contrast-agent 3.9.1 → 3.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0a8762b07c0f0d3d160bbb27e17889197263e3a791ea904df5e8fd6718ea380
-  data.tar.gz: e4e19fa0f8f300f4c7450d9d2cc83d907c03f5b2d0ab66662ba91fb200e0df1e
+  metadata.gz: 0dbe37872e820951219da1fe4ec999627ac80d353c7bcb410f9ba23eb1cde1f5
+  data.tar.gz: b047e09b04b21d8aa8d6aa18628f18e27db5d29582186071b2914c1782690979
 SHA512:
-  metadata.gz: be95e36b2c836a20cc8fab92c3dc5840b087f6ab762ddce901bc109ec2ef71cd25bb75a46dbb5f092f44621eaedc4655cff04956bd72075d7d432394fbd0e3e3
-  data.tar.gz: fcdbda9a333c872c43f4ab7079bd067573891c23b42b56afd42f09bf73613ba4c22c214d9bb21570e888463312985141a568d8a7e1cd826bb3f13db988e0e9cd
+  metadata.gz: ecae0eb3a447018a25090a709f100def02ee94f1ff6e8218a9acdbd32ee6a4bd5e5b118921aecc94888c5c99b0ece6b17bb1bd15d2c56b8995506856070712c7
+  data.tar.gz: 7675ace867f1e8e92003e03c52fbaf516b97c723b600dff7544e33dd4f1a9c5e4333f054cf45a984cd2117ef073a8b1b1775756fc1ee353ddb6c36a287a77c56

data/.flayignore

@@ -0,0 +1 @@
+./lib/contrast/api/*_pb.rb

data/.simplecov

@@ -1,4 +1,7 @@
-SimpleCov.minimum_coverage 92.30
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+SimpleCov.minimum_coverage line: 92.30
 SimpleCov.start do
   add_filter '/spec/'
-end
+end

data/ext/build_funchook.rb

@@ -31,15 +31,15 @@ unless find_header('funchook.h', ext_path)
   end
 
   SOURCE_PATHS = [
-      File.join('include', 'funchook.h'),
-      File.join('src', 'libfunchook.dylib'),
-      File.join('src', 'libfunchook.so')
+    File.join('include', 'funchook.h'),
+    File.join('src', 'libfunchook.dylib'),
+    File.join('src', 'libfunchook.so')
   ].freeze
 
   TARGET_PATHS = ([
-      File.expand_path(File.join(File.expand_path(__dir__), '..', 'shared_libraries')),
-      File.expand_path(__dir__)
-  ] + (bundler_install_target_paths)).freeze
+    File.expand_path(File.join(File.expand_path(__dir__), '..', 'shared_libraries')),
+    File.expand_path(__dir__)
+  ] + bundler_install_target_paths).freeze
 
   puts 'Copying required files'
 
@@ -51,11 +51,16 @@ unless find_header('funchook.h', ext_path)
     end
 
     TARGET_PATHS.each do |target_path|
+      unless File.writable?(target_path)
+        puts "Unable to copy into #{ target_path } - directory not writable"
+        next
+      end
       puts "Copying #{ source_file_path } into #{ target_path }"
       FileUtils.cp(source_file_path, target_path)
+    rescue StandardError
+      puts "Error while copying #{ source_file } to #{ target_path }"
     end
   end
 end
 
-
 have_header('funchook.h', ext_path)

data/ext/cs__assess_active_record_named/cs__active_record_named.c

@@ -3,6 +3,7 @@
 
 #include "cs__active_record_named.h"
 #include <ruby.h>
+#include "../cs__common/cs__common.h"
 
 VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
                                           const VALUE self) {
@@ -18,7 +19,7 @@ VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
      */
     VALUE new_body, ret;
     VALUE new_args[3];
-    new_body = rb_funcall(self, rb_sym_assess_rewrite, 2, argv[0], argv[1]);
+    new_body = rb_funcall(active_record_named, rb_sym_assess_rewrite, 3, self, argv[0], argv[1]);
     new_args[0] = argv[0];
     if (NIL_P(new_body)) {
         new_args[1] = argv[1];
@@ -31,17 +32,14 @@ VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
 }
 
 void Init_cs__assess_active_record_named(void) {
-    rb_sym_assess_rewrite = rb_intern("_cs__rewrite");
-    rb_sym_assess_scope = rb_intern("cs__patched_scope");
-
-    VALUE active_record_module = rb_define_module("ActiveRecord");
-    VALUE scoping_module =
-        rb_define_module_under(active_record_module, "Scoping");
-    VALUE named_module = rb_define_module_under(scoping_module, "Named");
-    VALUE class_methods_module =
-        rb_define_module_under(named_module, "ClassMethods");
-
-    contrast_alias_method(class_methods_module, "cs__patched_scope", "scope");
-    rb_define_method(class_methods_module, "scope",
-                     contrast_assess_active_record_scope, -1);
+    VALUE framework, rails, rewrite;
+    framework = rb_define_module_under(contrast, "Framework");
+    rails = rb_define_module_under(framework, "Rails");
+    rewrite = rb_define_module_under(rails, "Rewrite");
+    active_record_named = rb_define_class_under(rewrite, "ActiveRecordNamed", rb_cObject);
+    rb_sym_assess_rewrite = rb_intern("rewrite");
+    rb_sym_assess_scope   = contrast_register_patch("ActiveRecord::Scoping::Named::ClassMethods",
+                                                    "scope",
+                                                    contrast_assess_active_record_scope);
 }
+

data/ext/cs__assess_active_record_named/cs__active_record_named.h

@@ -1,5 +1,6 @@
 #include <ruby.h>
 
+static VALUE active_record_named;
 static VALUE rb_sym_assess_rewrite;
 static VALUE rb_sym_assess_scope;
 

data/ext/cs__assess_active_record_named/extconf.rb

@@ -1,2 +1,5 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
 $TO_MAKE = File.basename(__dir__)
 require_relative '../extconf_common'

data/ext/cs__assess_array/cs__assess_array.c

@@ -23,16 +23,15 @@ static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
     /* Finally, default to empty String. Implicit since nil.to_s is ''*/
 
     result = rb_funcall2(ary, rb_sym_assess_array_join, argc, argv);
-    result = rb_funcall(ary, rb_sym_assess_track_array_join, 2, sep, result);
+    result = rb_funcall(array_propagator, rb_sym_assess_track_array_join, 3, ary, sep, result);
 
     return result;
 }
 
 void Init_cs__assess_array(void) {
-    rb_sym_assess_array_join = rb_intern("cs__patched_join");
+    array_propagator = rb_define_class_under(core_assess, "ArrayPropagator", rb_cObject);
     rb_sym_assess_track_array_join = rb_intern("cs__track_join");
-
-    VALUE array_class = rb_define_class("Array", rb_cObject);
-    contrast_alias_method(array_class, "cs__patched_join", "join");
-    rb_define_method(array_class, "join", contrast_assess_array_join, -1);
+    rb_sym_assess_array_join = contrast_register_patch("Array",
+                                                       "join",
+                                                       contrast_assess_array_join);
 }

data/ext/cs__assess_array/cs__assess_array.h

@@ -1,5 +1,6 @@
 #include <ruby.h>
 
+static VALUE array_propagator;
 static VALUE rb_sym_assess_array_join;
 static VALUE rb_sym_assess_track_array_join;
 

data/ext/cs__assess_array/extconf.rb

@@ -1,2 +1,5 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
 $TO_MAKE = File.basename(__dir__)
 require_relative '../extconf_common'

data/ext/cs__assess_basic_object/cs__assess_basic_object.c

@@ -5,14 +5,9 @@
 #include "../cs__common/cs__common.h"
 #include <ruby.h>
 
-void contrast_assess_instance_eval_trigger_check(VALUE module, VALUE source,
+void contrast_assess_instance_eval_trigger_check(VALUE self, VALUE source,
                                                  VALUE ret) {
-    VALUE has_trigger_check =
-        rb_respond_to(rb_cBasicObject, instance_trigger_check_method);
-    if (has_trigger_check) {
-        rb_funcall(rb_cBasicObject, instance_trigger_check_method, 2, source,
-                   ret);
-    }
+    rb_funcall(basic_eval_trigger, instance_trigger_check_method, 3, self, source, ret);
 }
 
