contrast-agent 4.12.0 → 4.14.1

data/lib/contrast/framework/sinatra/support.rb

@@ -106,7 +106,8 @@ module Contrast
           def _route_recurse controller, method, route
             return if controller.nil? || controller.cs__class == NilClass
 
-            route_patterns = controller.routes.fetch(method) { [] }.map(&:first)
+            route_patterns = controller.routes.fetch(method) { [] }.
+                map(&:first)
             route_pattern = route_patterns&.find do |matcher|
               matcher.params(route) # ::Mustermann::Sinatra match.
             end

data/lib/contrast/logger/application.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/utils/exclude_key'
+
 module Contrast
   module Logger
     # Our decorator for the Ougai logger allowing for the logging of the
@@ -29,6 +31,8 @@ module Contrast
         loggable = ::Contrast::CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select do |env_key|
+          next if Contrast::Utils::ExcludeKey.excludable? env_key.to_s
+
           env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
         end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }

data/lib/contrast/logger/log.rb

@@ -11,6 +11,7 @@ require 'contrast/logger/format'
 require 'contrast/logger/request'
 require 'contrast/logger/time'
 require 'contrast/components/config'
+require 'contrast/utils/log_utils'
 
 module Contrast
   # This module allows us to dynamically weave timing into our code, so that only when the time is actually needed do
@@ -26,9 +27,9 @@ module Contrast
     # Add a method to the list of methods to be trace timed if logger set to TRACE. Enables trace timing after if
     # logger set to TRACE.
     #
-    # @params: clazz [Class] the class of the method to time.
-    # @params: method [Symbol] the method to time.
-    # @params: method [String] optional custom logging message.
+    # @param: clazz [Class] the class of the method to time.
+    # @param: method [Symbol] the method to time.
+    # @param: method [String] optional custom logging message.
     def add_method_to_trace_timing clazz, method, msg = nil
       methods_to_time.append(METHOD_INFO.new(clazz, method, msg, false))
       enable_trace_timing if logger.level == ::Ougai::Logging::TRACE
@@ -37,9 +38,9 @@ module Contrast
     # Add a method to the list of methods to be trace timed if logger set to TRACE. Enables trace timing after if
     # logger set to TRACE.
     #
-    # @params: method_spec [METHOD_INFO] specs about the method to be timed.
-    # @params: class_method [Boolean] whether this is or isn't a class/module method.
-    def trace_time_class_method meth_spec, class_method
+    # @param: meth_spec [METHOD_INFO] specs about the method to be timed.
+    # @param: class_method [Boolean] whether this is or isn't a class/module method.
+    def trace_time_class_method meth_spec, class_method # rubocop:disable Metrics/AbcSize
       untimed_func_symbol = "untimed_#{ meth_spec.method_name }".to_sym
       send_to = class_method ? meth_spec.clazz.cs__singleton_class : meth_spec.clazz
       meth_spec.clazz.class_eval do
@@ -105,12 +106,7 @@ module Contrast
     class Log
       include Singleton
       include ::Contrast::TraceTiming
-
-      DEFAULT_NAME     = 'contrast.log'
-      DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
-      VALID_LEVELS     = ::Ougai::Logging::Severity::SEV_LABEL
-      STDOUT_STR       = 'STDOUT'
-      STDERR_STR       = 'STDERR'
+      include Contrast::Utils::LogUtils
 
