contrast-agent 4.12.0 → 4.13.0

data/lib/contrast/utils/assess/trigger_method_utils.rb

@@ -0,0 +1,138 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations/appliers in the TriggerMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module TriggerMethodUtils
+        # A request is reportable if it is not from ActionController::Live
+        #
+        # @param env [Hash] the env of the Request
+        # @return [Boolean]
+        def reportable? env
+          !(defined?(ActionController::Live) &&
+            env &&
+            env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
+        end
+
+        # Find the request for this finding. This assumes, for now, that if there is an active request, then that
+        # is the request to report. Otherwise, we'll use the first request found in the events of the
+        # source_object.
+        #
+        # @param source [Object,nil] some Object used as the source of a trigger event
+        # @return [Contrast::Agent::Request,nil] the request from which the dataflow on the request originated.
+        def find_request source
+          return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
+          return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
+
+          find_event_request(properties.event)
+        end
+
+        # Finds the first request along the left most tree of parent events
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent|Contrast::Agent::Assess::Events::SourceEvent]
+        # @return [Contrast::Agent::Request, nil]
+        def find_event_request event
+          return event.request if event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+
+          idx = 0
+          while idx <= event.parent_events.length
+            found = find_event_request(event.parent_events[idx])
+            return found if found
+
+            idx += 1
+            return event.request if event.request
+          end
+          return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+
+          event.request
+        end
+
+        # ===== APPLIERS =====
+        # This is our method that actually checks the taint on the object our trigger_node targets.
+        #
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+        #   trigger event
+        # @param source [Object] the source of the Trigger Event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        def apply_trigger trigger_node, source, object, ret, *args
+          return unless trigger_node
+          return if trigger_node.rule_disabled?
+          return if trigger_node.dataflow? && source.nil?
+
+          if trigger_node.regexp_rule?
+            apply_regexp_rule(trigger_node, source, object, ret, *args)
+          elsif trigger_node.custom_trigger?
+            trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
+          elsif trigger_node.dataflow?
+            apply_dataflow_rule(trigger_node, source, object, ret, *args)
+          else # trigger rule - just calling the method is dangerous
+            build_finding(trigger_node, source, object, ret, *args)
+          end
+        rescue StandardError => e
+          logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
+        end
+
+        # This is our method that actually checks the taint on the object our trigger_node targets for our Regexp
+        # based rules.
+        #
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+        #   trigger event
+        # @param source [Object] the source of the Trigger Event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        def apply_regexp_rule trigger_node, source, object, ret, *args
+          return unless source.is_a?(String)
+          return if trigger_node.good_value && source.match?(trigger_node.good_value)
+          return if trigger_node.bad_value && source !~ trigger_node.bad_value
+
+          build_finding(trigger_node, source, object, ret, *args)
+        end
+
+        # This is our method that actually checks the taint on the object our trigger_node targets for our Dataflow
+        # based rules.
+        #
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+        #   trigger event
+        # @param source [Object] the source of the Trigger Event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        def apply_dataflow_rule trigger_node, source, object, ret, *args
+          return unless source
+
+          if Contrast::Agent::Assess::Tracker.trackable?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+            return unless trigger_node.violated?(source)
+
+            build_finding(trigger_node, source, object, ret, *args)
+          elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+
+            source.each_pair do |key, value|
+              apply_dataflow_rule(trigger_node, key, object, ret, *args)
+              apply_dataflow_rule(trigger_node, value, object, ret, *args)
+            end
+          elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
+            return unless Contrast::Agent::Assess::Tracker.tracked?(source)
+
+            source.each do |value|
+              apply_dataflow_rule(trigger_node, value, object, ret, *args)
+            end
+          else
+            logger.debug('Trigger source is untrackable. Unable to inspect.',
+                         node_id: trigger_node.id,
+                         source_id: source.__id__,
+                         source_type: source.cs__class.cs__name,
+                         frozen: source.cs__frozen?)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/exclude_key.rb

@@ -0,0 +1,20 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # Determine if configuration keys is excluded from logging
+    module ExcludeKey
+      EXCLUDE_FROM_LOG = %w[api api_key url service_key user_name].cs__freeze
+      class << self
+        # Check if a config key can be logged or not
+        #
+        # @param key [String] key to check
+        # @return[Boolean] true | false
+        def excludable? key
+          EXCLUDE_FROM_LOG.any? { |exclude_key| key.include? exclude_key }
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/metrics_hash.rb

