contrast-agent 4.1.0 → 4.4.0

data/lib/contrast/agent/assess/property/tagged.rb

@@ -79,6 +79,10 @@ module Contrast
           # range       : 5-10
           # result      : 0-05
           #
+          # Note that we disable Lint/DuplicateBranch in this branch in order
+          # list out all tag range cases in the proper order to make this
+          # easier to understand
+          #
           # @param range [Range] the span to check, inclusive to exclusive
           # @return [Hash{String => Contrast::Agent::Assess::Tag}] the hash of
           #   key to tags
@@ -87,28 +91,15 @@ module Contrast
 
             at = Hash.new { |h, k| h[k] = [] }
             tags.each_pair do |key, value|
-              add = []
+              add = nil
               value.each do |tag|
-                comparison = tag.compare_range(range.begin, range.end)
-                # BELOW and ABOVE are applicable to this check and are removed.
-                case comparison
-                  # part of the tag is being selected
-                when Contrast::Agent::Assess::Tag::LOW_SPAN
-                  add << Contrast::Agent::Assess::Tag.new(tag.label, range.size)
-                  # the tag exists in the requested range, figure out the boundaries
-                when Contrast::Agent::Assess::Tag::WITHIN
-                  start = tag.start_idx - range.begin
-                  finish = range.size - start
-                  add << Contrast::Agent::Assess::Tag.new(tag.label, finish, start)
-                  # the tag spans the requested range.
-                when Contrast::Agent::Assess::Tag::WITHOUT
-                  add << Contrast::Agent::Assess::Tag.new(tag.label, range.size)
-                  # part of the tag is being selected
-                when Contrast::Agent::Assess::Tag::HIGH_SPAN
-                  add << Contrast::Agent::Assess::Tag.new(tag.label, range.size)
+                within_range = resize_to_range(tag, range)
+                if within_range
+                  add ||= []
+                  add << within_range
                 end
               end
-              next if add.empty?
+              next unless add&.any?
 
               at[key] = add
             end
@@ -173,14 +164,6 @@ module Contrast
             tags.fetch(label, nil) if tracked?
           end
 
-          # Convert the tags of this object into the TraceTaintRange required
-          # to be sent to the service
-          #
-          # @return [Array<Contrast::Api::Dtm::TraceTaintRange>]
-          def tags_to_dtm
-            Contrast::Api::Dtm::TraceTaintRange.build_for_event(tags)
-          end
-
           # Remove all tags within the given ranges.
           # This does not delete an entire tag if part of that tag is
           # outside this range, meaning we may reduce sizes of tags
@@ -301,9 +284,19 @@ module Contrast
             end
           end
 
-          # Shift the tag ranges covering the given range
-          # We assume this is for a insertion, meaning we
-          # have to move tags to the right
+          # Shift the tag ranges covering the given range to account for new
+          # data being added. We assume this is for a insertion, meaning we
+          # have to move tags out of the range and to the right. For example,
+          # given current tags:     0-15
+          # when we insert a range: 5-10
+          # then the result is:     0-5, 10-20
+          #
+          # Note that we disable Lint/DuplicateBranch in this branch in order
+          # list out all tag range cases in the proper order to make this
+          # easier to understand
+          #
+          # @param range [Range] the range of new information that's been
+          #   inserted
           def shift_tags_for_insertion range
             return unless tracked?
 
