contrast-agent 4.10.0 → 4.13.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ab65fd574ef84fbe339e4f4d4bf340623235a442ecc11d7ba28c6af3c6f04d4d
-  data.tar.gz: 0fa9cc44fe85713ee924101139e615d361de6d906c8f5ff4fdd345a930eee9d2
+  metadata.gz: 96cff410085a542c1003dda242268f349bc20f738b82bde70725b695661a79bc
+  data.tar.gz: 2a5d703693f697785034df1f602ef0f61241ae16edf11dbd174ad9a8da01b72c
 SHA512:
-  metadata.gz: cb21ebcad0e772649d16a25d2f00cc057ee10df71638b7bd7cc6a4710a1ded28ce4dca749fa040ba2fb78e992727f4cc5d5f38e1187c363a8ea33a12333fc289
-  data.tar.gz: c3ad4c82a9e25ecb58c0ea906f1170cffdd6811952f9c1d71a6c75166358a37e0ebba40e55e9a7433156a51122b9ca1450bb5a4a2a87f9081a4a4268d9abfdb4
+  metadata.gz: 409632acc3352b7c172a1aa12c9f5de482b5e5c3c0307b0732c48c7b8cf8d56c5ef5a4c039a0c866dd0c1ea31340b21ee8e4bcc0f2c4c4fdea9cd4fffcbaa212
+  data.tar.gz: 17b56ee4355a472b637cf1f9059f1bfce01319351713fc3b35e744bc3afad3d4f068cf77dd474032193249cb8f178141d7d7da2aa7b4d2f3a0cc2158e1c55d0c

data/ext/cs__assess_module/cs__assess_module.c

@@ -57,6 +57,45 @@ contrast_assess_module_module_eval(const int argc, const VALUE *argv,
     return ret;
 }
 
+VALUE
+contrast_assess_module_prepend(const int argc, const VALUE *argv,
+                               const VALUE self) {
+
+    rb_prepend_module(self, argv[0]);
+
+    VALUE module_at;
+    VALUE rb_incl_in_mod_ary = rb_funcall(self, rb_intern("included_in"), 0);
+
+    if (RB_TYPE_P(rb_incl_in_mod_ary, T_ARRAY)) {
+       int i = 0;
+       int size = rb_funcall(rb_incl_in_mod_ary, rb_intern("length"), 0);
+       for (i = 0; i < size; ++i) {
+           module_at = rb_ary_entry(rb_incl_in_mod_ary, i);
+           if (RB_TYPE_P(module_at, T_MODULE)) {
+              rb_include_module(module_at, argv[0]);
+           }
+       }
+    }
+    return self;
+}
+
+VALUE
+contrast_assess_module_included(const int argc, const VALUE *argv,
+                               const VALUE self) {
+   VALUE frozen;
+   if (RB_TYPE_P(self, T_MODULE)) {
+       // check if frozen
+       frozen = rb_funcall(self, rb_intern("cs__frozen?"), 0);
+       if (frozen == Qfalse) {
+           VALUE ary = rb_funcall(self, rb_intern("included_in"), 0);
+           if (RB_TYPE_P(ary, T_ARRAY)) {
+              rb_ary_push(ary, argv[0]);
+           }
+       }
+   }
+   return self;
+}
+
 void Init_cs__assess_module(void) {
     module_eval_trigger =
         rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
@@ -76,4 +115,13 @@ void Init_cs__assess_module(void) {
 
     contrast_register_patch("Module", "module_eval",
                             contrast_assess_module_module_eval);
+   /*
+    * We patch these for better ancestors handling, and only for older ruby versions.
+    */
+  if (rb_ver_below_three()) {
+     contrast_register_patch("Module", "included",
+                             contrast_assess_module_included);
+     contrast_register_patch("Module", "prepend",
+                             contrast_assess_module_prepend);
+     }
 }