 VALUE
@@ -41,10 +36,17 @@ contrast_assess_basic_object_instance_eval(const int argc, const VALUE *argv,
 }
 
 void Init_cs__assess_basic_object(void) {
+    basic_eval_trigger = rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
     instance_trigger_check_method = rb_intern("instance_eval_trigger_check");
 
-    contrast_alias_method(rb_cBasicObject, "cs__patched_instance_eval",
-                          "instance_eval");
-    rb_define_method(rb_cBasicObject, "instance_eval",
-                     contrast_assess_basic_object_instance_eval, -1);
+    /* We don't keep a reference to the underlying method.
+     * Instead, we call rb_obj_instance_eval directly.
+     * This should work an overwhelming majority of the time,
+     * but if someone else patched BasicObject#instance_eval,
+     * IDK if this is intentional... noting it.  -ajm
+     */
+    contrast_register_patch("BasicObject",
+                            "instance_eval",
+                            contrast_assess_basic_object_instance_eval);
+
 }

data/ext/cs__assess_basic_object/cs__assess_basic_object.h

@@ -1,6 +1,7 @@
 #include <ruby.h>
 
-/* Contrast::Agent::Patching::Policy::Patcher */
+/* Contrast::Extension::Assess::EvalTrigger */
+static VALUE basic_eval_trigger;
 static VALUE instance_trigger_check_method;
 
 void contrast_alias_method(const VALUE target, const char *to,

data/ext/cs__assess_basic_object/extconf.rb

@@ -1,2 +1,5 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
 $TO_MAKE = File.basename(__dir__)
 require_relative '../extconf_common'

data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c

@@ -2,6 +2,7 @@
  * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
 
 #include "cs__assess_fiber_track.h"
+#include "../cs__common/cs__common.h"
 #include <funchook.h>
 #include <ruby.h>
 
@@ -44,7 +45,7 @@ VALUE rb_fiber_new_hook(VALUE (*func)(ANYARGS), VALUE obj) {
         VALUE enumerator_method = ID2SYM(enum_ptr->meth);
         /* e.g.: 1..100, #each_value.  Should reflect #inspect on the enum. */
 
-        rb_funcall(fiber_class, track_rb_fiber_new, 5, fiber, obj,
+        rb_funcall(fiber_propagator, track_rb_fiber_new, 5, fiber, obj,
                    enumerator_method, underlying, calling_method);
     }
 
@@ -56,7 +57,7 @@ VALUE rb_fiber_yield_hook(int argc, const VALUE *argv) {
     VALUE yielding_fiber = rb_fiber_current();
 
     /* propagate from yielding_fiber -> result */
-    rb_funcall(fiber_class, track_rb_fiber_yield, 3, yielding_fiber,
+    rb_funcall(fiber_propagator, track_rb_fiber_yield, 3, yielding_fiber,
                calling_method, *argv);
 
     return rb_fiber_yield_original(argc, argv);
@@ -78,7 +79,7 @@ int install_fiber_hooks() {
 }
 
 void Init_cs__assess_fiber_track(void) {
-    fiber_class = rb_define_class("Fiber", rb_cObject);
+    fiber_propagator = rb_define_class_under(core_assess, "FiberPropagator", rb_cObject);
     track_rb_fiber_new = rb_intern("track_rb_fiber_new");
     track_rb_fiber_yield = rb_intern("track_rb_fiber_yield");
     rb_sym_next = rb_intern("next");

data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h

@@ -2,15 +2,15 @@
 #include <ruby.h>
 
 static VALUE rb_sym_next;
-static VALUE fiber_class;
+static VALUE fiber_propagator;
 static VALUE track_rb_fiber_new;
 static VALUE track_rb_fiber_yield;
 
 VALUE rb_fiber_new(VALUE (*func)(ANYARGS), VALUE obj);
-VALUE *(*rb_fiber_new_original)(VALUE (*func)(ANYARGS), VALUE obj);
+VALUE (*rb_fiber_new_original)(VALUE (*func)(ANYARGS), VALUE obj);
 
