contrast-agent 4.13.1 → 4.14.0

data/lib/contrast/utils/request_utils.rb

@@ -0,0 +1,88 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # used in Contrast::Agent::Request
+    module RequestUtils
+      # Return a flattened hash of params with realized paths for keys, in
+      # addition to a separate, valueless, entry for each nest key.
+      # See RUBY-621 for more details.
+      # { key : { nested_key : ['x','y','z' ] } }
+      # becomes
+      # {
+      #   key[nested_key][0] : 'x'
+      #   key[nested_key][1] : 'y'
+      #   key[nested_key][2] : 'z'
+      #   key :                ''
+      #   nested_key :         ''
+      # }
+      def normalize_params val, prefix: nil
+        # In non-recursive invocations, val should always be a Hash
+        # (rather than breaking this out into two methods)
+        case val
+        when Tempfile
+          # Skip if it's the auto-generated value from rails when it handles
+          # file uploads. The file name will still be sent to SR for analysis.
+          {}
+        when Hash
+          res = val.each_with_object({}) do |(k, v), hash|
+            k = Contrast::Utils::StringUtils.force_utf8(k)
+            nested_prefix = prefix.nil? ? k : "#{ prefix }[#{ k }]"
+            hash[k] = Contrast::Utils::ObjectShare::EMPTY_STRING
+            hash.merge! normalize_params(v, prefix: nested_prefix)
+          end
+          res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
+          res
+        when Enumerable
+          idx = 0
+          res = {}
+          while idx < val.length
+            res.merge! normalize_params(val[idx], prefix: "#{ prefix }[#{ idx }]")
+            idx += 1
+          end
+          res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
+          res
+        else
+          { prefix => Contrast::Utils::StringUtils.force_utf8(val) }
+        end
+      end
+
+      def read_body body
+        return body if body.is_a?(String)
+
+        begin
+          can_rewind = Contrast::Utils::DuckUtils.quacks_to?(body, :rewind)
+          # if we are after a middleware that failed to rewind
+          body.rewind if can_rewind
+          body.read
+        rescue StandardError => e
+          logger.error('Error in attempt to read body', message: e.message)
+          logger.trace('With Stack', e)
+          body.to_s
+        ensure
+          # be a good citizen and rewind
+          body.rewind if can_rewind
+        end
+      end
+
+      def traverse_parsed_multipart multipart_data, current_names
+        return current_names unless multipart_data
+
+        multipart_data.each_value do |data_value|
+          next unless data_value.is_a?(Hash)
+
+          tempfile = data_value[:tempfile]
+          if tempfile.nil?
+            traverse_parsed_multipart(data_value, current_names)
+          else
+            name = data_value[:name].to_s
+            file_name = data_value[:filename].to_s
+            current_names[name] = file_name
+          end
+        end
+        current_names
+      end
+    end
+  end
+end