data/ext/cs__assess_module/cs__assess_module.h

@@ -24,5 +24,12 @@ contrast_assess_module_class_eval(const int argc, const VALUE *argv,
 VALUE
 contrast_assess_module_module_eval(const int argc, const VALUE *argv,
                                    const VALUE mod);
+VALUE
+contrast_assess_module_prepend(const int argc, const VALUE *argv,
+                               const VALUE self);
+
+VALUE
+contrast_assess_module_included(const int argc, const VALUE *argv,
+                               const VALUE mod);
 
 void Init_cs__assess_module(void);

data/ext/cs__common/cs__common.c

@@ -73,11 +73,20 @@ VALUE contrast_register_singleton_patch(const char *module_name,
                                     IMPL_ALIAS_SINGLETON);
 }
 
-VALUE contrast_register_singleton_prepend_patch(
-    const char *module_name, const char *method_name,
-    VALUE(c_fn)(const int, VALUE *, const VALUE)) {
+VALUE contrast_register_prepend_patch(const char *module_name,
+                              const char *method_name,
+                              VALUE(c_fn)(const int, VALUE *,
+                                          const VALUE)) {
     return _contrast_register_patch(module_name, method_name, c_fn,
-                                    IMPL_PREPEND);
+                                    IMPL_PREPEND_INSTANCE);
+}
+
+VALUE contrast_register_singleton_prepend_patch(const char *module_name,
+                              const char *method_name,
+                              VALUE(c_fn)(const int, VALUE *,
+                                          const VALUE)) {
+    return _contrast_register_patch(module_name, method_name, c_fn,
+                                    IMPL_PREPEND_SINGLETON);
 }
 
 static VALUE
@@ -122,8 +131,10 @@ _contrast_register_patch(const char *module_name, const char *method_name,
     case IMPL_ALIAS_SINGLETON:
         impl = ID2SYM(rb_sym_alias_singleton);
         break;
-    case IMPL_PREPEND:
-        impl = ID2SYM(rb_sym_prepend);
+    case IMPL_PREPEND_INSTANCE:
+        impl = ID2SYM(rb_sym_prepend_instance);
+    case IMPL_PREPEND_SINGLETON:
+         impl = ID2SYM(rb_sym_prepend_singleton);
         break;
     }
 
@@ -133,6 +144,11 @@ _contrast_register_patch(const char *module_name, const char *method_name,
     return SYM2ID(underlying_method_name);
 }
 
+int rb_ver_below_three() {
+  int ruby_version = FIX2INT(rb_funcall(rb_const_get(rb_cObject, rb_intern("RUBY_VERSION")), rb_intern("to_i"), 0));
+  return ruby_version < 3;
+}
+
 void Init_cs__common(void) {
     cs__send_method = rb_intern("send");
     cs__alias_method_sym = ID2SYM(rb_intern("alias_method"));
@@ -152,7 +168,8 @@ void Init_cs__common(void) {
     rb_sym_register_c_patch = rb_intern("register_c_patch");
     rb_sym_alias_instance = rb_intern("alias_instance");
     rb_sym_alias_singleton = rb_intern("alias_singleton");
-    rb_sym_prepend = rb_intern("prepend");
+    rb_sym_prepend_instance = rb_intern("prepend_instance");
+    rb_sym_prepend_singleton = rb_intern("prepend_singleton");
 
     /* Ensure definition of core Contrast instrumentation modules */
     contrast = rb_define_module("Contrast");

data/ext/cs__common/cs__common.h

@@ -6,7 +6,8 @@
 typedef enum {
     IMPL_ALIAS_INSTANCE,
     IMPL_ALIAS_SINGLETON,
-    IMPL_PREPEND
+    IMPL_PREPEND_INSTANCE,
+    IMPL_PREPEND_SINGLETON,
 } patch_impl;
 