@@ -0,0 +1,59 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Utils
+    # This is the MetricsHash, which will take data type, so we now what is introduced/included
+    # in the TelemetryEvent
+    class MetricsHash < Hash
+      include Contrast::Components::Logger::InstanceMethods
+
+      attr_reader :data_type
+
+      ERROR_MESSAGES = [
+        'The key is not string or does not meet the requirements.',
+        'The key extends the allowed length.',
+        'VThe provided value is not the right data type'
+      ].cs__freeze
+      KEY_REGEXP = /[a-zA-Z0-9_-]{1,63}/.cs__freeze
+
+      def initialize data_type, *several_variants
+        super
+        @data_type = data_type
+      end
+
+      def []= key, value
+        key_val = key.dup
+        value_val = value.dup
+        key_val.strip! if key_val.cs__is_a?(String)
+        value_val.strip! if value_val.cs__is_a?(String)
+        return unless valid_pair? key_val, value_val
+
+        key_val.downcase!
+        key_val.strip!
+        super(key_val, value_val)
+      end
+
+      def valid_pair? key, value
+        if !key.cs__is_a?(String) || (KEY_REGEXP =~ key).nil?
+          logger.warn('The following key will be omitted', key: key, error: ERROR_MESSAGES[0])
+          return false
+        end
+        unless key.length <= 28
+          logger.warn('The following key will be omitted', key: key, error: ERROR_MESSAGES[1])
+          return false
+        end
+        unless value.cs__is_a?(data_type)
+          logger.warn('The following key will be omitted', value: value, error: ERROR_MESSAGES[2])
+          return false
+        end
+        return false if value.cs__is_a?(String) && value.empty?
+        return false if value.cs__is_a?(String) && value.length > 200
+
+        true
+      end
+    end
+  end
+end

data/lib/contrast/utils/os.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/scope'
+require 'cs__os_information/cs__os_information'
 
 module Contrast
   module Utils
@@ -31,6 +32,28 @@ module Contrast
             zombie_pid_list.split("\n")
           end
         end
+
+        # Check current OS type
+        # returns true if check is correct or false if not
+        def windows?
+          (/cygwin|mswin|mingw|bccwin|wince|emx/ =~ RUBY_PLATFORM) != nil
+        end
+
+        def mac?
+          RUBY_PLATFORM.include? 'darwin'
+        end
+
+        def unix?
+          !windows?
+        end
+
+        def linux?
+          unix? and !mac?
+        end
+
+        def jruby?
+          RUBY_ENGINE == 'jruby'
+        end
       end
     end
   end

