contrast-agent 3.8.5 → 3.9.0

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '3.8.5'
+    VERSION = '3.9.0'
   end
 end

data/lib/contrast/api.rb

@@ -12,6 +12,7 @@ end
 
 cs__scoped_require 'contrast/api/dtm_pb'
 cs__scoped_require 'contrast/api/settings_pb'
+cs__scoped_require 'contrast/delegators'
 cs__scoped_require 'contrast/api/unix_socket'
 cs__scoped_require 'contrast/api/tcp_socket'
 cs__scoped_require 'contrast/api/speedracer'

data/lib/contrast/api/speedracer.rb

@@ -133,8 +133,8 @@ module Contrast
           message.prefilter = event
         when Contrast::Api::Dtm::HttpResponse
           message.postfilter = event
-        when Contrast::Api::Dtm::Noop
-          message.noop = event
+        when Contrast::Api::Dtm::Poll
+          message.poll = event
         when Contrast::Api::Dtm::ObservedRoute
           message.observed_route = event
         else

data/lib/contrast/components/agent.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+cs__scoped_require 'rubygems/version'
+
 module Contrast
   module Components
     module Agent
@@ -46,6 +48,10 @@ module Contrast
           !interpolation_patch_possible?
         end
 
+        def patch_yield?
+          !Contrast::Utils::BooleanUtil.false?(CONFIG.root.agent.ruby.propagate_yield)
+        end
+
         def interpolation_enabled?
           !Contrast::Utils::BooleanUtil.false?(CONFIG.root.agent.ruby.interpolate)
         end
@@ -54,12 +60,15 @@ module Contrast
           Contrast::Agent::FeatureState.instance.report_custom_code_sysfile_access?
         end
 
-        # TODO: RUBY-564 Move instrumentation to a new component that handles
-        # one-time agent initialization procedures.
-        SHARED_LIBRARIES = %w[contrast/core_extensions/thread
-                              contrast/rails_extensions/rack
-                              contrast/rails_extensions/buffer
-                              contrast/sinatra_extensions/assess/cookie].cs__freeze
+        def skip_instrumentation? loaded_module_name
+          return true unless loaded_module_name
+
+          loaded_module_name.start_with?(*CONFIG.root.agent.ruby.uninstrument_namespace)
+        end
+
+        # All this method chain does anymore is load the Thread patch that
+        # propagates request contexts.  That can go away RUBY-700.
+        SHARED_LIBRARIES = %w[contrast/extensions/ruby_core/thread].cs__freeze
         def run_instrumentation
           Contrast::Agent::FeatureState.instance.tap do |settings|
             SHARED_LIBRARIES.each { |lib| settings.instrument lib }
@@ -68,14 +77,24 @@ module Contrast
           enable_tracepoint # This handles all class loads & required instrumentation going forward
         end
 
+        # TODO: RUBY-564: This responsibility should be extracted out of this agent component and moved to
+        # the new component that handles one-time-whole-app initialization procedures.
+        def insert_middleware app
+          app.middleware.insert_before 0, Contrast::Agent::Middleware # Keep our middleware at the outermost layer of the onion
+        end
+
         def enable_tracepoint
           Contrast::Agent::TracePointHook.enable!
         end
 
         protected
 
+        INTERPOLATION_HOOKABLE_VERSION = Gem::Version.new('2.6.0')
+        # Ruby exposed the C method for interpolation in version 2.6.0, meaning
+        # we can attempt to patch using Funchook for that version and later.
         def interpolation_patch_possible?
-          Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.6.0')
+          @_interpolation_patch_possible = Gem::Version.new(RUBY_VERSION) >= INTERPOLATION_HOOKABLE_VERSION if @_interpolation_patch_possible.nil?
+          @_interpolation_patch_possible
         end
       end
 

data/lib/contrast/components/app_context.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/core_extensions/object'
 cs__scoped_require 'contrast/utils/sinatra_helper'
+cs__scoped_require 'rubygems/version'
 
 module Contrast
   module Components
@@ -23,12 +23,6 @@ module Contrast
         DEFAULT_SERVER_NAME = 'localhost'
         DEFAULT_SERVER_PATH = '/'
 
