contrast-agent 4.10.0 → 4.13.1

data/lib/contrast/utils/assess/property/tagged_utils.rb

@@ -0,0 +1,142 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the Tagged property module
+      # and some other module methods from the same place, so we can ease the main module
+      # This module includes simple methods for the tags like
+      # adding tags, getting tags, deleting tags and similar
+      module TaggedUtils
+        # Given a tag name and range object, add a new tag to this
+        # collection. If the given range touches an existing tag,
+        # we'll combine the two, adjusting the existing one and
+        # dropping this new one.
+        #
+        # @param label [String] the name of the tag
+        # @param range [Range] the Range that the tag covers, inclusive to
+        #   exclusive
+        def add_tag label, range
+          length = range.end - range.begin
+          tag = Contrast::Agent::Assess::Tag.new(label, length, range.begin)
+          existing = fetch_tag(label)
+          tags[label] = Contrast::Utils::TagUtil.ordered_merge(existing, tag)
+        end
+
+        def set_tags label, tag_ranges
+          tags[label] = tag_ranges
+        end
+
+        # Returns a list of all current tags.
+        #
+        # @return [Hash<Contrast::Agent::Assess::Tag>]
+        def get_tags # rubocop:disable Naming/AccessorMethodName
+          return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
+
+          tags
+        end
+
+        # We'll use this as a helper method to retrieve tags from the hash.
+        # Because the hash auto-populates an empty array when we try to
+        # access a tag in it, we cannot use the [] method without side
+        # effect. To get around this, we'll use a fetch work around.
+        #
+        # @param label [Symbol] the label to look up
+        # @return [Array<Contrast::Agent::Assess::Tag>] all the tags with
+        #   that label
+        def fetch_tag label
+          get_tags.fetch(label, nil) if tracked?
+        end
+
+        # Remove all tags with a given label
+        def delete_tags label
+          tags.delete(label) if tracked?
+        end
+
+        # Reset the tag hash
+        def clear_tags
+          tags.clear if tracked?
+        end
+
+        # Returns a list of all current tag labels, most likely to be used for
+        # a splat operation
+        def tag_keys
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
+
+          tags.keys
+        end
+
+        # Calls merge to combine touching or overlapping tags
+        # Deletes empty tags
+        def cleanup_tags
+          return unless tracked?
+
+          Contrast::Utils::TagUtil.merge_tags(tags)
+          tags.delete_if { |_, value| value.empty? }
+        end
+
+        # Find all of the ranges that span a given index. This is used
+        # in propagation when we need to shift tags about. For instance, in
+        # the append method when we need to see if any tag at the end needs
+        # to be expanded out to the size of the new String.
+        #
+        # Note: Tags do not know their key, so this is only the range covered
+        #
+        # @param idx [Integer] the index to check for tags
+        # @return [Array<Contrast::Agent::Assess::Tag>] a set of all the Tags
+        #   covering the given index. This is only the ranges, not the names.
+        def tags_at idx
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
+
+          at = []
+          tags.each_value do |tag_array|
+            tag_array.each do |tag|
+              if tag.covers?(idx)
+                at << tag
+              elsif tag.above?(idx)
+                break
+              end
+            end
+          end
+          at
+        end
+
+        # given a range, select all tags in that range the selected tags are
+        # shifted such that the start index of the new tag (0) aligns with
+        # the given start index in the range
+        #
+        # current tags: 5-15
+        # range       : 5-10
+        # result      : 0-05
+        #
+        # Note that we disable Lint/DuplicateBranch in this branch in order
+        # list out all tag range cases in the proper order to make this
+        # easier to understand
+        #
+        # @param range [Range] the span to check, inclusive to exclusive
+        # @return [Hash{String => Contrast::Agent::Assess::Tag}] the hash of
+        #   key to tags
+        def tags_at_range range
+          return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
+
+          at = Hash.new { |h, k| h[k] = [] }
+          tags.each_pair do |key, value|
+            add = nil
+            value.each do |tag|
+              within_range = resize_to_range(tag, range)
+              if within_range
+                add ||= []
+                add << within_range
+              end
+            end
+            next unless add&.any?
+
+            at[key] = add
+          end
+          at
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/source_method_utils.rb