@@ -325,19 +318,50 @@ module Contrast
                 when Contrast::Agent::Assess::Tag::WITHIN
                   tag.shift(length)
                   # the tag spans the range. leave the part below alone
-                when Contrast::Agent::Assess::Tag::WITHOUT
+                when Contrast::Agent::Assess::Tag::WITHOUT # rubocop:disable Lint/DuplicateBranch
                   new_tag = tag.clone
                   new_tag.update_start(range.begin)
                   new_tag.shift(length)
                   add << new_tag
                   tag.update_end(range.begin)
-                when Contrast::Agent::Assess::Tag::HIGH_SPAN, Contrast::Agent::Assess::Tag::ABOVE
+                when Contrast::Agent::Assess::Tag::HIGH_SPAN, Contrast::Agent::Assess::Tag::ABOVE # rubocop:disable Lint/DuplicateBranch
                   tag.shift(length)
                 end
               end
               Contrast::Utils::TagUtil.ordered_merge(value, add)
             end
           end
+
+          private
+
+          # Given a tag, compare it to a given range and, if any part of that tag is within the range, return a new tag
+          # covering the union of the original tag and the range. This new tag will start at the
+          # max(tag.start, range.start) and end at min(tag.end, range.end)
+          #
+          # @param tag [Contrast::Agent::Assess::Tag] the Tag that may be in this range
+          # @param range [Range] the span to check, inclusive to exclusive
+          # @return [Contrast::Agent::Assess::Tag, nil] a new tag, truncated to only span within the given range or nil
+          #   if no overlap exists
+          def resize_to_range tag, range
+            comparison = tag.compare_range(range.begin, range.end)
+            # BELOW and ABOVE are not applicable to this check and result in nil
+            case comparison
+              # part of the tag is being selected
+            when Contrast::Agent::Assess::Tag::LOW_SPAN
+              Contrast::Agent::Assess::Tag.new(tag.label, range.size)
+              # the tag exists in the requested range, figure out the boundaries
+            when Contrast::Agent::Assess::Tag::WITHIN
+              start = tag.start_idx - range.begin
+              finish = range.size - start
+              Contrast::Agent::Assess::Tag.new(tag.label, finish, start)
+              # the tag spans the requested range.
+            when Contrast::Agent::Assess::Tag::WITHOUT # rubocop:disable Lint/DuplicateBranch
+              Contrast::Agent::Assess::Tag.new(tag.label, range.size)
+              # part of the tag is being selected
+            when Contrast::Agent::Assess::Tag::HIGH_SPAN # rubocop:disable Lint/DuplicateBranch
+              Contrast::Agent::Assess::Tag.new(tag.label, range.size)
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/assess/tracker.rb

@@ -14,7 +14,20 @@ module Contrast
         PROPERTIES_HASH = Contrast::Agent::Assess::Finalizers::Hash.new
 
         class << self
+          # Retrieve the properties of the given Object, iff they exist.
+          #
+          # @param source [Object, nil] the thing for which to look up properties.
+          # @return [Contrast::Agent::Assess::Properties, nil]
           def properties source
+            PROPERTIES_HASH[source]
+          end
+
+          # Retrieve the properties of the given Object, returning a new
+          # instance if one does not already exist and the source is trackable.
+          #
+          # @param source [Object] the thing for which to look up properties.
+          # @return [Contrast::Agent::Assess::Properties, nil]
+          def properties! source
             return unless trackable?(source)
 
             PROPERTIES_HASH[source] ||= Contrast::Agent::Assess::Properties.new
@@ -33,30 +46,15 @@ module Contrast
           end
 
           # Copy the properties from one object to the next, assuming the
-          # target does not already have its own properties.
+          # target does not already have its own properties. This should only
+          # ever be called when building PreShift for those objects sources
+          # which are already tracked.
           #
           # @param source [Object] the instance from which to copy properties
           # @param target [Object] the instance to which to copy properties
           def copy source, target
             PROPERTIES_HASH[target] ||= properties(source).dup
           end
-
-          # Duplicate the given object, returning the duplicate after copying
-          # the properties of the original and storing them as the properties
-          # of the duplicate.
-          #
-          # @param source [Object] the thing to duplicate
-          # @return [Object] the duplicate of the original, or the original if
-          #   it does not respond to duplication
-          def duplicate source
-            return source unless source
-
-            duplicate = source.dup
-            PROPERTIES_HASH[duplicate] ||= PROPERTIES_HASH[source].dup
-            duplicate
-          rescue StandardError
-            source
-          end
         end
       end
     end

data/lib/contrast/agent/deadzone/policy/deadzone_node.rb

@@ -19,6 +19,13 @@ module Contrast
           def feature
             'Deadzone'
           end
+
+          # Deadzone means place the code inside of the contrast scope so that
+          # none of our code executes. As such, all DeadZone nodes have that as
+          # their method scope
+          def method_scope
+            :contrast
+          end
         end
       end
     end