data/lib/contrast/utils/response_utils.rb

@@ -0,0 +1,97 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # used in Contrast::Agent::Response
+    module ResponseUtils
+      private
+
+      # From the dtm for normalized_response_headers:
+      #   Key is UPPERCASE_UNDERSCORE
+      #
+      #   Example: Content-Type: text/html; charset=utf-8
+      #   "CONTENT_TYPE" => Content-Type,["text/html; charset=utf8"]
+      def append_pair map, key, value
+        return unless key && value
+        return if value.is_a?(Hash)
+
+        safe_key = Contrast::Utils::StringUtils.force_utf8(key)
+        hash_key = Contrast::Utils::StringUtils.normalized_key(safe_key)
+        map[hash_key] ||= Contrast::Api::Dtm::Pair.new
+        map[hash_key].key = safe_key
+        map[hash_key].values << Contrast::Utils::StringUtils.force_utf8(value)
+      end
+
+      HTTP_PREFIX = /^[Hh][Tt][Tt][Pp][_-]/i.cs__freeze
+
+      # Given some holder of the content of the response's body, extract that
+      # content and return it as a String
+      #
+      # @param body [String, Rack::File, Rack::BodyProxy,
+      #   ActionDispatch::Response::RackBody, Rack::Response] Something that
+      #   holds, wraps, or is the body of the Response
+      # @return [nil, String] the content of the body
+      def extract_body body
+        return unless body
+        return if defined?(Rack::File) && body.is_a?(Rack::File)
+
+        case body
+        when Rack::BodyProxy
+          handle_rack_body_proxy(body)
+        when ActionDispatch::Response::RackBody
+          extract_body(body.body) if defined?(ActionDispatch::Response::RackBody)
+        when Rack::Response
+          extract_body(body.body)
+        when Contrast::Utils::DuckUtils.quacks_to?(body, :each)
+          acc = []
+          body.each { |tmp| acc << read_or_string(tmp) }
+          acc.compact.join(Contrast::Utils::ObjectShare::NEW_LINE)
+        when ActionView::OutputBuffer
+          # https://stackoverflow.com/questions/15654676/how-to-convert-activesupportsafebuffer-to-string
+          body.to_str
+        else
+          read_or_string(body)
+        end
+        # if body.is_a?(Rack::BodyProxy)
+        #   handle_rack_body_proxy(body)
+        # elsif (defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)) ||
+        #       body.is_a?(Rack::Response)
+        #
+        #   extract_body(body.body)
+        # elsif Contrast::Utils::DuckUtils.quacks_to?(body, :each)
+        #   acc = []
+        #   body.each { |tmp| acc << read_or_string(tmp) }
+        #   acc.compact.join(Contrast::Utils::ObjectShare::NEW_LINE)
+        # elsif ActionView::OutputBuffer
+        #   # https://stackoverflow.com/questions/15654676/how-to-convert-activesupportsafebuffer-to-string
+        #   body.to_str
+        # else
+        #   read_or_string(body)
+        # end
+      end
+
+      def handle_rack_body_proxy body
+        next_body = body.instance_variable_get(:@body)
+        case next_body
+        when Array
+          extract_body(next_body[0])
+        else
+          extract_body(next_body)
+        end
+      end
+
+      def read_or_string obj
+        return unless obj
+
+        if Contrast::Utils::DuckUtils.quacks_to?(obj, :read)
+          tmp = obj.read
+          obj.rewind
+          tmp
+        else
+          obj.to_s
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/substitution_utils.rb

