contrast-agent 4.10.0 → 4.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ab65fd574ef84fbe339e4f4d4bf340623235a442ecc11d7ba28c6af3c6f04d4d
-  data.tar.gz: 0fa9cc44fe85713ee924101139e615d361de6d906c8f5ff4fdd345a930eee9d2
+  metadata.gz: 2ad97d601b81e16e1d0263d86b60a3acd0e5a5ff9cb3f42598c262774a518169
+  data.tar.gz: 749f87aefffd1e1504834dc7f919d45280cf560a20805184757dd9f6bda97477
 SHA512:
-  metadata.gz: cb21ebcad0e772649d16a25d2f00cc057ee10df71638b7bd7cc6a4710a1ded28ce4dca749fa040ba2fb78e992727f4cc5d5f38e1187c363a8ea33a12333fc289
-  data.tar.gz: c3ad4c82a9e25ecb58c0ea906f1170cffdd6811952f9c1d71a6c75166358a37e0ebba40e55e9a7433156a51122b9ca1450bb5a4a2a87f9081a4a4268d9abfdb4
+  metadata.gz: cfa15549565b4f17c431332c7bc7c6fe84bd5bea321860db84f24a2df5e2d5241675200ed6e50ebe53fc319d94ade6ebfed26fe664fc297dde54a1fc9f645fda
+  data.tar.gz: 017f02883faee2d281b7b052844653ddbb744fa27f02cf5739c38e50256eb054effb966c5b35b79b05e7d3af62f35d90509352f5c4327c9474e936c7e740ef19

data/lib/contrast/agent/assess/contrast_object.rb

@@ -35,9 +35,6 @@ module Contrast
           if object
             @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
             @object_type = object.cs__class.cs__name
-            # TODO: RUBY-1084 determine if we need to copy these tags to
-            #   restore immutability. For instance, if these tags were on a
-            #   String that was then #reverse!'d, would our tags be wrong?
             @tags = Contrast::Agent::Assess::Tracker.properties(object)&.tags
           else
             @object = Contrast::Utils::ObjectShare::NIL_STRING

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -83,20 +83,21 @@ module Contrast
           end
 
           def append_arg_details preshift, args
-            preshift.args = args.dup
+            args_length = args.length
+            preshift.args = Array.new(args_length)
+            preshift.arg_lengths = Array.new(args_length)
             idx = 0
-            while idx < preshift.args.size
+            while idx < args_length
               original_arg = args[idx]
-              p_arg = preshift.args[idx]
+              p_arg = can_dup?(false, original_arg) ? original_arg.dup : original_arg
+              preshift.args[idx] = p_arg
+              preshift.arg_lengths[idx] = Contrast::Utils::DuckUtils.quacks_to?(p_arg, :length) ? p_arg.length : 0
               idx += 1
               next if p_arg.__id__ == original_arg.__id__
               next unless Contrast::Agent::Assess::Tracker.tracked?(original_arg)
 
               Contrast::Agent::Assess::Tracker.copy(original_arg, p_arg)
             end
-            preshift.arg_lengths = preshift.args.map do |preshift_arg|
-              Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0
-            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagator/match_data.rb

@@ -15,7 +15,7 @@ module Contrast
                 case ret
                 when Array
                   idx = 0
-                  while idx < ret.size
+                  while idx < ret.length
                     return_value = ret[idx]
                     index = idx
                     idx += 1
@@ -34,7 +34,7 @@ module Contrast
 
               def captures_tagger propagation_node, preshift, ret, _block
                 idx = 0
-                while idx < ret.size
+                while idx < ret.length
                   return_value = ret[idx]
                   index = idx
                   idx += 1
@@ -48,7 +48,7 @@ module Contrast
 
               def to_a_tagger propagation_node, preshift, ret, _block
                 idx = 0
-                while idx < ret.size
+                while idx < ret.length
                   return_value = ret[idx]
                   index = idx
                   idx += 1
@@ -61,7 +61,7 @@ module Contrast
 
