contrast-agent 4.1.0 → 4.4.0

data/lib/contrast/utils/class_util.rb

@@ -52,7 +52,7 @@ module Contrast
         # Return a String representing the object invoking this method in the
         # form expected by our dataflow events.
         #
-        # @param object [Object] the entity to convert to a String
+        # @param object [Object, nil] the entity to convert to a String
         # @return [String] the human readable form of the String, as defined by
         #   https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/capture-snapshot.md
         def to_contrast_string object
@@ -63,6 +63,8 @@ module Contrast
             return cached if cached
 
             object.dup
+          elsif object.nil?
+            Contrast::Utils::ObjectShare::NIL_STRING
           elsif object.cs__is_a?(Symbol)
             ":#{ object }"
           elsif object.cs__is_a?(Numeric)

data/lib/contrast/utils/duck_utils.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Utils
     # Utility methods for identifying instances that can be used interchangeably
-    class DuckUtils
+    module DuckUtils
       class << self
         # Determine if the given object, or the object to which it delegates,
         # responds to the given method.

data/lib/contrast/utils/heap_dump_util.rb

@@ -2,12 +2,13 @@
 # frozen_string_literal: true
 
 require 'objspace'
+require 'singleton'
 require 'contrast/components/interface'
 
 module Contrast
   module Utils
     # Implementation of a heap dump util to automate generation
-    class HeapDumpUtil
+    class HeapDumpUtil < Contrast::Agent::WorkerThread
       include Contrast::Components::Interface
       access_component :heap_dump, :logging
 
@@ -15,98 +16,113 @@ module Contrast
       FILE_WRITE_FLAGS = 'w'
 
       class << self
-        def run
-          return unless heap_dump_enabled?
-
-          log_enabled_warning
-          dir = heap_dump_control[:path]
-          Dir.mkdir(dir) unless Dir.exist?(dir)
-          return unless File.writable?(dir)
-
-          delay = heap_dump_control[:delay]
-          Contrast::Agent::Thread.new do
-            logger.info("HEAP DUMP THREAD INITIALIZED. WAITING #{ delay } SECONDS TO BEGIN.")
-            sleep(delay)
-            capture_heap_dump
-          end
-        rescue StandardError => e
-          logger.info(LOG_ERROR_DUMPS, e)
-          nil
+        def enabled?
+          heap_dump_enabled?
+        end
+
+        def control
+          heap_dump_control
         end
+      end
+
+      def start_thread!
+        return unless Contrast::Utils::HeapDumpUtil.enabled?
 