@@ -0,0 +1,83 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the SourceMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module SourceMethodUtils
+        # Safely duplicate the target, or return nil
+        #
+        # @param target [Object] the thing to check for duplication
+        def safe_dup target
+          target.dup
+        rescue StandardError => _e
+          nil
+        end
+
+        # Find the name of the source
+        #
+        # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+        #   event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [String, nil] the human readable name of the target to which this source event applies, or nil if
+        #   none provided by the node
+        def determine_source_name source_node, object, ret, *args
+          return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
+
+          source_node_source = source_node.sources[0]
+          case source_node_source
+          when nil
+            nil
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          else
+            args[source_node_source]
+          end
+        end
+
+        # Determine if we should analyze this method invocation for a Source or not. We should if we have enough
+        # information to build the context of this invocation, we're not disabled, and we can't immediately
+        # determine the invocation was done safely.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
+        #   method being called
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [boolean] if the invocation of this method should be analyzed
+        def analyze? method_policy, object, ret, args
+          return false unless method_policy&.source_node
+          return false unless ::Contrast::ASSESS.enabled?
+          return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
+
+          !safe_invocation?(method_policy.source_node, object, ret, args)
+        end
+
+        # Determine if the method was invoked safely.
+        #
+        # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+        #   event
+        # @param _object [Object] the Object on which the method was invoked
+        # @param _ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [boolean] if the invocation of this method was safe
+        def safe_invocation? source_node, _object, _ret, args
+          # According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
+          # from the Request will start with HTTP_. As such, only Headers with that key should be considered for
+          # tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
+          # instance, uses action_dispatch. to store several values. Technically, you can't call
+          # Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
+          source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
+              args&.any? &&
+              !args[0].to_s.start_with?('HTTP_')
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/trigger_method_utils.rb

@@ -0,0 +1,138 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations/appliers in the TriggerMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module TriggerMethodUtils
+        # A request is reportable if it is not from ActionController::Live
+        #
+        # @param env [Hash] the env of the Request
+        # @return [Boolean]
+        def reportable? env
+          !(defined?(ActionController::Live) &&
+            env &&
+            env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
+        end
+
+        # Find the request for this finding. This assumes, for now, that if there is an active request, then that
+        # is the request to report. Otherwise, we'll use the first request found in the events of the
+        # source_object.
+        #
+        # @param source [Object,nil] some Object used as the source of a trigger event
+        # @return [Contrast::Agent::Request,nil] the request from which the dataflow on the request originated.
+        def find_request source
+          return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
+          return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
+
+          find_event_request(properties.event)
+        end
+
+        # Finds the first request along the left most tree of parent events
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent|Contrast::Agent::Assess::Events::SourceEvent]
+        # @return [Contrast::Agent::Request, nil]
+        def find_event_request event
+          return event.request if event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+
+          idx = 0
+          while idx <= event.parent_events.length
+            found = find_event_request(event.parent_events[idx])
+            return found if found
+
+            idx += 1
+            return event.request if event.request
+          end
+          return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+
+          event.request
+        end
+
+        # ===== APPLIERS =====
+        # This is our method that actually checks the taint on the object our trigger_node targets.
+        #
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+        #   trigger event
+        # @param source [Object] the source of the Trigger Event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        def apply_trigger trigger_node, source, object, ret, *args
+          return unless trigger_node
+          return if trigger_node.rule_disabled?
+          return if trigger_node.dataflow? && source.nil?
+
+          if trigger_node.regexp_rule?
+            apply_regexp_rule(trigger_node, source, object, ret, *args)
+          elsif trigger_node.custom_trigger?
+            trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
+          elsif trigger_node.dataflow?
+            apply_dataflow_rule(trigger_node, source, object, ret, *args)
+          else # trigger rule - just calling the method is dangerous
+            build_finding(trigger_node, source, object, ret, *args)
+          end
+        rescue StandardError => e
+          logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
+        end
+
+        # This is our method that actually checks the taint on the object our trigger_node targets for our Regexp
+        # based rules.
+        #
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+        #   trigger event
+        # @param source [Object] the source of the Trigger Event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        def apply_regexp_rule trigger_node, source, object, ret, *args
+          return unless source.is_a?(String)
+          return if trigger_node.good_value && source.match?(trigger_node.good_value)
+          return if trigger_node.bad_value && source !~ trigger_node.bad_value
+
+          build_finding(trigger_node, source, object, ret, *args)
+        end
+
+        # This is our method that actually checks the taint on the object our trigger_node targets for our Dataflow
+        # based rules.
+        #
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+        #   trigger event
+        # @param source [Object] the source of the Trigger Event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        def apply_dataflow_rule trigger_node, source, object, ret, *args
+          return unless source
+
+          if Contrast::Agent::Assess::Tracker.trackable?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+            return unless trigger_node.violated?(source)
+
+            build_finding(trigger_node, source, object, ret, *args)
+          elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+
+            source.each_pair do |key, value|
+              apply_dataflow_rule(trigger_node, key, object, ret, *args)
+              apply_dataflow_rule(trigger_node, value, object, ret, *args)
+            end
+          elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+
+            source.each do |value|
+              apply_dataflow_rule(trigger_node, value, object, ret, *args)
+            end
+          else
+            logger.debug('Trigger source is untrackable. Unable to inspect.',
+                         node_id: trigger_node.id,
+                         source_id: source.__id__,
+                         source_type: source.cs__class.cs__name,
+                         frozen: source.cs__frozen?)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/class_util.rb