 static VALUE cs__send_method;
@@ -30,7 +31,16 @@ static VALUE rb_sym_instance_method;
 static VALUE rb_sym_register_c_patch;
 static VALUE rb_sym_alias_instance;
 static VALUE rb_sym_alias_singleton;
-static VALUE rb_sym_prepend;
+static VALUE rb_sym_prepend_instance;
+static VALUE rb_sym_prepend_singleton;
+
+/*
+ * Check if ruby version is < 3.0.0.
+ * We are using this for handling ancestors of included modules.
+ * Since this is fixed after Ruby 3.0.0 we should remove this after
+ * dropping support for older versions, as no longer needed.
+ */
+int rb_ver_below_three();
 
 void patch_via_funchook(void *original_function, void *hook_function);
 

data/ext/cs__contrast_patch/cs__contrast_patch.c

@@ -43,7 +43,7 @@ VALUE contrast_patch_call_original(const VALUE *args) {
         if (rb_block_given_p()) {
             return rb_funcall_with_block_kw(object, method_id, argc, params, rb_block_proc(), RB_PASS_CALLED_KEYWORDS);
         } else {
-            return rb_funcallv_kw(object, method_id, argc, params, RB_PASS_CALLED_KEYWORDS); 
+            return rb_funcallv_kw(object, method_id, argc, params, RB_PASS_CALLED_KEYWORDS);
         }
     /* Ruby < 2.7 */
     #else
@@ -182,7 +182,8 @@ VALUE contrast_run_patches(const VALUE *wrapped_args) {
                                   contrast_patch_call_rescue,
                                   (VALUE)rescue_args, rb_eException, 0);
         break;
-    case IMPL_PREPEND:
+    case IMPL_PREPEND_INSTANCE:
+    case IMPL_PREPEND_SINGLETON:
         original_ret = rb_rescue2(contrast_call_super, original_args,
                                   contrast_patch_call_rescue,
                                   (VALUE)rescue_args, rb_eException, 0);
@@ -247,10 +248,14 @@ VALUE contrast_patch_dispatch(const int argc, const VALUE *argv,
      */
     switch (impl) {
     case IMPL_ALIAS_INSTANCE:
-    case IMPL_PREPEND:
+    case IMPL_PREPEND_INSTANCE:
         known =
             rb_funcall(patch_status, rb_sym_info_for, 3, object, method, Qtrue);
         break;
+    case IMPL_PREPEND_SINGLETON:
+       known =
+           rb_funcall(patch_status, rb_sym_info_for, 3, object, method, Qfalse);
+       break;
     case IMPL_ALIAS_SINGLETON:
         known = rb_funcall(patch_status, rb_sym_info_for, 3, object, method,
                            Qfalse);
@@ -323,7 +328,8 @@ call_original:
     case IMPL_ALIAS_INSTANCE:
     case IMPL_ALIAS_SINGLETON:
         return contrast_patch_call_original(original_args);
-    case IMPL_PREPEND:
+    case IMPL_PREPEND_INSTANCE:
+    case IMPL_PREPEND_SINGLETON:
         return contrast_call_super(original_args);
     };
 }
@@ -338,9 +344,14 @@ VALUE contrast_alias_singleton_patch(const int argc, const VALUE *argv,
     return contrast_patch_dispatch(argc, argv, IMPL_ALIAS_SINGLETON, object);
 }
 
-VALUE contrast_prepend_patch(const int argc, const VALUE *argv,
+VALUE contrast_prepend_instance_patch(const int argc, const VALUE *argv,
                              const VALUE object) {
-    return contrast_patch_dispatch(argc, argv, IMPL_PREPEND, object);
+    return contrast_patch_dispatch(argc, argv, IMPL_PREPEND_INSTANCE, object);
+}
+
+VALUE contrast_prepend_singleton_patch(const int argc, const VALUE *argv,
+                             const VALUE object) {
+    return contrast_patch_dispatch(argc, argv, IMPL_PREPEND_SINGLETON, object);
 }
 