-        def log_enabled_warning
-          dir    = heap_dump_control[:path]
-          window = heap_dump_control[:window]
-          count  = heap_dump_control[:count]
-          delay  = heap_dump_control[:delay]
-          clean  = heap_dump_control[:clean]
-
-          logger.info <<~WARNING
-            *****************************************************
-            ********      HEAP DUMP HAS BEEN ENABLED     ********
-            *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
-            *****************************************************
-
-            Heap dump is a debugging tool that snapshots the entire
-            state of the Ruby VM. It is an exceptionally expensive
-            process, and should only be used to debug especially
-            pernicious errors.
-
-            It will write multiple memory snaphots, which are liable
-            to be multiple gigabytes in size.
-            They will be named "[unix timestamp]-heap.dump",
-            e.g.: 1020304050-heap.dump
-
-            It will then call Ruby `exit()`.
-
-            If this is not your specific intent, you can (and should)
-            disable this option in your Contrast config file.
-
-            HEAP DUMP PARAMETERS:
-            \t[write files to this directory]             dir:     #{ dir    }
-            \t[wait this many seconds in between dumps]   window:  #{ window }
-            \t[heap dump this many times]                 count:   #{ count  }
-            \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
-            \t[perform gc pass before dump]               clean:   #{ clean  }
-
-            *****************************************************
-            ********        YOU HAVE BEEN WARNED         ********
-            *****************************************************
-          WARNING
+        control = Contrast::Utils::HeapDumpUtil.control
+        log_enabled_warning
+        dir = control[:path]
+        Dir.mkdir(dir) unless Dir.exist?(dir)
+        return unless File.writable?(dir)
+
+        delay = control[:delay]
+        @_thread = Contrast::Agent::Thread.new do
+          logger.info("HEAP DUMP THREAD INITIALIZED. WAITING #{ delay } SECONDS TO BEGIN.")
+          sleep(delay)
+          capture_heap_dump
         end
+      rescue StandardError => e
+        logger.info(LOG_ERROR_DUMPS, e)
+        nil
+      end
+
+      def log_enabled_warning
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        delay  = control[:delay]
+        clean  = control[:clean]
+
+        logger.info <<~WARNING
+          *****************************************************
+          ********      HEAP DUMP HAS BEEN ENABLED     ********
+          *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
+          *****************************************************
+
+          Heap dump is a debugging tool that snapshots the entire
+          state of the Ruby VM. It is an exceptionally expensive
+          process, and should only be used to debug especially
+          pernicious errors.
+
+          It will write multiple memory snaphots, which are liable
+          to be multiple gigabytes in size.
+          They will be named "[unix timestamp]-heap.dump",
+          e.g.: 1020304050-heap.dump
+
+          It will then call Ruby `exit()`.
+
+          If this is not your specific intent, you can (and should)
+          disable this option in your Contrast config file.
+
+          HEAP DUMP PARAMETERS:
+          \t[write files to this directory]             dir:     #{ dir    }
+          \t[wait this many seconds in between dumps]   window:  #{ window }
+          \t[heap dump this many times]                 count:   #{ count  }
+          \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
+          \t[perform gc pass before dump]               clean:   #{ clean  }
+
+          *****************************************************
+          ********        YOU HAVE BEEN WARNED         ********
+          *****************************************************
+        WARNING
+      end
+
+      def capture_heap_dump
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        clean  = control[:clean]
+        logger.info('HEAP DUMP MAIN LOOP')
+        ObjectSpace.trace_object_allocations_start
+        count.times do |i|
+          logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
+          snapshot_heap(dir, clean)
+          logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
+          sleep(window)
+        end
+      ensure
+        ObjectSpace.trace_object_allocations_stop
+        logger.info('*****************************************************')
+        logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
+        logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
+        logger.info('*****************************************************')
+        exit # rubocop:disable Rails/Exit We weren't kidding!
+      end
 
-        def capture_heap_dump
-          dir    = heap_dump_control[:path]
-          window = heap_dump_control[:window]
-          count  = heap_dump_control[:count]
-          clean  = heap_dump_control[:clean]
-          logger.info('HEAP DUMP MAIN LOOP')
-          ObjectSpace.trace_object_allocations_start
-          count.times do |i|
-            logger.info('STARTING HEAP DUMP PASS', current_pass: i + 1, max: count)
-            output = "#{ Time.now.to_f }-heap.dump"
-            output = File.join(dir, output)
-            begin
-              logger.info('OPENING HEADUMP FILE', dir: dir, file: output)
-              file = File.new(output, FILE_WRITE_FLAGS)
-              if clean
-                logger.info('PERFORMING GARBAGE COLLECTION BEFORE HEAP DUMP')
-                GC.start
-              end
-              ObjectSpace.dump_all(output: file)
-              logger.info('FINISHING HEAP DUMP PASS', current_pass: i + 1, max: count)
-            ensure
-              file.close
-            end
-            sleep(window)
+      def snapshot_heap dir, clean
+        output = "#{ Time.now.to_f }-heap.dump"
+        output = File.join(dir, output)
+        begin
+          logger.info('OPENING HEADUMP FILE', dir: dir, file: output)
+          file = File.new(output, FILE_WRITE_FLAGS)
+          if clean
+            logger.info('PERFORMING GARBAGE COLLECTION BEFORE HEAP DUMP')
+            GC.start
           end
+          ObjectSpace.dump_all(output: file)
         ensure
-          ObjectSpace.trace_object_allocations_stop
-          logger.info('*****************************************************')
-          logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
-          logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
-          logger.info('*****************************************************')
-          exit # We weren't kidding!
+          file.close
         end
       end
     end