@@ -3,21 +3,21 @@
 
 require 'contrast/extension/module'
 require 'contrast/utils/object_share'
+require 'contrast/utils/lru_cache'
 
 module Contrast
   module Utils
     # Utility methods for exploring the complete space of Objects
     class ClassUtil
+      @lru_cache = LRUCache.new(300)
+      @string_cache = LRUCache.new(300)
       class << self
-        # some classes have had things prepended to them, like Marshal in Rails
-        # 5 and higher. Their ActiveSupport::MarshalWithAutoloading will break
-        # our alias patching approach, as will any other prepend on something
-        # that we touch. Prepend and Alias are inherently incompatible monkey
-        # patching approaches. As such, we need to know if something has been
-        # prepended to.
+        # some classes have had things prepended to them, like Marshal in Rails 5 and higher. Their
+        # ActiveSupport::MarshalWithAutoloading will break our alias patching approach, as will any other prepend on
+        # something that we touch. Prepend and Alias are inherently incompatible monkey patching approaches. As such,
+        # we need to know if something has been prepended to.
         #
-        # @param mod [Module] the Module to check to see if it has had something
-        #   prepended
+        # @param mod [Module] the Module to check to see if it has had something prepended
         # @param ancestors [Array<Module>] the array of ancestors for the mod
         # @return [Boolean] if the mod has been prepended or not
         def prepended? mod, ancestors = nil
@@ -25,8 +25,13 @@ module Contrast
           ancestors[0] != mod
         end
 
-        # return true if the given method is overwritten by one of the ancestors
-        # in the ancestor change that comes before the given module
+        # return true if the given method is overwritten by one of the ancestors in the ancestor change that comes
+        # before the given module
+        #
+        # @param mod [Module] the Module to check to see if it has had something prepended
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that holds the method we
+        #   need to check
+        # @return [Boolean] if this method specifically was prepended
         def prepended_method? mod, method_policy
           target_module = determine_target_class mod, method_policy.instance_method
           ancestors = target_module.ancestors
@@ -41,44 +46,49 @@ module Contrast
           false
         end
 