       attr_reader :previous_path, :previous_level
 
@@ -167,97 +163,6 @@ module Contrast
         dir_name = File.dirname(File.absolute_path(path))
         File.writable?(dir_name)
       end
-
-      private
-
-      def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
-        logger = case path
-                 when STDOUT_STR, STDERR_STR
-                   ::Ougai::Logger.new(Object.cs__const_get(path))
-                 else
-                   ::Ougai::Logger.new(path)
-                 end
-        add_contrast_loggers(logger)
-        logger.progname = 'Contrast Agent'
-        logger.level = level_const
-        logger.formatter = Contrast::Logger::Format.new
-        logger.formatter.datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
-        logger
-      end
-
-      def add_contrast_loggers logger
-        logger.extend(Contrast::Logger::Application)
-        logger.extend(Contrast::Logger::Request)
-        logger.extend(Contrast::Logger::Time)
-      end
-
-      # Determine the valid path to which to log, given the precedence of config > settings > default.
-      #
-      # @param log_file [String, nil] the file to which to log as provided by the settings retrieved from the
-      #   TeamServer.
-      # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
-      def find_valid_path log_file
-        config = ::Contrast::CONFIG.root.agent.logger
-        config_path = config&.path&.length.to_i.positive? ? config.path : nil
-        valid_path(config_path || log_file)
-      end
-
-      def valid_path path
-        path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
-        return path if path == STDOUT_STR
-        return path if path == STDERR_STR
-
-        path = DEFAULT_NAME if path.empty?
-        if write_permission?(path)
-          path
-        elsif write_permission?(DEFAULT_NAME)
-          # Log once when the path is invalid. We'll change to this path, so no
-          # need to log again.
-          if previous_path != DEFAULT_NAME
-            puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead."
-          end
-          DEFAULT_NAME
-        else
-          # Log once when the path is invalid. We'll change to this path, so no
-          # need to log again.
-          puts "[!] Unable to write to '#{ path }'. Writing to standard out instead." if previous_path != STDOUT_STR
-          STDOUT_STR
-        end
-      end
-
-      # Determine the valid level to which to log, given the precedence of config > settings > default.
-      #
-      # @param log_level [String, nil] the level at which to log as provided by the settings retrieved from the
-      #   TeamServer.
-      # @return [::Ougai::Logging::Severity] the level at which to log
-      def find_valid_level log_level
-        config = ::Contrast::CONFIG.root.agent.logger
-        config_level = config&.level&.length&.positive? ? config.level : nil
-
-        valid_level(config_level || log_level)
-      end
-
-      def valid_level level
-        level ||= DEFAULT_LEVEL
-        level = level.upcase
-        if VALID_LEVELS.include?(level)
-          Object.cs__const_get("::Ougai::Logging::Severity::#{ level }")
-        else
-          DEFAULT_LEVEL
-        end
-      rescue StandardError
-        DEFAULT_LEVEL
-      end
-
-      # Log that the Agent log has changed and include some default information at the start of the log.
-      def log_update
-        logger.debug('Initialized new contrast agent logger')
-        logger.debug_with_time('middleware: log environment') do
-          logger.application_environment
-          logger.application_configuration
-          logger.application_libraries
-        end
-      end
     end
   end
 end

data/lib/contrast/utils/assess/propagation_method_utils.rb

@@ -0,0 +1,129 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the PropagationMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module PropagationMethodUtils
+        APPEND_ACTION = 'APPEND'
+        CENTER_ACTION = 'CENTER'
+        INSERT_ACTION = 'INSERT'
+        KEEP_ACTION = 'KEEP'
+        NEXT_ACTION = 'NEXT'
+        NOOP_ACTION = 'NOOP'
+        PREPEND_ACTION = 'PREPEND'
+        REPLACE_ACTION = 'REPLACE'
+        REMOVE_ACTION = 'REMOVE'
+        REVERSE_ACTION = 'REVERSE'
+        SPLAT_ACTION = 'SPLAT'
+        SPLIT_ACTION = 'SPLIT'
+        DB_WRITE_ACTION = 'DB_WRITE'
+        CUSTOM_ACTION = 'CUSTOM'
+
+        ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
+
+        PROPAGATION_ACTIONS = {
+            APPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Append,
+            CENTER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Center,
+            INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
+            KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
+            NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
+            NOOP_ACTION => nil,
+            PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
+            REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
+            REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
+            REVERSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Reverse,
+            SPLAT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Splat,
+            SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
+        }.cs__freeze
+
+        def determine_target propagation_node, ret, object, args
+          target = propagation_node.targets[0]
+          case target
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          else
+            args[target]
+          end
+        end
+
+        # Custom actions tend to be the more complex of our propagations. Often, the method has to make decisions
+        # about the target based on the context with which the method was called. As such, defer determining if the
+        # target is valid to that method.
+        #
+        # In all other cases, a target is valid for propagation if it is not nil
+        #
+        # @param target [Object] the thing to which to propagate
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @return [Boolean]
+        def valid_target? target, propagation_node
+          return true if propagation_node.action == CUSTOM_ACTION
+
+          !!target
+        end
+
+        # If the action required needs a length and the target does not have one, the length is not valid
+        #
+        # @param target [Object] the thing to which to propagate
+        # @param action [String] the name of the action taken during this propagation
+        # @return [Boolean]
+        def valid_length? target, action
+          return true if ZERO_LENGTH_ACTIONS.include?(action)
+
+          if Contrast::Utils::DuckUtils.quacks_to?(target, :length)
+            target.length != 0 # rubocop:disable Style/ZeroLengthPredicate
+          else
+            !target.to_s.empty?
+          end
+        end
+
+        # Before we do any work, we should check if we even need to. If the source and target of this patcher are
+        # not tracked, there's no need to do anything. A copy of nothing is still nothing.
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+        #   the invocation of the patched method.
+        # @param target [Object] the thing to which to propagate
+        # @return [Boolean]
+        def can_propagate? propagation_node, preshift, target
+          return false unless appropriate_target?(propagation_node, target)
+          return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
+          return false unless preshift
+
+          propagation_node.sources.each do |source|
+            case source
+            when Contrast::Utils::ObjectShare::OBJECT_KEY
+              return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
+            else
+              # has to be P, there's no ret source type (yet? ever?)
+              return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
+            end
+          end
+          false
+        end
+
+        # We cannot propagate to frozen things that have not been updated to work with our property tracking,
+        # unless they're duplicable and the return. We probably shouldn't propagate to frozen things at all, as
+        # they're supposed to be immutable, but third parties do jenky things, so allow it as long as it is safe to
+        # do.
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param target [Object] the Target to which to propagate.
+        # @return [Boolean] if the target can be propagated to
+        def appropriate_target? propagation_node, target
+          # special handle Returns b/c we can do unfreezing magic during propagation
+          return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+          Contrast::Agent::Assess::Tracker.trackable?(target)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/property/tagged_utils.rb

