contrast-agent 4.13.1 → 4.14.0

data/lib/contrast/configuration.rb

@@ -87,7 +87,7 @@ module Contrast
     def yaml_to_hash path
       if path && File.readable?(path)
         begin
-          yaml = IO.read(path)
+          yaml = File.read(path)
           yaml = ERB.new(yaml).result if defined?(ERB)
           return YAML.safe_load(yaml)
         rescue Psych::Exception => e
@@ -205,7 +205,6 @@ module Contrast
     # in the thing to convert and setting them in the given hash. For now, this
     # logs every possible key, whether set or not. If we want to change that
     # behavior, we can skip adding keys to the hash if the value is nil, blank,
-    # or Contrast::Config::DefaultValue depending on desired behavior
     #
     # @param hash [Hash] the hash to populate
     # @param convert [Contrast::Config::BaseConfiguration, Object] the level of

data/lib/contrast/extension/assess/array.rb

@@ -42,13 +42,11 @@ module Contrast
               shift = 0
               separator_length = separator.nil? ? 0 : separator.to_s.length
               parent_events = []
-              ary.each do |obj|
-                if obj # skip nil here
-                  properties.copy_from(obj, ret, shift)
-                  shift += obj.to_s.length
-                  parent_event = Contrast::Agent::Assess::Tracker.properties(obj)&.event
-                  parent_events << parent_event if parent_event
-                end
+              ary.compact.each do |obj|
+                properties.copy_from(obj, ret, shift)
+                shift += obj.to_s.length
+                parent_event = Contrast::Agent::Assess::Tracker.properties(obj)&.event
+                parent_events << parent_event if parent_event
                 shift += separator_length
               end
               return ret unless Contrast::Agent::Assess::Tracker.tracked?(ret)

data/lib/contrast/framework/manager.rb

@@ -9,12 +9,14 @@ require 'contrast/framework/rails/support'
 require 'contrast/framework/grape/support'
 require 'contrast/framework/sinatra/support'
 require 'contrast/utils/class_util'
+require 'contrast/framework/manager_extend'
 
 module Contrast
   module Framework
     # Allows access to framework specific information
     class Manager
       include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Framework::ManagerExtend
 
       # Order here does matter as the first framework listed will be the first one we pull information from Rack will
       # be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra do not
@@ -65,6 +67,10 @@ module Contrast
         Contrast::Framework::PlatformVersion.from_string(framework_version)
       end
 
+      def platform_version_string
+        first_framework_result :version, ''
+      end
+
       def server_type
         first_framework_result :server_type, 'rack'
       end
@@ -116,7 +122,8 @@ module Contrast
       # @param request [Contrast::Agent::Request] the current request.
       # @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
       def get_route_dtm request
-        @_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.reject(&:nil?).first
+        @_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.
+            reject(&:nil?).first
       end
 
       # Sometimes the framework we want to instrument is loaded after our agent code. To catch that case, we'll detect
@@ -149,37 +156,6 @@ module Contrast
       rescue StandardError => e
         logger.warn('Unable to register a late framework', e, module: mod.cs__name)
       end
-
-      private
-
-      def enable_framework_support? klass
-        Contrast::Utils::ClassUtil.truly_defined?(klass)
-      end
-
-      def routes_for_all_frameworks
-        data_for_all_frameworks :collect_routes
-      end
-
-      # This returns an array of all data from each framework in a flat, no-nil values array
-      #
-      # @param method_name [Symbol] the method to call on each FrameworkSupport class
-      # @return [Array]
-      def data_for_all_frameworks method_name
-        @_frameworks.flat_map { |framework| framework.send(method_name) }.compact
-      end
-
-      # This returns a single object from the first framework to successfully respond
-      #
-      # @param method_name [Symbol] the method to call on each FrameworkSupport class
-      # @return [Object] - Determined by method to be invoked
-      def first_framework_result method_name, default_value
-        result = nil
-        @_frameworks.each do |framework|
-          result = framework.send(method_name)
-          break if result
-        end
-        result || default_value
-      end
     end
   end
 end