-        # Return a String representing the object invoking this method in the
-        # form expected by our dataflow events.
+        # Return a String representing the object invoking this method in the form expected by our dataflow events.
+        # After implementing the LRU Cache, we firstly need to check if already had that object cached and if we have
+        # it - we can return it directly; otherwise we'll calculate and store the result before returning.
+        #
+        # TODO: RUBY-1327
+        # Once we move to 2.7+, we can combine the caches using ID b/c the memory location stops being the id
         #
         # @param object [Object, nil] the entity to convert to a String
         # @return [String] the human readable form of the String, as defined by
         #   https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/capture-snapshot.md
         def to_contrast_string object
-          # Only treat object like a string if it actually is a string
-          # some subclasses of String override string methods we depend on
+          # Only treat object like a string if it actually is a string+ some subclasses of String override string
+          # methods we depend on
           if object.cs__class == String
-            cached = to_cached_string(object)
-            return cached if cached
-
-            object.dup
-          elsif object.nil?
-            Contrast::Utils::ObjectShare::NIL_STRING
-          elsif object.cs__is_a?(Symbol)
-            ":#{ object }"
-          elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
-            "#{ object.cs__name }@#{ object.__id__ }"
-          elsif object.cs__is_a?(Regexp)
-            object.source
-          elsif use_to_s?(object)
-            object.to_s
+            return @string_cache[object] if @string_cache.key? object
+
+            @string_cache[object] = to_cached_string(object) || object.dup
           else
-            "#{ object.cs__class.cs__name }@#{ object.__id__ }"
+            return @lru_cache[object.__id__] if @lru_cache.key? object.__id__
+
+            @lru_cache[object.__id__] = if object.nil?
+                                          Contrast::Utils::ObjectShare::NIL_STRING
+                                        elsif object.cs__is_a?(Symbol)
+                                          ":#{ object }"
+                                        elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
+                                          "#{ object.cs__name }@#{ object.__id__ }"
+                                        elsif object.cs__is_a?(Regexp)
+                                          object.source
+                                        elsif use_to_s?(object)
+                                          object.to_s
+                                        else
+                                          "#{ object.cs__class.cs__name }@#{ object.__id__ }"
+                                        end
           end
         end
 
-        # The method const_defined? can cause autoload, which is bad for us.
-        # The method autoload? doesn't traverse namespaces. This method lets us
-        # provide a constant, as a String, and parse it to determine if it has
-        # been truly truly defined, meaning it existed before this method was
-        # invoked, not as a result of it.
+        # The method const_defined? can cause autoload, which is bad for us. The method autoload? doesn't traverse
+        # namespaces. This method lets us provide a constant, as a String, and parse it to determine if it has been
+        # truly truly defined, meaning it existed before this method was invoked, not as a result of it.
         #
-        # This is required to handle a bug in Ruby prior to 2.7.0. When we drop
-        # support for 2.6.X, we should remove this code.
-        # https://bugs.ruby-lang.org/issues/10741
+        # TODO: RUBY-1326
+        # This is required to handle a bug in Ruby prior to 2.7.0. When we drop support for 2.6.X, we should remove
+        # this code. https://bugs.ruby-lang.org/issues/10741
         # @param name [String] the name of the constant to look up
         # @return [Boolean]
         def truly_defined? name
@@ -101,7 +111,8 @@ module Contrast
         private
 
         # Some objects have nice to_s that we can use to make them human readable. If they do, we should leverage them.
-        # We used to do this by default, but this opened us up to danger, so we're instead using an allow list approach.
+        # We used to do this by default, but this opened us up to danger, so we're instead using an allow list
+        # approach.
         #
         # @param object [Object] something that may have a safe to_s method
         # @return [Boolean] if we should invoke to_s to represent the object
@@ -112,6 +123,11 @@ module Contrast
           false
         end
 
+        # Find the target class based on the instance, or module, provided. If a module, return it.
+        #
+        # @param mod [Module] the Module, or instance of a Module, that we need to check
+        # @param is_instance [Boolean] is the object provided an instance of a class, requiring lookup by class
+        # @return [Module]
         def determine_target_class mod, is_instance
           return mod if mod.singleton_class?
 
