contrast-agent 4.1.0 → 4.4.0

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -92,14 +92,11 @@ module Contrast
               end
 
               def string_sub parent_events, self_tracked, preshift, ret, incoming, incoming_tracked, global
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
-                parent_event = incoming_properties&.event
-                parent_events << parent_event if parent_event
+                parent_events << incoming_properties&.event if incoming_properties&.event
 
-                pattern = preshift.args[0]
                 source = preshift.object
 
                 # We can't efficiently find the places that things were
@@ -112,6 +109,34 @@ module Contrast
 
                 # if it's just a straight insert, that we can do
                 # Copy the tags from us to the return
+                ranges = find_string_sub_insert(properties, preshift, incoming, ret, global)
+
+                properties.delete_tags_at_ranges(ranges)
+                properties.shift_tags(ranges)
+                return unless incoming_tracked
+                return unless incoming_properties
+
+                tags = incoming_properties.tag_keys
+                ranges.each do |range|
+                  tags.each do |tag|
+                    properties.add_tag(tag, range)
+                  end
+                end
+              end
+
+              # Find the points at which the new String was placed into the original
+              #
+              # @param properties [Contrast::Agent::Assess::Properties] the Properties of the ret
+              # @param preshift [Contrast::Agent::Assess::PreShift] the capture of the state of the code just prior to
+              #   the invocation of the patched method
+              # @param incoming [String] the new String going into the substitution
+              # @param ret [String] the result of the substitution
+              # @param global [Boolean] if this was a global or single substitution
+              # @return [Array<Range>] the Ranges where substitution occurred
+              def find_string_sub_insert properties, preshift, incoming, ret, global
+                pattern = preshift.args[0]
+                source = preshift.object
+
                 properties.copy_from(source, ret)
                 # Figure out where inserts occurred
                 last_idx = 0
@@ -127,36 +152,27 @@ module Contrast
                   ranges << (start_index...end_index)
                   break unless global
                 end
-                properties.delete_tags_at_ranges(ranges)
-                properties.shift_tags(ranges)
-                return unless incoming_tracked
-                return unless incoming_properties
-
-                tags = incoming_properties.tag_keys
-                ranges.each do |range|
-                  tags.each do |tag|
-                    properties.add_tag(tag, range)
-                  end
-                end
+                ranges
               end
 
               def block_sub self_tracked, source, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                properties&.splat_from(source, ret) if self_tracked
+                return unless self_tracked
+
+                properties = Contrast::Agent::Assess::Tracker.properties!(ret)
+                properties&.splat_from(source, ret)
               end
 
               def hash_sub self_tracked, source, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                properties&.splat_from(source, ret) if self_tracked
+                return unless self_tracked
+
+                properties = Contrast::Agent::Assess::Tracker.properties!(ret)
+                properties&.splat_from(source, ret)
               end
 
               def pattern_gsub parent_events, preshift, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
-
                 source = preshift.object
-                source_properties = Contrast::Agent::Assess::Tracker.properties(source)
-                return unless source_properties
+                return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source_properties.tag_keys.each do |key|
                   properties.add_tag(key, 0...1)

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -11,13 +11,11 @@ module Contrast
           # Disclaimer: there may be a better way, but we're
           # in a 'get it work' state. hopefully, we'll be in
           # a 'get it right' state soon.
-          class Trim
+          module Trim
             class << self
               def tr_tagger patcher, preshift, ret, _block
                 return ret unless ret && !ret.empty?
-
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return ret unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source = preshift.object
                 args = preshift.args
@@ -59,9 +57,7 @@ module Contrast
 
               def tr_s_tagger patcher, preshift, ret, _block
                 return unless ret && !ret.empty?
-
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source = preshift.object
                 args = preshift.args

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -178,8 +178,8 @@ module Contrast
               # don't apply second source -- probably needs tuning later if we
               # use more than 'UNTRUSTED' in our sources
               return if Contrast::Agent::Assess::Tracker.tracked?(target)
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
               # otherwise for each tag this source_node applies, create a tag range
               # on the target object
               # I realize this looping is counter-intuitive from the above
@@ -243,19 +243,7 @@ module Contrast
               when Contrast::Utils::ObjectShare::OBJECT_KEY
                 object
               else
-                if source_target.is_a?(Integer)
-                  args[source_target]
-                  # If this isn't an index param, it's a named one. R.I.P.
-                else
-                  arg = nil
-                  args.each do |search|
-                    next unless search.is_a?(Hash)
-
-                    arg = search[source_target]
-                    break if arg
-                  end
-                  arg
-                end
+                args[source_target]
               end
             end
 

