contrast-agent 4.11.0 → 4.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (36)
  1. checksums.yaml +4 -4
  2. data/ext/cs__common/cs__common.c +19 -7
  3. data/ext/cs__common/cs__common.h +4 -2
  4. data/ext/cs__contrast_patch/cs__contrast_patch.c +32 -10
  5. data/ext/cs__contrast_patch/cs__contrast_patch.h +5 -2
  6. data/lib/contrast/agent/assess/contrast_event.rb +1 -1
  7. data/lib/contrast/agent/assess/contrast_object.rb +1 -1
  8. data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +2 -0
  9. data/lib/contrast/agent/assess/policy/preshift.rb +19 -6
  10. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +2 -0
  11. data/lib/contrast/agent/assess/policy/trigger_node.rb +52 -19
  12. data/lib/contrast/agent/assess/property/tagged.rb +34 -25
  13. data/lib/contrast/agent/deadzone/policy/policy.rb +6 -0
  14. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +0 -1
  15. data/lib/contrast/agent/patching/policy/method_policy.rb +54 -9
  16. data/lib/contrast/agent/patching/policy/patch.rb +12 -6
  17. data/lib/contrast/agent/patching/policy/patcher.rb +1 -1
  18. data/lib/contrast/agent/request_context.rb +24 -8
  19. data/lib/contrast/agent/rule_set.rb +2 -4
  20. data/lib/contrast/agent/version.rb +1 -1
  21. data/lib/contrast/agent.rb +0 -1
  22. data/lib/contrast/components/assess.rb +7 -0
  23. data/lib/contrast/config/assess_configuration.rb +1 -0
  24. data/lib/contrast/utils/class_util.rb +60 -53
  25. data/lib/contrast/utils/lru_cache.rb +4 -2
  26. data/lib/contrast.rb +1 -1
  27. data/resources/assess/policy.json +12 -6
  28. data/resources/deadzone/policy.json +86 -5
  29. data/service_executables/VERSION +1 -1
  30. data/service_executables/linux/contrast-service +0 -0
  31. data/service_executables/mac/contrast-service +0 -0
  32. metadata +9 -14
  33. data/ext/cs__protect_kernel/cs__protect_kernel.c +0 -47
  34. data/ext/cs__protect_kernel/cs__protect_kernel.h +0 -12
  35. data/ext/cs__protect_kernel/extconf.rb +0 -5
  36. data/lib/contrast/extension/protect/kernel.rb +0 -29
@@ -246,6 +246,7 @@ module Contrast
246
246
  def patch_into_instance_methods module_data, module_policy
247
247
  mod = module_data.mod
248
248
  methods = all_instance_methods(mod, true)
249
+ methods.delete(:initialize) if mod.to_s.starts_with?('RSpec') && mod.to_s.include?('Matchers')
249
250
  patch_into_methods(mod, methods, module_policy, true)
250
251
  end
251
252
 
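Review bot: `starts_with?` on the added line is not a core Ruby `String` method — the core predicate is `start_with?`; `starts_with?` only exists when ActiveSupport's String extensions are loaded, so in an app without Rails this line presumably raises `NoMethodError` for every module that reaches `patch_into_instance_methods` (unless a caller rescues it, which I can't see here). Use the core method and evaluate `to_s` once: `name = mod.to_s` / `methods.delete(:initialize) if name.start_with?('RSpec') && name.include?('Matchers')`. A short comment on why RSpec matcher initializers must not be patched would also help, since the same release adds explicit `RSpec::Matchers::BuiltIn::*` deadzone entries and it is not obvious why both mechanisms are needed.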
@@ -309,6 +310,5 @@ require 'contrast/extension/module'
309
310
  require 'contrast/extension/assess'
310
311
  require 'contrast/extension/inventory'
311
312
  require 'contrast/extension/protect'
312
- require 'contrast/extension/protect/kernel'
313
313
 
314
314
  require 'cs__contrast_patch/cs__contrast_patch'
@@ -60,14 +60,10 @@ module Contrast
60
60
  # generic holder for properties that can be set throughout this request
61
61
  @_properties = {}
62
62
 
63
- @sample = true
64
-
65
63
  if ::Contrast::ASSESS.enabled?
66
- @sample_request, @sample_response = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
64
+ @sample_req, @sample_res = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
67
65
  end
68
66
 
69
- @sample_response &&= ::Contrast::ASSESS.scan_response?
70
-
71
67
  append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
72
68
  end
73
69
  end
@@ -77,11 +73,31 @@ module Contrast
77
73
  end
78
74
 
79
75
  def analyze_request?
80
- @sample_request
76
+ analyze_request_assess? || analyze_req_res_protect?
81
77
  end
82
78
 
83
79
  def analyze_response?
84
- @sample_response
80
+ analyze_response_assess? || analyze_req_res_protect?
81
+ end
82
+
83
+ def analyze_req_res_protect?
84
+ ::Contrast::PROTECT.enabled?
85
+ end
86
+
87
+ def analyze_request_assess?
88
+ return false unless analyze_req_res_assess?
89
+
90
+ @sample_req
91
+ end
92
+
93
+ def analyze_response_assess?
94
+ return false unless analyze_req_res_assess?
95
+
96
+ @sample_res &&= ::Contrast::ASSESS.scan_response?
97
+ end
98
+
99
+ def analyze_req_res_assess?
100
+ ::Contrast::ASSESS.enabled?
85
101
  end
86
102
 
87
103
  # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
@@ -171,7 +187,7 @@ module Contrast
171
187
  # that has been accumulated since the last request
172
188
  def extract_after rack_response
173
189
  @response = Contrast::Agent::Response.new(rack_response)
174
- activity.http_response = @response.dtm if @sample_response
190
+ activity.http_response = @response.dtm if @sample_res
175
191
  rescue StandardError => e
176
192
  logger.error('Unable to extract information after request', e)
177
193
  end
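Review bot: `analyze_response_assess?` mutates `@sample_res` through `&&=`, so a predicate now has a side effect, and `extract_after` — which reads `@sample_res` directly — answers differently depending on whether `analyze_response?` has already been called for this request; before this change `scan_response?` was folded in once in the constructor. Make the predicate pure and route `extract_after` through it: `@sample_res && ::Contrast::ASSESS.scan_response?` and `activity.http_response = @response.dtm if analyze_response_assess?`. I cannot see the prefilter/postfilter/extract_after call order from this hunk, so whether the response DTM is currently captured with `enable_scan_response` off is an inference. A one-line `# @return [Boolean]` on each of the five new predicates would make the assess/protect split — the point of the change — legible to the next reader.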
@@ -16,8 +16,7 @@ module Contrast
16
16
  # terminate requests on attack detection if set to block at perimeter
17
17
  def prefilter
18
18
  context = Contrast::Agent::REQUEST_TRACKER.current
19
- # TODO: RUBY-801 We shouldn't be responsible for knowing what modes are enabled
20
- return unless context&.analyze_request? || ::Contrast::PROTECT.enabled?
19
+ return unless context&.analyze_request?
21
20
 
22
21
  logger.trace_with_time('Running prefilter...') do
23
22
  map { |rule| rule.prefilter(context) }
@@ -33,8 +32,7 @@ module Contrast
33
32
  # has been created. The main actions here are analyzing the response for unsafe state or actions.
34
33
  def postfilter
35
34
  context = Contrast::Agent::REQUEST_TRACKER.current
36
- # TODO: RUBY-801 We shouldn't be responsible for knowing what modes are enabled
37
- return unless context&.analyze_response? || ::Contrast::PROTECT.enabled?
35
+ return unless context&.analyze_response?
38
36
 
39
37
  logger.trace_with_time('Running postfilter...') do
40
38
  map { |rule| rule.postfilter(context) }
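Review bot: With the `::Contrast::PROTECT.enabled?` fallback removed from both guards, `prefilter` and `postfilter` now return as soon as there is no current request context (`context&.analyze_request?` evaluates to nil), whereas previously they still invoked every rule with a nil context whenever Protect was on. That is presumably the intended outcome of RUBY-801, but it is a behavior change the hunk does not state; a comment above each guard such as `# no request context means there is nothing to analyze, whichever mode is enabled` would make it explicit. Whether any Protect rule relied on being called with a nil context is something I cannot verify from this hunk.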
@@ -3,6 +3,6 @@
3
3
 
4
4
  module Contrast
5
5
  module Agent
6
- VERSION = '4.11.0'
6
+ VERSION = '4.12.0'
7
7
  end
8
8
  end
@@ -20,7 +20,6 @@ require 'contrast/extension/delegator'
20
20
  require 'contrast/extension/inventory'
21
21
  require 'contrast/extension/module'
22
22
  require 'contrast/extension/protect'
23
- require 'contrast/extension/protect/kernel'
24
23
 
25
24
  require 'contrast/utils/object_share'
26
25
  require 'contrast/utils/string_utils'
@@ -88,6 +88,13 @@ module Contrast
88
88
  @_require_scan
89
89
  end
90
90
 
91
+ def require_dynamic_sources?
92
+ if @_require_dynamic_sources.nil?
93
+ @_require_dynamic_sources = !false?(::Contrast::CONFIG.root.assess.enable_dynamic_sources)
94
+ end
95
+ @_require_dynamic_sources
96
+ end
97
+
91
98
  def tags
92
99
  ::Contrast::CONFIG.root.assess&.tags
93
100
  end
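Review bot: `require_dynamic_sources?` is undocumented; it follows the same memoized `!false?(...)` pattern as the preceding `@_require_scan` accessor, so a one-line YARD comment would pin the contract: `# @return [Boolean] true unless assess.enable_dynamic_sources is explicitly set to false; memoized for the life of the process`. The memoization means a later change to `::Contrast::CONFIG` is not observed, which appears consistent with the other `@_require_*` flags as far as this hunk shows.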
@@ -10,6 +10,7 @@ module Contrast
10
10
  tags: EMPTY_VALUE,
11
11
  enable: EMPTY_VALUE,
12
12
  enable_scan_response: Contrast::Config::DefaultValue.new('true'),
13
+ enable_dynamic_sources: Contrast::Config::DefaultValue.new('true'),
13
14
  sampling: Contrast::Config::SamplingConfiguration,
14
15
  rules: Contrast::Config::AssessRulesConfiguration,
15
16
  stacktraces: Contrast::Config::DefaultValue.new('ALL')
@@ -9,17 +9,15 @@ module Contrast
9
9
  module Utils
10
10
  # Utility methods for exploring the complete space of Objects
11
11
  class ClassUtil
12
- @lru_cache = LRUCache.new
12
+ @lru_cache = LRUCache.new(300)
13
+ @string_cache = LRUCache.new(300)
13
14
  class << self
14
- # some classes have had things prepended to them, like Marshal in Rails
15
- # 5 and higher. Their ActiveSupport::MarshalWithAutoloading will break
16
- # our alias patching approach, as will any other prepend on something
17
- # that we touch. Prepend and Alias are inherently incompatible monkey
18
- # patching approaches. As such, we need to know if something has been
19
- # prepended to.
15
+ # some classes have had things prepended to them, like Marshal in Rails 5 and higher. Their
16
+ # ActiveSupport::MarshalWithAutoloading will break our alias patching approach, as will any other prepend on
17
+ # something that we touch. Prepend and Alias are inherently incompatible monkey patching approaches. As such,
18
+ # we need to know if something has been prepended to.
20
19
  #
21
- # @param mod [Module] the Module to check to see if it has had something
22
- # prepended
20
+ # @param mod [Module] the Module to check to see if it has had something prepended
23
21
  # @param ancestors [Array<Module>] the array of ancestors for the mod
24
22
  # @return [Boolean] if the mod has been prepended or not
25
23
  def prepended? mod, ancestors = nil
@@ -27,8 +25,13 @@ module Contrast
27
25
  ancestors[0] != mod
28
26
  end
29
27
 
30
- # return true if the given method is overwritten by one of the ancestors
31
- # in the ancestor change that comes before the given module
28
+ # return true if the given method is overwritten by one of the ancestors in the ancestor change that comes
29
+ # before the given module
30
+ #
31
+ # @param mod [Module] the Module to check to see if it has had something prepended
32
+ # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that holds the method we
33
+ # need to check
34
+ # @return [Boolean] if this method specifically was prepended
32
35
  def prepended_method? mod, method_policy
33
36
  target_module = determine_target_class mod, method_policy.instance_method
34
37
  ancestors = target_module.ancestors
@@ -43,49 +46,49 @@ module Contrast
43
46
  false
44
47
  end
45
48
 
46
- # Return a String representing the object invoking this method in the
47
- # form expected by our dataflow events.
49
+ # Return a String representing the object invoking this method in the form expected by our dataflow events.
50
+ # After implementing the LRU Cache, we firstly need to check if already had that object cached and if we have
51
+ # it - we can return it directly; otherwise we'll calculate and store the result before returning.
52
+ #
53
+ # TODO: RUBY-1327
54
+ # Once we move to 2.7+, we can combine the caches using ID b/c the memory location stops being the id
48
55
  #
49
56
  # @param object [Object, nil] the entity to convert to a String
50
57
  # @return [String] the human readable form of the String, as defined by
51
58
  # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/capture-snapshot.md
52
-
53
59
  def to_contrast_string object
54
- # After implementing the LRU Cache, we firstly need to check if already had that object cached
55
- # and if we have it - we can return it directly
56
- return @lru_cache[object.__id__] if @lru_cache.key? object.__id__
57
-
58
- # Only treat object like a string if it actually is a string+
59
- # some subclasses of String override string methods we depend on
60
- @lru_cache[object.__id__] = if object.cs__class == String
61
- cached = to_cached_string(object)
62
- return cached if cached
63
-
64
- object.dup
65
- elsif object.nil?
66
- Contrast::Utils::ObjectShare::NIL_STRING
67
- elsif object.cs__is_a?(Symbol)
68
- ":#{ object }"
69
- elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
70
- "#{ object.cs__name }@#{ object.__id__ }"
71
- elsif object.cs__is_a?(Regexp)
72
- object.source
73
- elsif use_to_s?(object)
74
- object.to_s
75
- else
76
- "#{ object.cs__class.cs__name }@#{ object.__id__ }"
77
- end
60
+ # Only treat object like a string if it actually is a string+ some subclasses of String override string
61
+ # methods we depend on
62
+ if object.cs__class == String
63
+ return @string_cache[object] if @string_cache.key? object
64
+
65
+ @string_cache[object] = to_cached_string(object) || object.dup
66
+ else
67
+ return @lru_cache[object.__id__] if @lru_cache.key? object.__id__
68
+
69
+ @lru_cache[object.__id__] = if object.nil?
70
+ Contrast::Utils::ObjectShare::NIL_STRING
71
+ elsif object.cs__is_a?(Symbol)
72
+ ":#{ object }"
73
+ elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
74
+ "#{ object.cs__name }@#{ object.__id__ }"
75
+ elsif object.cs__is_a?(Regexp)
76
+ object.source
77
+ elsif use_to_s?(object)
78
+ object.to_s
79
+ else
80
+ "#{ object.cs__class.cs__name }@#{ object.__id__ }"
81
+ end
82
+ end
78
83
  end
79
84
 
80
- # The method const_defined? can cause autoload, which is bad for us.
81
- # The method autoload? doesn't traverse namespaces. This method lets us
82
- # provide a constant, as a String, and parse it to determine if it has
83
- # been truly truly defined, meaning it existed before this method was
84
- # invoked, not as a result of it.
85
+ # The method const_defined? can cause autoload, which is bad for us. The method autoload? doesn't traverse
86
+ # namespaces. This method lets us provide a constant, as a String, and parse it to determine if it has been
87
+ # truly truly defined, meaning it existed before this method was invoked, not as a result of it.
85
88
  #
86
- # This is required to handle a bug in Ruby prior to 2.7.0. When we drop
87
- # support for 2.6.X, we should remove this code.
88
- # https://bugs.ruby-lang.org/issues/10741
89
+ # TODO: RUBY-1326
90
+ # This is required to handle a bug in Ruby prior to 2.7.0. When we drop support for 2.6.X, we should remove
91
+ # this code. https://bugs.ruby-lang.org/issues/10741
89
92
  # @param name [String] the name of the constant to look up
90
93
  # @return [Boolean]
91
94
  def truly_defined? name
@@ -108,7 +111,8 @@ module Contrast
108
111
  private
109
112
 
110
113
  # Some objects have nice to_s that we can use to make them human readable. If they do, we should leverage them.
111
- # We used to do this by default, but this opened us up to danger, so we're instead using an allow list approach.
114
+ # We used to do this by default, but this opened us up to danger, so we're instead using an allow list
115
+ # approach.
112
116
  #
113
117
  # @param object [Object] something that may have a safe to_s method
114
118
  # @return [Boolean] if we should invoke to_s to represent the object
@@ -119,6 +123,11 @@ module Contrast
119
123
  false
120
124
  end
121
125
 
126
+ # Find the target class based on the instance, or module, provided. If a module, return it.
127
+ #
128
+ # @param mod [Module] the Module, or instance of a Module, that we need to check
129
+ # @param is_instance [Boolean] is the object provided an instance of a class, requiring lookup by class
130
+ # @return [Module]
122
131
  def determine_target_class mod, is_instance
123
132
  return mod if mod.singleton_class?
124
133
 
@@ -127,13 +136,11 @@ module Contrast
127
136
  mod
128
137
  end
129
138
 
130
- # If the String matches a common String in our ObjectShare, return that
131
- # rather that for use as the representation of the String rather than
132
- # forcing a duplication of the String.
139
+ # If the String matches a common String in our ObjectShare, return that rather that for use as the
140
+ # representation of the String rather than forcing a duplication of the String.
133
141
  #
134
- # @param string [String] some string of which we want a Contrast
135
- # representation.
136
- # @return [String,nil] the ObjectShare version of the String or nil
142
+ # @param string [String] some string of which we want a Contrast representation.
143
+ # @return [String, nil] the ObjectShare version of the String or nil
137
144
  def to_cached_string string
138
145
  return Contrast::Utils::ObjectShare::EMPTY_STRING if string.empty?
139
146
  return Contrast::Utils::ObjectShare::SLASH if string == Contrast::Utils::ObjectShare::SLASH
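Review bot: In `to_contrast_string`, `@string_cache` is keyed by String value rather than `__id__`, so every equal-content String now receives the same cached `object.dup` instance instead of a fresh copy; if any consumer mutates the returned representation, that mutation is visible through every later hit for that content until the entry ages out of the 300-slot LRU. Freezing what is stored closes that off: `@string_cache[object] = (to_cached_string(object) || object.dup).freeze` — the ObjectShare constants are presumably frozen already, so this only changes the dup path; whether any caller relies on a mutable result is not visible from this hunk. Worth a comment as well: hashing the key costs O(length) per lookup, and the cache retains both the key copy and the value, so large request strings are held twice; a length cap before caching may be warranted.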
@@ -1,8 +1,6 @@
1
1
  # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
2
  # frozen_string_literal: true
3
3
 
4
- require 'contrast/components/logger'
5
-
6
4
  module Contrast
7
5
  module Utils
8
6
  # A LRU(Least Recently Used) Cache store.
@@ -38,6 +36,10 @@ module Contrast
38
36
  def values
39
37
  @cache.values
40
38
  end
39
+
40
+ def clear
41
+ @cache.clear
42
+ end
41
43
  end
42
44
  end
43
45
  end
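--- a/data/lib/contrast.rb
+++ b/data/lib/contrast.rb
@@ -23,7 +23,7 @@ end
 
 if RUBY_VERSION >= '3.0.0'
 # This fixes Ruby 3.0 issues with Module#(some instance method) patching by preventing the prepending of
-# a JSON helper on protobuf load. String.instance_method(:+) is one of the most noticable.
+# a JSON helper on protobuf load. String.instance_method(:+) is one of the most noticeable.
 # TODO: RUBY-1132 Remove this once Ruby 3 is fixed.
 # See bug here: https://bugs.ruby-lang.org/issues/17725
 class Class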
@@ -50,7 +50,7 @@
50
50
  "target": "R",
51
51
  "type": "COOKIE",
52
52
  "tags":["NO_NEWLINES", "CROSS_SITE"]
53
- }, {
53
+ }, {
54
54
  "class_name":"Rack::Request::Helpers",
55
55
  "instance_method": true,
56
56
  "method_visibility": "public",
@@ -200,8 +200,15 @@
200
200
  "source": "O",
201
201
  "target": "R",
202
202
  "action": "KEEP"
203
- },
204
- {
203
+ }, {
204
+ "class_name": "String",
205
+ "instance_method": true,
206
+ "method_visibility": "public",
207
+ "method_name": "force_encoding",
208
+ "source": "O",
209
+ "target": "R",
210
+ "action": "SPLAT"
211
+ }, {
205
212
  "class_name": "String",
206
213
  "instance_method": true,
207
214
  "method_visibility": "public",
@@ -209,8 +216,7 @@
209
216
  "source": "O",
210
217
  "target": "R",
211
218
  "action": "KEEP"
212
- },
213
- {
219
+ }, {
214
220
  "class_name": "String",
215
221
  "instance_method": true,
216
222
  "method_visibility": "public",
@@ -218,7 +224,7 @@
218
224
  "source": "O,P0",
219
225
  "target": "R",
220
226
  "action": "SPLIT"
221
- },{
227
+ }, {
222
228
  "class_name": "String",
223
229
  "instance_method": true,
224
230
  "method_visibility": "public",
@@ -1,11 +1,6 @@
1
1
  {
2
2
  "deadzones":[
3
3
  {
4
- "class_name":"Rspec::Core::BacktraceFormatter",
5
- "instance_method":true,
6
- "method_visibility": "private",
7
- "method_name":"matches?"
8
- },{
9
4
  "class_name":"Rspec::Core::Example",
10
5
  "instance_method":true,
11
6
  "method_visibility": "private",
@@ -205,6 +200,92 @@
205
200
  "method_visibility": "public",
206
201
  "method_name":"exists?",
207
202
  "code": "https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_dispatch/request/session.rb#L201"
203
+ },{
204
+ "class_name": "RSpec::Matchers::BuiltIn::BaseMatcher"
205
+ },{
206
+ "class_name": "RSpec::Matchers::BuiltIn::BeAKindOf"
207
+ },{
208
+ "class_name": "RSpec::Matchers::BuiltIn::BeAnInstanceOf"
209
+ },{
210
+ "class_name": "RSpec::Matchers::BuiltIn::BeBetween"
211
+ },{
212
+ "class_name": "RSpec::Matchers::BuiltIn::Be"
213
+ },{
214
+ "class_name": "RSpec::Matchers::BuiltIn::BeComparedTo"
215
+ },{
216
+ "class_name": "RSpec::Matchers::BuiltIn::BeFalsey"
217
+ },{
218
+ "class_name": "RSpec::Matchers::BuiltIn::BeHelpers"
219
+ },{
220
+ "class_name": "RSpec::Matchers::BuiltIn::BeNil"
221
+ },{
222
+ "class_name": "RSpec::Matchers::BuiltIn::BePredicate"
223
+ },{
224
+ "class_name": "RSpec::Matchers::BuiltIn::BeTruthy"
225
+ },{
226
+ "class_name": "RSpec::Matchers::BuiltIn::BeWithin"
227
+ },{
228
+ "class_name": "RSpec::Matchers::BuiltIn::Change"
229
+ },{
230
+ "class_name": "RSpec::Matchers::BuiltIn::ChangeRelatively"
231
+ },{
232
+ "class_name": "RSpec::Matchers::BuiltIn::SpecificValuesChange"
233
+ },{
234
+ "class_name": "RSpec::Matchers::BuiltIn::Compound"
235
+ },{
236
+ "class_name": "RSpec::Matchers::BuiltIn::Compound::And"
237
+ }, {
238
+ "class_name": "RSpec::Matchers::BuiltIn::Compound::Or"
239
+ },{
240
+ "class_name": "RSpec::Matchers::BuiltIn::ContainExactly"
241
+ },{
242
+ "class_name": "RSpec::Matchers::BuiltIn::Cover"
243
+ },{
244
+ "class_name": "RSpec::Matchers::BuiltIn::EndWith"
245
+ },{
246
+ "class_name": "RSpec::Matchers::BuiltIn::Eq"
247
+ },{
248
+ "class_name": "RSpec::Matchers::BuiltIn::Eql"
249
+ },{
250
+ "class_name": "RSpec::Matchers::BuiltIn::Equal"
251
+ },{
252
+ "class_name": "RSpec::Matchers::BuiltIn::Exist"
253
+ },{
254
+ "class_name": "RSpec::Matchers::BuiltIn::Has"
255
+ },{
256
+ "class_name": "RSpec::Matchers::BuiltIn::HaveAttributes"
257
+ },{
258
+ "class_name": "RSpec::Matchers::BuiltIn::All"
259
+ },{
260
+ "class_name": "RSpec::Matchers::BuiltIn::Match"
261
+ },{
262
+ "class_name": "RSpec::Matchers::BuiltIn::NegativeOperatorMatcher"
263
+ },{
264
+ "class_name": "RSpec::Matchers::BuiltIn::OperatorMatcher"
265
+ },{
266
+ "class_name": "RSpec::Matchers::BuiltIn::Output"
267
+ },{
268
+ "class_name": "RSpec::Matchers::BuiltIn::PositiveOperatorMatcher"
269
+ },{
270
+ "class_name": "RSpec::Matchers::BuiltIn::RaiseError"
271
+ },{
272
+ "class_name": "RSpec::Matchers::BuiltIn::RespondTo"
273
+ },{
274
+ "class_name": "RSpec::Matchers::BuiltIn::Satisfy"
275
+ },{
276
+ "class_name": "RSpec::Matchers::BuiltIn::StartWith"
277
+ },{
278
+ "class_name": "RSpec::Matchers::BuiltIn::ThrowSymbol"
279
+ },{
280
+ "class_name": "RSpec::Matchers::BuiltIn::YieldControl"
281
+ },{
282
+ "class_name": "RSpec::Matchers::BuiltIn::YieldSuccessiveArgs"
283
+ },{
284
+ "class_name": "RSpec::Matchers::BuiltIn::YieldWithArgs"
285
+ },{
286
+ "class_name": "RSpec::Matchers::BuiltIn::YieldWithNoArgs"
287
+ },{
288
+ "class_name": "SimpleCov"
208
289
  }
209
290
  ]
210
291
  }
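Review bot: The surviving `Rspec::Core::Example` entry (context line at the top of the first hunk) still spells the namespace `Rspec`, while the new entries use `RSpec`; since the real constant is `RSpec::Core::Example`, a name-based deadzone lookup presumably never matches it, and the entry this hunk removes had the same casing. Fix it alongside: `"class_name":"RSpec::Core::Example"`. The new entries omit `instance_method`, `method_visibility` and `method_name`, so they appear to deadzone an entire class; the policy-loader change that supports that form is not in this hunk, so I am assuming it exists.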
@@ -1 +1 @@
1
- 2.21.2
1
+ 2.26.0
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: contrast-agent
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.11.0
4
+ version: 4.12.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
13
13
  autorequire:
14
14
  bindir: exe
15
15
  cert_chain: []
16
- date: 2021-09-23 00:00:00.000000000 Z
16
+ date: 2021-10-14 00:00:00.000000000 Z
17
17
  dependencies:
18
18
  - !ruby/object:Gem::Dependency
19
19
  name: bundler
@@ -618,19 +618,18 @@ executables:
618
618
  extensions:
619
619
  - ext/cs__common/extconf.rb
620
620
  - ext/cs__assess_array/extconf.rb
621
- - ext/cs__assess_regexp/extconf.rb
622
- - ext/cs__protect_kernel/extconf.rb
623
- - ext/cs__assess_marshal_module/extconf.rb
624
- - ext/cs__assess_yield_track/extconf.rb
625
- - ext/cs__assess_string_interpolation26/extconf.rb
626
621
  - ext/cs__assess_fiber_track/extconf.rb
622
+ - ext/cs__assess_marshal_module/extconf.rb
623
+ - ext/cs__assess_active_record_named/extconf.rb
624
+ - ext/cs__assess_basic_object/extconf.rb
627
625
  - ext/cs__assess_string/extconf.rb
626
+ - ext/cs__assess_string_interpolation26/extconf.rb
628
627
  - ext/cs__assess_hash/extconf.rb
628
+ - ext/cs__assess_module/extconf.rb
629
+ - ext/cs__assess_regexp/extconf.rb
629
630
  - ext/cs__assess_kernel/extconf.rb
630
631
  - ext/cs__contrast_patch/extconf.rb
631
- - ext/cs__assess_basic_object/extconf.rb
632
- - ext/cs__assess_module/extconf.rb
633
- - ext/cs__assess_active_record_named/extconf.rb
632
+ - ext/cs__assess_yield_track/extconf.rb
634
633
  extra_rdoc_files: []
635
634
  files:
636
635
  - ".clang-format"
@@ -688,9 +687,6 @@ files:
688
687
  - ext/cs__contrast_patch/cs__contrast_patch.c
689
688
  - ext/cs__contrast_patch/cs__contrast_patch.h
690
689
  - ext/cs__contrast_patch/extconf.rb
691
- - ext/cs__protect_kernel/cs__protect_kernel.c
692
- - ext/cs__protect_kernel/cs__protect_kernel.h
693
- - ext/cs__protect_kernel/extconf.rb
694
690
  - ext/extconf_common.rb
695
691
  - funchook/LICENSE
696
692
  - funchook/Makefile.in
@@ -1039,7 +1035,6 @@ files:
1039
1035
  - lib/contrast/extension/kernel.rb
1040
1036
  - lib/contrast/extension/module.rb
1041
1037
  - lib/contrast/extension/protect.rb
1042
- - lib/contrast/extension/protect/kernel.rb
1043
1038
  - lib/contrast/extension/protect/psych.rb
1044
1039
  - lib/contrast/extension/thread.rb
1045
1040
  - lib/contrast/framework/base_support.rb
@@ -1,47 +0,0 @@
1
- /* Copyright (c) 2021 Contrast Security, Inc. See
2
- * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
3
-
4
- #include "cs__protect_kernel.h"
5
- #include "../cs__common/cs__common.h"
6
- #include <ruby.h>
7
-
8
- static VALUE contrast_protect_fork(const int argc, const VALUE *argv,
9
- const VALUE self) {
10
- VALUE ret;
11
- if (rb_block_given_p()) {
12
- /* We call our hook, but it's a little complicated.
13
- * We wrap the fork block with our own lambda in
14
- * order to instrument it. There are no public
15
- * methods in the Ruby C API to set the prevailing
16
- * block, so we have to use rb_funcall_with_block.
17
- * Also, rb_funcall_with_block does a public call,
18
- * and our method is private.
19
- * So we (as a hack) temporarily set it to public.
20
- */
21
- VALUE wrapper;
22
- wrapper =
23
- rb_funcall_with_block(kernel_protect, rb_sym_protect_kernel_wrapper,
24
- 0, NULL, rb_block_proc());
25
- rb_funcall(rb_mKernel, rb_intern("public"), 1,
26
- ID2SYM(rb_sym_protect_kernel_fork));
27
- ret = rb_funcall_with_block(self, rb_sym_protect_kernel_fork, argc,
28
- argv, wrapper);
29
- rb_funcall(rb_mKernel, rb_intern("private"), 1,
30
- ID2SYM(rb_sym_protect_kernel_fork));
31
- } else {
32
- ret = rb_funcall2(self, rb_sym_protect_kernel_fork, argc, argv);
33
- }
34
- return ret;
35
- }
36
-
37
- void Init_cs__protect_kernel(void) {
38
- VALUE core_protect = rb_define_module_under(core_extensions, "Protect");
39
- kernel_protect = rb_define_module_under(core_protect, "Kernel");
40
- rb_sym_protect_kernel_wrapper = rb_intern("build_wrapper");
41
-
42
- rb_sym_protect_kernel_fork =
43
- contrast_register_patch("Kernel", "fork", &contrast_protect_fork);
44
-
45
- rb_sym_protect_kernel_fork = contrast_register_singleton_patch(
46
- "Kernel", "fork", &contrast_protect_fork);
47
- }
@@ -1,12 +0,0 @@
1
- #include <ruby.h>
2
-
3
- extern VALUE rb_vm_top_self(void);
4
-
5
- static VALUE kernel_protect;
6
- static VALUE rb_sym_protect_kernel_fork;
7
- static VALUE rb_sym_protect_kernel_wrapper;
8
-
9
- static VALUE contrast_protect_fork(const int argc, const VALUE *argv,
10
- const VALUE self);
11
-
12
- void Init_cs__protect_kernel(void);
@@ -1,5 +0,0 @@
1
- # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- $TO_MAKE = File.basename(__dir__)
5
- require_relative '../extconf_common'
@@ -1,29 +0,0 @@
1
- # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
2
- # frozen_string_literal: true
3
-
4
- module Contrast
5
- module Extension
6
- module Protect
7
- # This Module functions as our patch into the Kernel class for Protect,
8
- # allowing us to track activity as it crosses spawned processes.
9
- module Kernel
10
- class << self
11
- def build_wrapper
12
- lambda {
13
- proc_start
14
- yield
15
- # AtExitHook handles sending any messages generated in the new forked process
16
- }
17
- end
18
-
19
- def proc_start
20
- context = Contrast::Agent::REQUEST_TRACKER.current
21
- return unless context
22
-
23
- context.reset_activity
24
- end
25
- end
26
- end
27
- end
28
- end
29
- end