               def values_at_tagger propagation_node, preshift, ret, _block
                 idx = 0
-                while idx < ret.size
+                while idx < ret.length
                   return_value = ret[idx]
                   return_index = idx
                   idx += 1

data/lib/contrast/agent/assess/policy/propagator/remove.rb

@@ -26,7 +26,6 @@ module Contrast
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source_string = source.is_a?(String) ? source : source.to_s
-
                 # If the lengths are the same, we should just copy the tags because nothing was removed, but a new
                 # instance could have been created. copy_from will handle the case where the source is the target.
                 if source_string.length == target.length
@@ -34,10 +33,7 @@ module Contrast
                   return
                 end
 
-                source_chars = source_string.chars
                 source_idx = 0
-
-                target_chars = target.chars
                 target_idx = 0
 
                 remove_ranges = []
@@ -45,10 +41,9 @@ module Contrast
 
                 # loop over the target, the result of the delete every range of characters that it differs from the
                 # source represents a section that was deleted. these sections need to have their tags updated
-                target_len = target_chars.length
-                while target_idx < target_len
-                  target_char = target_chars[target_idx]
-                  source_char = source_chars[source_idx]
+                while target_idx < target.length
+                  target_char = target[target_idx]
+                  source_char = source_string[source_idx]
                   if target_char == source_char
                     target_idx += 1
                     if start
@@ -63,7 +58,7 @@ module Contrast
 
                 # once we're done looping over the target, anything left over is extra from the source that was
                 # deleted. tags applying to it need to be removed.
-                remove_ranges << (source_idx...source_chars.length) if source_idx != source_chars.length
+                remove_ranges << (source_idx...source_string.length) if source_idx != source_string.length
 
                 # handle deleting the removed ranges
                 properties.delete_tags_at_ranges(remove_ranges)

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -246,9 +246,8 @@ module Contrast
                 logger.debug('Trigger source is untrackable. Unable to inspect.',
                              node_id: trigger_node.id,
                              source_id: source.__id__,
-                             source_type: source.cs__class.to_s,
+                             source_type: source.cs__class.cs__name,
                              frozen: source.cs__frozen?)
-                logger.trace(source.to_s[0..99])
               end
             end
 

data/lib/contrast/agent/inventory/dependency_usage_analysis.rb

@@ -60,7 +60,7 @@ module Contrast
 
           digest = Contrast::Utils::Sha256Builder.instance.build_from_spec(spec)
           unless digest
-            logger.debug('Unable to resolve digest for gem spec', spec: spec.to_s)
+            logger.debug('Unable to resolve digest for gem spec', spec: spec.to_s) if logger.debug?
             return
           end
           report_path = adjust_path_for_reporting(path, spec)

data/lib/contrast/agent/request.rb

@@ -92,10 +92,12 @@ module Contrast
                 defined?(Rack::Multipart::UploadedFile) &&
                 body.is_a?(Rack::Multipart::UploadedFile)
 
-            logger.trace("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
+            logger.trace('not parsing uploaded file body',
+                         file_name: body.original_filename,
+                         content_type: body.content_type)
             @_body = nil
           else
-            logger.trace("parsing body from request :: #{ body.cs__class.cs__name }")
+            logger.trace('parsing body from request', body_type: body.cs__class.cs__name)
             @_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
           end
 
@@ -185,7 +187,7 @@ module Contrast
         when Enumerable
           idx = 0
           res = {}
-          while idx < val.size
+          while idx < val.length
             res.merge! normalize_params(val[idx], prefix: "#{ prefix }[#{ idx }]")
             idx += 1
           end

data/lib/contrast/agent/request_context.rb

@@ -131,8 +131,10 @@ module Contrast
         handle_protect_state(service_response)
         ia = service_response.input_analysis
         if ia
-          logger.trace("Analysis from Contrast Service: evaluations=#{ ia.results.length }")
-          logger.trace('Results', input_analysis: ia.inspect)
+          if logger.trace?
+            logger.trace('Analysis from Contrast Service', evaluations: ia.results.length)
+            logger.trace('Results', input_analysis: ia.inspect)
+          end
           @speedracer_input_analysis = ia
           speedracer_input_analysis.request = request
         else
@@ -202,7 +204,10 @@ module Contrast
           rule = ::Contrast::PROTECT.rule(rule_id)
           next unless rule
 