@@ -0,0 +1,167 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # used in Contrast::Agent::Assesss::Policy::Propagator::Substitution
+    module SubstitutionUtils
+      CAPTURE_GROUP_REGEXP = /\\[[:digit:]]/.cs__freeze
+      CAPTURE_NAME_REGEXP = /\\k<[[:alpha:]]/.cs__freeze
+
+      private
+
+      def substitution_tagger patcher, preshift, ret, block, global = true
+        return ret unless ret
+
+        begin
+          source = preshift.object
+          self_tracked = Contrast::Agent::Assess::Tracker.tracked?(source)
+          args = preshift.args[1]
+          incoming_tracked = args && determine_tracked(args)
+          return ret unless self_tracked || incoming_tracked
+
+          parent_events = []
+          if block
+            block_sub(self_tracked, source, ret)
+          elsif args.is_a?(String)
+            string_sub(parent_events, self_tracked, preshift, ret, args, incoming_tracked, global)
+          elsif args.is_a?(Hash)
+            hash_sub(self_tracked, source, ret)
+          else # Enumerator, only for gsub
+            pattern_gsub(parent_events, preshift, ret)
+          end
+
+          self_tracked_handle self_tracked, source, parent_events
+          string_build_event(parent_events, patcher, preshift, ret)
+        rescue StandardError => e
+          logger.error('Unable to apply gsub propagator', e)
+        end
+        ret
+      end
+
+      def self_tracked_handle self_tracked, source, parent_events
+        return unless self_tracked
+
+        source_properties = Contrast::Agent::Assess::Tracker.properties(source)
+        parent_event = source_properties&.event
+        parent_events.prepend(parent_event) if parent_event
+      end
+
+      def determine_tracked args
+        # if there's no arg, it can't be tracked
+        return false unless args
+
+        # if it's a string, just ask if it's tracked
+        case args
+        when String
+          Contrast::Agent::Assess::Tracker.tracked?(args)
+          # if it's a hash, ask if it has a tracked string
+        when Hash
+          args.values.any? { |value| value.is_a?(String) && Contrast::Agent::Assess::Tracker.tracked?(value) }
+          # this should never happen
+        else
+          false
+        end
+      end
+
+      def string_sub parent_events, self_tracked, preshift, ret, incoming, incoming_tracked, global
+        return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
+
+        incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
+        parent_events << incoming_properties&.event if incoming_properties&.event
+
+        source = preshift.object
+
+        # We can't efficiently find the places that things were
+        # copied from regexp / captures. Trading accuracy for
+        # performance
+        if incoming.match?(CAPTURE_GROUP_REGEXP) || incoming.match?(CAPTURE_NAME_REGEXP)
+          properties.splat_from(source, ret) if self_tracked
+          return
+        end
+
+        # if it's just a straight insert, that we can do
+        # Copy the tags from us to the return
+        ranges = find_string_sub_insert(properties, preshift, incoming, ret, global)
+
+        properties.delete_tags_at_ranges(ranges)
+        properties.shift_tags(ranges)
+        return unless incoming_tracked
+        return unless incoming_properties
+
+        tags = incoming_properties.tag_keys
+        ranges.each do |range|
+          tags.each do |tag|
+            properties.add_tag(tag, range)
+          end
+        end
+      end
+
+      # Find the points at which the new String was placed into the original
+      #
+      # @param properties [Contrast::Agent::Assess::Properties] the Properties of the ret
+      # @param preshift [Contrast::Agent::Assess::PreShift] the capture of the state of the code just prior to
+      #   the invocation of the patched method
+      # @param incoming [String] the new String going into the substitution
+      # @param ret [String] the result of the substitution
+      # @param global [Boolean] if this was a global or single substitution
+      # @return [Array<Range>] the Ranges where substitution occurred
+      def find_string_sub_insert properties, preshift, incoming, ret, global
+        pattern = preshift.args[0]
+        source = preshift.object
+
+        properties.copy_from(source, ret)
+        # Figure out where inserts occurred
+        last_idx = 0
+        ranges = []
+        # For each insert, move the tag ranges
+        while last_idx
+          idx = source.index(pattern, last_idx)
+          break unless idx
+
+          last_idx = idx ? idx + 1 : nil
+          start_index = idx
+          end_index = idx + incoming.length
+          ranges << (start_index...end_index)
+          break unless global
+        end
+        ranges
+      end
+
+      def block_sub self_tracked, source, ret
+        return unless self_tracked
+
+        properties = Contrast::Agent::Assess::Tracker.properties!(ret)
+        properties&.splat_from(source, ret)
+      end
+
+      def hash_sub self_tracked, source, ret
+        return unless self_tracked
+
+        properties = Contrast::Agent::Assess::Tracker.properties!(ret)
+        properties&.splat_from(source, ret)
+      end
+
+      def pattern_gsub parent_events, preshift, ret
+        source = preshift.object
+        return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
+        return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
+
+        source_properties.tag_keys.each do |key|
+          properties.add_tag(key, 0...1)
+        end
+        parent_event = source_properties.event
+        parent_events << parent_event if parent_event
+      end
+
+      def string_build_event parent_events, patcher, preshift, ret
+        return unless Contrast::Agent::Assess::Tracker.tracked?(ret)
+
+        properties = Contrast::Agent::Assess::Tracker.properties(ret)
+        args = preshift.args
+        properties.build_event(patcher, ret, preshift.object, ret, args, 2)
+        properties.event.instance_variable_set(:@_parent_events, parent_events)
+      end
+    end
+  end
+end

data/lib/contrast/utils/tag_util.rb

@@ -56,20 +56,20 @@ module Contrast
         # Any overlapping ranges are merged before returning
         #
         # arr: the array of tags to which we are adding
-        # new_arr: misnomer. either an array of or a single Tag to be added
-        def ordered_merge arr, new_arr
+        # add_arr:  array of Tags or a single Tag to be added
+        def ordered_merge arr, add_arr
           # [Contrast::Agent::Assess::Tag, ...]
-          if new_arr.is_a?(Array)
-            return arr unless new_arr.any?
-            return new_arr unless arr&.any?
+          if add_arr.is_a?(Array)
+            return arr unless add_arr.any?
+            return add_arr unless arr&.any?
 