data/lib/contrast/framework/manager_extend.rb

@@ -0,0 +1,50 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+require 'contrast/extension/module'
+require 'contrast/framework/platform_version'
+require 'contrast/framework/rack/support'
+require 'contrast/framework/rails/support'
+require 'contrast/framework/grape/support'
+require 'contrast/framework/sinatra/support'
+require 'contrast/utils/class_util'
+
+module Contrast
+  module Framework
+    # Allows access to framework specific information
+    module ManagerExtend
+      private
+
+      def enable_framework_support? klass
+        Contrast::Utils::ClassUtil.truly_defined?(klass)
+      end
+
+      def routes_for_all_frameworks
+        data_for_all_frameworks :collect_routes
+      end
+
+      # This returns an array of all data from each framework in a flat, no-nil values array
+      #
+      # @param method_name [Symbol] the method to call on each FrameworkSupport class
+      # @return [Array]
+      def data_for_all_frameworks method_name
+        @_frameworks.flat_map { |framework| framework.send(method_name) }.
+            compact
+      end
+
+      # This returns a single object from the first framework to successfully respond
+      #
+      # @param method_name [Symbol] the method to call on each FrameworkSupport class
+      # @return [Object] - Determined by method to be invoked
+      def first_framework_result method_name, default_value
+        result = nil
+        @_frameworks.each do |framework|
+          result = framework.send(method_name)
+          break if result
+        end
+        result || default_value
+      end
+    end
+  end
+end

data/lib/contrast/framework/rails/railtie.rb

@@ -14,7 +14,7 @@ module Contrast
         initializer 'Contrast Ruby Agent Initializer' do |app|
           log_rails = defined?(Rails) && defined?(Rails.logger)
 
-          Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if log_rails
+          Rails.logger.debug { "In railtie ::#{ app.middleware.inspect }" } if log_rails
 
           if ::Contrast::APP_CONTEXT.instrument_middleware_stack?
             ::Contrast::AGENT.insert_middleware(app)

data/lib/contrast/framework/sinatra/support.rb

@@ -106,7 +106,8 @@ module Contrast
           def _route_recurse controller, method, route
             return if controller.nil? || controller.cs__class == NilClass
 
-            route_patterns = controller.routes.fetch(method) { [] }.map(&:first)
+            route_patterns = controller.routes.fetch(method) { [] }.
+                map(&:first)
             route_pattern = route_patterns&.find do |matcher|
               matcher.params(route) # ::Mustermann::Sinatra match.
             end

data/lib/contrast/logger/log.rb

@@ -11,6 +11,7 @@ require 'contrast/logger/format'
 require 'contrast/logger/request'
 require 'contrast/logger/time'
 require 'contrast/components/config'
+require 'contrast/utils/log_utils'
 
 module Contrast
   # This module allows us to dynamically weave timing into our code, so that only when the time is actually needed do
@@ -26,9 +27,9 @@ module Contrast
     # Add a method to the list of methods to be trace timed if logger set to TRACE. Enables trace timing after if
     # logger set to TRACE.
     #
-    # @params: clazz [Class] the class of the method to time.
-    # @params: method [Symbol] the method to time.
-    # @params: method [String] optional custom logging message.
+    # @param: clazz [Class] the class of the method to time.
+    # @param: method [Symbol] the method to time.
+    # @param: method [String] optional custom logging message.
     def add_method_to_trace_timing clazz, method, msg = nil
       methods_to_time.append(METHOD_INFO.new(clazz, method, msg, false))
       enable_trace_timing if logger.level == ::Ougai::Logging::TRACE
@@ -37,9 +38,9 @@ module Contrast
     # Add a method to the list of methods to be trace timed if logger set to TRACE. Enables trace timing after if
     # logger set to TRACE.
     #
-    # @params: method_spec [METHOD_INFO] specs about the method to be timed.
-    # @params: class_method [Boolean] whether this is or isn't a class/module method.
-    def trace_time_class_method meth_spec, class_method
+    # @param: meth_spec [METHOD_INFO] specs about the method to be timed.
+    # @param: class_method [Boolean] whether this is or isn't a class/module method.
+    def trace_time_class_method meth_spec, class_method # rubocop:disable Metrics/AbcSize
       untimed_func_symbol = "untimed_#{ meth_spec.method_name }".to_sym
       send_to = class_method ? meth_spec.clazz.cs__singleton_class : meth_spec.clazz
       meth_spec.clazz.class_eval do
@@ -105,12 +106,7 @@ module Contrast
     class Log
       include Singleton
       include ::Contrast::TraceTiming
-
-      DEFAULT_NAME     = 'contrast.log'
-      DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
-      VALID_LEVELS     = ::Ougai::Logging::Severity::SEV_LABEL
-      STDOUT_STR       = 'STDOUT'
-      STDERR_STR       = 'STDERR'
+      include Contrast::Utils::LogUtils
 