 VALUE contrast_patch_define_method(const VALUE self, const VALUE clazz, const VALUE method_policy,
@@ -403,29 +414,55 @@ VALUE contrast_patch_define_method(const VALUE self, const VALUE clazz, const VA
 VALUE contrast_patch_prepend(const VALUE self, const VALUE originalModule,
                              const VALUE method_policy) {
 
+    const VALUE instance = Qtrue;
+    const VALUE singleton = Qfalse;
     const VALUE original_method_name =
         rb_funcall(method_policy, rb_sym_method_name, 0);
     const VALUE is_private =
         rb_funcall(method_policy, rb_sym_private_method, 0);
     const VALUE is_instance_method =
         rb_funcall(method_policy, rb_sym_instance_method, 0);
-    rb_funcall(patch_status, rb_sym_set_info_for, 5, originalModule,
-               original_method_name, method_policy, Qtrue, Qnil);
+
+// Set the value for instance or singleton method
+    if (RTEST(is_instance_method)){
+        rb_funcall(patch_status, rb_sym_set_info_for, 5, originalModule,
+                   original_method_name, method_policy, instance, Qnil);
+
+    } else {
+        rb_funcall(patch_status, rb_sym_set_info_for, 5, originalModule,
+                   original_method_name, method_policy, singleton, Qnil);
+    }
+
     VALUE module = rb_define_module_under(originalModule, "ContrastPrepend");
     VALUE str = rb_funcall(original_method_name, rb_sym_cs_to_s, 0);
     char *cMethodName = StringValueCStr(str);
     if (RTEST(is_instance_method)) {
         if (RTEST(is_private)) {
             rb_define_private_method(module, cMethodName,
-                                     contrast_prepend_patch, -1);
+                                     contrast_prepend_instance_patch, -1);
         } else {
-            rb_define_method(module, cMethodName, contrast_prepend_patch, -1);
+            rb_define_method(module, cMethodName, contrast_prepend_instance_patch, -1);
         }
     } else {
-        rb_define_singleton_method(module, cMethodName, contrast_prepend_patch,
+        rb_define_singleton_method(module, cMethodName, contrast_prepend_singleton_patch,
                                    -1);
     }
     rb_prepend_module(originalModule, module);
+
+    if (rb_ver_below_three()) {
+        VALUE module_at;
+        VALUE rb_incl_in_mod_ary = rb_funcall(originalModule, rb_intern("included_in"), 0);
+        if (RB_TYPE_P(rb_incl_in_mod_ary, T_ARRAY)) {
+            int i = 0;
+            int size = rb_funcall(rb_incl_in_mod_ary, rb_intern("length"), 0);
+            for (i = 0; i < size; ++i) {
+                module_at = rb_ary_entry(rb_incl_in_mod_ary, i);
+                if (RB_TYPE_P(module_at, T_MODULE)) {
+                    rb_include_module(module_at, module);
+                }
+            }
+        }
+   }
     return Qtrue;
 }
 

data/ext/cs__contrast_patch/cs__contrast_patch.h

@@ -146,8 +146,11 @@ VALUE contrast_alias_instance_patch(const int argc, const VALUE *argv,
 VALUE contrast_alias_singleton_patch(const int argc, const VALUE *argv,
                                      const VALUE object);
 
-VALUE contrast_prepend_patch(const int argc, const VALUE *argv,
-                             const VALUE object);
+VALUE contrast_prepend_instance_patch(const int argc, const VALUE *argv,
+                                    const VALUE object);
+
+VALUE contrast_prepend_singleton_patch(const int argc, const VALUE *argv,
+                                     const VALUE object);
 