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -25,14 +25,13 @@ module Contrast
               TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
               def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 scope = args[0]
                 erb_template_prerender = object.instance_variable_get(:@data)
                 interpolated_inputs = []
-                handle_binding_variables(scope, erb_template_prerender, ret, interpolated_inputs)
-                handle_local_variables(args, erb_template_prerender, ret, interpolated_inputs)
+                handle_binding_variables(scope, erb_template_prerender, ret, properties, interpolated_inputs)
+                handle_local_variables(args, erb_template_prerender, ret, properties, interpolated_inputs)
                 properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
                 unless interpolated_inputs.empty?
                   current_event = properties.event
@@ -53,8 +52,7 @@ module Contrast
 
               private
 
-              def handle_binding_variables scope, erb_template_prerender, ret, interpolated_inputs
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+              def handle_binding_variables scope, erb_template_prerender, ret, properties, interpolated_inputs
                 binding_variables = scope.instance_variables
 
                 binding_variables.each do |bound_variable_sym|
@@ -71,8 +69,7 @@ module Contrast
                 end
               end
 
-              def handle_local_variables args, erb_template_prerender, ret, interpolated_inputs
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+              def handle_local_variables args, erb_template_prerender, ret, properties, interpolated_inputs
                 locals = args[1]
                 locals.each do |local_name, local_value|
                   next unless Contrast::Agent::Assess::Tracker.tracked?(local_value)

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -43,7 +43,7 @@ module Contrast
                   next unless trigger_node.violated?(arg)
 
                   Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-                      context, trigger_node, arg, object, ret, args)
+                      context, trigger_node, arg, object, ret, *args)
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -101,18 +101,12 @@ module Contrast
             #   conditions were not met
             def build_finding context, trigger_node, source, object, ret, *args
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
-
-              request = context.request
-              env = request.env
-              return if defined?(ActionController::Live) &&
-                  env &&
-                  env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live)
+              return unless reportable?(context)
 
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
               build_from_source(finding, source)
-              trigger_event = Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
-              finding.events << trigger_event
+              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
               build_hash(finding, source)
               finding.routes << context.route if context.route
               finding.version = determine_compliance_version(finding)
@@ -127,6 +121,17 @@ module Contrast
 
             private
 
+            # A request is reportable if it is not from ActionController::Live
+            #
+            # @param context [Contrast::Agent::RequestContext] the current request context
+            # @return [Boolean]
+            def reportable? context
+              env = context.request.env
+              !(defined?(ActionController::Live) &&
+                env &&
+                env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
+            end
+
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -185,11 +185,7 @@ module Contrast
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
           def ranges_with_all_tags length, properties, required_tags
-            # if there are no tags, not required tags, or the tags don't have
-            # all the required tags, we can just return here.
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags&.any?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags.all? { |tag| properties.tag_keys.include?(tag) }
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless matches_tags?(properties, required_tags)
 
             ranges = []
             chunking = false
@@ -229,8 +225,7 @@ module Contrast
           #   by the given conditions
           def ranges_with_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless search_tags?(properties, tags)
 
             ranges = []
             tags.each do |desired|
@@ -243,6 +238,32 @@ module Contrast
             end
             ranges
           end
+
+          # We should only try to match tags on properties if those properties have any tags (are tracked) and there
+          # are tags to try and match on. Some rules, like regexp rules, have no tags. Some rules, like trigger, have
+          # no properties.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def search_tags? properties, tags
+            return false unless properties.tracked?
+            return false unless tags&.any?
+
+            true
+          end
+
+          # Determine if the given properties have instances of all the given tags or not.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def matches_tags? properties, tags
+            return false unless search_tags?(properties, tags)
+            return false unless tags.all? { |tag| properties.tag_keys.include?(tag) }
+
+            true
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