       attr_reader :previous_path, :previous_level
 
@@ -167,97 +163,6 @@ module Contrast
         dir_name = File.dirname(File.absolute_path(path))
         File.writable?(dir_name)
       end
-
-      private
-
-      def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
-        logger = case path
-                 when STDOUT_STR, STDERR_STR
-                   ::Ougai::Logger.new(Object.cs__const_get(path))
-                 else
-                   ::Ougai::Logger.new(path)
-                 end
-        add_contrast_loggers(logger)
-        logger.progname = 'Contrast Agent'
-        logger.level = level_const
-        logger.formatter = Contrast::Logger::Format.new
-        logger.formatter.datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
-        logger
-      end
-
-      def add_contrast_loggers logger
-        logger.extend(Contrast::Logger::Application)
-        logger.extend(Contrast::Logger::Request)
-        logger.extend(Contrast::Logger::Time)
-      end
-
-      # Determine the valid path to which to log, given the precedence of config > settings > default.
-      #
-      # @param log_file [String, nil] the file to which to log as provided by the settings retrieved from the
-      #   TeamServer.
-      # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
-      def find_valid_path log_file
-        config = ::Contrast::CONFIG.root.agent.logger
-        config_path = config&.path&.length.to_i.positive? ? config.path : nil
-        valid_path(config_path || log_file)
-      end
-
-      def valid_path path
-        path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
-        return path if path == STDOUT_STR
-        return path if path == STDERR_STR
-
-        path = DEFAULT_NAME if path.empty?
-        if write_permission?(path)
-          path
-        elsif write_permission?(DEFAULT_NAME)
-          # Log once when the path is invalid. We'll change to this path, so no
-          # need to log again.
-          if previous_path != DEFAULT_NAME
-            puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead."
-          end
-          DEFAULT_NAME
-        else
-          # Log once when the path is invalid. We'll change to this path, so no
-          # need to log again.
-          puts "[!] Unable to write to '#{ path }'. Writing to standard out instead." if previous_path != STDOUT_STR
-          STDOUT_STR
-        end
-      end
-
-      # Determine the valid level to which to log, given the precedence of config > settings > default.
-      #
-      # @param log_level [String, nil] the level at which to log as provided by the settings retrieved from the
-      #   TeamServer.
-      # @return [::Ougai::Logging::Severity] the level at which to log
-      def find_valid_level log_level
-        config = ::Contrast::CONFIG.root.agent.logger
-        config_level = config&.level&.length&.positive? ? config.level : nil
-
-        valid_level(config_level || log_level)
-      end
-
-      def valid_level level
-        level ||= DEFAULT_LEVEL
-        level = level.upcase
-        if VALID_LEVELS.include?(level)
-          Object.cs__const_get("::Ougai::Logging::Severity::#{ level }")
-        else
-          DEFAULT_LEVEL
-        end
-      rescue StandardError
-        DEFAULT_LEVEL
-      end
-
-      # Log that the Agent log has changed and include some default information at the start of the log.
-      def log_update
-        logger.debug('Initialized new contrast agent logger')
-        logger.debug_with_time('middleware: log environment') do
-          logger.application_environment
-          logger.application_configuration
-          logger.application_libraries
-        end
-      end
     end
   end
 end

data/lib/contrast/utils/assess/property/tagged_utils.rb

@@ -9,6 +9,29 @@ module Contrast
       # This module includes simple methods for the tags like
       # adding tags, getting tags, deleting tags and similar
       module TaggedUtils
+        # Is the given tag present?
+        # Used in testing, so found by `be_tagged`, if you're grepping for it
+        #
+        # @param label [Symbol] the tag to check for
+        # @return [Boolean]
+        def tagged? label
+          tracked? && tags.key?(label)
+        end
+
+        # Similar to #tracked?, but limited to a given range.
+        #
+        # @param start [Integer] the inclusive start index to check.
+        # @param finish [Integer] the exclusive end index to check.
+        # @return [Boolean]
+        def any_tags_between? start, finish
+          return false unless tracked?
+
+          tags.each_value do |tag_array|
+            return true if tag_array.any? { |tag| tag.overlaps?(start, finish) }
+          end
+          false
+        end
+
         # Given a tag name and range object, add a new tag to this
         # collection. If the given range touches an existing tag,
         # we'll combine the two, adjusting the existing one and

data/lib/contrast/utils/assess/tracking_util.rb

@@ -50,14 +50,9 @@ module Contrast
 
             idx += 1
             if Contrast::Utils::DuckUtils.iterable_hash?(obj)
-              obj.each_pair do |k, v|
-                return true if _tracked?(k, idx) || _tracked?(v, idx)
-              end
-              false
+              handle_hash obj, idx
             elsif Contrast::Utils::DuckUtils.iterable_enumerable?(obj)
-              obj.any? do |ele|
-                _tracked?(ele, idx) unless obj == ele
-              end
+              handle_enumerable obj, idx
             else
               Contrast::Agent::Assess::Tracker.tracked?(obj)
             end
@@ -84,15 +79,9 @@ module Contrast
 