-        RAILS_TYPE   = 'rails'
-        SINATRA_TYPE = 'sinatra'
-        RACK_TYPE    = 'rack'
-
-        RAILS_MODULE_NAME_VERSION = Gem::Version.new('6.0.0')
-
         def present? str
           Contrast::Utils::EnvironmentUtil.present?(str)
         end
@@ -36,29 +30,17 @@ module Contrast
         def server_type
           @_server_type ||= begin
                               tmp = CONFIG.root.server.type
-                              tmp = framework_server_name unless present?(tmp)
+                              tmp = Contrast::Agent.framework_manager.server_type unless present?(tmp)
                               tmp
                             rescue StandardError
                               RACK_TYPE
                             end
         end
 
-        def framework_server_name
-          @_framework_server_name ||= begin
-                                        if defined?(Rails)
-                                          RAILS_TYPE
-                                        elsif defined?(Sinatra)
-                                          SINATRA_TYPE
-                                        else
-                                          RACK_TYPE
-                                        end
-                                      end
-        end
-
         def name
           @_name ||= begin
                        tmp = CONFIG.root.application.name
-                       tmp = framework_app_name unless present?(tmp)
+                       tmp = Contrast::Agent.framework_manager.app_name unless present?(tmp)
                        tmp = File.basename(Dir.pwd) unless present?(tmp)
                        Contrast::Utils::StringUtils.truncate(tmp, DEFAULT_APP_NAME)
                      rescue StandardError
@@ -66,14 +48,6 @@ module Contrast
                      end
         end
 
-        def framework_app_name
-          @_framework_app_name ||= begin
-                                     name = find_rails_app_name
-                                     name ||= find_sinatra_app_name
-                                     name
-                                   end
-        end
-
         def path
           @_path ||= begin
                        tmp = CONFIG.root.application.path
@@ -154,24 +128,13 @@ module Contrast
           @_client_id ||= [name, pgid].join('-')
         end
 
-        private
-
-        def find_sinatra_app_name
-          sinatra_app = Contrast::Utils::SinatraHelper.app_class
-          return unless sinatra_app
-
-          sinatra_app.cs__class.cs__name
+        # TODO: RUBY-564: This responsibility should be extracted out of app_context and moved to
+        # the new component that handles one-time-whole-app initialization procedures.
+        def instrument_middleware_stack?
+          !Contrast::Utils::JobServersRunning.job_servers_running?
         end
 
-        def find_rails_app_name
-          return nil unless defined?(Rails)
-
-          # Rails version 6.0.0 deprecated Rails::Application#parent_name, in Rails 6.1.0 that method will be removed entirely
-          # and instead we need to use parent_module_name
-          return Rails.application.cs__class.parent_module_name if Gem::Version.new(Rails.version) >= RAILS_MODULE_NAME_VERSION
-
-          Rails.application.cs__class.parent_name
-        end
+        private
 
         # TODO: RUBY-120, move this responsibility toward the protobuf object
         def protobuf_format param, truncate: true

data/lib/contrast/components/contrast_service.rb

@@ -65,12 +65,11 @@ module Contrast
                                       # should be "must not be false" -- oops.
                                       !false?(CONFIG.root.agent.start_bundled_service) &&
                                           # Either a valid host or a valid socket
-                                          (CONFIG.root.agent.service.host.nil? ||
+                                          ((CONFIG.root.agent.service.host.nil? ||
                                           CONFIG.root.agent.service.host == 'localhost' ||
-                                          CONFIG.root.agent.service.host == '127.0.0.1' ||
-                                          CONFIG.root.agent.service.host.empty?) ||
+                                          CONFIG.root.agent.service.host == '127.0.0.1') ||
                                           # Path validity is the service's problem
-                                          !CONFIG.root.agent.service.socket.empty?
+                                          !!CONFIG.root.agent.service.socket)
                                     end
         end
 