data/lib/contrast/agent/middleware.rb

@@ -46,27 +46,6 @@ module Contrast
         agent_startup_routine
       end
 
-      # Startup the Agent as part of the initialization process:
-      # - start the service sending thread, responsible for sending and
-      #   processing messages
-      # - start the heartbeat thread, which triggers service startup
-      # - start instrumenting libraries and do a 'catchup' patch for everything
-      #   we didn't see get loaded
-      # - enable TracePoint, which handles all class loads and required
-      #   instrumentation going forward
-      def agent_startup_routine
-        logger.debug_with_time('middleware: starting service') do
-          Contrast::Agent.thread_watcher.ensure_running?
-        end
-
-        logger.debug_with_time('middleware: instrument shared libraries and patch') do
-          Contrast::Agent::Patching::Policy::Patcher.patch
-        end
-
-        AGENT.enable_tracepoint
-        Contrast::Agent::AtExitHook.exit_hook
-      end
-
       # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready
       # to do some processing on a per request basis. If not, we just pass the request along to the
       # next middleware in the stack.
@@ -76,14 +55,11 @@ module Contrast
       # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back
       #   to the user up the Rack framework.
       def call env
-        Contrast::Utils::HeapDumpUtil.run
+        return app.call(env) unless AGENT.enabled?
 
-        if AGENT.enabled?
-          Contrast::Agent::StaticAnalysis.catchup
-          call_with_agent(env)
-        else
-          app.call(env)
-        end
+        Contrast::Agent.heapdump_util.start_thread!
+        handle_first_request
+        call_with_agent(env)
       end
 
       private
@@ -91,6 +67,8 @@ module Contrast
       def setup_agent
         SETTINGS.reset_state
 
+        inform_deprecations
+
         if CONFIG.invalid?
           AGENT.disable!
           logger.error('!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!')
@@ -101,13 +79,67 @@ module Contrast
         end
       end
 
+      # Startup the Agent as part of the initialization process:
+      # - start the service sending thread, responsible for sending and
+      #   processing messages
+      # - start the heartbeat thread, which triggers service startup
+      # - start instrumenting libraries and do a 'catchup' patch for everything
+      #   we didn't see get loaded
+      # - enable TracePoint, which handles all class loads and required
+      #   instrumentation going forward
+      def agent_startup_routine
+        logger.debug_with_time('middleware: starting service') do
+          Contrast::Agent.thread_watcher.ensure_running?
+        end
+
+        logger.debug_with_time('middleware: instrument shared libraries and patch') do
+          Contrast::Agent::Patching::Policy::Patcher.patch
+        end
+
+        logger.debug_with_time('middleware: enabling tracepoint') do
+          AGENT.enable_tracepoint
+        end
+        Contrast::Agent::AtExitHook.exit_hook
+      end
+
+      # Some things have to wait until first request to happen, either because
+      # resolution is not complete or because the framework will preload
+      # classes, which confuses some of our instrumentation.
+      def handle_first_request
+        @_handle_first_request ||= begin
+          Contrast::Agent::StaticAnalysis.catchup
+          force_patching
+          true
+        end
+      end
+
+      # TODO: RUBY-1090 remove this method and those it calls.
+      #
+      # These modules are auto-loaded by Rails, meaning they are defined at
+      # startup, but that they don't actually exist. We account for this in
+      # most cases by using the ClassUtil.truly_defined? method, but it appears
+      # to fail for these Modules. In the short term, we can forcing a re-patch
+      # so that their dead zones apply.
+      def force_patching
+        force_patch(ActionDispatch::FileHandler) if defined?(ActionDispatch::FileHandler)
+        force_patch(ActionDispatch::Http::MimeNegotiation) if defined?(ActionDispatch::Http::MimeNegotiation)
+        force_patch(ActionView::Template) if defined?(ActionView::Template)
+      end
+
+      def force_patch mod
+        data = Contrast::Agent::ModuleData.new(mod)
+        Contrast::Agent::Patching::Policy::Patcher.send(:patch_into_module, data, true)
+      end
+
       # This is where we process each request we intercept as a middleware. We make the request context
       # available globally so that it can be accessed from anywhere. A RequestHandler object is made
       # for each request, which handles prefilter and postfilter operations.
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
+      #   and values of this Request
+      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back
+      #   to the user up the Rack framework.
       def call_with_agent env
         Contrast::Agent.thread_watcher.ensure_running?
-        return unless AGENT.enabled?
-
         framework_request = Contrast::Agent.framework_manager.retrieve_request(env)
         context = Contrast::Agent::RequestContext.new(framework_request)
         response = nil
@@ -117,28 +149,9 @@ module Contrast
           logger.request_start
           request_handler = Contrast::Agent::RequestHandler.new(context)
 
