RubyGems - contrast-agent - Versions diffs - 3.8.5 → 3.9.0 - Mend

contrast-agent 3.8.5 → 3.9.0

Files changed (153) hide show

data/lib/contrast/extensions/framework/rails/action_controller_railties_helper_inherited.rb ADDED

@@ -0,0 +1,20 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module ActionController
+  module Railties
+    # Used to monkey patch all the inherited calls in action_pack
+    #
+    # This is the usual entry point for Rails inheritance work, so it should
+    # catch most of the calls to inherited.
+    module Helpers
+      alias_method :cs__patched_inherited, :inherited
+      def inherited klass
+        klass&.instance_variable_set(:@cs__defining_class, true)
+        cs__patched_inherited(klass)
+      ensure
+        klass&.instance_variable_set(:@cs__defining_class, false)
+      end
+    end
+  end
+end

data/lib/contrast/extensions/framework/rails/active_record.rb ADDED

@@ -0,0 +1,26 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module ActiveRecord
+  module AttributeMethods
+    module Read
+      # Rails / ActiveRecord are sneaky a.f. They define attributes of a
+      # class in one method, then monkey patch allocate in another and
+      # finally invoke module_eval in this method... but of course they use a
+      # '_tmp_' header for the method name and then alias it in this module
+      # to name it what we expect
+      module ClassMethods
+        alias_method :cs__patched_define_method_attribute, :define_method_attribute
+        def define_method_attribute *args, &block
+          ret = cs__patched_define_method_attribute(*args, &block)
+          method_name = args[0]
+          Contrast::Agent::Assess::Policy::Patcher.patch_assess_method(self, method_name)
+          ret
+        end
+        protected :cs__patched_define_method_attribute, :define_method_attribute
+      end
+    end
+  end
+end

data/lib/contrast/extensions/framework/rails/active_record_named.rb ADDED

@@ -0,0 +1,53 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+module ActiveRecord
+  module Scoping
+    module Named
+      # Our patch into the ActiveRecord::Scoping::Named::ClassMethods Module,
+      # allowing for the runtime rewrite of interpolation calls defined in
+      # methods defined dynamically during application execution.
+      #
+      # TODO: RUBY-534
+      module ClassMethods
+        include Contrast::Components::Interface
+        access_component :logging, :agent
+        def _cs__rewrite method_name, body
+          return body unless AGENT.rewrite_interpolation?
+          return body unless body.is_a?(Proc)
+          location = body.source_location
+          return body if location.nil?
+          # Good news, once we patch the body once, the source location
+          # becomes eval. We may need to fix this later though (so it may
+          # be bad news)
+          return body if location.empty? || location[0].empty? || location[0].include?('eval')
+          opener = Contrast::Agent::ClassReopener.new(Contrast::Agent::ModuleData.new(self))
+          original_source_code = opener.source_code(location, method_name)
+          return body unless original_source_code
+          return body if Contrast::Agent::Rewriter.send(:unrepeatable?, original_source_code)
+          return body unless Contrast::Agent::Rewriter.send(:interpolations?, original_source_code)
+          # the code looks like 'source :some_method_name, ->lambda_literal'
+          # we just need the lambda
+          body_start = original_source_code.index(',') + 1
+          original_source_code = original_source_code[body_start..-1]
+          new_method_source = Contrast::Agent::Rewriter.send(:rewrite_method, original_source_code)
+          return body unless Contrast::Agent::Rewriter.send(:valid_code?, new_method_source)
+          unbound_eval(cs__name, new_method_source)
+        rescue SyntaxError, StandardError => e
+          logger.debug(e, "Can't parse method source in scoped method #{ method_name }: #{ e.message }")
+          body
+        end
+      end
+    end
+  end
+end
+cs__scoped_require 'cs__assess_active_record_named/cs__assess_active_record_named'

data/lib/contrast/extensions/framework/rails/active_record_time_zone_inherited.rb ADDED