-          logger.debug('Building attack result from Contrast Service input analysis result', result: ia_result.inspect)
+          if logger.debug?
+            logger.debug('Building attack result from Contrast Service input analysis result',
+                         result: ia_result.inspect)
+          end
 
           attack_result = if rule.mode == :BLOCK
                             # special case for rules (like reflected xss) that used to have an infilter / block mode

data/lib/contrast/agent/scope.rb

@@ -104,39 +104,51 @@ module Contrast
         exit_split_scope!
       end
 
-      # Dynamic versions of the above.
-      # These are equivalent, but they're slower and riskier.
-      # Prefer the static methods if you know what scope you need at the call site.
+      # Static methods to be used, the cases are defined by the usage from the above methods
+      # if more methods are added - please extend the case statements as they are no longed dynamic
       def in_scope? name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"in_#{ name }_scope?" }
-        send(call)
+        case name
+        when :contrast
+          in_contrast_scope?
+        when :deserialization
+          in_deserialization_scope?
+        when :split
+          in_split_scope?
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       def enter_scope! name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"enter_#{ name }_scope!" }
-        send(call)
+        case name
+        when :contrast
+          enter_contrast_scope!
+        when :deserialization
+          enter_deserialization_scope!
+        when :split
+          enter_split_scope!
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       def exit_scope! name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"exit_#{ name }_scope!" }
-        send(call)
+        case name
+        when :contrast
+          exit_contrast_scope!
+        when :deserialization
+          exit_deserialization_scope!
+        when :split
+          exit_split_scope!
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       class << self
         def valid_scope? scope_sym
           Contrast::Agent::Scope::SCOPE_LIST.include? scope_sym
         end
-
-        def ensure_valid_scope! scope_sym
-          unless valid_scope? scope_sym # rubocop:disable Style/GuardClause
-            with_contrast_scope do
-              raise NoMethodError, "Scope '#{ scope_sym.inspect }' is not registered as a scope."
-            end
-          end
-        end
       end
     end
   end

data/lib/contrast/agent/tracepoint_hook.rb

@@ -27,14 +27,22 @@ module Contrast
 
         private
 
+        # Use the TracePoint from the :end event, meaning the completion of a definition of a Class or Module (or
+        # really the completion of that piece of a definition, as determined by an `end` statement since there could be
+        # definitions across multiple files) to carry out actions required on definition. This typically involves
+        # patching and usage analysis
+        #
+        # @param tracepoint_event [TracePoint] the TracePoint from the :end
         def process tracepoint_event
           with_contrast_scope do
-            logger.trace('Received TracePoint end event', module: tracepoint_event.self.to_s)
-
+            # the Module or Class that was loaded during this event
             loaded_module = tracepoint_event.self
+            # the file being loaded that contained this definition
             path = tracepoint_event.path
             return if path&.include?('contrast')
 
+            logger.trace('Received TracePoint end event', module: loaded_module, path: path)
+
             Contrast::Agent.framework_manager.register_late_framework(loaded_module)
             Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.associate_file(path) if path
             Contrast::Agent::Patching::Policy::Patcher.patch_specific_module(loaded_module)
@@ -43,7 +51,7 @@ module Contrast
             end
             Contrast::Agent::Assess::Policy::PolicyScanner.scan(tracepoint_event)
           rescue StandardError => e
-            logger.error('Unable to complete TracePoint analysis', e, module: loaded_module)
+            logger.error('Unable to complete TracePoint analysis', e, module: loaded_module, path: path)
           end
         end
       end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '4.10.0'
+    VERSION = '4.11.0'
   end
 end

