym
+        end
+
+        def ensure_valid_scope! scope_sym
+          unless valid_scope? scope_sym # rubocop:disable Style/GuardClause
+            with_contrast_scope do
+              raise NotImplementedError, "Scope '#{ scope_sym.inspect }' is not registered as a scope."
+            end
+          end
+        end
+      end
     end
   end
 end
-cs__scoped_require 'cs__scope/cs__scope'

data/lib/contrast/agent/service_heartbeat.rb

@@ -20,8 +20,7 @@ module Contrast
           loop do
             begin
               logger.debug(nil, 'Sending Heartbeat...')
-              # TODO: RUBY-672: Change noop to poll messages
-              CONTRAST_SERVICE.queue_message(Contrast::Api::Dtm::Noop.new)
+              CONTRAST_SERVICE.queue_message(poll_message)
             end
             sleep REFRESH_INTERVAL_SEC
           end
@@ -29,6 +28,10 @@ module Contrast
       end
       alias_method :start, :updater_thread
 
+      def poll_message
+        @_poll_message ||= Contrast::Api::Dtm::Poll.new
+      end
+
       def stop
         Thread.kill(@_updater_thread) if @_updater_thread&.alive?
       end

data/lib/contrast/agent/settings_state.rb

@@ -120,16 +120,20 @@ module Contrast
       def send_inventory_message
         return unless INVENTORY.enabled?
 
-        msg = Contrast::Api::Dtm::ApplicationUpdate.new
-        msg.platform = Contrast::Api::Dtm::Platform.new
-        msg.platform.major, msg.platform.minor, msg.platform.build = *Contrast::Utils::EnvironmentUtil.platform
+        app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.new
 
-        Contrast::Utils::EnvironmentUtil.add_library_to_app_update(msg, protobuf_format(CONFIG.root.inventory.tags))
-        Contrast::Utils::EnvironmentUtil.scan_views(msg)
-        Contrast::Utils::EnvironmentUtil.scan_routes(msg)
-        Contrast::Utils::InventoryUtil.append_db_config(msg)
+        # TODO: RUBY-770
+        Contrast::Utils::EnvironmentUtil.add_library_to_app_update(app_update_msg, protobuf_format(CONFIG.root.inventory.tags))
 
-        CONTRAST_SERVICE.queue_message msg
+        Contrast::Delegators::ApplicationUpdate.new(app_update_msg).instance_eval do
+          append_view_technology_descriptor_data(Contrast::Agent.framework_manager.find_applicable_view_technologies) if INVENTORY.enabled?
+          append_route_coverage_data(Contrast::Agent.framework_manager.find_route_discovery_data) if INVENTORY.enabled?
+          append_platform_version(Contrast::Agent.framework_manager.platform_version)
+        end
+
+        Contrast::Utils::InventoryUtil.append_db_config(app_update_msg)
+
+        CONTRAST_SERVICE.queue_message app_update_msg
       end
 
       def present? str