@@ -0,0 +1,21 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module ActiveRecord
+  module AttributeMethods
+    # Used to monkey patch all the inherited calls in action_pack
+    module TimeZoneConversion
+      module ClassMethods #:nodoc:
+        private
+        alias_method :cs__patched_inherited, :inherited
+        def inherited klass
+          klass&.instance_variable_set(:@cs__defining_class, true)
+          cs__patched_inherited(klass)
+        ensure
+          klass&.instance_variable_set(:@cs__defining_class, false)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/extensions/framework/rails/buffer.rb ADDED

@@ -0,0 +1,28 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+module ActionController
+  module Live
+    # This class acts as our patch into the ActionController::Live::Buffer
+    # class, allowing us to track the close event on streamed responses.
+    class Buffer
+      include Contrast::Components::Interface
+      access_component :contrast_service
+      # normally pre->in->post filters are applied however, in a streamed response
+      # we can run into a case where it's pre -> in -> post -> more infilters
+      # in order to submit anything found during the infilters after the response has been written we need to explicity send them
+      alias_method :cs__close, :close
+      def close
+        if (context = Contrast::Agent::REQUEST_TRACKER.current)
+          [context.server_activity, context.activity, context.observed_route].each do |msg|
+            CONTRAST_SERVICE.send_message msg
+          end
+        end
+        cs__close
+      end
+    end
+  end
+end

data/lib/contrast/extensions/framework/rails/configuration.rb ADDED

@@ -0,0 +1,27 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+module Rails
+  class Application
+    # Our patch into the Rails::Application::Configuration Class, allowing
+    # for the runtime detection of insecure configurations on individual
+    # ActionDispatch::Session::AbstractStore instances within the
+    # application.
+    class Configuration
+      include Contrast::Utils::InvalidConfigurationUtil
+      include Contrast::Components::Interface
+      # Note to self / PR reviewers / wizard people dear reader,
+      # including the components into Rails here may be unnecessary
+      # if we're not calling anything besides #analyze_session_store?
+      access_component :analysis, :scope
+      alias_method :cs__patched_session_store, :session_store
+      def session_store *args
+        ret = cs__patched_session_store(*args)
+        Contrast::Utils::RailsAssessConfiguration.analyze_session_store(*args)
+        ret
+      end
+    end
+  end
+end

data/lib/contrast/extensions/framework/sinatra/base.rb ADDED

@@ -0,0 +1,59 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/framework/sinatra_support'
+module Sinatra
+  # Our patch into the Sinatra::Base Class, allowing for the inventory of the
+  # routes called by the application
+  class Base
+    alias_method :cs__patched_call!, :call!
+    # publicly available method for Sinatra::Base things -- unfortunately,
+    # getting the routes appear to require a lookup every time
+    def call! *args
+      cs__patched_map_route(*args)
+      cs__patched_call!(*args)
+    end
+    private
+    # Use logic copied from Sinatra::Base#process_route to determine which
+    # pattern matches the request being invoked by Sinatra::Base#call!
+    #
+    # @param args [Array<Object>] we rely on the @settings object in
+    #   Sinatra::Base and the env variable passed in as args[0]
+    def cs__patched_map_route *args
+      context = Contrast::Agent::REQUEST_TRACKER.current
+      return unless context
+      env = args[0]
+      return unless env
+      # There isn't a Request object in the Sinatra::Base yet - it's made
+      # during the #call! method, which we're patching - so we need to
+      # access the env
+      method = env[Rack::REQUEST_METHOD]
+      route = env[Rack::PATH_INFO]
+      route = route.to_s
+      # get all potential routes for this request type
+      routes = settings.routes[method]
+      return unless routes
+      # Do some cleanup that matches Sinatra::Base#process_route
+      route = '/' if route.empty? && !settings.empty_path_info?
+      route = route[0..-2] if !settings.strict_paths? && route != '/' && route.end_with?('/')
+      # Find the route that matches this request. Since we're using
+      # settings, we should resolve in the same precedence as Sinatra
+      routes.each do |pattern, _, _| # Mustermann::Sinatra
+        next unless pattern.params(route)
+        dtm = Contrast::Framework::SinatraSupport.send(:route_to_coverage, cs__class, method, pattern)
+        context.append_route_coverage(dtm)
+        break
+      end
+    end
+  end
+end