@@ -0,0 +1,165 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the Tagged property module
+      # and some other module methods from the same place, so we can ease the main module
+      # This module includes simple methods for the tags like
+      # adding tags, getting tags, deleting tags and similar
+      module TaggedUtils
+        # Is the given tag present?
+        # Used in testing, so found by `be_tagged`, if you're grepping for it
+        #
+        # @param label [Symbol] the tag to check for
+        # @return [Boolean]
+        def tagged? label
+          tracked? && tags.key?(label)
+        end
+
+        # Similar to #tracked?, but limited to a given range.
+        #
+        # @param start [Integer] the inclusive start index to check.
+        # @param finish [Integer] the exclusive end index to check.
+        # @return [Boolean]
+        def any_tags_between? start, finish
+          return false unless tracked?
+
+          tags.each_value do |tag_array|
+            return true if tag_array.any? { |tag| tag.overlaps?(start, finish) }
+          end
+          false
+        end
+
+        # Given a tag name and range object, add a new tag to this
+        # collection. If the given range touches an existing tag,
+        # we'll combine the two, adjusting the existing one and
+        # dropping this new one.
+        #
+        # @param label [String] the name of the tag
+        # @param range [Range] the Range that the tag covers, inclusive to
+        #   exclusive
+        def add_tag label, range
+          length = range.end - range.begin
+          tag = Contrast::Agent::Assess::Tag.new(label, length, range.begin)
+          existing = fetch_tag(label)
+          tags[label] = Contrast::Utils::TagUtil.ordered_merge(existing, tag)
+        end
+
+        def set_tags label, tag_ranges
+          tags[label] = tag_ranges
+        end
+
+        # Returns a list of all current tags.
+        #
+        # @return [Hash<Contrast::Agent::Assess::Tag>]
+        def get_tags # rubocop:disable Naming/AccessorMethodName
+          return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
+
+          tags
+        end
+
+        # We'll use this as a helper method to retrieve tags from the hash.
+        # Because the hash auto-populates an empty array when we try to
+        # access a tag in it, we cannot use the [] method without side
+        # effect. To get around this, we'll use a fetch work around.
+        #
+        # @param label [Symbol] the label to look up
+        # @return [Array<Contrast::Agent::Assess::Tag>] all the tags with
+        #   that label
+        def fetch_tag label
+          get_tags.fetch(label, nil) if tracked?
+        end
+
+        # Remove all tags with a given label
+        def delete_tags label
+          tags.delete(label) if tracked?
+        end
+
+        # Reset the tag hash
+        def clear_tags
+          tags.clear if tracked?
+        end
+
+        # Returns a list of all current tag labels, most likely to be used for
+        # a splat operation
+        def tag_keys
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
+
+          tags.keys
+        end
+
+        # Calls merge to combine touching or overlapping tags
+        # Deletes empty tags
+        def cleanup_tags
+          return unless tracked?
+
+          Contrast::Utils::TagUtil.merge_tags(tags)
+          tags.delete_if { |_, value| value.empty? }
+        end
+
+        # Find all of the ranges that span a given index. This is used
+        # in propagation when we need to shift tags about. For instance, in
+        # the append method when we need to see if any tag at the end needs
+        # to be expanded out to the size of the new String.
+        #
+        # Note: Tags do not know their key, so this is only the range covered
+        #
+        # @param idx [Integer] the index to check for tags
+        # @return [Array<Contrast::Agent::Assess::Tag>] a set of all the Tags
+        #   covering the given index. This is only the ranges, not the names.
+        def tags_at idx
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
+
+          at = []
+          tags.each_value do |tag_array|
+            tag_array.each do |tag|
+              if tag.covers?(idx)
+                at << tag
+              elsif tag.above?(idx)
+                break
+              end
+            end
+          end
+          at
+        end
+
+        # given a range, select all tags in that range the selected tags are
+        # shifted such that the start index of the new tag (0) aligns with
+        # the given start index in the range
+        #
+        # current tags: 5-15
+        # range       : 5-10
+        # result      : 0-05
+        #
+        # Note that we disable Lint/DuplicateBranch in this branch in order
+        # list out all tag range cases in the proper order to make this
+        # easier to understand
+        #
+        # @param range [Range] the span to check, inclusive to exclusive
+        # @return [Hash{String => Contrast::Agent::Assess::Tag}] the hash of
+        #   key to tags
+        def tags_at_range range
+          return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
+
+          at = Hash.new { |h, k| h[k] = [] }
+          tags.each_pair do |key, value|
+            add = nil
+            value.each do |tag|
+              within_range = resize_to_range(tag, range)
+              if within_range
+                add ||= []
+                add << within_range
+              end
+            end
+            next unless add&.any?
+
+            at[key] = add
+          end
+          at
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/source_method_utils.rb