data/lib/contrast/components/interface.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 cs__scoped_require 'delegate'
-cs__scoped_require 'contrast/core_extensions/module'
+cs__scoped_require 'contrast/extensions/ruby_core/module'
 cs__scoped_require 'contrast/utils/boolean_util'
 
 module Contrast

data/lib/contrast/components/scope.rb

@@ -39,33 +39,13 @@ module Contrast
       end
 
       module InstanceMethods # :nodoc:
-        # These scopes can be meta-defined (RUBY-573)
-        #
-        # [:my_cool_scope, :another_good_one].each do |scope|
-        #   define_method "in_#{scope}_scope?" do
-        #     abc
-        #   end
-        # end
-
-        def in_contrast_scope?
-          scope_for_current_ec.in_contrast_scope?
-        end
-
-        def enter_contrast_scope!
-          scope_for_current_ec.enter_scope_for Contrast::Agent::Scope::CONTRAST_SCOPE
-          scope_for_current_ec
-        end
+        # For each instance method on a scope, define a forwarder
+        # to the scope on the current execution context's scope.
 
-        def exit_contrast_scope!
-          scope_for_current_ec.exit_scope_for Contrast::Agent::Scope::CONTRAST_SCOPE
-          scope_for_current_ec
-        end
-
-        def with_contrast_scope
-          enter_contrast_scope!
-          yield
-        ensure
-          exit_contrast_scope!
+        Contrast::Agent::Scope.public_instance_methods(false).each do |method_sym|
+          define_method(method_sym) do |*args, &block|
+            scope_for_current_ec.send(method_sym, *args, &block)
+          end
         end
 
         def scope_for_current_ec
@@ -104,3 +84,53 @@ module Contrast
     end
   end
 end
+
+# This is a reasonable place for the Kernel#catch hook to live.
+# No current plans for component re-design, but if we had some kind of
+# "do this when a component is hooked in" thing, this would live there.
+# For now, it's over-engineering to live anywhere else.  -ajm
+module Kernel # :nodoc:
+  alias_method :cs__catch, :catch
+
+  # In the event of a `throw`, we need to override `catch`
+  # to save & restore scope state:
+  #
+  #   scope_level == 0
+  #
+  #   catch(:abc) do
+  #     with_contrast_scope do
+  #       throw :abc # will leak
+  #     end
+  #   end
+  #
+  #   scope_level == 1
+  #
+  # Frankly, this isn't how scope should be used.  This is in place of
+  # proper `ensure` blocks within the instrumentation call stack.
+  # This will actually /create/ scope leaks if you're doing something like:
+  #
+  #   catch(:ohno) do
+  #     enter scope
+  #   end
+  #
+  #   abc()
+  #
+  #   exit scope
+  #
+  # i.e. if you intend to change net scope across a catch block boundary.
+
+  private
+
+  def catch *args, &block
+    # Save current scope level
+    scope_level = Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
+
+    # Run original catch with block.
+    retval = cs__catch(*args, &block)
+
+    # Restore scope.
+    Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_set(:@contrast_scope, scope_level)
+
+    retval
+  end
+end

data/lib/contrast/config/ruby_configuration.rb

@@ -25,9 +25,14 @@ module Contrast
       KEYS = {
           disabled_agent_rake_tasks: Contrast::Config::DefaultValue.new(DISABLED_RAKE_TASK_LIST),
           exceptions: Contrast::Config::ExceptionConfiguration,
-          interpolate: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::TRUE), # :-(
-          require_scan: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::TRUE), # control whether or not we run file scanning rules
-          track_frozen_sources: EMPTY_VALUE,
+          # controls whether or not we patch interpolation, either by rewrite or by funchook
+          interpolate: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::TRUE),
+          # controls whether or not we patch the rb_yield block to track split propagation
+          propagate_yield: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::TRUE),
+          # control whether or not we run file scanning rules on require
+          require_scan: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::TRUE),
+          # controls whether or not we track frozen Strings by replacing them
+          track_frozen_sources: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::TRUE),
           uninstrument_namespace: Contrast::Config::DefaultValue.new(DEFAULT_UNINSTRUMENTED_NAMESPACES)
       }.cs__freeze
 

