contrast-agent 4.0.0 → 4.3.2

data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb

@@ -18,12 +18,16 @@ module Contrast
             end
 
             def external_entity?
-              @_external_entity ||= begin
-                return external_id?(@system_id) if @system_id
-                return external_id?(@public_id) if @public_id
-
-                false
+              if @_external_entity.nil?
+                @_external_entity ||= if @system_id
+                                        external_id?(@system_id)
+                                      elsif @public_id
+                                        external_id?(@public_id)
+                                      else
+                                        false
+                                      end
               end
+              @_external_entity
             end
 
             # <!ENTITY name SYSTEM "URI">
@@ -48,7 +52,7 @@ module Contrast
             UP_DIR_LINUX = '../'
             UP_DIR_WIN =   '..\\'
             # we only use this against lowercase strings, removed A-Z for speed
-            FILE_PATTERN_WINDOWS = /^[\\\\]*[a-z]{1,3}:.*/.cs__freeze
+            FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
             def external_id? entity_id
               return false unless entity_id
 

data/lib/contrast/agent/reaction_processor.rb

@@ -22,7 +22,7 @@ module Contrast
       # @param application_settings [Contrast::Api::Settings::ApplicationSettings]
       #   those settings which the Service has relayed from TeamServer.
       def self.process application_settings
-        return nil unless application_settings&.reactions&.any?
+        return unless application_settings&.reactions&.any?
 
         application_settings.reactions.each do |reaction|
           # the enums are all uppercase, we need to downcase them before attempting to log

data/lib/contrast/agent/response.rb

@@ -118,16 +118,16 @@ module Contrast
       #   holds, wraps, or is the body of the Response
       # @return [nil, String] the content of the body
       def extract_body body
-        return nil unless body
+        return unless body
 
         if defined?(Rack::File) && body.is_a?(Rack::File)
           # not sure what to do in this situation, so don't do anything.
           nil
         elsif body.is_a?(Rack::BodyProxy)
           handle_rack_body_proxy(body)
-        elsif defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)
-          extract_body(body.body)
-        elsif body.is_a?(Rack::Response)
+        elsif (defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)) ||
+              body.is_a?(Rack::Response)
+
           extract_body(body.body)
         elsif Contrast::Utils::DuckUtils.quacks_to?(body, :each)
           acc = []
@@ -152,7 +152,7 @@ module Contrast
       end
 
       def read_or_string obj
-        return nil unless obj
+        return unless obj
 
         if Contrast::Utils::DuckUtils.quacks_to?(obj, :read)
           tmp = obj.read

data/lib/contrast/agent/rewriter.rb

@@ -96,11 +96,11 @@ module Contrast
           return unless method_exists?(clazz, method_name, type)
 
           method_instance = method_instance(clazz, method_name, type)
-          return nil if method_instance.nil?
+          return if method_instance.nil?
 
           location = method_instance.source_location
-          return nil unless location_available?(location)
-          return nil if opener.written_from_location?(location)
+          return unless location_available?(location)
+          return if opener.written_from_location?(location)
 
           opener.written_from_location!(location)
           opener.source_code(location, method_name)

data/lib/contrast/agent/scope.rb

@@ -15,67 +15,93 @@ module Contrast
     # Instead, we should say "If I'm already doing Contrast things, don't track
     # this"
     class Scope
-      # The following %i[] list is the authoritative list
-      # of scopes.  If you define a new symbol here, you'll
-      # get scope methods:
-      #   %i[monkey] ->
-      #     enter_monkey_scope!
-      #     exit_monkey_scope!
-      #     in_monkey_scope?
-      #     with_monkey_scope { special_monkey_function }
-      SCOPE_LIST = %i[contrast deserialization].cs__freeze
-
-      iv_list = SCOPE_LIST.map { |name| :"@#{ name }_scope" }
-      define_method 'initialize' do
-        iv_list.each do |iv_sym|
-          instance_variable_set(iv_sym, 0)
-        end
+      SCOPE_LIST = %i[contrast deserialization split].cs__freeze
+
+      def initialize
+        @contrast_scope = 0
+        @deserialization_scope = 0
+        @split_scope = 0
       end
 