@@ -0,0 +1,59 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module TriggerValidation
+          # Validator used to assert a REDOS finding is actually vulnerable
+          # before serializing that finding as a DTM to report to the service.
+          module REDOSValidator
+            RULE_NAME = 'redos'
+
+            class << self
+              def valid? _patcher, object, _ret, args
+                # Can arrive here from either:
+                #   regexp =~ string
+                #   string =~ regexp
+                #   regexp.match string
+                #
+                # Thus object/args[0] can be string/regexp or regexp/string.
+                regexp = object.is_a?(Regexp) ? object : args[0]
+
+                # regexp must be exploitable.
+                return false unless regexp_vulnerable?(regexp)
+
+                true
+              end
+
+              protected
+
+              VULNERABLE_PATTERN = /[\[(].*?[\[(].*?[\])][*+?].*?[\])][*+?]/.cs__freeze
+
+              # Does the regexp
+              # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/redos.md
+              def regexp_vulnerable? regexp
+                # A pattern is considered vulnerable if it has 2 or more levels of nested multi-matching.
+                # A level is defined as any set of opening and closing control characters immediately followed by a multi match control character.
+                # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS,
+                # or MULTI_MATCH_CHARS that is not immediately preceded by an escaping \ character.
+                # OPENING_CHARS are ( and [ CLOSING_CHARS are ) and ] MULTI_MATCH_CHARS are +, *, and ?
+
+                # Nota bene about Regexp#to_s:  it doesn't necessarily give you the original Regexp back
+                # (in the sense of `my_str == Regexp.new(my_str).to_s`), it gives you a Regexp that
+                # will have the same functional characteristics as the original.
+                # Regexp#inspect gives you a "more nicely formatted" version than #to_s.
+                # Regexp#source will give you the original source.
+
+                # Use #match? because it doesn't fill out global variables
+                # in the way match or =~ do.
+                VULNERABLE_PATTERN.match? regexp.source
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -9,7 +9,7 @@ module Contrast
           # Validator used to assert a SSRF finding is actually vulnerable
           # before serializing that finding as a DTM to report to the service.
           module SSRFValidator
-            SSRF_RULE = 'ssrf'
+            RULE_NAME = 'ssrf'
             URL_PATTERN =
               %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze
             # The Net::HTTP class validates host format on instantiation. Since
@@ -23,7 +23,6 @@ module Contrast
             # querystring
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/server_side_request_forgery.md
             def self.valid? patcher, _object, _ret, args
-              return true unless SSRF_RULE == patcher&.rule_id
               return true if patcher.id.to_s.start_with?(PATH_ONLY_PATCH_MARKER)
 
               url = args[0].to_s
@@ -39,7 +38,7 @@ module Contrast
               finish ||= url.length
 
               properties = Contrast::Agent::Assess::Tracker.properties(args[0])
-              properties.any_tags_between?(start, finish)
+              properties&.any_tags_between?(start, finish)
             end
           end
         end

data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/assess/policy/trigger_validation/ssrf_validator'
 require 'contrast/agent/assess/policy/trigger_validation/xss_validator'
+require 'contrast/agent/assess/policy/trigger_validation/redos_validator'
 
 module Contrast
   module Agent
@@ -15,7 +16,8 @@ module Contrast
         module TriggerValidation
           VALIDATORS = [
             Contrast::Agent::Assess::Policy::TriggerValidation::SSRFValidator,
-            Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator
+            Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator,
+            Contrast::Agent::Assess::Policy::TriggerValidation::REDOSValidator
           ].cs__freeze
 
           # Determines if the conditions in which this trigger was called are
@@ -32,9 +34,9 @@ module Contrast
           # @return [Boolean] if the conditions are valid for the generation of
           #   a Contrast::Api::Dtm::Finding
           def self.valid? patcher, object, ret, args
-            VALIDATORS.each do |validator|
-              return false unless validator.valid?(patcher, object, ret, args)
-            end
+            specific_validator = VALIDATORS.find { |validator| validator::RULE_NAME == patcher&.rule_id }
+            return specific_validator.valid?(patcher, object, ret, args) if specific_validator
+
             true
           end
         end

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb

@@ -10,7 +10,7 @@ module Contrast
           # vulnerable before serializing that finding as a DTM to report to
           # the service.
           module XSSValidator
-            XSS_RULE = 'reflected-xss'
+            RULE_NAME = 'reflected-xss'
             SAFE_CONTENT_TYPES = %w[
               /csv
               /javascript
@@ -23,9 +23,7 @@ module Contrast
             # A finding is valid for XSS if the response type is not one of
             # those assumed to be safe
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
-            def self.valid? patcher, _object, _ret, _args
-              return true unless XSS_RULE == patcher&.rule_id
-
+            def self.valid? _patcher, _object, _ret, _args
               content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
               return true unless content_type
 

data/lib/contrast/agent/assess/properties.rb

@@ -6,7 +6,6 @@ require 'set'
 require 'contrast/agent/assess/property/evented'
 require 'contrast/agent/assess/property/tagged'
 require 'contrast/agent/assess/property/updated'
-require 'contrast/utils/prevent_serialization'
 
 module Contrast
   module Agent
@@ -18,7 +17,6 @@ module Contrast
       # to properly convey the events that lead up to the state of the tracked
       # user input.
       class Properties
-        include Contrast::Utils::PreventSerialization
         include Contrast::Agent::Assess::Property::Evented
         include Contrast::Agent::Assess::Property::Tagged
         include Contrast::Agent::Assess::Property::Updated