data/lib/contrast/delegators.rb

@@ -0,0 +1,9 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  # Used to define decorators for objects to add behavior without polluting the namespace
+  module Delegators
+  end
+end
+cs__scoped_require 'contrast/delegators/application_update'

data/lib/contrast/delegators/application_update.rb

@@ -0,0 +1,32 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Delegators
+    # Used to decorate the ApplicationUpdate protobuf model so it can own some of the data massaging required for
+    # AppUpdate dtm
+    class ApplicationUpdate < SimpleDelegator
+      def append_view_technology_descriptor_data view_technology_descriptors
+        view_technology_descriptors.each do |vtd|
+          vtd.technology_names.each do |tech_name|
+            @delegate_sd_obj.technologies[tech_name] = true
+          end
+        end
+      end
+
+      # TS only allows you to report 500 routes per application
+      def append_route_coverage_data route_coverage_dtms
+        route_coverage_dtms.take(500).each do |route_coverage_dtm|
+          @delegate_sd_obj.routes << route_coverage_dtm
+        end
+      end
+
+      def append_platform_version platform_version
+        @delegate_sd_obj.platform = Contrast::Api::Dtm::Platform.new if @delegate_sd_obj.platform.nil?
+        @delegate_sd_obj.platform.major = platform_version.major
+        @delegate_sd_obj.platform.minor = platform_version.minor
+        @delegate_sd_obj.platform.build = platform_version.patch
+      end
+    end
+  end
+end

data/lib/contrast/extensions/framework/rack/cookie.rb

@@ -0,0 +1,24 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+
+module Rack
+  module Session
+    # Our patch into the Rack::Session::Cookie Class, allowing for the
+    # runtime detection of insecure configurations on individual cookies
+    # within the application
+    class Cookie
+      include Contrast::Utils::InvalidConfigurationUtil
+      include Contrast::Components::Interface
+
+      access_component :scope
+
+      alias_method :cs__patched_initialize, :initialize
+      def initialize app, options = {}
+        Contrast::Utils::RackAssessSessionCookie.analyze_cookie_initialization(options)
+        cs__patched_initialize(app, options)
+      end
+    end
+  end
+end

data/lib/contrast/extensions/framework/rack/request.rb

@@ -0,0 +1,24 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+# In earlier versions of rack < 2.0.0 the Rack::Response and Rack::Request do
+# not have get_header or set_header methods. This is our way of working
+# around that.
+module Rack
+  # Our patch into the Rack::Request class, allowing us to call set_header
+  # and get_header in our code without worrying about older versions of
+  # Rack not implementing these methods.
+  class Request
+    unless Rack::Request.instance_methods(true).include?(:set_header)
+      def set_header name, value
+        @env[name] = value
+      end
+    end
+
+    unless Rack::Request.instance_methods(true).include?(:get_header)
+      def get_header name
+        @env[name]
+      end
+    end
+  end
+end

data/lib/contrast/extensions/framework/rack/response.rb

@@ -0,0 +1,23 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+# In earlier versions of rack < 2.0.0 the Rack::Response and Rack::Request do
+# not have get_header or set_header methods. This is our way of working
+# around that.
+module Rack
+  # Our patch into the Rack::Response Class, allowing us to call set_header
+  # and get_header in our code without worrying about older versions of
+  # Rack not implementing these methods.
+  class Response
+    unless Rack::Response.instance_methods(true).include?(:set_header)
+      def set_header key, value
+        headers[key] = value
+      end
+    end
+    unless Rack::Response.instance_methods(true).include?(:get_header)
+      def get_header key
+        headers[key]
+      end
+    end
+  end
+end