data/lib/contrast/utils/invalid_configuration_util.rb

@@ -26,19 +26,9 @@ module Contrast
       def cs__report_finding rule_id, user_provided_options, call_location
         with_contrast_scope do
           finding = Contrast::Api::Dtm::Finding.new
-          finding.rule_id = rule_id
-          path = call_location.path
-          # just get the file name, not the full path
-          path = path.split(Contrast::Utils::ObjectShare::SLASH).last
-          session_id = user_provided_options[:key].to_s if user_provided_options
-
           finding.version = Contrast::Agent::Assess::Policy::TriggerMethod::CURRENT_FINDING_VERSION
-          finding.properties[CS__SESSION_ID] = Contrast::Utils::StringUtils.force_utf8(session_id)
-          finding.properties[CS__PATH] = Contrast::Utils::StringUtils.force_utf8(path)
-          file_path = call_location.absolute_path
-          snippet = file_snippet(file_path, call_location)
-          finding.properties[CS__SNIPPET] = Contrast::Utils::StringUtils.force_utf8(snippet)
-
+          finding.rule_id = rule_id
+          set_properties(finding, user_provided_options, call_location)
           hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
           finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
           finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
@@ -50,6 +40,25 @@ module Contrast
 
       private
 
+      # Set the properties needed to report and subsequently render this finding on the finding given.
+      #
+      # @param finding [Contrast::Api::Dtm::Finding] the configuration finding to populate
+      # @param user_provided_options [Hash] the configuration value(s) which
+      #   violated the rule
+      # @param call_location [Thread::Backtrace::Location] the location where
+      #   the bad configuration was set
+      def set_properties finding, user_provided_options, call_location
+        path = call_location.path
+        # just get the file name, not the full path
+        path = path.split(Contrast::Utils::ObjectShare::SLASH).last
+        session_id = user_provided_options[:key].to_s if user_provided_options
+        finding.properties[CS__SESSION_ID] = Contrast::Utils::StringUtils.force_utf8(session_id)
+        finding.properties[CS__PATH] = Contrast::Utils::StringUtils.force_utf8(path)
+        file_path = call_location.absolute_path
+        snippet = file_snippet(file_path, call_location)
+        finding.properties[CS__SNIPPET] = Contrast::Utils::StringUtils.force_utf8(snippet)
+      end
+
       def file_snippet file_path, call_location
         idx = call_location&.lineno
         if file_path && idx && File.exist?(file_path)

data/lib/contrast/utils/object_share.rb

@@ -1,13 +1,13 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-# rubocop:disable  Object/Freeze
+# rubocop:disable Security/Object/Freeze
 module Contrast
   module Utils
     # A utility class where a series of commonly used Strings and other
     # commonly used objects can be store and frozen to prevent unnecessary
     # duplication.
-    class ObjectShare
+    module ObjectShare
       # Strings
       ASTERISK =      '*'
       BACK_SLASH =    '\\'
@@ -76,4 +76,4 @@ module Contrast
     end
   end
 end
-# rubocop:enable  Object/Freeze
+# rubocop:enable Security/Object/Freeze

data/lib/contrast/utils/preflight_util.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Utils
     # Utility for generating preflight message token
-    class PreflightUtil
+    module PreflightUtil
       def self.create_preflight finding
         "#{ finding.rule_id },#{ finding.hash_code }"
       end

data/lib/contrast/utils/resource_loader.rb

@@ -4,7 +4,7 @@
 module Contrast
   module Utils
     # ResourceLoader can attempt to read a file from a predefined resource directory
-    class ResourceLoader
+    module ResourceLoader
       RESOURCES = 'resources'
 
       # __FILE__/../../../resources

data/lib/contrast/utils/sha256_builder.rb

@@ -29,8 +29,8 @@ module Contrast
 
       # Generate a SHA256 hash of the combined source code of this Gem
       def sha256 path
-        return nil unless path
-        return nil unless File.exist?(path) && !File.directory?(path)
+        return unless path
+        return unless File.exist?(path) && !File.directory?(path)
 