-      SCOPE_LIST.each do |name|
-        iv_sym = :"@#{ name }_scope"
+      def in_contrast_scope?
+        @contrast_scope.positive?
+      end
 
-        define_method "in_#{ name }_scope?" do
-          instance_variable_get(iv_sym).positive?
-        end
+      def in_deserialization_scope?
+        @deserialization_scope.positive?
+      end
 
-        enter_method_sym = :"enter_#{ name }_scope!"
-        define_method enter_method_sym do
-          level = instance_variable_get(iv_sym)
-          instance_variable_set(iv_sym, level + 1)
-        end
+      def in_split_scope?
+        @split_scope.positive?
+      end
 
-        exit_method_sym = :"exit_#{ name }_scope!"
-        define_method exit_method_sym do
-          # by design, can go below zero.
-          # every exit/enter pair (regardless of series)
-          # should cancel each other out.
-          #
-          # so we prefer this sequence:
-          #   scope =  0
-          #   exit  = -1
-          #   enter =  0
-          #   enter =  1
-          #   exit  =  0
-          #   scope =  0
-          #
-          # over this sequence:
-          #   scope =  0
-          #   exit  =  0
-          #   enter =  1
-          #   enter =  2
-          #   exit  =  1
-          #   scope =  1
-          level = instance_variable_get(iv_sym)
-          instance_variable_set(iv_sym, level - 1)
-        end
+      def enter_contrast_scope!
+        @contrast_scope += 1
+      end
 
-        define_method "with_#{ name }_scope" do |*_args, &block|
-          send enter_method_sym
-          block.call
-        ensure
-          send exit_method_sym
-        end
+      def enter_deserialization_scope!
+        @deserialization_scope += 1
+      end
+
+      def enter_split_scope!
+        @split_scope += 1
+      end
+
+      def split_scope_depth
+        @split_scope
+      end
+
+      # Scope Exits...
+      # by design, can go below zero.
+      # every exit/enter pair (regardless of series)
+      # should cancel each other out.
+      #
+      # so we prefer this sequence:
+      #   scope =  0
+      #   exit  = -1
+      #   enter =  0
+      #   enter =  1
+      #   exit  =  0
+      #   scope =  0
+      #
+      # over this sequence:
+      #   scope =  0
+      #   exit  =  0
+      #   enter =  1
+      #   enter =  2
+      #   exit  =  1
+      #   scope =  1
+      def exit_contrast_scope!
+        @contrast_scope -= 1
+      end
+
+      def exit_deserialization_scope!
+        @deserialization_scope -= 1
+      end
+
+      def exit_split_scope!
+        @split_scope -= 1
+      end
+
+      def with_contrast_scope
+        enter_contrast_scope!
+        yield
+      ensure
+        exit_contrast_scope!
+      end
+
+      def with_deserialization_scope
+        enter_deserialization_scope!
+        yield
+      ensure
+        exit_deserialization_scope!
+      end
+
+      def with_split_scope
+        enter_split_scope!
+        yield
+      ensure
+        exit_split_scope!
       end
 
       # Dynamic versions of the above.

data/lib/contrast/agent/static_analysis.rb

@@ -17,14 +17,9 @@ module Contrast
         # report the already-loaded gems.
         def catchup
           @_catchup ||= begin
-            with_contrast_scope do
-              Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.catchup
-              send_inventory_message
-              true
-            end
+            threaded_analysis!
+            true
           end
-        rescue StandardError => e
-          logger.warn('Unable to run post-initialization static analysis', e)
         end
 
         def send_inventory_message
@@ -35,6 +30,17 @@ module Contrast
           Contrast::Utils::InventoryUtil.append_db_config(app_update_msg)
           Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg)
         end
+
+        private
+
+        def threaded_analysis!
+          Contrast::Agent::Thread.new do
+            Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.catchup
+            send_inventory_message
+          rescue StandardError => e
+            logger.warn('Unable to run post-initialization static analysis', e)
+          end
+        end
       end
     end
   end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '4.0.0'
+    VERSION = '4.3.2'
   end
 end