data/lib/contrast/utils/class_util.rb

@@ -3,11 +3,13 @@
 
 require 'contrast/extension/module'
 require 'contrast/utils/object_share'
+require 'contrast/utils/lru_cache'
 
 module Contrast
   module Utils
     # Utility methods for exploring the complete space of Objects
     class ClassUtil
+      @lru_cache = LRUCache.new
       class << self
         # some classes have had things prepended to them, like Marshal in Rails
         # 5 and higher. Their ActiveSupport::MarshalWithAutoloading will break
@@ -47,27 +49,32 @@ module Contrast
         # @param object [Object, nil] the entity to convert to a String
         # @return [String] the human readable form of the String, as defined by
         #   https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/capture-snapshot.md
+
         def to_contrast_string object
-          # Only treat object like a string if it actually is a string
+          # After implementing the LRU Cache, we firstly need to check if already had that object cached
+          # and if we have it - we can return it directly
+          return @lru_cache[object.__id__] if @lru_cache.key? object.__id__
+
+          # Only treat object like a string if it actually is a string+
           # some subclasses of String override string methods we depend on
-          if object.cs__class == String
-            cached = to_cached_string(object)
-            return cached if cached
-
-            object.dup
-          elsif object.nil?
-            Contrast::Utils::ObjectShare::NIL_STRING
-          elsif object.cs__is_a?(Symbol)
-            ":#{ object }"
-          elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
-            "#{ object.cs__name }@#{ object.__id__ }"
-          elsif object.cs__is_a?(Regexp)
-            object.source
-          elsif use_to_s?(object)
-            object.to_s
-          else
-            "#{ object.cs__class.cs__name }@#{ object.__id__ }"
-          end
+          @lru_cache[object.__id__] = if object.cs__class == String
+                                        cached = to_cached_string(object)
+                                        return cached if cached
+
+                                        object.dup
+                                      elsif object.nil?
+                                        Contrast::Utils::ObjectShare::NIL_STRING
+                                      elsif object.cs__is_a?(Symbol)
+                                        ":#{ object }"
+                                      elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
+                                        "#{ object.cs__name }@#{ object.__id__ }"
+                                      elsif object.cs__is_a?(Regexp)
+                                        object.source
+                                      elsif use_to_s?(object)
+                                        object.to_s
+                                      else
+                                        "#{ object.cs__class.cs__name }@#{ object.__id__ }"
+                                      end
         end
 
         # The method const_defined? can cause autoload, which is bad for us.

data/lib/contrast/utils/io_util.rb

@@ -9,40 +9,48 @@ module Contrast
     module IOUtil
       extend Contrast::Components::Logger::InstanceMethods
 