 VALUE rb_fiber_yield(int argc, const VALUE *argv);
-VALUE *(*rb_fiber_yield_original)(int argc, const VALUE *argv);
+VALUE (*rb_fiber_yield_original)(int argc, const VALUE *argv);
 
 /* If you call `#next` on an enumerator object, that enumerator object
  * instantiates a fiber and runs its given proc inside of that fiber.

data/ext/cs__assess_fiber_track/extconf.rb

@@ -1,2 +1,5 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
 $TO_MAKE = File.basename(__dir__)
 require_relative '../extconf_common'

data/ext/cs__assess_hash/cs__assess_hash.c

@@ -5,7 +5,14 @@
 #include "../cs__common/cs__common.h"
 #include <ruby.h>
 
-static VALUE contrast_assess_hash_bracket_get(const int argc, VALUE *argv,
+/* Hashes can be constructed thusly):
+ *   irb(main):001:0> Hash[:a, :b]
+ *   => {:a=>:b}
+ *
+ * This method instruments that unique bracket-construction style
+ * of initializing a hash.
+ */
+static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *argv,
                                               const VALUE hash) {
     VALUE result;
 
@@ -14,14 +21,14 @@ static VALUE contrast_assess_hash_bracket_get(const int argc, VALUE *argv,
         int i;
         for (i = 0; i < argc; i++) {
             argv[i] =
-                rb_funcall(hash, rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
+                rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
         }
         /* Hash[ key, value, ... ]         -> new_hash */
     } else if (argc > 1) {
         int i;
         for (i = 0; i < argc; i += 2) {
             argv[i] =
-                rb_funcall(hash, rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
+                rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
         }
     }
 
@@ -29,36 +36,52 @@ static VALUE contrast_assess_hash_bracket_get(const int argc, VALUE *argv,
      * String keys
      * # Hash[ object ]                  -> new_hash
      */
-    result = rb_funcall2(hash, rb_sym_assess_hash_brackets, argc, argv);
+    result = rb_funcall2(hash, rb_sym_assess_hash_bracket_constructor, argc, argv);
 
     return result;
 }
 
+/* Hashes, when keyed with a string, will dup & freeze that string.
+ * This is resource-efficient, but inconvenient for instrumentation.
+ */
 static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
                                               const VALUE hash) {
     VALUE result;
-    VALUE key;
-
-    key = rb_funcall2(hash, rb_sym_assess_hash_bracket_set, argc, argv);
-    argv[0] = key;
+    /* Current name (assess_hash_bracket_set).
+     * It doesn't set anything on the hash.
+     * It takes the arg that /would/ have been the key, and preemptively
+     * calls #dup and then #freeze, and then gives you that key.
+     *
+     * We intentionally don't enter Contrast scope for this patch.
+     * #dup instruments the string, and #freeze gets the hash to accept
+     * the key directly, without calling its own #dup/#freeze.
+     * (That naturally happens in C-land, our instrumentation is in Ruby,
+     * so our patches to #dup don't take effect within Hash#[]= unless we
+     * specifically do this instrumentation.
+     * We haven't revisited this approach since we started more extensively
+     * hooking public C functions.)
+     */
+    if(argc > 0) {
+        argv[0] = rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[0]);
+    }
+    /* This is the underlying assignment, w/ our instrumented key. */
     result = rb_funcall2(hash, rb_sym_assess_hash_bracket_equals, argc, argv);
 
     return result;
 }
 
 void Init_cs__assess_hash(void) {
+    hash_propagator = rb_define_class_under(core_assess, "HashPropagator", rb_cObject);
     rb_sym_assess_hash_dup_and_freeze = rb_intern("cs__duplicate_and_freeze");
-    rb_sym_assess_hash_brackets = rb_intern("cs__patched_[]");
-    rb_sym_assess_hash_bracket_set = rb_intern("cs__bracket_set");
-    rb_sym_assess_hash_bracket_equals = rb_intern("cs__patched_[]=");
 
     VALUE hash_class = rb_define_class("Hash", rb_cObject);
-    array_class = rb_define_class("Array", rb_cObject);
 