data/lib/contrast/api/decorators/library.rb

@@ -13,6 +13,7 @@ module Contrast
         def self.included klass
           klass.extend(ClassMethods)
         end
+
         # Used to add class methods to the Library class on inclusion of the decorator
         module ClassMethods
           def build digest, gem_specification

data/lib/contrast/api/decorators/library_usage_update.rb

@@ -11,6 +11,7 @@ module Contrast
         def self.included klass
           klass.extend(ClassMethods)
         end
+
         # Used to add class methods to the LibraryUsageUpdate class on inclusion of the decorator
         module ClassMethods
           def build digest, files

data/lib/contrast/api/decorators/trace_event.rb

@@ -15,44 +15,30 @@ module Contrast
 
         # Wrapper around build_event_object for the args array. Handles
         # tainting the correct argument.
-        def build_event_args contrast_event, taint_target
+        def build_event_args! contrast_event, taint_target
           contrast_event.args.each_index do |idx|
             truncate_arg = taint_target != idx
             event_arg = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.args[idx], truncate_arg)
             args << event_arg
           end
+          self
         end
 
-        # TeamServer only supports one object's taint ranges at a time.
-        # We'll find the taint ranges for the target and return those
-        def build_taint_ranges contrast_event, taint_target
+        # TeamServer only supports one object's taint ranges at a time. We keep
+        # those tags on the event directly, so we just need to convert them to
+        # their DTM form in order to report this.
+        #
+        # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        def build_taint_ranges! contrast_event
           # If there's no taint_target, this isn't a dataflow trace, but a
           # trigger one
-          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless taint_target
+          return self unless contrast_event&.tags
 
-          properties = case taint_target
-                       when Contrast::Utils::ObjectShare::OBJECT_KEY
-                         Contrast::Agent::Assess::Tracker.properties(contrast_event.object)
-                       when Contrast::Utils::ObjectShare::RETURN_KEY
-                         Contrast::Agent::Assess::Tracker.properties(contrast_event.ret)
-                       else
-                         target = contrast_event.args[taint_target]
-                         if target.is_a?(Hash)
-                           if contrast_event.policy_node&.targets&.any?
-                             Contrast::Agent::Assess::Tracker.properties(target[contrast_event.policy_node.targets[0]])
-                           else
-                             Contrast::Agent::Assess::Tracker.properties(target[contrast_event.policy_node.sources[0]])
-                           end
-                         else
-                           Contrast::Agent::Assess::Tracker.properties(target)
-                         end
-                       end
-          return unless properties.tracked?
-
-          self.taint_ranges += properties.tags_to_dtm
+          self.taint_ranges += Contrast::Api::Dtm::TraceTaintRange.build_for_event(contrast_event.tags)
+          self
         end
 
-        def build_parent_ids contrast_event
+        def build_parent_ids! contrast_event
           contrast_event&.parent_events&.each do |event|
             next unless event
 
@@ -60,12 +46,14 @@ module Contrast
             parent.id = event.event_id.to_i
             parent_object_ids << parent
           end
+          self
         end
 
-        def build_stack contrast_event
+        def build_stack! contrast_event
           # We delayed doing this as long as possible b/c it's expensive
           stack_dtms = Contrast::Utils::StackTraceUtils.build_assess_stack_array(contrast_event.stack_trace)
           self.stack += stack_dtms
+          self
         end
 
         # Class methods for TraceEvent
@@ -85,10 +73,10 @@ module Contrast
             event_dtm.object = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.object, truncate_obj)
             truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
             event_dtm.ret = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.ret, truncate_ret)
-            event_dtm.build_event_args(contrast_event, taint_target)
-            event_dtm.build_parent_ids(contrast_event)
-            event_dtm.build_taint_ranges(contrast_event, taint_target)
-            event_dtm.build_stack(contrast_event)
+            event_dtm.build_event_args!(contrast_event, taint_target)
+            event_dtm.build_parent_ids!(contrast_event)
+            event_dtm.build_taint_ranges!(contrast_event)
+            event_dtm.build_stack!(contrast_event)
             event_dtm.object_id = contrast_event.event_id.to_i
             event_dtm.signature = Contrast::Api::Dtm::TraceEventSignature.build(contrast_event.ret, contrast_event.policy_node, contrast_event.args)
             event_dtm