 /*
  * Patches a module's method by prepend:

data/ext/cs__os_information/cs__os_information.c

@@ -0,0 +1,31 @@
+/* Copyright (c) 2021 Contrast Security, Inc.  See
+ * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
+
+#include "cs__os_information.h"
+#include <dlfcn.h>
+#include <ruby.h>
+#include <sys/utsname.h>
+
+VALUE contrast, utils, os;
+
+VALUE contrast_get_system_information()
+{
+    struct utsname uname_pointer;
+
+    uname (&uname_pointer);
+
+    VALUE rb_data_hash = rb_hash_new();
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_type"), rb_str_new2(uname_pointer.sysname));
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_version"), rb_str_new2(uname_pointer.release));
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_complete_version"), rb_str_new2(uname_pointer.version));
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_arch"), rb_str_new2(uname_pointer.machine));
+    return rb_data_hash;
+}
+
+void Init_cs__os_information(void)
+{
+    contrast = rb_define_module("Contrast");
+    utils = rb_define_module_under(contrast, "Utils");
+    os = rb_define_module_under(utils, "OS");
+    rb_define_module_function(os, "get_system_information", contrast_get_system_information, 0);
+}

data/ext/cs__os_information/cs__os_information.h

@@ -0,0 +1,7 @@
+#include <ruby.h>
+
+extern VALUE contrast, utils, os;
+
+VALUE contrast_get_system_information();
+
+void Init_cs__os_information(void);

data/lib/contrast/agent/assess/contrast_event.rb

@@ -54,7 +54,7 @@ module Contrast
 
           # These methods rely on the above being set. Don't move them!
           @event_id = Contrast::Agent::Assess::ContrastEvent.next_atomic_id
-          @tags = Contrast::Agent::Assess::Tracker.properties(tagged)&.tags
+          @tags = Contrast::Agent::Assess::Tracker.properties(tagged)&.get_tags
           find_parent_events!(policy_node, object, ret, args)
           snapshot!(object, ret, args)
           capture_stacktrace!

data/lib/contrast/agent/assess/contrast_object.rb

@@ -35,10 +35,7 @@ module Contrast
           if object
             @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
             @object_type = object.cs__class.cs__name
-            # TODO: RUBY-1084 determine if we need to copy these tags to
-            #   restore immutability. For instance, if these tags were on a
-            #   String that was then #reverse!'d, would our tags be wrong?
-            @tags = Contrast::Agent::Assess::Tracker.properties(object)&.tags
+            @tags = Contrast::Agent::Assess::Tracker.properties(object)&.get_tags
           else
             @object = Contrast::Utils::ObjectShare::NIL_STRING
             @object_type = nil.cs__class.cs__name

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -24,6 +24,8 @@ module Contrast
             #   the name of the method to taint, mapped to the properties it
             #   should apply
             def create_sources klass, tainted_columns
+              return unless Contrast::ASSESS.require_dynamic_sources?
+
               class_name = klass.cs__name
               instance_methods = klass.instance_methods
               instance_methods.concat(klass.private_instance_methods)

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/utils/lru_cache'
 
 module Contrast
   module Agent
@@ -12,6 +13,7 @@ module Contrast
         include Contrast::Components::Logger::InstanceMethods
         extend Contrast::Components::Logger::InstanceMethods
 
+        @lru_cache = Contrast::Utils::LRUCache.new
         UNDUPLICABLE_MODULES = [
           Enumerator # dup'ing results in 'can't copy execution context'
         ].cs__freeze
@@ -70,32 +72,44 @@ module Contrast
 
           def append_object_details preshift, initializing, object
             can = can_dup?(initializing, object)
-            preshift.object = can ? object.dup : object
+            preshift.object = if @lru_cache.key?(object.__id__) && !Contrast::Agent::Assess::Tracker.tracked?(object)
+                                @lru_cache[object.__id__]
+                              else
+                                can ? object.dup : object
+                              end
             preshift.object_length = if Contrast::Utils::DuckUtils.quacks_to?(preshift.object, :length)
                                        object.length
                                      else
                                        0
                                      end
+
             return unless can
+
             return unless Contrast::Agent::Assess::Tracker.tracked?(object)
 