-    VALUE singleton = rb_singleton_class(hash_class);
-    contrast_alias_method(singleton, "cs__patched_[]", "[]");
-    rb_define_method(singleton, "[]", contrast_assess_hash_bracket_get, -1);
+    rb_sym_assess_hash_bracket_constructor = contrast_register_singleton_patch("Hash",
+                                                                               "[]",
+                                                                               contrast_assess_hash_bracket_constructor);
+
+    rb_sym_assess_hash_bracket_equals = contrast_register_patch("Hash",
+                                                                "[]=",
+                                                                contrast_assess_hash_bracket_set);
 
-    contrast_alias_method(hash_class, "cs__patched_[]=", "[]=");
-    rb_define_method(hash_class, "[]=", contrast_assess_hash_bracket_set, -1);
 }

data/ext/cs__assess_hash/cs__assess_hash.h

@@ -1,11 +1,9 @@
 #include <ruby.h>
 
-static VALUE array_class;
-
 static VALUE rb_sym_assess_hash_dup_and_freeze;
-static VALUE rb_sym_assess_hash_brackets;
-static VALUE rb_sym_assess_hash_bracket_set;
+static VALUE rb_sym_assess_hash_bracket_constructor;
 static VALUE rb_sym_assess_hash_bracket_equals;
+static VALUE hash_propagator;
 
 /*
  * Monkeypatch Ruby Hash with Contrast Security Hash in order ot avoid losing
@@ -15,8 +13,8 @@ static VALUE rb_sym_assess_hash_bracket_equals;
  * ahead of time should avoid this, similar to the behavior of the -@ Strings
  * -HM
  */
-static VALUE contrast_assess_hash_bracket_get(const int argc, VALUE *argv,
-                                              const VALUE hash);
+static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *argv,
+                                                      const VALUE hash);
 
 static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
                                               const VALUE hash);

data/ext/cs__assess_hash/extconf.rb

@@ -1,2 +1,5 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
 $TO_MAKE = File.basename(__dir__)
 require_relative '../extconf_common'

data/ext/cs__assess_kernel/cs__assess_kernel.c

@@ -18,19 +18,21 @@ contrast_patched_kernel_exec(const int argc, const VALUE *argv,
         rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
     }
 
-    return rb_funcall(self, rb_intern("cs__assess_kernel_exec"), argc, *argv);
+    /* maybe this should be rb_funcall2.  this works right now because *argv == argv[0].
+     * exec shouldn't ever be called with != 1 argc, so not a huge problem */
+    return rb_funcall(self, rb_sym_assess_kernel_exec, argc, *argv);
 }
 
 void Init_cs__assess_kernel(void) {
-    kernel_propagator = rb_define_module("KernelPropagator");
+    kernel_propagator = rb_define_module_under(core_assess, "KernelPropagator");
     exec_apply_trigger = rb_intern("apply_trigger");
 
-    VALUE singleton = rb_singleton_class(rb_mKernel);
+    rb_sym_assess_kernel_exec = contrast_register_patch("Kernel",
+                                                        "exec",
+                                                        contrast_patched_kernel_exec);
 
-    contrast_alias_method(rb_mKernel, "cs__assess_kernel_exec", "exec");
-    rb_define_private_method(rb_mKernel, "exec", contrast_patched_kernel_exec,
-                             -1);
-
-    contrast_alias_method(singleton, "cs__assess_kernel_exec", "exec");
-    rb_define_method(singleton, "exec", contrast_patched_kernel_exec, -1);
+    /* should return the same value as above */
+    rb_sym_assess_kernel_exec = contrast_register_singleton_patch("Kernel",
+                                                                  "exec",
+                                                                  contrast_patched_kernel_exec);
 }

data/ext/cs__assess_kernel/cs__assess_kernel.h

@@ -2,6 +2,7 @@
 
 static VALUE exec_apply_trigger;
 static VALUE kernel_propagator;
+static VALUE rb_sym_assess_kernel_exec;
 
 VALUE
 contrast_patched_kernel_exec(const int argc, const VALUE *argv,