         @sha256_cache[path] ||= Digest::SHA256.file(path).to_s
       end

data/lib/contrast/utils/string_utils.rb

@@ -74,7 +74,7 @@ module Contrast
       # @return [String] a copy of the given String, upper cased, trimmed,
       #   dashes replaced with underscore, and HTTP trimmed
       def self.normalized_key str
-        return nil unless str
+        return unless str
 
         str = str.to_s
         @_normalized_keys ||= {}

data/lib/contrast/utils/tag_util.rb

@@ -19,16 +19,15 @@ module Contrast
 
             relationship = tag.compare_range(range.start_idx, range.end_idx)
             case relationship
-            when Contrast::Agent::Assess::Tag::BELOW
               # since the tags are ordered, if we're below, nope out
-              return false
-            when Contrast::Agent::Assess::Tag::LOW_SPAN
-              # if we ever get a low span, that means a low part
-              # won't be covered. there's no need to continue
-              return false
-            when Contrast::Agent::Assess::Tag::WITHOUT
-              # if we ever get a without, that means a low part won't
-              # be covered. there's no need to continue
+            when Contrast::Agent::Assess::Tag::BELOW,
+                # if we ever get a low span, that means a low part
+                # won't be covered. there's no need to continue
+                Contrast::Agent::Assess::Tag::LOW_SPAN,
+                # if we ever get a without, that means a low part won't
+                # be covered. there's no need to continue
+                Contrast::Agent::Assess::Tag::WITHOUT
+
               return false
             when Contrast::Agent::Assess::Tag::WITHIN
               # if we're within, then 0 out this tag since it is
@@ -131,10 +130,7 @@ module Contrast
           smallered = []
           curr = nil
           tags.each do |tag|
-            if curr.nil?
-              curr = tag
-              smallered << curr
-            elsif tag.start_idx <= curr.end_idx
+            if curr && tag.start_idx <= curr.end_idx
               curr.update_end(tag.end_idx) if tag.end_idx > curr.end_idx
             else
               curr = tag

data/resources/assess/policy.json

@@ -640,7 +640,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
       "patch_method": "gsub_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "R"
     }, {
       "class_name": "String",
@@ -650,7 +650,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
       "patch_method": "gsub_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "O"
     }, {
       "class_name": "String",
@@ -660,7 +660,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
       "patch_method": "sub_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "R"
     }, {
       "class_name": "String",
@@ -670,7 +670,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Substitution",
       "patch_method": "sub_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "O"
     }, {
       "class_name": "String",
@@ -680,7 +680,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
       "patch_method": "tr_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "R"
     }, {
       "class_name": "String",
@@ -690,7 +690,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
       "patch_method": "tr_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "O"
     }, {
       "class_name": "String",
@@ -700,7 +700,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
       "patch_method": "tr_s_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "R"
     }, {
       "class_name": "String",
@@ -710,7 +710,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::Trim",
       "patch_method": "tr_s_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "O"
     }, {
       "class_name": "String",
@@ -984,7 +984,7 @@
       "action": "CUSTOM",
       "patch_class": "Contrast::Extension::Assess::KernelPropagator",
       "patch_method": "sprintf_tagger",
-      "source": "O,P",
+      "source": "O,P1",
       "target": "R"
     }, {
       "class_name":"ActiveRecord::ConnectionAdapters::Quoting",
@@ -1173,26 +1173,20 @@
           "instance_method": true,
           "method_visibility": "public",
           "method_name":"match",
-          "source":"P0",
-          "trigger_class": "Contrast::Agent::Assess::Rule::Redos",
-          "trigger_method": "regexp_complexity_check"
+          "source":"P0"
 
         }, {
           "class_name":"String",
           "instance_method": true,
           "method_visibility": "public",
           "method_name":"=~",
-          "source":"O",
-          "trigger_class": "Contrast::Agent::Assess::Rule::Redos",
-          "trigger_method": "regexp_complexity_check"
+          "source":"O"
         }, {
           "class_name":"Regexp",
           "instance_method": true,
           "method_visibility": "public",
           "method_name":"=~",
-          "source":"P0",
-          "trigger_class": "Contrast::Agent::Assess::Rule::Redos",
-          "trigger_method": "regexp_complexity_check"
+          "source":"P0"
 
         }
       ]