@@ -120,13 +136,11 @@ module Contrast
           mod
         end
 
-        # If the String matches a common String in our ObjectShare, return that
-        # rather that for use as the representation of the String rather than
-        # forcing a duplication of the String.
+        # If the String matches a common String in our ObjectShare, return that rather that for use as the
+        # representation of the String rather than forcing a duplication of the String.
         #
-        # @param string [String] some string of which we want a Contrast
-        #   representation.
-        # @return [String,nil] the ObjectShare version of the String or nil
+        # @param string [String] some string of which we want a Contrast representation.
+        # @return [String, nil] the ObjectShare version of the String or nil
         def to_cached_string string
           return Contrast::Utils::ObjectShare::EMPTY_STRING if string.empty?
           return Contrast::Utils::ObjectShare::SLASH if string == Contrast::Utils::ObjectShare::SLASH

data/lib/contrast/utils/exclude_key.rb

@@ -0,0 +1,20 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # Determine if configuration keys is excluded from logging
+    module ExcludeKey
+      EXCLUDE_FROM_LOG = %w[api api_key url service_key user_name].cs__freeze
+      class << self
+        # Check if a config key can be logged or not
+        #
+        # @param key [String] key to check
+        # @return[Boolean] true | false
+        def excludable? key
+          EXCLUDE_FROM_LOG.any? { |exclude_key| key.include? exclude_key }
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/io_util.rb

@@ -9,40 +9,48 @@ module Contrast
     module IOUtil
       extend Contrast::Components::Logger::InstanceMethods
 
-      # We're only going to call rewind on things that we believe are safe to
-      # call it on. This method white lists those cases and returns false in
-      # all others.
-      def self.should_rewind? potential_io
-        return true if potential_io.is_a?(StringIO)
-        return false unless io?(potential_io)
-
-        should_rewind_io?(potential_io)
-      rescue StandardError => e
-        logger.debug('Encountered an issue determining if rewindable', e, module: potential_io.cs__class.cs__name)
-        false
-      end
-
-      # IO cannot be used with streams such as pipes, ttys, and sockets.
-      def self.should_rewind_io? io
-        return false if io.tty?
-
-        status = io.stat
-        return false unless status
-        return false if status.pipe?
-        return false if status.socket?
-
-        true
-      end
-
-      # A class is IO if it is a decedent or delegate of IO
-      def self.io? object
-        return true if object.is_a?(IO)
-
-        # DelegateClass, which is a Delegator, defines __getobj__ as a way to
-        # get the object that the class wraps around (delegates to)
-        return false unless object.is_a?(Delegator)
-
-        object.__getobj__.is_a?(IO)
+      class << self
+        # We're only going to call rewind on things that we believe are safe to
+        # call it on. This method white lists those cases and returns false in
+        # all others.
+        def should_rewind? potential_io
+          return true if potential_io.is_a?(StringIO)
+          return false unless io?(potential_io)
+
+          should_rewind_io?(potential_io)
+        rescue StandardError => e
+          logger.debug('Encountered an issue determining if rewindable', e, module: potential_io.cs__class.cs__name)
+          false
+        end
+
+        # A class is IO if it is a decedent or delegate of IO
+        def io? object
+          return true if object.is_a?(IO)
+
+          # DelegateClass, which is a Delegator, defines __getobj__ as a way to
+          # get the object that the class wraps around (delegates to)
+          return false unless object.is_a?(Delegator)
+
+          object.__getobj__.is_a?(IO)
+        end
+
+        private
+
+        # IO rewind cannot be used with streams such as pipes, ttys, and sockets or for ones which have been closed.
+        #
+        # @param io [IO] the input to check for the ability to rewind
+        # @return [Boolean] if the given IO can be rewound
+        def should_rewind_io? io
+          return false if io.closed?
+          return false if io.tty?
+
+          status = io.stat
+          return false unless status
+          return false if status.pipe?
+          return false if status.socket?
+
+          true
+        end
       end
     end
   end