             idx += 1
             if Contrast::Utils::DuckUtils.iterable_hash?(obj)
-              obj.each_pair do |k, v|
-                return true if _trackable?(k, idx)
-                return true if _trackable?(v, idx)
-              end
-              false
+              handle_hash obj, idx
             elsif Contrast::Utils::DuckUtils.iterable_enumerable?(obj)
-              obj.any? do |ele|
-                _trackable?(ele, idx) unless obj == ele
-              end
+              handle_enumerable obj, idx
             else
               Contrast::Agent::Assess::Tracker.trackable?(obj)
             end
@@ -103,6 +92,22 @@ module Contrast
             logger.warn('Failed to determine trackable', e, module: obj.cs__class)
             false
           end
+
+          def handle_hash obj, idx
+            caller_method = caller(1..1).first[/`.*'/][1..-2].to_sym
+            obj.each_pair do |k, v|
+              return true if send(caller_method, k, idx)
+              return true if send(caller_method, v, idx)
+            end
+            false
+          end
+
+          def handle_enumerable obj, idx
+            caller_method = caller(1..1).first[/`.*'/][1..-2].to_sym
+            obj.any? do |ele|
+              send(caller_method, ele, idx) unless obj == ele
+            end
+          end
         end
       end
     end

data/lib/contrast/utils/assess/trigger_method_utils.rb

@@ -103,7 +103,7 @@ module Contrast
         # @param object [Object] the Object on which the method was invoked
         # @param ret [Object] the Return of the invoked method
         # @param args [Array<Object>] the Arguments with which the method was invoked
-        def apply_dataflow_rule trigger_node, source, object, ret, *args
+        def apply_dataflow_rule trigger_node, source, object, ret, *args # rubocop:disable Metrics/PerceivedComplexity
           return unless source
 
           if Contrast::Agent::Assess::Tracker.trackable?(source)

data/lib/contrast/utils/class_util.rb

@@ -54,7 +54,7 @@ module Contrast
         # Once we move to 2.7+, we can combine the caches using ID b/c the memory location stops being the id
         #
         # @param object [Object, nil] the entity to convert to a String
-        # @return [String] the human readable form of the String, as defined by
+        # @return [String, Object] the human readable form of the String, as defined by
         #   https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/capture-snapshot.md
         def to_contrast_string object
           # Only treat object like a string if it actually is a string+ some subclasses of String override string
@@ -66,19 +66,23 @@ module Contrast
           else
             return @lru_cache[object.__id__] if @lru_cache.key? object.__id__
 
-            @lru_cache[object.__id__] = if object.nil?
-                                          Contrast::Utils::ObjectShare::NIL_STRING
-                                        elsif object.cs__is_a?(Symbol)
-                                          ":#{ object }"
-                                        elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
-                                          "#{ object.cs__name }@#{ object.__id__ }"
-                                        elsif object.cs__is_a?(Regexp)
-                                          object.source
-                                        elsif use_to_s?(object)
-                                          object.to_s
-                                        else
-                                          "#{ object.cs__class.cs__name }@#{ object.__id__ }"
-                                        end
+            @lru_cache[object.__id__] = convert_object object
+          end
+        end
+
+        def convert_object object
+          if object.nil?
+            Contrast::Utils::ObjectShare::NIL_STRING
+          elsif object.cs__is_a?(Symbol)
+            ":#{ object }"
+          elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
+            "#{ object.cs__name }@#{ object.__id__ }"
+          elsif object.cs__is_a?(Regexp)
+            object.source
+          elsif use_to_s?(object)
+            object.to_s
+          else
+            "#{ object.cs__class.cs__name }@#{ object.__id__ }"
           end
         end
 