             Contrast::Agent::Assess::Tracker.copy(object, preshift.object)
+            @lru_cache[object.__id__] = object
           end
 
           def append_arg_details preshift, args
-            preshift.args = args.dup
+            args_length = args.length
+            preshift.args = Array.new(args_length)
+            preshift.arg_lengths = Array.new(args_length)
             idx = 0
-            while idx < preshift.args.size
-              original_arg = args[idx]
-              p_arg = preshift.args[idx]
+            while idx < args_length
+              or_arg = args[idx]
+              p_arg = if @lru_cache.key?(or_arg.__id__)
+                        @lru_cache[or_arg.__id__]
+                      else
+                        can_dup?(false, or_arg) ? or_arg.dup : or_arg
+                      end
+              preshift.args[idx] = p_arg
+              preshift.arg_lengths[idx] = Contrast::Utils::DuckUtils.quacks_to?(p_arg, :length) ? p_arg.length : 0
               idx += 1
-              next if p_arg.__id__ == original_arg.__id__
-              next unless Contrast::Agent::Assess::Tracker.tracked?(original_arg)
+              next if p_arg.__id__ == or_arg.__id__
 
-              Contrast::Agent::Assess::Tracker.copy(original_arg, p_arg)
-            end
-            preshift.arg_lengths = preshift.args.map do |preshift_arg|
-              Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0
+              Contrast::Agent::Assess::Tracker.copy(or_arg, p_arg)
+              @lru_cache[p_arg.__id__] = p_arg
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -7,6 +7,7 @@ require 'contrast/agent/assess/policy/propagator'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/propagation_method_utils'
 
 module Contrast
   module Agent
@@ -16,35 +17,9 @@ module Contrast
         # untrusted value. In general, these methods work on the String class or a holder of Strings.
         module PropagationMethod
           extend Contrast::Components::Logger::InstanceMethods
-
-          APPEND_ACTION = 'APPEND'
-          CENTER_ACTION = 'CENTER'
-          INSERT_ACTION = 'INSERT'
-          KEEP_ACTION = 'KEEP'
-          NEXT_ACTION = 'NEXT'
-          NOOP_ACTION = 'NOOP'
-          PREPEND_ACTION = 'PREPEND'
-          REPLACE_ACTION = 'REPLACE'
-          REMOVE_ACTION = 'REMOVE'
-          REVERSE_ACTION = 'REVERSE'
-          SPLAT_ACTION = 'SPLAT'
-          SPLIT_ACTION = 'SPLIT'
-          DB_WRITE_ACTION = 'DB_WRITE'
-          CUSTOM_ACTION = 'CUSTOM'
+          extend Contrast::Utils::Assess::PropagationMethodUtils
 
           class << self
-            def determine_target propagation_node, ret, object, args
-              target = propagation_node.targets[0]
-              case target
-              when Contrast::Utils::ObjectShare::OBJECT_KEY
-                object
-              when Contrast::Utils::ObjectShare::RETURN_KEY
-                ret
-              else
-                args[target]
-              end
-            end
-
             # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that governs the
             #   patches to this method
             # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
@@ -65,21 +40,6 @@ module Contrast
               PropagationMethod.apply_propagator(propagation_node, preshift, target, object, ret, args, block)
             end
 
-            PROPAGATION_ACTIONS = {
-                APPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Append,
-                CENTER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Center,
-                INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
-                KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
-                NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
-                NOOP_ACTION => nil,
-                PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
-                REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
-                REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
-                REVERSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Reverse,
-                SPLAT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Splat,
-                SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
-            }.cs__freeze
-
             # I lied above. We had to figure out what the target of the propagation was. Now that we know, we'll
             # actually do things to it. Note that the return of this method will replace the original return of the
             # patched function unless it is nil, so be sure you're returning what you intend.
@@ -116,80 +76,6 @@ module Contrast
               nil
             end
 