-      # We're only going to call rewind on things that we believe are safe to
-      # call it on. This method white lists those cases and returns false in
-      # all others.
-      def self.should_rewind? potential_io
-        return true if potential_io.is_a?(StringIO)
-        return false unless io?(potential_io)
-
-        should_rewind_io?(potential_io)
-      rescue StandardError => e
-        logger.debug('Encountered an issue determining if rewindable', e, module: potential_io.cs__class.cs__name)
-        false
-      end
-
-      # IO cannot be used with streams such as pipes, ttys, and sockets.
-      def self.should_rewind_io? io
-        return false if io.tty?
-
-        status = io.stat
-        return false unless status
-        return false if status.pipe?
-        return false if status.socket?
-
-        true
-      end
-
-      # A class is IO if it is a decedent or delegate of IO
-      def self.io? object
-        return true if object.is_a?(IO)
-
-        # DelegateClass, which is a Delegator, defines __getobj__ as a way to
-        # get the object that the class wraps around (delegates to)
-        return false unless object.is_a?(Delegator)
-
-        object.__getobj__.is_a?(IO)
+      class << self
+        # We're only going to call rewind on things that we believe are safe to
+        # call it on. This method white lists those cases and returns false in
+        # all others.
+        def should_rewind? potential_io
+          return true if potential_io.is_a?(StringIO)
+          return false unless io?(potential_io)
+
+          should_rewind_io?(potential_io)
+        rescue StandardError => e
+          logger.debug('Encountered an issue determining if rewindable', e, module: potential_io.cs__class.cs__name)
+          false
+        end
+
+        # A class is IO if it is a decedent or delegate of IO
+        def io? object
+          return true if object.is_a?(IO)
+
+          # DelegateClass, which is a Delegator, defines __getobj__ as a way to
+          # get the object that the class wraps around (delegates to)
+          return false unless object.is_a?(Delegator)
+
+          object.__getobj__.is_a?(IO)
+        end
+
+        private
+
+        # IO rewind cannot be used with streams such as pipes, ttys, and sockets or for ones which have been closed.
+        #
+        # @param io [IO] the input to check for the ability to rewind
+        # @return [Boolean] if the given IO can be rewound
+        def should_rewind_io? io
+          return false if io.closed?
+          return false if io.tty?
+
+          status = io.stat
+          return false unless status
+          return false if status.pipe?
+          return false if status.socket?
+
+          true
+        end
       end
     end
   end

data/lib/contrast/utils/lru_cache.rb

@@ -0,0 +1,43 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Utils
+    # A LRU(Least Recently Used) Cache store.
+    class LRUCache
+      def initialize capacity = 500
+        raise StandardError 'Capacity must be bigger than 0' if capacity <= 0
+
+        @capacity = capacity
+        @cache = {}
+      end
+
+      def [] key
+        val = @cache.delete(key)
+        @cache[key] = val if val
+        val
+      end
+
+      def []= key, value
+        @cache.delete(key)
+        @cache[key] = value
+        @cache.shift if @cache.size > @capacity
+        value # rubocop:disable Lint/Void
+      end
+
+      def keys
+        @cache.keys
+      end
+
+      def key? key
+        @cache.key?(key)
+      end
+
+      def values
+        @cache.values
+      end
+    end
+  end
+end

data/lib/contrast/utils/ruby_ast_rewriter.rb

@@ -38,7 +38,7 @@ module Contrast
         return if node.children.all? { |child_node| child_node.type == :str }
         new_content = +'('
         idx = 0
-        while idx < node.children.size
+        while idx < node.children.length
           #node.children.each_with_index do |child_node, index|
           child_node = node.children[idx]
           # A begin node looks like #{some_code} in ruby, we do a substring

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 4.10.0
+  version: 4.11.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-08-31 00:00:00.000000000 Z
+date: 2021-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -617,20 +617,20 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__assess_kernel/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_string/extconf.rb
+- ext/cs__assess_array/extconf.rb
 - ext/cs__assess_regexp/extconf.rb
 - ext/cs__protect_kernel/extconf.rb
+- ext/cs__assess_marshal_module/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_string_interpolation26/extconf.rb
+- ext/cs__assess_fiber_track/extconf.rb
+- ext/cs__assess_string/extconf.rb
+- ext/cs__assess_hash/extconf.rb
+- ext/cs__assess_kernel/extconf.rb
 - ext/cs__contrast_patch/extconf.rb
-- ext/cs__assess_active_record_named/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
 - ext/cs__assess_module/extconf.rb
-- ext/cs__assess_hash/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
-- ext/cs__assess_array/extconf.rb
-- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_active_record_named/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -1079,6 +1079,7 @@ files:
 - lib/contrast/utils/invalid_configuration_util.rb
 - lib/contrast/utils/io_util.rb
 - lib/contrast/utils/job_servers_running.rb
+- lib/contrast/utils/lru_cache.rb
 - lib/contrast/utils/object_share.rb
 - lib/contrast/utils/os.rb
 - lib/contrast/utils/preflight_util.rb