data/lib/contrast/utils/patching/policy/patch_utils.rb

@@ -0,0 +1,232 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Patching
+      # This module will include all methods for different patch applies from Patch module
+      # and some other module methods from the same place, so we can ease the main module
+      module PatchUtils
+        # Method to choose which replaced return from the post_patch to
+        # actually return
+        #
+        # @param propagated_ret [Object, nil] The replaced return from the
+        #   propagation patch.
+        # @param source_ret [Object, nil] The replaced return from the
+        #   source patch.
+        # @param ret [Object, nil] The original return of the patched
+        #   method.
+        # @return [Object, nil] The thing to return from the post patch.
+        def handle_return propagated_ret, source_ret, ret
+          safe_return = propagated_ret || source_ret || ret
+          safe_return.rewind if Contrast::Utils::IOUtil.should_rewind?(safe_return)
+          safe_return
+        end
+
+        # Given a module and method, construct an expected name for the
+        # alias by which Contrast will reference the original.
+        #
+        # @param patched_class [Module] the module being patched
+        # @param patched_method [Symbol] the method being patched
+        # @return [Symbol]
+        def build_method_name patched_class, patched_method
+          (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
+            patched_class.cs__name.gsub('::', '_').downcase +
+            Contrast::Utils::ObjectShare::UNDERSCORE +
+            patched_method.to_s).to_sym
+        end
+
+        # Given a method, return a symbol in the format
+        # <method_start>_unbound_<method_name>
+        def build_unbound_method_name patcher_method
+          (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
+            'unbound' +
+            Contrast::Utils::ObjectShare::UNDERSCORE +
+            patcher_method.to_s).to_sym
+        end
+
+        # ===== PATCH APPLIERS =====
+        # THIS IS CALLED FROM C. Do not change the signature lightly.
+        #
+        # This method functions to call the infilter methods from our
+        # patches, allowing for analysis and reporting at the point just
+        # before the patched code is invoked.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   Mapping of the triggers on the given method.
+        # @param method [Symbol] The method into which we're patching
+        # @param exception [StandardError] Any exception raised during the
+        #   call of the patched method.
+        # @param object [Object] The object on which the method is invoked,
+        #   typically what would be returned by self.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        def apply_pre_patch method_policy, method, exception, object, args
+          apply_protect(method_policy, method, exception, object, args)
+          apply_inventory(method_policy, method, exception, object, args)
+        rescue Contrast::SecurityException => e
+          # We were told to block something, so we gotta. Don't catch this
+          # one, let it get back to our Middleware or even all the way out to
+          # the framework
+          raise e
+        rescue StandardError => e
+          # Anything else was our bad and we gotta catch that to allow for
+          # normal application flow
+          logger.error('Unable to apply pre patch to method.', e)
+        rescue Exception => e # rubocop:disable Lint/RescueException
+          # This is something like NoMemoryError that we can't
+          # hope to handle.  Nonetheless, shouldn't leak scope.
+          exit_contrast_scope!
+          raise e
+        end
+
+        # THIS IS CALLED FROM C. Do not change the signature lightly.
+        #
+        # This method functions to call the infilter methods from our
+        # patches, allowing for analysis and reporting at the point just
+        # after the patched code is invoked
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   Mapping of the triggers on the given method.
+        # @param preshift [Contrast::Agent::Assess::PreShift] The capture
+        #   of the state of the code just prior to the invocation of the
+        #   patched method.
+        # @param object [Object] The object on which the method was
+        #   invoked, typically what would be returned by self.
+        # @param ret [Object] The return of the method that was invoked.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        # @param block [Proc] The block passed to the method that was
+        #   invoked.
+        def apply_post_patch method_policy, preshift, object, ret, args, block
+          apply_assess(method_policy, preshift, object, ret, args, block)
+        rescue StandardError => e
+          logger.error('Unable to apply post patch to method.', e)
+        end
+
+        # Apply the Protect patch which applies to the given method.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   Mapping of the triggers on the given method.
+        # @param method [Symbol] The method into which we're patching
+        # @param exception [StandardError] Any exception raised during the
+        #   call of the patched method.
+        # @param object [Object] The object on which the method is invoked,
+        #   typically what would be returned by self.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        def apply_protect method_policy, method, exception, object, args
+          return unless ::Contrast::AGENT.enabled?
+          return unless ::Contrast::PROTECT.enabled?
+
+          apply_trigger_only(method_policy&.protect_node, method, exception, object, args)
+        end
+
+        # Apply the Inventory patch which applies to the given method.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   Mapping of the triggers on the given method.
+        # @param method [Symbol] The method into which we're patching
+        # @param exception [StandardError] Any exception raised during the
+        #   call of the patched method.
+        # @param object [Object] The object on which the method is invoked,
+        #   typically what would be returned by self.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        def apply_inventory method_policy, method, exception, object, args
+          return unless ::Contrast::INVENTORY.enabled?
+
+          apply_trigger_only(method_policy&.inventory_node, method, exception, object, args)
+        end
+
+        # Apply the Assess patches which apply to the given method.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   Mapping of the triggers on the given method.
+        # @param preshift [Contrast::Agent::Assess::PreShift] The capture
+        #   of the state of the code just prior to the invocation of the
+        #   patched method.
+        # @param object [Object] The object on which the method was
+        #   invoked, typically what would be returned by self.
+        # @param ret [Object] The return of the method that was invoked.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        # @param block [Proc] The block passed to the method that was
+        #   invoked.
+        def apply_assess method_policy, preshift, object, ret, args, block
+          source_ret = nil
+          propagated_ret = nil
+          return ret unless method_policy && ::Contrast::ASSESS.enabled?
+
+          current_context = Contrast::Agent::REQUEST_TRACKER.current
+          return ret if current_context && !current_context.analyze_request?
+
+          trigger_node = method_policy.trigger_node
+          if trigger_node
+            Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args)
+          end
+          if method_policy.source_node
+            # If we were given a frozen return, and it was the target of a
+            # source, and we have frozen sources enabled, we'll need to
+            # replace the return. Note, this is not the default case.
+            source_ret = Contrast::Agent::Assess::Policy::SourceMethod.source_patchers(method_policy, object, ret, args)
+          end
+          if method_policy.propagation_node
+            propagated_ret = Contrast::Agent::Assess::Policy::PropagationMethod.apply_propagation(
+                method_policy,
+                preshift,
+                object,
+                source_ret || ret,
+                args,
+                block)
+          end
+          handle_return(propagated_ret, source_ret, ret)
+        rescue StandardError => e
+          logger.error('Unable to assess method call.', e)
+          handle_return(propagated_ret, source_ret, ret)
+        rescue Exception => e # rubocop:disable Lint/RescueException
+          logger.error('Unable to assess method call.', e)
+          handle_return(propagated_ret, source_ret, ret)
+          raise e
+        end
+
+        # Generic invocation of the Inventory or Protect patch which apply
+        # to the given method.
+        #
+        # @param trigger_node [Contrast::Agent::Inventory::Policy::TriggerNode]
+        #   Mapping of the specific trigger on the given method.
+        # @param method [Symbol] The method into which we're patching
+        # @param exception [StandardError] Any exception raised during the
+        #   call of the patched method.
+        # @param object [Object] The object on which the method is invoked,
+        #   typically what would be returned by self.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        def apply_trigger_only trigger_node, method, exception, object, args
+          return unless trigger_node
+
+          # If that rule only applies in the case of an exception being
+          # thrown and there's no exception here, move along, or vice versa
+          return if trigger_node.on_exception && !exception
+          return if !trigger_node.on_exception && exception
+
+          # Each patch has an applicator that handles logic for it. Think
+          # of this as being similar to propagator actions, most closely
+          # resembling CUSTOM - they all have a common interface but their
+          # own logic based on what's in the method(s) they've been patched
+          # into.
+          # Each patch also knows the method of its applicator. Some
+          # things, like AppliesXxeRule, have different methods depending
+          # on the library patched. This lets us handle the boilerplate of
+          # patching while still allowing for custom handling of the
+          # methods.
+          applicator_method = trigger_node.applicator_method
+          # By calling send like this, we can reuse all the patching.
+          # We `send` to the given method of the given class
+          # (applicator) since they all accept the same inputs
+          trigger_node.applicator.send(applicator_method, method, exception, trigger_node.properties, object, args)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/patching/policy/patcher_utils.rb