data/lib/contrast/api/decorators/trace_event_object.rb

@@ -29,13 +29,21 @@ module Contrast
           ELLIPSIS = '...'
           UNTRUNCATED_PORTION_LENGTH = 25
           TRUNCATION_LENGTH = (UNTRUNCATED_PORTION_LENGTH * 2) + ELLIPSIS.length
-          def build object, truncate
+
+          # Convert the given Object into a Contrast::Api::Dtm::TraceEventObject
+          #
+          # @param contrast_object [Contrast::Agent::Assess::ContrastObject, nil]
+          #   the thing to convert, if any
+          # @param truncate [Boolean] if the converted object can/should be
+          #   truncated.
+          # @return [Contrast::Api::Dtm::TraceEventObject]
+          def build contrast_object, truncate
             event_object = new
             with_contrast_scope do
-              obj_string = Contrast::Utils::StringUtils.force_utf8(object)
+              obj_string = Contrast::Utils::StringUtils.force_utf8(contrast_object&.object)
               obj_string = truncate(obj_string) if truncate && obj_string.length > TRUNCATION_LENGTH
               event_object.value = Base64.encode64(obj_string)
-              event_object.tracked = Contrast::Utils::Assess::TrackingUtil.tracked?(object)
+              event_object.tracked = contrast_object&.tracked?
             end
             event_object
           end

data/lib/contrast/api/decorators/trace_event_signature.rb

@@ -17,27 +17,49 @@ module Contrast
 
         # Class methods for TraceEventSignature
         module ClassMethods
+          # Convert the given composites into components that TeamServer can
+          # understand in order to build a representation of the method
+          # invoked.
+          #
+          # @param ret_obj [Contrast::Agent::Assess::ContrastObject, nil] the
+          #   return value of the method call.
+          # @param policy_node [Contrast::Agent::Assess::Policy::PolicyNode]
+          #   the policy which pertains to the method invoked.
+          # @param args [Array<Contrast::Agent::Assess::ContrastObject>, nil]
+          # @return [Contrast::Api::Dtm::TraceEventSignature]
           def build ret_obj, policy_node, args
             signature = new
-            return_type = ret_obj ? ret_obj.cs__class.name : Contrast::Utils::ObjectShare::NIL_STRING
-            signature.return_type = Contrast::Utils::StringUtils.force_utf8(return_type)
+            signature.return_type = Contrast::Utils::StringUtils.force_utf8(type_name(ret_obj))
             signature.class_name = Contrast::Utils::StringUtils.force_utf8(policy_node.class_name)
             signature.method_name = Contrast::Utils::StringUtils.force_utf8(policy_node.method_name)
             if args
               args&.each do |arg|
-                arg_type = arg ? arg.cs__class.name : Contrast::Utils::ObjectShare::NIL_STRING
-                signature.arg_types << Contrast::Utils::StringUtils.force_utf8(arg_type)
+                signature.arg_types << Contrast::Utils::StringUtils.force_utf8(type_name(arg))
               end
             end
             signature.constructor = policy_node.method_name == :new
             # if there's a ret, then this method isn't nil. not 100% full proof since you can
             # return nil, but this is the best we've got currently.
-            signature.void_method = ret_obj.nil?
+            signature.void_method = ret_obj.nil? || ret_obj.object.nil?
             # 8 is STATIC in Java... we have to placate them for now
             # it has been requested that flags be removed since it isn't used
             signature.flags = 8 unless policy_node.instance_method?
             signature
           end
+
+          private
+
+          # While Ruby signatures do not require neither a return type and can
+          # return anything depending on inputs, code paths, etc, nor constant
+          # parameter types, TeamServer was designed with strongly typed
+          # languages (Java) in mind, so we need types in our signatures.
+          #
+          # @param contrast_object [Contrast::Agent::Assess::ContrastObject, nil]
+          #   the object to find the type of
+          # @return [String] the name of the module of the ret_obj, or `nil`
+          def type_name contrast_object
+            contrast_object ? contrast_object.object_type : Contrast::Utils::ObjectShare::NIL_STRING
+          end
         end
       end
     end