data/lib/contrast/utils/findings.rb

@@ -0,0 +1,62 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Utils
+    # Utility for saving raw findings for later
+    class Findings
+      include Contrast::Components::Logger::InstanceMethods
+
+      def initialize
+        @_collection = []
+      end
+
+      def collection
+        @_collection ||= []
+      end
+
+      def push trigger_node, source, object, ret, *args
+        return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless trigger_node.collectable?
+
+        @_collection << { trigger_node: trigger_node, source: source, object: object, ret: ret, args: args }
+      end
+
+      # Some rules requires response to be available before validating them correctly,
+      # so we check if trigger_node.rule_id is collectable and then save them for
+      # later report, when we have the response.
+      #
+      # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+      # trigger event
+      # @param source [Object] the source of the Trigger Event
+      # @param object [Object] the Object on which the method was invoked
+      # @param ret [Object] the Return of the invoked method
+      # @param args [Array<Object>] the Arguments with which the method was invoked
+      def collect_finding trigger_node, source, object, ret, *args
+        push trigger_node, source, object, ret, args
+        logger.trace('Finding collected', node_id: trigger_node.id,
+                                          source_id: source.__id__,
+                                          rule: trigger_node.rule_id)
+      end
+
+      # Build and report all collected findings for the collectable rules.
+      #
+      # We make sure the content-type is present before reporting, because some
+      # findings do require it for validation.
+      def report_collected_findings
+        return if Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type.nil?
+        return if @_collection.empty?
+
+        while @_collection.any?
+          finding = @_collection.pop
+          Contrast::Agent::Assess::Policy::TriggerMethod.build_finding finding[:trigger_node],
+                                                                       finding[:source],
+                                                                       finding[:object],
+                                                                       finding[:ret],
+                                                                       finding[:args]
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/hash_digest.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'digest'
+require 'contrast/utils/hash_digest_extend'
 
 module Contrast
   module Utils
@@ -13,6 +14,7 @@ module Contrast
     # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/preflight.md
     class HashDigest < Digest::Class
       include Digest::Instance
+      extend Contrast::Utils::HashDigestExtend
 
       CONTENT_LENGTH_HEADER = 'Content-Length'
       CRYPTO_RULES = %w[crypto-bad-ciphers crypto-bad-mac].cs__freeze
@@ -21,76 +23,6 @@ module Contrast
       CLASS_SOURCE_KEY = 'source'
       CLASS_CONSTANT_NAME_KEY = 'name'
       CLASS_LINE_NO_KEY = 'lineNo'
-      class << self
-        def generate_request_hash request
-          hash = new
-          hash.update(request.request_method)
-          hash.update(request.normalized_uri)
-          request.parameters.each_key do |name|
-            hash.update(name)
-          end
-          cl = request.headers[CONTENT_LENGTH_HEADER]
-          hash.update_on_content_length(cl) if cl
-          hash.finish
-        end
-
-        def generate_event_hash finding, source, request
-          return generate_dataflow_hash(finding, request) if finding.events.length.to_i > 1
-
-          id = finding.rule_id
-          return generate_crypto_hash(finding, source, request) if CRYPTO_RULES.include?(id)
-
-          generate_trigger_hash(finding, request)
-        end
-
-        def generate_config_hash finding
-          hash = new
-          hash.update(finding.rule_id)
-          path = finding.properties[CONFIG_PATH_KEY]
-          hash.update(path)
-          method = finding.properties[CONFIG_SESSION_ID_KEY]
-          hash.update(method)
-          hash.finish
-        end
-
-        def generate_class_scanning_hash finding
-          hash = new
-          hash.update(finding.rule_id)
-          module_name = finding.properties[CLASS_SOURCE_KEY]
-          hash.update(module_name)
-          # We're not currently collecting this. 30/7/19 HM
-          line_no = finding.properties[CLASS_LINE_NO_KEY]
-          hash.update(line_no)
-          field = finding.properties[CLASS_CONSTANT_NAME_KEY]
-          hash.update(field)
-          hash.finish
-        end
-
-        private
-
-        def generate_crypto_hash finding, algorithm, request
-          hash = new
-          hash.update(finding.rule_id)
-          hash.update(algorithm)
-          hash.update_on_request(finding, request)
-          hash.finish
-        end
-
-        def generate_dataflow_hash finding, request
-          hash = new
-          hash.update(finding.rule_id)
-          hash.update_on_sources(finding.events)
-          hash.update_on_request(finding, request)
-          hash.finish
-        end
-
-        def generate_trigger_hash finding, request
-          hash = new
-          hash.update(finding.rule_id)
-          hash.update_on_request(finding, request)
-          hash.finish
-        end
-      end
 
       def update_on_request finding, request
         if (route = finding.routes[0])
@@ -106,9 +38,14 @@ module Contrast
         return unless events&.any?
 
         events.each do |event|
-          event.event_sources.each do |source|
-            update(source.type)
-            update(source.name) # rubocop:disable Security/Module/Name -- API attribute.
+          if event.cs__is_a?(Contrast::Api::Dtm::TraceEvent)
+            event.event_sources&.each do |source|
+              update(source.type)
+              update(source.name) # rubocop:disable Security/Module/Name
+            end
+          elsif event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+            update(event.source_type)
+            update(event.source_name)
           end
         end
       end