@@ -0,0 +1,54 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Patching
+      # This module will include patch methods from Patcher module
+      # in case of need to add new logic to the Patcher
+      # please do it here
+      module PatcherUtils
+        # This method is called by TracePointHook to instrument a specific class during a require
+        # or eval of dynamic class definition
+        def patch_specific_module mod
+          with_contrast_scope do
+            mod_name = mod.cs__name
+            return unless Contrast::Utils::ClassUtil.truly_defined?(mod_name)
+            return if ::Contrast::AGENT.skip_instrumentation?(mod_name)
+
+            load_patches_for_module(mod_name)
+
+            return if all_module_names.none?(mod_name)
+
+            module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
+            patch_into_module(module_data)
+            all_module_names.delete(mod_name) if status_type.get_status(mod).patched?
+          rescue StandardError => e
+            logger.error('Unable to patch module', e, module: mod_name)
+          end
+        end
+
+        # We did it, team. We found a patcher(s) that applies to the given
+        # class (or module) and the given method. Time to do some tracking.
+        #
+        # @param mod [Module] the module in which the patch should be
+        #   placed.
+        # @param methods [Array(Symbol)] all the instance or singleton
+        #   methods in this mod.
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   the policy that applies to the given method_name.
+        # @return [Boolean] if patched, either by this invocation or a
+        #   previous, or not
+        def patch_method mod, methods, method_policy
+          return false unless methods&.any? # don't even build the name if there are no methods
+
+          if Contrast::Utils::ClassUtil.prepended_method?(mod, method_policy)
+            Contrast::Agent::Patching::Policy::Patch.instrument_with_prepend(mod, method_policy)
+          else
+            Contrast::Agent::Patching::Policy::Patch.instrument_with_alias(mod, methods, method_policy)
+          end
+        end
+      end
+    end
+  end
+end