contrast-agent 4.12.0 → 4.13.0

data/lib/contrast/configuration.rb

@@ -7,6 +7,7 @@ require 'fileutils'
 require 'contrast/config'
 require 'contrast/utils/object_share'
 require 'contrast/components/scope'
+require 'contrast/utils/exclude_key'
 
 module Contrast
   # This is how we read in the local settings for the Agent, both ENV/ CMD line
@@ -218,6 +219,8 @@ module Contrast
       case convert
       when Contrast::Config::BaseConfiguration
         convert.cs__class::KEYS.each_key do |key|
+          next if Contrast::Utils::ExcludeKey.excludable? key.to_s
+
           hash[key] = convert_to_hash(convert.send(key), {})
         end
         hash

data/lib/contrast/framework/manager.rb

@@ -16,9 +16,9 @@ module Contrast
     class Manager
       include Contrast::Components::Logger::InstanceMethods
 
-      # Order here does matter as the first framework listed will be the first one we pull information from
-      # Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
-      # do not exist
+      # Order here does matter as the first framework listed will be the first one we pull information from Rack will
+      # be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra do not
+      # exist
       SUPPORTED_FRAMEWORKS = [
         Contrast::Framework::Rails::Support, Contrast::Framework::Sinatra::Support,
         Contrast::Framework::Grape::Support, Contrast::Framework::Rack::Support
@@ -34,9 +34,8 @@ module Contrast
         @_frameworks.compact!
       end
 
-      # Patches that have to be applied as early as possible to catch calls
-      # that happen prior to the first Request, typically those around
-      # configuration.
+      # Patches that have to be applied as early as possible to catch calls that happen prior to the first Request,
+      # typically those around configuration.
       def before_load_patches!
         @_before_load_patches ||= begin
           SUPPORTED_FRAMEWORKS.each(&:before_load_patches!)
@@ -81,8 +80,8 @@ module Contrast
 
       # Build a request from the provided env, based on the framework(s) we're currently supporting.
       #
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values
-      # of this particular Request
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this particular Request
       # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
         # If we're mounted on Rails, use Rails.
@@ -99,8 +98,8 @@ module Contrast
         logger.warn('Unable to retrieve_request', e)
       end
 
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
-      #   and values of this particular Request
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this particular Request
       # @return [Boolean] true if at least one framework is streaming the response; false if none are streaming
       def streaming? env
         result = false
@@ -111,8 +110,8 @@ module Contrast
         result
       end
 
-      # Iterate through current frameworks and return the current request's route. This will be the first
-      # non-nil result.
+      # Iterate through current frameworks and return the current request's route. This will be the first non-nil
+      # result.
       #
       # @param request [Contrast::Agent::Request] the current request.
       # @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
@@ -125,6 +124,9 @@ module Contrast
       # have support enabled, we'll enable it now. We'll also need to catch up on any other startup actions that we've
       # missed. Most likely, this is only necessary for those applications which have applications mounted on them.
       #
+      # TODO: RUBY-1354
+      # TODO: RUBY-1356
+      #
       # @param mod [Module] the module or class that was just loaded
       def register_late_framework mod
         return unless mod

data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb

@@ -5,10 +5,14 @@ module Contrast
   module Framework
     module Rails
       module Patch
-        # This class acts as our patch into the ActionController::Live::Buffer
-        # class, allowing us to track the close event on streamed responses.
+        # This class acts as our patch into the ActionController::Live::Buffer class, allowing us to track the close
+        # event on streamed responses.
         module ActionControllerLiveBuffer
           class << self
+            # TODO: RUBY-1353
+            # TODO: RUBY-1355
+            # TODO: RUBY-1357
+            # TODO: RUBY-1357
             def send_messages
               return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
 