-          # prefilter sequence
-          with_contrast_scope do
-            context.service_extract_request
-            request_handler.ruleset.prefilter
-          end
-
-          response = application_code(env) # pass request down the Rack chain with original env
-
-          # postfilter sequence
-          with_contrast_scope do
-            context.extract_after(response) # update context with final response information
-
-            if Contrast::Agent.framework_manager.streaming?(env)
-              context.reset_activity
-              request_handler.stream_safe_postfilter
-            else
-              request_handler.ruleset.postfilter
-              # return response stored in the context in case any postfilter rules updated the response data
-              response = context.response&.rack_response || response
-              request_handler.send_activity_messages
-            end
-          end
+          pre_call_with_agent(context, request_handler)
+          response = application_code(env)
+          post_call_with_agent(context, env, request_handler, response)
         ensure
           logger.request_end
         end
@@ -148,6 +161,47 @@ module Contrast
         handle_exception(e)
       end
 
+      # Handle the operations the Agent needs to accomplish prior to the Application code executing during this
+      # request.
+      #
+      # @param context [Contrast::Agent::RequestContext]
+      # @param request_handler [Contrast::Agent::RequestHandler]
+      def pre_call_with_agent context, request_handler
+        with_contrast_scope do
+          context.service_extract_request
+          request_handler.ruleset.prefilter
+        end
+      rescue StandardError => e
+        raise e if security_exception?(e)
+
+        logger.error('Unable to execute agent pre_call', e)
+      end
+
+      # Handle the operations the Agent needs to accomplish after the Application code executes during this request.
+      #
+      # @param context [Contrast::Agent::RequestContext]
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this Request
+      # @param request_handler [Contrast::Agent::RequestHandler]
+      # @param response [Array,Rack::Response]
+      def post_call_with_agent context, env, request_handler, response
+        with_contrast_scope do
+          context.extract_after(response) # update context with final response information
+
+          if Contrast::Agent.framework_manager.streaming?(env)
+            context.reset_activity
+            request_handler.stream_safe_postfilter
+          else
+            request_handler.ruleset.postfilter
+            request_handler.send_activity_messages
+          end
+        end
+      rescue StandardError => e
+        raise e if security_exception?(e)
+
+        logger.error('Unable to execute agent post_call', e)
+      end
+
       def application_code env
         logger.trace_with_time('application') do
           app.call(env)
@@ -161,9 +215,7 @@ module Contrast
       # We're only going to suppress SecurityExceptions indicating a blocked attack.
       # And, only if the config.agent.ruby.exceptions.capture? is set
       def handle_exception exception
-        if exception.is_a?(Contrast::SecurityException) ||
-              exception.message&.include?(SECURITY_EXCEPTION_MARKER)
-
+        if security_exception?(exception)
           exception_control = AGENT.exception_control
           raise exception unless exception_control[:enable]
 
@@ -173,6 +225,33 @@ module Contrast
           raise exception
         end
       end
+
+      # Is the given exception one raised by our Protect code?
+      #
+      # @param exception [Exception]
+      # @return [Boolean]
+      def security_exception? exception
+        exception.is_a?(Contrast::SecurityException) ||
+            exception.message&.include?(SECURITY_EXCEPTION_MARKER)
+      end
+
+      # As we deprecate support to prepare to remove dead code, we need to
+      # inform our users still relying on the now deprecated and soon to be
+      # removed functionality. This method handles doing that by leveraging the
+      # standard Kernel#warn approach
+      def inform_deprecations
+        # Ruby 2.5 is currently in security maintenance, meaning int is only
+        # receiving updates for security issues. It will move to eol on 31
+        # March 2021. As such, we can remove support for it in Q2. We'll begin
+        # the deprecation warnings now so that customers have time to reach out
+        # if they'll be impacted.
+        # TODO: RUBY-715 remove this part of the method, leaving it empty if
+        #   there are no other deprecations, when we drop 2.5 support.
+        return unless RUBY_VERSION < '2.6.0'
+
+        Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.5 will be removed in April 2021. '\
+                    'Please contact Customer Support prior if you require continued support.')
+      end
     end
   end
 end