-            new_arr.each { |new_element| single_ordered_merge(arr, new_element) }
+            add_arr.each { |new_element| single_ordered_merge(arr, new_element) }
           # Contrast::Agent::Assess::Tag
           else
-            return arr unless new_arr
-            return [new_arr] unless arr
+            return arr unless add_arr
+            return [add_arr] unless arr
 
-            single_ordered_merge(arr, new_arr)
+            single_ordered_merge(arr, add_arr)
           end
           smallerize(arr)
         end

data/lib/contrast/utils/telemetry.rb

@@ -19,8 +19,10 @@ module Contrast
             "collects usage data in order to help us improve compatibility\n" \
             "and security coverage. The data is anonymous and does not contain application data. It is collected\n" \
             "by Contrast and is never shared. You can opt-out of telemetry by setting the\n" \
-            "'CONTRAST_AGENT_TELEMETRY_OPTOUT' environment variable to '1' or 'true'.\n\n" \
-          "===================================================================================================\n\n"
+            "'CONTRAST_AGENT_TELEMETRY_OPTOUT' environment variable to '1' or 'true'.\n" \
+            'Read more about [Contrast Security] [Ruby Agent] telemetry: ' \
+            "https://docs.contrastsecurity.com/en/ruby-telemetry.html \n\n" \
+            "===================================================================================================\n\n"
       }.cs__freeze
 
       # Here we create the .telemetry file. If the file exist we do nothing.

data/lib/contrast/utils/telemetry_client.rb

@@ -0,0 +1,90 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'net/http'
+require 'contrast/utils/net_http_base'
+require 'contrast/components/logger'
+require 'contrast/utils/object_share'
+require 'contrast/agent/version'
+require 'json'
+
+module Contrast
+  module Utils
+    # This module creates a Net::HTTP client and initiates a connection to the provided result
+    class TelemetryClient < NetHttpBase
+      ENDPOINT = 'api/v1/telemetry/metrics' # /TelemetryEvent.path
+      SERVICE_NAME = 'Telemetry'
+      include Contrast::Components::Logger::InstanceMethods
+      # This method initializes the Net::HTTP client we'll need. it will validate
+      # the connection and make the first request. If connection is valid and response
+      # is available then the open connection is returned.
+      #
+      # @param url [String]
+      # @return [Net::HTTP, nil] Return open connection or nil
+      def initialize_connection url
+        super(SERVICE_NAME, url, false, false)
+      end
+
+      # This method will be responsible for building the request. Because the telemetry collector expects to receive
+      # multiple events in a single request, we must always wrap the event in an array, even if there is only one.
+      #
+      # @param event [Contrast::Agent::TelemetryEvent,Contrast::Agent::StartupMetricsTelemetryEvent]
+      # @return [Net::HTTP::Post]
+      def build_request event
+        return unless valid_event? event
+
+        string_body = [event.to_hash].to_json
+        header = {
+            'User-Agent' => "<#{ Contrast::Utils::ObjectShare::RUBY }>-<#{ Contrast::Agent::VERSION }>",
+            'Content-Type' => 'application/json'
+        }
+        request = Net::HTTP::Post.new(build_path(event.path), header)
+        request.body = string_body
+        request
+      end
+
+      # This method will create the actual request and send it
+      # @param event[Contrast::Agent::TelemetryEvent]
+      # @param connection[Net::HTTP]
+      def send_request event, connection
+        return if connection.nil? || event.nil?
+        return unless valid_event? event
+
+        req = build_request event
+        connection.request req
+      end
+
+      # This method will handle the response from the tenant
+      # @param res [Net::HTTPResponse]
+      # @return sleep_time [Integer, nil]
+      def handle_response res
+        status_code = res.code.to_i
+        ready_after = if res.to_hash.keys.map(&:downcase).include?('ready-after')
+                        res['Ready-After']
+                      else
+                        60
+                      end
+        ready_after if status_code == 429
+      end
+
+      # This method will be responsible for validating the event
+      # @param event[Contrast::Agent::TelemetryEvent,Contrast::Agent::StartupMetricsTelemetryEvent]
+      def valid_event? event
+        return true if event.cs__is_a?(Contrast::Agent::TelemetryEvent)
+        return true if event.cs__is_a?(Contrast::Agent::StartupMetricsTelemetryEvent)
+
+        false
+      end
+
+      private
+
+      # The telemetry instance accepts any path to #{ Contrast::Agent::Telemetry::URL }#{ ENDPOINT }, using the
+      # remainder of the path to segregate messages.
+      #
+      # @return [String] the fully qualified path to send the request
+      def build_path event_path
+        "#{ Contrast::Agent::Telemetry::URL }#{ ENDPOINT }#{ event_path }"
+      end
+    end
+  end
+end