@@ -20,10 +24,9 @@ module Contrast
             def instrument
               @_instrument ||= begin
                 ::ActionController::Live::Buffer.class_eval do
-                  # normally pre->in->post filters are applied however, in a streamed response
-                  # we can run into a case where it's pre -> in -> post -> more infilters
-                  # in order to submit anything found during the infilters after the response has
-                  # been written we need to explicitly send them
+                  # normally pre->in->post filters are applied however, in a streamed response we can run into a case
+                  # where it's pre -> in -> post -> more infilters in order to submit anything found during the
+                  # infilters after the response has been written we need to explicitly send them
                   alias_method :cs__close, :close
                   def close
                     Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer.send_messages

data/lib/contrast/framework/rails/patch/support.rb

@@ -38,37 +38,39 @@ module Contrast
                                     instrumenting_module:
                                       'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration')
                               ])
-            if RUBY_VERSION < '2.6.0'
-              patches.merge([
-                              # TODO: RUBY-714 remove w/ EOL of 2.5
-                              #
-                              # @deprecated  Everything past here is used for Rewriting and can
-                              #   be removed once we no longer support 2.5.
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActionController::Railties::Helper::ClassMethods',
-                                  'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
-                                  method_to_instrument: :inherited,
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::AttributeMethods::Read::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::Scoping::Named::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_named',
-                                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
-                                  method_to_instrument: :inherited,
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
-                            ])
-            end
+            patches.merge(special_after_load_patches) if RUBY_VERSION < '2.6.0'
             patches
           end
+
+          def special_after_load_patches
+            [
+              # TODO: RUBY-714 remove w/ EOL of 2.5
+              #
+              # @deprecated  Everything past here is used for Rewriting and can
+              #   be removed once we no longer support 2.5.
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActionController::Railties::Helper::ClassMethods',
+                  'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
+                  method_to_instrument: :inherited,
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::AttributeMethods::Read::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::Scoping::Named::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_named',
+                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
+                  method_to_instrument: :inherited,
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
+            ]
+          end
         end
       end
     end

data/lib/contrast/logger/application.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/utils/exclude_key'
+
 module Contrast
   module Logger
     # Our decorator for the Ougai logger allowing for the logging of the
@@ -29,6 +31,8 @@ module Contrast
         loggable = ::Contrast::CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select do |env_key|
+          next if Contrast::Utils::ExcludeKey.excludable? env_key.to_s
+
           env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
         end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }

data/lib/contrast/utils/assess/propagation_method_utils.rb

@@ -0,0 +1,129 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the PropagationMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module PropagationMethodUtils
+        APPEND_ACTION = 'APPEND'
+        CENTER_ACTION = 'CENTER'
+        INSERT_ACTION = 'INSERT'
+        KEEP_ACTION = 'KEEP'
+        NEXT_ACTION = 'NEXT'
+        NOOP_ACTION = 'NOOP'
+        PREPEND_ACTION = 'PREPEND'
+        REPLACE_ACTION = 'REPLACE'
+        REMOVE_ACTION = 'REMOVE'
+        REVERSE_ACTION = 'REVERSE'
+        SPLAT_ACTION = 'SPLAT'
+        SPLIT_ACTION = 'SPLIT'
+        DB_WRITE_ACTION = 'DB_WRITE'
+        CUSTOM_ACTION = 'CUSTOM'
+
+        ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
+
+        PROPAGATION_ACTIONS = {
+            APPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Append,
+            CENTER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Center,
+            INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
+            KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
+            NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
+            NOOP_ACTION => nil,
+            PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
+            REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
+            REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
+            REVERSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Reverse,
+            SPLAT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Splat,
+            SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
+        }.cs__freeze
+
+        def determine_target propagation_node, ret, object, args
+          target = propagation_node.targets[0]
+          case target
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          else
+            args[target]
+          end
+        end
+
+        # Custom actions tend to be the more complex of our propagations. Often, the method has to make decisions
+        # about the target based on the context with which the method was called. As such, defer determining if the
+        # target is valid to that method.
+        #
+        # In all other cases, a target is valid for propagation if it is not nil
+        #
+        # @param target [Object] the thing to which to propagate
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @return [Boolean]
+        def valid_target? target, propagation_node
+          return true if propagation_node.action == CUSTOM_ACTION
+
+          !!target
+        end
+
+        # If the action required needs a length and the target does not have one, the length is not valid
+        #
+        # @param target [Object] the thing to which to propagate
+        # @param action [String] the name of the action taken during this propagation
+        # @return [Boolean]
+        def valid_length? target, action
+          return true if ZERO_LENGTH_ACTIONS.include?(action)
+
+          if Contrast::Utils::DuckUtils.quacks_to?(target, :length)
+            target.length != 0 # rubocop:disable Style/ZeroLengthPredicate
+          else
+            !target.to_s.empty?
+          end
+        end
+
+        # Before we do any work, we should check if we even need to. If the source and target of this patcher are
+        # not tracked, there's no need to do anything. A copy of nothing is still nothing.
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+        #   the invocation of the patched method.
+        # @param target [Object] the thing to which to propagate
+        # @return [Boolean]
+        def can_propagate? propagation_node, preshift, target
+          return false unless appropriate_target?(propagation_node, target)
+          return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
+          return false unless preshift
+
+          propagation_node.sources.each do |source|
+            case source
+            when Contrast::Utils::ObjectShare::OBJECT_KEY
+              return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
+            else
+              # has to be P, there's no ret source type (yet? ever?)
+              return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
+            end
+          end
+          false
+        end
+
+        # We cannot propagate to frozen things that have not been updated to work with our property tracking,
+        # unless they're duplicable and the return. We probably shouldn't propagate to frozen things at all, as
+        # they're supposed to be immutable, but third parties do jenky things, so allow it as long as it is safe to
+        # do.
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param target [Object] the Target to which to propagate.
+        # @return [Boolean] if the target can be propagated to
+        def appropriate_target? propagation_node, target
+          # special handle Returns b/c we can do unfreezing magic during propagation
+          return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+          Contrast::Agent::Assess::Tracker.trackable?(target)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/property/tagged_utils.rb