@@ -0,0 +1,83 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the SourceMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module SourceMethodUtils
+        # Safely duplicate the target, or return nil
+        #
+        # @param target [Object] the thing to check for duplication
+        def safe_dup target
+          target.dup
+        rescue StandardError => _e
+          nil
+        end
+
+        # Find the name of the source
+        #
+        # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+        #   event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [String, nil] the human readable name of the target to which this source event applies, or nil if
+        #   none provided by the node
+        def determine_source_name source_node, object, ret, *args
+          return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
+
+          source_node_source = source_node.sources[0]
+          case source_node_source
+          when nil
+            nil
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          else
+            args[source_node_source]
+          end
+        end
+
+        # Determine if we should analyze this method invocation for a Source or not. We should if we have enough
+        # information to build the context of this invocation, we're not disabled, and we can't immediately
+        # determine the invocation was done safely.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
+        #   method being called
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [boolean] if the invocation of this method should be analyzed
+        def analyze? method_policy, object, ret, args
+          return false unless method_policy&.source_node
+          return false unless ::Contrast::ASSESS.enabled?
+          return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
+
+          !safe_invocation?(method_policy.source_node, object, ret, args)
+        end
+
+        # Determine if the method was invoked safely.
+        #
+        # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+        #   event
+        # @param _object [Object] the Object on which the method was invoked
+        # @param _ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [boolean] if the invocation of this method was safe
+        def safe_invocation? source_node, _object, _ret, args
+          # According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
+          # from the Request will start with HTTP_. As such, only Headers with that key should be considered for
+          # tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
+          # instance, uses action_dispatch. to store several values. Technically, you can't call
+          # Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
+          source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
+              args&.any? &&
+              !args[0].to_s.start_with?('HTTP_')
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/tracking_util.rb

@@ -50,14 +50,9 @@ module Contrast
 
             idx += 1
             if Contrast::Utils::DuckUtils.iterable_hash?(obj)
-              obj.each_pair do |k, v|
-                return true if _tracked?(k, idx) || _tracked?(v, idx)
-              end
-              false
+              handle_hash obj, idx
             elsif Contrast::Utils::DuckUtils.iterable_enumerable?(obj)
-              obj.any? do |ele|
-                _tracked?(ele, idx) unless obj == ele
-              end
+              handle_enumerable obj, idx
             else
               Contrast::Agent::Assess::Tracker.tracked?(obj)
             end
@@ -84,15 +79,9 @@ module Contrast
 
             idx += 1
             if Contrast::Utils::DuckUtils.iterable_hash?(obj)
-              obj.each_pair do |k, v|
-                return true if _trackable?(k, idx)
-                return true if _trackable?(v, idx)
-              end
-              false
+              handle_hash obj, idx
             elsif Contrast::Utils::DuckUtils.iterable_enumerable?(obj)
-              obj.any? do |ele|
-                _trackable?(ele, idx) unless obj == ele
-              end
+              handle_enumerable obj, idx
             else
               Contrast::Agent::Assess::Tracker.trackable?(obj)
             end
@@ -103,6 +92,22 @@ module Contrast
             logger.warn('Failed to determine trackable', e, module: obj.cs__class)
             false
           end
+
+          def handle_hash obj, idx
+            caller_method = caller(1..1).first[/`.*'/][1..-2].to_sym
+            obj.each_pair do |k, v|
+              return true if send(caller_method, k, idx)
+              return true if send(caller_method, v, idx)
+            end
+            false
+          end
+
+          def handle_enumerable obj, idx
+            caller_method = caller(1..1).first[/`.*'/][1..-2].to_sym
+            obj.any? do |ele|
+              send(caller_method, ele, idx) unless obj == ele
+            end
+          end
         end
       end
     end