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess.rb RENAMED

@@ -32,20 +32,21 @@ module Contrast
       # classes that don't play nice w/ our standard propagation
       cs__scoped_require 'contrast/agent/assess/frozen_properties'
-      cs__scoped_require 'contrast/core_extensions/assess/assess_extension'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/assess_extension'
       # this needs to come first b/c array and others work on strings and
       # expect them to be trackable
-      cs__scoped_require 'contrast/core_extensions/assess/string'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/string'
-      cs__scoped_require 'contrast/core_extensions/assess/array'
-      cs__scoped_require 'contrast/core_extensions/assess/erb'
-      cs__scoped_require 'contrast/core_extensions/assess/fiber'
-      cs__scoped_require 'contrast/core_extensions/assess/hash'
-      cs__scoped_require 'contrast/core_extensions/assess/kernel'
-      cs__scoped_require 'contrast/core_extensions/assess/regexp'
-      cs__scoped_require 'contrast/core_extensions/assess/module'
-      cs__scoped_require 'contrast/core_extensions/assess/basic_object'
-      cs__scoped_require 'contrast/core_extensions/assess/tilt_template_trigger'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/array'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/erb'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/fiber'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/hash'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/kernel'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/regexp'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/module'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/basic_object'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/tilt_template_trigger'
+      cs__scoped_require 'contrast/extensions/ruby_core/assess/xpath_library_trigger'
     end
   end
 end

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/array.rb RENAMED

@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+cs__scoped_require 'contrast/agent/patching/policy/patch'
 cs__scoped_require 'contrast/agent/patching/policy/patcher'
 cs__scoped_require 'contrast/components/interface'
@@ -21,7 +22,7 @@ class Array
       'source' => 'O',
       'target' => 'R',
       'patch_class' => 'NOOP',
-      'patch_method' => '__cs_track_join'
+      'patch_method' => 'cs__track_join'
   }.cs__freeze
   ARRAY_JOIN_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(ARRAY_JOIN_HASH)
@@ -29,8 +30,8 @@ class Array
   # Multiple Strings are appended with the #join method. Because that
   # operation happens in C, we have to do it here rather than rely on the
   # patch of our String append or concat methods.
-  def __cs_track_join separator, ret
-    return ret if Contrast::Agent::Patching::Policy::Patcher.skip_assess_analysis?
+  def cs__track_join separator, ret
+    return ret if Contrast::Agent::Patching::Policy::Patch.skip_assess_analysis?
     with_contrast_scope do
       shift = 0

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/assess_extension.rb RENAMED

@@ -14,8 +14,6 @@ module Contrast
       # dataflow features should be sent
       # 'include Contrast::CoreExtensions::Assess::AssessExtension'
       module AssessExtension
-        include Contrast::Utils::ScopeUtil
         # Lazily build properties object. Only objects that have been tracked
         # will have the @_cs__properties, but all will respond to the
         # cs__properties method call. You should only call this method if you

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/basic_object.rb RENAMED

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-cs__scoped_require 'contrast/core_extensions/eval_trigger'
+cs__scoped_require 'contrast/extensions/ruby_core/eval_trigger'
 cs__scoped_require 'contrast/agent/patching/policy/patcher'
 # Our patch into the BasicObject class, allowing us to track calls to the eval

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/erb.rb RENAMED

File without changes

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/exec_trigger.rb RENAMED

File without changes

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/fiber.rb RENAMED

@@ -50,13 +50,12 @@ class Fiber
     def track_rb_fiber_yield fiber, _method, results
       # results will be nil if StopIteration was raised,
       # otherwise an Array of the yielded arguments
-      return if results.nil?
+      return unless results.cs__is_a?(Array)
       return unless ASSESS.enabled?
       with_contrast_scope do
         results.each do |result|
-          next unless Contrast::Utils::DuckUtils.quacks_like_cs_patched?(result)
+          next unless Contrast::Utils::DuckUtils.trackable?(result)
           next if result.cs__frozen?
           cs__splat_tags(result, fiber)
@@ -71,7 +70,7 @@ class Fiber
     end
     def track_rb_fiber_new fiber, _enum, _enum_method, underlying, _underlying_method
-      return unless Contrast::Utils::DuckUtils.quacks_like_cs_patched?(underlying)
+      return unless Contrast::Utils::DuckUtils.trackable?(underlying)
       return unless underlying.is_a?(String) && !underlying.empty?
       return unless ASSESS.enabled?