-            # Custom actions tend to be the more complex of our propagations. Often, the method has to make decisions
-            # about the target based on the context with which the method was called. As such, defer determining if the
-            # target is valid to that method.
-            #
-            # In all other cases, a target is valid for propagation if it is not nil
-            #
-            # @param target [Object] the thing to which to propagate
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
-            #   propagation event.
-            # @return [Boolean]
-            def valid_target? target, propagation_node
-              return true if propagation_node.action == CUSTOM_ACTION
-
-              !!target
-            end
-
-            ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
-            # If the action required needs a length and the target does not have one, the length is not valid
-            #
-            # @param target [Object] the thing to which to propagate
-            # @param action [String] the name of the action taken during this propagation
-            # @return [Boolean]
-            def valid_length? target, action
-              return true if ZERO_LENGTH_ACTIONS.include?(action)
-
-              if Contrast::Utils::DuckUtils.quacks_to?(target, :length)
-                target.length != 0 # rubocop:disable Style/ZeroLengthPredicate
-              else
-                !target.to_s.empty?
-              end
-            end
-
-            # Before we do any work, we should check if we even need to. If the source and target of this patcher are
-            # not tracked, there's no need to do anything. A copy of nothing is still nothing.
-            #
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
-            #   propagation event.
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
-            #   the invocation of the patched method.
-            # @param target [Object] the thing to which to propagate
-            # @return [Boolean]
-            def can_propagate? propagation_node, preshift, target
-              return false unless appropriate_target?(propagation_node, target)
-              return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
-              return false unless preshift
-
-              propagation_node.sources.each do |source|
-                case source
-                when Contrast::Utils::ObjectShare::OBJECT_KEY
-                  return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
-                else
-                  # has to be P, there's no ret source type (yet? ever?)
-                  return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
-                end
-              end
-              false
-            end
-
-            # We cannot propagate to frozen things that have not been updated to work with our property tracking,
-            # unless they're duplicable and the return. We probably shouldn't propagate to frozen things at all, as
-            # they're supposed to be immutable, but third parties do jenky things, so allow it as long as it is safe to
-            # do.
-            #
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
-            #   propagation event.
-            # @param target [Object] the Target to which to propagate.
-            # @return [Boolean] if the target can be propagated to
-            def appropriate_target? propagation_node, target
-              # special handle Returns b/c we can do unfreezing magic during propagation
-              return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
-
-              Contrast::Agent::Assess::Tracker.trackable?(target)
-            end
-
             # If this patcher has tags, apply them to the entire target
             # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
             #   propagation event.

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -95,8 +95,8 @@ module Contrast
 
           def needs_object?
             if @_needs_object.nil?
-              @_needs_object = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
-                  action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
+              @_needs_object = action == Contrast::Utils::Assess::PropagationMethodUtils::CUSTOM_ACTION ||
+                  action == Contrast::Utils::Assess::PropagationMethodUtils::DB_WRITE_ACTION ||
                   sources.any?(Contrast::Utils::ObjectShare::OBJECT_KEY) ||
                   targets.any?(Contrast::Utils::ObjectShare::OBJECT_KEY)
             end
@@ -105,8 +105,8 @@ module Contrast
 
           def needs_args?
             if @_needs_args.nil?
-              @_needs_args = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
-                  action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
+              @_needs_args = action == Contrast::Utils::Assess::PropagationMethodUtils::CUSTOM_ACTION ||
+                  action == Contrast::Utils::Assess::PropagationMethodUtils::DB_WRITE_ACTION ||
                   sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) } ||
                   targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
             end

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -13,6 +13,8 @@ module Contrast
           class DatabaseWrite < Contrast::Agent::Assess::Policy::Propagator::Base
             class << self
               def propagate propagation_node, preshift, target
+                return unless Contrast::ASSESS.require_dynamic_sources?
+
                 class_type = preshift.object.cs__class
                 class_name = class_type.cs__name
                 tainted_columns = {}