contrast-agent 4.11.0 → 4.12.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/ext/cs__common/cs__common.c +19 -7
- data/ext/cs__common/cs__common.h +4 -2
- data/ext/cs__contrast_patch/cs__contrast_patch.c +32 -10
- data/ext/cs__contrast_patch/cs__contrast_patch.h +5 -2
- data/lib/contrast/agent/assess/contrast_event.rb +1 -1
- data/lib/contrast/agent/assess/contrast_object.rb +1 -1
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +2 -0
- data/lib/contrast/agent/assess/policy/preshift.rb +19 -6
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +2 -0
- data/lib/contrast/agent/assess/policy/trigger_node.rb +52 -19
- data/lib/contrast/agent/assess/property/tagged.rb +34 -25
- data/lib/contrast/agent/deadzone/policy/policy.rb +6 -0
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +0 -1
- data/lib/contrast/agent/patching/policy/method_policy.rb +54 -9
- data/lib/contrast/agent/patching/policy/patch.rb +12 -6
- data/lib/contrast/agent/patching/policy/patcher.rb +1 -1
- data/lib/contrast/agent/request_context.rb +24 -8
- data/lib/contrast/agent/rule_set.rb +2 -4
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/agent.rb +0 -1
- data/lib/contrast/components/assess.rb +7 -0
- data/lib/contrast/config/assess_configuration.rb +1 -0
- data/lib/contrast/utils/class_util.rb +60 -53
- data/lib/contrast/utils/lru_cache.rb +4 -2
- data/lib/contrast.rb +1 -1
- data/resources/assess/policy.json +12 -6
- data/resources/deadzone/policy.json +86 -5
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +9 -14
- data/ext/cs__protect_kernel/cs__protect_kernel.c +0 -47
- data/ext/cs__protect_kernel/cs__protect_kernel.h +0 -12
- data/ext/cs__protect_kernel/extconf.rb +0 -5
- data/lib/contrast/extension/protect/kernel.rb +0 -29
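--- a/data/lib/contrast/agent/patching/policy/patcher.rb
+++ b/data/lib/contrast/agent/patching/policy/patcher.rb
@@ -246,6 +246,7 @@ module Contrast
 def patch_into_instance_methods module_data, module_policy
 mod = module_data.mod
 methods = all_instance_methods(mod, true)
+methods.delete(:initialize) if mod.to_s.starts_with?('RSpec') && mod.to_s.include?('Matchers')
 patch_into_methods(mod, methods, module_policy, true)
 end
 
@@ -309,6 +310,5 @@ require 'contrast/extension/module'
 require 'contrast/extension/assess'
 require 'contrast/extension/inventory'
 require 'contrast/extension/protect'
-require 'contrast/extension/protect/kernel'
 
 require 'cs__contrast_patch/cs__contrast_patch'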
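Review bot: `starts_with?` on the new line 249 is an ActiveSupport core extension, not a core `String` method (`start_with?` is), so in an application that does not load ActiveSupport this line raises NoMethodError for every module passed to `patch_into_instance_methods` and aborts instance-method patching — a silent instrumentation gap for a security agent. Calling `to_s` twice on a module that may have overridden it is also avoidable; the agent's own `cs__name` is what class_util.rb uses for the same purpose elsewhere in this diff. Suggested: `name = mod.cs__name.to_s` followed by `methods.delete(:initialize) if name.start_with?('RSpec') && name.include?('Matchers')`. This section's file header is missing from the page; by diffstat and content the hunks belong to patcher.rb.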
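--- a/data/lib/contrast/agent/request_context.rb
+++ b/data/lib/contrast/agent/request_context.rb
@@ -60,14 +60,10 @@ module Contrast
 # generic holder for properties that can be set throughout this request
 @_properties = {}
 
-@sample = true
-
 if ::Contrast::ASSESS.enabled?
-@
+@sample_req, @sample_res = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
 end
 
-@sample_response &&= ::Contrast::ASSESS.scan_response?
-
 append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
 end
 end
@@ -77,11 +73,31 @@ module Contrast
 end
 
 def analyze_request?
-
+analyze_request_assess? || analyze_req_res_protect?
 end
 
 def analyze_response?
-
+analyze_response_assess? || analyze_req_res_protect?
+end
+
+def analyze_req_res_protect?
+::Contrast::PROTECT.enabled?
+end
+
+def analyze_request_assess?
+return false unless analyze_req_res_assess?
+
+@sample_req
+end
+
+def analyze_response_assess?
+return false unless analyze_req_res_assess?
+
+@sample_res &&= ::Contrast::ASSESS.scan_response?
+end
+
+def analyze_req_res_assess?
+::Contrast::ASSESS.enabled?
 end
 
 # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
@@ -171,7 +187,7 @@ module Contrast
 # that has been accumulated since the last request
 def extract_after rack_response
 @response = Contrast::Agent::Response.new(rack_response)
-activity.http_response = @response.dtm if @
+activity.http_response = @response.dtm if @sample_res
 rescue StandardError => e
 logger.error('Unable to extract information after request', e)
 end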
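Review bot: `analyze_response_assess?` (new lines 93–97) narrows `@sample_res` in place with `&&=`, so the value `extract_after` reads directly on new line 190 depends on whether that predicate has already run for this request; if `extract_after` can execute before the postfilter, `scan_response?` is never consulted there and the response DTM is attached even when response scanning is disabled. A `?` method with a side effect is also surprising to later callers. Computing without mutation, `@sample_res && ::Contrast::ASSESS.scan_response?`, and reading `activity.http_response = @response.dtm if analyze_response_assess?` in `extract_after` removes the ordering dependence. The call order is not visible here, and the removed lines 66, 80, 84 and 174 are truncated on this page, so this is inferred; the section's file header is missing, but by diffstat it matches request_context.rb.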
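--- a/data/lib/contrast/agent/rule_set.rb
+++ b/data/lib/contrast/agent/rule_set.rb
@@ -16,8 +16,7 @@ module Contrast
 # terminate requests on attack detection if set to block at perimeter
 def prefilter
 context = Contrast::Agent::REQUEST_TRACKER.current
-
-return unless context&.analyze_request? || ::Contrast::PROTECT.enabled?
+return unless context&.analyze_request?
 
 logger.trace_with_time('Running prefilter...') do
 map { |rule| rule.prefilter(context) }
@@ -33,8 +32,7 @@ module Contrast
 # has been created. The main actions here are analyzing the response for unsafe state or actions.
 def postfilter
 context = Contrast::Agent::REQUEST_TRACKER.current
-
-return unless context&.analyze_response? || ::Contrast::PROTECT.enabled?
+return unless context&.analyze_response?
 
 logger.trace_with_time('Running postfilter...') do
 map { |rule| rule.postfilter(context) }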
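Review bot: With the `|| ::Contrast::PROTECT.enabled?` clause dropped on new line 19 (and likewise on line 35 in the postfilter hunk), a nil `REQUEST_TRACKER.current` now skips the protect rules entirely, where it previously fell through to `rule.prefilter(context)` with a nil context whenever protect was enabled. Skipping is probably the intended fix, but it turns a missing context into a silent fail-open for protect that is hard to diagnose from the field. Consider making the skip observable ahead of the guard, e.g. `logger.trace('No request context; skipping prefilter') unless context`, if the logger exposes a plain trace level (only `trace_with_time` is visible here). This section's file header is missing from the page; by diffstat it matches rule_set.rb.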
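--- a/data/lib/contrast/agent.rb
+++ b/data/lib/contrast/agent.rb
@@ -20,7 +20,6 @@ require 'contrast/extension/delegator'
 require 'contrast/extension/inventory'
 require 'contrast/extension/module'
 require 'contrast/extension/protect'
-require 'contrast/extension/protect/kernel'
 
 require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'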
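--- a/data/lib/contrast/components/assess.rb
+++ b/data/lib/contrast/components/assess.rb
@@ -88,6 +88,13 @@ module Contrast
 @_require_scan
 end
 
+def require_dynamic_sources?
+if @_require_dynamic_sources.nil?
+@_require_dynamic_sources = !false?(::Contrast::CONFIG.root.assess.enable_dynamic_sources)
+end
+@_require_dynamic_sources
+end
+
 def tags
 ::Contrast::CONFIG.root.assess&.tags
 end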
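Review bot: The new `require_dynamic_sources?` dereferences `::Contrast::CONFIG.root.assess` without safe navigation on new line 93, while the sibling `tags` a few lines below guards the same object with `assess&.tags`; if `assess` can be nil there, the first call raises NoMethodError instead of falling back to the default. `!false?(::Contrast::CONFIG.root.assess&.enable_dynamic_sources)` keeps the two consistent, assuming `false?` (not visible here) treats nil like a missing value. Memoizing into `@_require_dynamic_sources` also means a later configuration change is not picked up for the life of the component, which appears to match `@_require_scan` above but deserves a one-line comment on the method, e.g. `# Memoized: read once per process from assess.enable_dynamic_sources (default true).` This section's file header is missing from the page; by diffstat it matches components/assess.rb.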
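--- a/data/lib/contrast/config/assess_configuration.rb
+++ b/data/lib/contrast/config/assess_configuration.rb
@@ -10,6 +10,7 @@ module Contrast
 tags: EMPTY_VALUE,
 enable: EMPTY_VALUE,
 enable_scan_response: Contrast::Config::DefaultValue.new('true'),
+enable_dynamic_sources: Contrast::Config::DefaultValue.new('true'),
 sampling: Contrast::Config::SamplingConfiguration,
 rules: Contrast::Config::AssessRulesConfiguration,
 stacktraces: Contrast::Config::DefaultValue.new('ALL')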
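--- a/data/lib/contrast/utils/class_util.rb
+++ b/data/lib/contrast/utils/class_util.rb
@@ -9,17 +9,15 @@ module Contrast
 module Utils
 # Utility methods for exploring the complete space of Objects
 class ClassUtil
-@lru_cache = LRUCache.new
+@lru_cache = LRUCache.new(300)
+@string_cache = LRUCache.new(300)
 class << self
-# some classes have had things prepended to them, like Marshal in Rails
-#
-#
-#
-# patching approaches. As such, we need to know if something has been
-# prepended to.
+# some classes have had things prepended to them, like Marshal in Rails 5 and higher. Their
+# ActiveSupport::MarshalWithAutoloading will break our alias patching approach, as will any other prepend on
+# something that we touch. Prepend and Alias are inherently incompatible monkey patching approaches. As such,
+# we need to know if something has been prepended to.
 #
-# @param mod [Module] the Module to check to see if it has had something
-# prepended
+# @param mod [Module] the Module to check to see if it has had something prepended
 # @param ancestors [Array<Module>] the array of ancestors for the mod
 # @return [Boolean] if the mod has been prepended or not
 def prepended? mod, ancestors = nil
@@ -27,8 +25,13 @@ module Contrast
 ancestors[0] != mod
 end
 
-# return true if the given method is overwritten by one of the ancestors
-#
+# return true if the given method is overwritten by one of the ancestors in the ancestor change that comes
+# before the given module
+#
+# @param mod [Module] the Module to check to see if it has had something prepended
+# @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that holds the method we
+# need to check
+# @return [Boolean] if this method specifically was prepended
 def prepended_method? mod, method_policy
 target_module = determine_target_class mod, method_policy.instance_method
 ancestors = target_module.ancestors
@@ -43,49 +46,49 @@ module Contrast
 false
 end
 
-# Return a String representing the object invoking this method in the
-#
+# Return a String representing the object invoking this method in the form expected by our dataflow events.
+# After implementing the LRU Cache, we firstly need to check if already had that object cached and if we have
+# it - we can return it directly; otherwise we'll calculate and store the result before returning.
+#
+# TODO: RUBY-1327
+# Once we move to 2.7+, we can combine the caches using ID b/c the memory location stops being the id
 #
 # @param object [Object, nil] the entity to convert to a String
 # @return [String] the human readable form of the String, as defined by
 # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/capture-snapshot.md
-
 def to_contrast_string object
-#
-#
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-end
+# Only treat object like a string if it actually is a string+ some subclasses of String override string
+# methods we depend on
+if object.cs__class == String
+return @string_cache[object] if @string_cache.key? object
+
+@string_cache[object] = to_cached_string(object) || object.dup
+else
+return @lru_cache[object.__id__] if @lru_cache.key? object.__id__
+
+@lru_cache[object.__id__] = if object.nil?
+Contrast::Utils::ObjectShare::NIL_STRING
+elsif object.cs__is_a?(Symbol)
+":#{ object }"
+elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
+"#{ object.cs__name }@#{ object.__id__ }"
+elsif object.cs__is_a?(Regexp)
+object.source
+elsif use_to_s?(object)
+object.to_s
+else
+"#{ object.cs__class.cs__name }@#{ object.__id__ }"
+end
+end
 end
 
-# The method const_defined? can cause autoload, which is bad for us.
-#
-#
-# been truly truly defined, meaning it existed before this method was
-# invoked, not as a result of it.
+# The method const_defined? can cause autoload, which is bad for us. The method autoload? doesn't traverse
+# namespaces. This method lets us provide a constant, as a String, and parse it to determine if it has been
+# truly truly defined, meaning it existed before this method was invoked, not as a result of it.
 #
-#
-# support for 2.6.X, we should remove
-# https://bugs.ruby-lang.org/issues/10741
+# TODO: RUBY-1326
+# This is required to handle a bug in Ruby prior to 2.7.0. When we drop support for 2.6.X, we should remove
+# this code. https://bugs.ruby-lang.org/issues/10741
 # @param name [String] the name of the constant to look up
 # @return [Boolean]
 def truly_defined? name
@@ -108,7 +111,8 @@ module Contrast
 private
 
 # Some objects have nice to_s that we can use to make them human readable. If they do, we should leverage them.
-# We used to do this by default, but this opened us up to danger, so we're instead using an allow list
+# We used to do this by default, but this opened us up to danger, so we're instead using an allow list
+# approach.
 #
 # @param object [Object] something that may have a safe to_s method
 # @return [Boolean] if we should invoke to_s to represent the object
@@ -119,6 +123,11 @@ module Contrast
 false
 end
 
+# Find the target class based on the instance, or module, provided. If a module, return it.
+#
+# @param mod [Module] the Module, or instance of a Module, that we need to check
+# @param is_instance [Boolean] is the object provided an instance of a class, requiring lookup by class
+# @return [Module]
 def determine_target_class mod, is_instance
 return mod if mod.singleton_class?
 
@@ -127,13 +136,11 @@ module Contrast
 mod
 end
 
-# If the String matches a common String in our ObjectShare, return that
-#
-# forcing a duplication of the String.
+# If the String matches a common String in our ObjectShare, return that rather that for use as the
+# representation of the String rather than forcing a duplication of the String.
 #
-# @param string [String] some string of which we want a Contrast
-#
-# @return [String,nil] the ObjectShare version of the String or nil
+# @param string [String] some string of which we want a Contrast representation.
+# @return [String, nil] the ObjectShare version of the String or nil
 def to_cached_string string
 return Contrast::Utils::ObjectShare::EMPTY_STRING if string.empty?
 return Contrast::Utils::ObjectShare::SLASH if string == Contrast::Utils::ObjectShare::SLASH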
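Review bot: The non-String branch of `to_contrast_string` (new lines 67–81) caches by `object.__id__` alone, and nothing on a hit checks that the id still denotes the same object: on the pre-2.7 Rubies the RUBY-1327 comment in the same hunk says are still supported, ids are addresses that are reused after GC, and for objects on the `use_to_s?` allow list the cached `to_s` goes stale when the object mutates, so a vulnerability snapshot can carry the representation of a different or outdated object. Storing the class with the result and validating it on a hit bounds the damage: `cached = @lru_cache[object.__id__]` then `return cached.last if cached && cached.first.equal?(object.cs__class)`, with the assignment storing `[object.cs__class, repr]`. The `key?`-then-`[]` pairs on lines 63 and 67 are also check-then-act on caches shared by every request thread; reading once and testing the result avoids returning nil if another thread evicts the entry between the two calls. This section's file header is missing from the page; by diffstat and content it matches utils/class_util.rb.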
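--- a/data/lib/contrast/utils/lru_cache.rb
+++ b/data/lib/contrast/utils/lru_cache.rb
@@ -1,8 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/logger'
-
 module Contrast
 module Utils
 # A LRU(Least Recently Used) Cache store.
@@ -38,6 +36,10 @@ module Contrast
 def values
 @cache.values
 end
+
+def clear
+@cache.clear
+end
 end
 end
 end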
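Review bot: The new `clear` (new lines 40–42) and the neighbouring `values` touch `@cache` with no synchronization visible in this hunk, and the two instances created in utils/class_util.rb in this same diff are class-level, shared by every request thread. If the rest of the class (outside the hunk) holds no mutex, a `clear` racing with ClassUtil's `key?`-then-`[]` pair makes that pair return nil where a String is expected. Either state the contract on the method, e.g. `# Not synchronized; concurrent callers must coordinate externally.`, or wrap the body in a `Mutex#synchronize` owned by the cache. This section's file header is missing from the page; by diffstat it matches utils/lru_cache.rb.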
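--- a/data/lib/contrast.rb
+++ b/data/lib/contrast.rb
@@ -23,7 +23,7 @@ end
 
 if RUBY_VERSION >= '3.0.0'
 # This fixes Ruby 3.0 issues with Module#(some instance method) patching by preventing the prepending of
-# a JSON helper on protobuf load. String.instance_method(:+) is one of the most
+# a JSON helper on protobuf load. String.instance_method(:+) is one of the most noticeable.
 # TODO: RUBY-1132 Remove this once Ruby 3 is fixed.
 # See bug here: https://bugs.ruby-lang.org/issues/17725
 class Class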
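--- a/data/resources/assess/policy.json
+++ b/data/resources/assess/policy.json
@@ -50,7 +50,7 @@
 "target": "R",
 "type": "COOKIE",
 "tags":["NO_NEWLINES", "CROSS_SITE"]
-},
+}, {
 "class_name":"Rack::Request::Helpers",
 "instance_method": true,
 "method_visibility": "public",
@@ -200,8 +200,15 @@
 "source": "O",
 "target": "R",
 "action": "KEEP"
-},
-
+}, {
+"class_name": "String",
+"instance_method": true,
+"method_visibility": "public",
+"method_name": "force_encoding",
+"source": "O",
+"target": "R",
+"action": "SPLAT"
+}, {
 "class_name": "String",
 "instance_method": true,
 "method_visibility": "public",
@@ -209,8 +216,7 @@
 "source": "O",
 "target": "R",
 "action": "KEEP"
-},
-{
+}, {
 "class_name": "String",
 "instance_method": true,
 "method_visibility": "public",
@@ -218,7 +224,7 @@
 "source": "O,P0",
 "target": "R",
 "action": "SPLIT"
-},{
+}, {
 "class_name": "String",
 "instance_method": true,
 "method_visibility": "public",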
@@ -1,11 +1,6 @@
|
|
1
1
|
{
|
2
2
|
"deadzones":[
|
3
3
|
{
|
4
|
-
"class_name":"Rspec::Core::BacktraceFormatter",
|
5
|
-
"instance_method":true,
|
6
|
-
"method_visibility": "private",
|
7
|
-
"method_name":"matches?"
|
8
|
-
},{
|
9
4
|
"class_name":"Rspec::Core::Example",
|
10
5
|
"instance_method":true,
|
11
6
|
"method_visibility": "private",
|
@@ -205,6 +200,92 @@
|
|
205
200
|
"method_visibility": "public",
|
206
201
|
"method_name":"exists?",
|
207
202
|
"code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/request/session.rb#L201"
|
203
|
+
},{
|
204
|
+
"class_name": "RSpec::Matchers::BuiltIn::BaseMatcher"
|
205
|
+
},{
|
206
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeAKindOf"
|
207
|
+
},{
|
208
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeAnInstanceOf"
|
209
|
+
},{
|
210
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeBetween"
|
211
|
+
},{
|
212
|
+
"class_name": "RSpec::Matchers::BuiltIn::Be"
|
213
|
+
},{
|
214
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeComparedTo"
|
215
|
+
},{
|
216
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeFalsey"
|
217
|
+
},{
|
218
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeHelpers"
|
219
|
+
},{
|
220
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeNil"
|
221
|
+
},{
|
222
|
+
"class_name": "RSpec::Matchers::BuiltIn::BePredicate"
|
223
|
+
},{
|
224
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeTruthy"
|
225
|
+
},{
|
226
|
+
"class_name": "RSpec::Matchers::BuiltIn::BeWithin"
|
227
|
+
},{
|
228
|
+
"class_name": "RSpec::Matchers::BuiltIn::Change"
|
229
|
+
},{
|
230
|
+
"class_name": "RSpec::Matchers::BuiltIn::ChangeRelatively"
|
231
|
+
},{
|
232
|
+
"class_name": "RSpec::Matchers::BuiltIn::SpecificValuesChange"
|
233
|
+
},{
|
234
|
+
"class_name": "RSpec::Matchers::BuiltIn::Compound"
|
235
|
+
},{
|
236
|
+
"class_name": "RSpec::Matchers::BuiltIn::Compound::And"
|
237
|
+
}, {
|
238
|
+
"class_name": "RSpec::Matchers::BuiltIn::Compound::Or"
|
239
|
+
},{
|
240
|
+
"class_name": "RSpec::Matchers::BuiltIn::ContainExactly"
|
241
|
+
},{
|
242
|
+
"class_name": "RSpec::Matchers::BuiltIn::Cover"
|
243
|
+
},{
|
244
|
+
"class_name": "RSpec::Matchers::BuiltIn::EndWith"
|
245
|
+
},{
|
246
|
+
"class_name": "RSpec::Matchers::BuiltIn::Eq"
|
247
|
+
},{
|
248
|
+
"class_name": "RSpec::Matchers::BuiltIn::Eql"
|
249
|
+
},{
|
250
|
+
"class_name": "RSpec::Matchers::BuiltIn::Equal"
|
251
|
+
},{
|
252
|
+
"class_name": "RSpec::Matchers::BuiltIn::Exist"
|
253
|
+
},{
|
254
|
+
"class_name": "RSpec::Matchers::BuiltIn::Has"
|
255
|
+
},{
|
256
|
+
"class_name": "RSpec::Matchers::BuiltIn::HaveAttributes"
|
257
|
+
},{
|
258
|
+
"class_name": "RSpec::Matchers::BuiltIn::All"
|
259
|
+
},{
|
260
|
+
"class_name": "RSpec::Matchers::BuiltIn::Match"
|
261
|
+
},{
|
262
|
+
"class_name": "RSpec::Matchers::BuiltIn::NegativeOperatorMatcher"
|
263
|
+
},{
|
264
|
+
"class_name": "RSpec::Matchers::BuiltIn::OperatorMatcher"
|
265
|
+
},{
|
266
|
+
"class_name": "RSpec::Matchers::BuiltIn::Output"
|
267
|
+
},{
|
268
|
+
"class_name": "RSpec::Matchers::BuiltIn::PositiveOperatorMatcher"
|
269
|
+
},{
|
270
|
+
"class_name": "RSpec::Matchers::BuiltIn::RaiseError"
|
271
|
+
},{
|
272
|
+
"class_name": "RSpec::Matchers::BuiltIn::RespondTo"
|
273
|
+
},{
|
274
|
+
"class_name": "RSpec::Matchers::BuiltIn::Satisfy"
|
275
|
+
},{
|
276
|
+
"class_name": "RSpec::Matchers::BuiltIn::StartWith"
|
277
|
+
},{
|
278
|
+
"class_name": "RSpec::Matchers::BuiltIn::ThrowSymbol"
|
279
|
+
},{
|
280
|
+
"class_name": "RSpec::Matchers::BuiltIn::YieldControl"
|
281
|
+
},{
|
282
|
+
"class_name": "RSpec::Matchers::BuiltIn::YieldSuccessiveArgs"
|
283
|
+
},{
|
284
|
+
"class_name": "RSpec::Matchers::BuiltIn::YieldWithArgs"
|
285
|
+
},{
|
286
|
+
"class_name": "RSpec::Matchers::BuiltIn::YieldWithNoArgs"
|
287
|
+
},{
|
288
|
+
"class_name": "SimpleCov"
|
208
289
|
}
|
209
290
|
]
|
210
291
|
}
|
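Review bot: The surviving entry at line 4 of the new file still reads `"class_name":"Rspec::Core::Example"`, while every entry this commit adds spells the namespace `RSpec`; if `class_name` is matched by exact string, that old entry can never match (the constant is `RSpec`), and the `Rspec::Core::BacktraceFormatter` entry removed just above it shared the same spelling. Suggest `"class_name":"RSpec::Core::Example"`. The new whole-class entries (new lines 204–288) also omit the `"code"` reference the neighbouring method-level entries carry, so nothing records why these classes are excluded from instrumentation; a `"code"` link per entry, pointing at the matcher source, would give the next reader that trail. This section's file header is missing from the page; by diffstat it matches resources/deadzone/policy.json.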
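--- a/data/service_executables/VERSION
+++ b/data/service_executables/VERSION
@@ -1 +1 @@
-2.
+2.26.0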
Binary file
|
Binary file
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: contrast-agent
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.12.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- galen.palmer@contrastsecurity.com
|
@@ -13,7 +13,7 @@ authors:
|
|
13
13
|
autorequire:
|
14
14
|
bindir: exe
|
15
15
|
cert_chain: []
|
16
|
-
date: 2021-
|
16
|
+
date: 2021-10-14 00:00:00.000000000 Z
|
17
17
|
dependencies:
|
18
18
|
- !ruby/object:Gem::Dependency
|
19
19
|
name: bundler
|
@@ -618,19 +618,18 @@ executables:
|
|
618
618
|
extensions:
|
619
619
|
- ext/cs__common/extconf.rb
|
620
620
|
- ext/cs__assess_array/extconf.rb
|
621
|
-
- ext/cs__assess_regexp/extconf.rb
|
622
|
-
- ext/cs__protect_kernel/extconf.rb
|
623
|
-
- ext/cs__assess_marshal_module/extconf.rb
|
624
|
-
- ext/cs__assess_yield_track/extconf.rb
|
625
|
-
- ext/cs__assess_string_interpolation26/extconf.rb
|
626
621
|
- ext/cs__assess_fiber_track/extconf.rb
|
622
|
+
- ext/cs__assess_marshal_module/extconf.rb
|
623
|
+
- ext/cs__assess_active_record_named/extconf.rb
|
624
|
+
- ext/cs__assess_basic_object/extconf.rb
|
627
625
|
- ext/cs__assess_string/extconf.rb
|
626
|
+
- ext/cs__assess_string_interpolation26/extconf.rb
|
628
627
|
- ext/cs__assess_hash/extconf.rb
|
628
|
+
- ext/cs__assess_module/extconf.rb
|
629
|
+
- ext/cs__assess_regexp/extconf.rb
|
629
630
|
- ext/cs__assess_kernel/extconf.rb
|
630
631
|
- ext/cs__contrast_patch/extconf.rb
|
631
|
-
- ext/
|
632
|
-
- ext/cs__assess_module/extconf.rb
|
633
|
-
- ext/cs__assess_active_record_named/extconf.rb
|
632
|
+
- ext/cs__assess_yield_track/extconf.rb
|
634
633
|
extra_rdoc_files: []
|
635
634
|
files:
|
636
635
|
- ".clang-format"
|
@@ -688,9 +687,6 @@ files:
|
|
688
687
|
- ext/cs__contrast_patch/cs__contrast_patch.c
|
689
688
|
- ext/cs__contrast_patch/cs__contrast_patch.h
|
690
689
|
- ext/cs__contrast_patch/extconf.rb
|
691
|
-
- ext/cs__protect_kernel/cs__protect_kernel.c
|
692
|
-
- ext/cs__protect_kernel/cs__protect_kernel.h
|
693
|
-
- ext/cs__protect_kernel/extconf.rb
|
694
690
|
- ext/extconf_common.rb
|
695
691
|
- funchook/LICENSE
|
696
692
|
- funchook/Makefile.in
|
@@ -1039,7 +1035,6 @@ files:
|
|
1039
1035
|
- lib/contrast/extension/kernel.rb
|
1040
1036
|
- lib/contrast/extension/module.rb
|
1041
1037
|
- lib/contrast/extension/protect.rb
|
1042
|
-
- lib/contrast/extension/protect/kernel.rb
|
1043
1038
|
- lib/contrast/extension/protect/psych.rb
|
1044
1039
|
- lib/contrast/extension/thread.rb
|
1045
1040
|
- lib/contrast/framework/base_support.rb
|
@@ -1,47 +0,0 @@
|
|
1
|
-
/* Copyright (c) 2021 Contrast Security, Inc. See
|
2
|
-
* https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
|
3
|
-
|
4
|
-
#include "cs__protect_kernel.h"
|
5
|
-
#include "../cs__common/cs__common.h"
|
6
|
-
#include <ruby.h>
|
7
|
-
|
8
|
-
static VALUE contrast_protect_fork(const int argc, const VALUE *argv,
|
9
|
-
const VALUE self) {
|
10
|
-
VALUE ret;
|
11
|
-
if (rb_block_given_p()) {
|
12
|
-
/* We call our hook, but it's a little complicated.
|
13
|
-
* We wrap the fork block with our own lambda in
|
14
|
-
* order to instrument it. There are no public
|
15
|
-
* methods in the Ruby C API to set the prevailing
|
16
|
-
* block, so we have to use rb_funcall_with_block.
|
17
|
-
* Also, rb_funcall_with_block does a public call,
|
18
|
-
* and our method is private.
|
19
|
-
* So we (as a hack) temporarily set it to public.
|
20
|
-
*/
|
21
|
-
VALUE wrapper;
|
22
|
-
wrapper =
|
23
|
-
rb_funcall_with_block(kernel_protect, rb_sym_protect_kernel_wrapper,
|
24
|
-
0, NULL, rb_block_proc());
|
25
|
-
rb_funcall(rb_mKernel, rb_intern("public"), 1,
|
26
|
-
ID2SYM(rb_sym_protect_kernel_fork));
|
27
|
-
ret = rb_funcall_with_block(self, rb_sym_protect_kernel_fork, argc,
|
28
|
-
argv, wrapper);
|
29
|
-
rb_funcall(rb_mKernel, rb_intern("private"), 1,
|
30
|
-
ID2SYM(rb_sym_protect_kernel_fork));
|
31
|
-
} else {
|
32
|
-
ret = rb_funcall2(self, rb_sym_protect_kernel_fork, argc, argv);
|
33
|
-
}
|
34
|
-
return ret;
|
35
|
-
}
|
36
|
-
|
37
|
-
void Init_cs__protect_kernel(void) {
|
38
|
-
VALUE core_protect = rb_define_module_under(core_extensions, "Protect");
|
39
|
-
kernel_protect = rb_define_module_under(core_protect, "Kernel");
|
40
|
-
rb_sym_protect_kernel_wrapper = rb_intern("build_wrapper");
|
41
|
-
|
42
|
-
rb_sym_protect_kernel_fork =
|
43
|
-
contrast_register_patch("Kernel", "fork", &contrast_protect_fork);
|
44
|
-
|
45
|
-
rb_sym_protect_kernel_fork = contrast_register_singleton_patch(
|
46
|
-
"Kernel", "fork", &contrast_protect_fork);
|
47
|
-
}
|
@@ -1,12 +0,0 @@
|
|
1
|
-
#include <ruby.h>
|
2
|
-
|
3
|
-
extern VALUE rb_vm_top_self(void);
|
4
|
-
|
5
|
-
static VALUE kernel_protect;
|
6
|
-
static VALUE rb_sym_protect_kernel_fork;
|
7
|
-
static VALUE rb_sym_protect_kernel_wrapper;
|
8
|
-
|
9
|
-
static VALUE contrast_protect_fork(const int argc, const VALUE *argv,
|
10
|
-
const VALUE self);
|
11
|
-
|
12
|
-
void Init_cs__protect_kernel(void);
|
@@ -1,29 +0,0 @@
|
|
1
|
-
# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
2
|
-
# frozen_string_literal: true
|
3
|
-
|
4
|
-
module Contrast
|
5
|
-
module Extension
|
6
|
-
module Protect
|
7
|
-
# This Module functions as our patch into the Kernel class for Protect,
|
8
|
-
# allowing us to track activity as it crosses spawned processes.
|
9
|
-
module Kernel
|
10
|
-
class << self
|
11
|
-
def build_wrapper
|
12
|
-
lambda {
|
13
|
-
proc_start
|
14
|
-
yield
|
15
|
-
# AtExitHook handles sending any messages generated in the new forked process
|
16
|
-
}
|
17
|
-
end
|
18
|
-
|
19
|
-
def proc_start
|
20
|
-
context = Contrast::Agent::REQUEST_TRACKER.current
|
21
|
-
return unless context
|
22
|
-
|
23
|
-
context.reset_activity
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|