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/hash.rb RENAMED

File without changes

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/kernel.rb RENAMED

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 cs__scoped_require 'contrast/components/interface'
-cs__scoped_require 'contrast/core_extensions/assess/exec_trigger'
+cs__scoped_require 'contrast/extensions/ruby_core/assess/exec_trigger'
 # This module provides us with a way to invoke Kernel propagation for those
 # methods which are too complex to fit into one of the standard

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/module.rb RENAMED

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
-cs__scoped_require 'contrast/core_extensions/eval_trigger'
+cs__scoped_require 'contrast/extensions/ruby_core/eval_trigger'
 # Our patch into the Module class, allowing us to track calls to the eval
 # method

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/regexp.rb RENAMED

File without changes

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/string.rb RENAMED

File without changes

data/lib/contrast/{core_extensions → extensions/ruby_core}/assess/tilt_template_trigger.rb RENAMED

File without changes

data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb ADDED

@@ -0,0 +1,40 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+cs__scoped_require 'contrast/components/interface'
+# This module acts a trigger to handle the special cases of the XPath library gem
+# and the Oga gem. Untrusted data may come into either of the trigger methods from
+# these classes as an array or hash, respectively. Since untrusted user input comes
+# into these triggers as a splat argument or an options hash, we need to iterate
+# thorugh these objects to see if we were tracking on any of them and report a finding
+# if so.
+module XPathLibraryTrigger
+  include Contrast::Components::Interface
+  class << self
+    def xpath_trigger_check context, trigger_node, _source, object, ret, invoked, *args
+      return ret unless args
+      # convert the options arg in Oga::XML::CharacterNode#initialize into an
+      # array of its values so we can check if any are unsafe
+      args = args.first.values if oga_defined? && object.cs__is_a?(Oga::XML::CharacterNode) && args.first.cs__is_a?(Hash)
+      args.each do |arg|
+        next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
+        next unless arg.cs__tracked?
+        next unless trigger_node.violated?(arg)
+        Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
+            context, trigger_node, arg, object, ret, invoked + 1, args)
+      end
+      ret
+    end
+    private
+    def oga_defined?
+      @_oga_defined ||= defined?(Oga::XML::CharacterNode)
+    end
+  end
+end

data/lib/contrast/{core_extensions → extensions/ruby_core}/delegator.rb RENAMED

File without changes

data/lib/contrast/{core_extensions → extensions/ruby_core}/eval_trigger.rb RENAMED

@@ -28,7 +28,7 @@ module Contrast
           # source might not be all the args passed in, but it is the one we care
           # about. we could pass in all the args in the last param here if it
           # becomes an issue in rendering on TS
-          Contrast::Agent::Assess::Policy::TriggerMethod.cs__apply_trigger(
+          Contrast::Agent::Assess::Policy::TriggerMethod.apply_eval_trigger(
               current_context,
               trigger_node(clazz, method),
               source,

data/lib/contrast/{core_extensions → extensions/ruby_core}/inventory.rb RENAMED

File without changes

data/lib/contrast/{core_extensions → extensions/ruby_core}/inventory/datastores.rb RENAMED

@@ -20,7 +20,7 @@ module Contrast
           # report.
           DATA_STORE_MARKER = 'data_store'
-          def cs__patched_report_data_store _method, _exception, properties, object, _args
+          def patched_report_data_store _method, _exception, properties, object, _args
             return unless INVENTORY.enabled?
             marker = properties[DATA_STORE_MARKER]