@@ -0,0 +1,142 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the Tagged property module
+      # and some other module methods from the same place, so we can ease the main module
+      # This module includes simple methods for the tags like
+      # adding tags, getting tags, deleting tags and similar
+      module TaggedUtils
+        # Given a tag name and range object, add a new tag to this
+        # collection. If the given range touches an existing tag,
+        # we'll combine the two, adjusting the existing one and
+        # dropping this new one.
+        #
+        # @param label [String] the name of the tag
+        # @param range [Range] the Range that the tag covers, inclusive to
+        #   exclusive
+        def add_tag label, range
+          length = range.end - range.begin
+          tag = Contrast::Agent::Assess::Tag.new(label, length, range.begin)
+          existing = fetch_tag(label)
+          tags[label] = Contrast::Utils::TagUtil.ordered_merge(existing, tag)
+        end
+
+        def set_tags label, tag_ranges
+          tags[label] = tag_ranges
+        end
+
+        # Returns a list of all current tags.
+        #
+        # @return [Hash<Contrast::Agent::Assess::Tag>]
+        def get_tags # rubocop:disable Naming/AccessorMethodName
+          return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
+
+          tags
+        end
+
+        # We'll use this as a helper method to retrieve tags from the hash.
+        # Because the hash auto-populates an empty array when we try to
+        # access a tag in it, we cannot use the [] method without side
+        # effect. To get around this, we'll use a fetch work around.
+        #
+        # @param label [Symbol] the label to look up
+        # @return [Array<Contrast::Agent::Assess::Tag>] all the tags with
+        #   that label
+        def fetch_tag label
+          get_tags.fetch(label, nil) if tracked?
+        end
+
+        # Remove all tags with a given label
+        def delete_tags label
+          tags.delete(label) if tracked?
+        end
+
+        # Reset the tag hash
+        def clear_tags
+          tags.clear if tracked?
+        end
+
+        # Returns a list of all current tag labels, most likely to be used for
+        # a splat operation
+        def tag_keys
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
+
+          tags.keys
+        end
+
+        # Calls merge to combine touching or overlapping tags
+        # Deletes empty tags
+        def cleanup_tags
+          return unless tracked?
+
+          Contrast::Utils::TagUtil.merge_tags(tags)
+          tags.delete_if { |_, value| value.empty? }
+        end
+
+        # Find all of the ranges that span a given index. This is used
+        # in propagation when we need to shift tags about. For instance, in
+        # the append method when we need to see if any tag at the end needs
+        # to be expanded out to the size of the new String.
+        #
+        # Note: Tags do not know their key, so this is only the range covered
+        #
+        # @param idx [Integer] the index to check for tags
+        # @return [Array<Contrast::Agent::Assess::Tag>] a set of all the Tags
+        #   covering the given index. This is only the ranges, not the names.
+        def tags_at idx
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
+
+          at = []
+          tags.each_value do |tag_array|
+            tag_array.each do |tag|
+              if tag.covers?(idx)
+                at << tag
+              elsif tag.above?(idx)
+                break
+              end
+            end
+          end
+          at
+        end
+
+        # given a range, select all tags in that range the selected tags are
+        # shifted such that the start index of the new tag (0) aligns with
+        # the given start index in the range
+        #
+        # current tags: 5-15
+        # range       : 5-10
+        # result      : 0-05
+        #
+        # Note that we disable Lint/DuplicateBranch in this branch in order
+        # list out all tag range cases in the proper order to make this
+        # easier to understand
+        #
+        # @param range [Range] the span to check, inclusive to exclusive
+        # @return [Hash{String => Contrast::Agent::Assess::Tag}] the hash of
+        #   key to tags
+        def tags_at_range range
+          return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
+
+          at = Hash.new { |h, k| h[k] = [] }
+          tags.each_pair do |key, value|
+            add = nil
+            value.each do |tag|
+              within_range = resize_to_range(tag, range)
+              if within_range
+                add ||= []
+                add << within_range
+              end
+            end
+            next unless add&.any?
+
+            at[key] = add
+          end
+          at
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/source_method_utils.rb

@@ -0,0 +1,83 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the SourceMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module SourceMethodUtils
+        # Safely duplicate the target, or return nil
+        #
+        # @param target [Object] the thing to check for duplication
+        def safe_dup target
+          target.dup
+        rescue StandardError => _e
+          nil
+        end
+
+        # Find the name of the source
+        #
+        # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+        #   event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [String, nil] the human readable name of the target to which this source event applies, or nil if
+        #   none provided by the node
+        def determine_source_name source_node, object, ret, *args
+          return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
+
+          source_node_source = source_node.sources[0]
+          case source_node_source
+          when nil
+            nil
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          else
+            args[source_node_source]
+          end
+        end
+
+        # Determine if we should analyze this method invocation for a Source or not. We should if we have enough
+        # information to build the context of this invocation, we're not disabled, and we can't immediately
+        # determine the invocation was done safely.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
+        #   method being called
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [boolean] if the invocation of this method should be analyzed
+        def analyze? method_policy, object, ret, args
+          return false unless method_policy&.source_node
+          return false unless ::Contrast::ASSESS.enabled?
+          return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
+
+          !safe_invocation?(method_policy.source_node, object, ret, args)
+        end
+
+        # Determine if the method was invoked safely.
+        #
+        # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+        #   event
+        # @param _object [Object] the Object on which the method was invoked
+        # @param _ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [boolean] if the invocation of this method was safe
+        def safe_invocation? source_node, _object, _ret, args
+          # According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
+          # from the Request will start with HTTP_. As such, only Headers with that key should be considered for
+          # tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
+          # instance, uses action_dispatch. to store several values. Technically, you can't call
+          # Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
+          source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
+              args&.any? &&
+              !args[0].to_s.start_with?('HTTP_')
+        end
+      end
+    end
+  end
+end