data/lib/contrast/utils/telemetry_identifier.rb

@@ -34,11 +34,8 @@ module Contrast
         # @return [String, nil] MAC address of the primary network interface or
         # the first available one, or nil if nothing found
         def self.mac
-          @_mac = find_mac MAC_OS_PRIMARY if Contrast::Utils::OS.mac? && @_mac.nil?
-          @_mac = find_mac LINUX_PRIMARY if Contrast::Utils::OS.linux? && @_mac.nil?
-          # or find any available
-          @_mac = find_mac if @_mac.nil?
-          @_mac
+          primary = Contrast::Utils::OS.mac? ? MAC_OS_PRIMARY : LINUX_PRIMARY
+          @_mac = find_mac(primary) || find_mac
         end
 
         class << self
@@ -60,13 +57,15 @@ module Contrast
             while idx < interfaces.length
               addr = interfaces[idx].addr
               name = interfaces[idx].name # rubocop:disable Security/Module/Name
-              # retrieving MAC address from primary network interface or first available
-              mac = retrieve_mac name, addr, primary
               idx += 1
+              next if primary && !name.include?(primary)
+
+              # retrieving MAC address from primary network interface or first available
+              mac = retrieve_mac addr
               next unless mac
 
               result = mac if mac && (mac.match? MAC_REGEX)
-              break if result && !primary
+              break if result
             end
             result
           end
@@ -74,35 +73,26 @@ module Contrast
           # Retrieves MAC address for primary or any network interface.
           # This is OS dependent search.
           #
-          # @param name [Sting] interface name of ifaddr
           # @param addr [String] address info
           # example: #<Addrinfo: LINK[en0 aa:bb:cc:00:11:22]>
-          # @param primary [nil, String] optional param if set look only for primary
-          # network adapter's name
           # @return mac [nil, String] MAC address of primary network interface,
           # any network interface, or nil if no interface is found.
-          def retrieve_mac name, addr, primary
-            mac = nil
+          def retrieve_mac addr
             # Mac OS allow us to use getnameinfo(sockaddr [, flags]) => [hostname, servicename]
             #
             # returned address:
             # <Socket::Ifaddr en0 UP,BROADCAST,RUNNING,NOTRAILERS,SIMPLEX,MULTICAST LINK[en0 aa:bb:cc:00:11:22]>
-            if Contrast::Utils::OS.mac?
-              mac = addr.getnameinfo[0] unless primary
-              mac = addr.getnameinfo[0] if primary && name.include?(primary)
-            end
+            return addr.getnameinfo[0] if Contrast::Utils::OS.mac?
+
             # In Linux using Socket::addr#getnameinfo results in ai_family not supported exception.
             # In this case we are relying on match filtering of addresses.
             #
             # returned address:
             # #<Socket::Ifaddr eth0 UP,BROADCAST,RUNNING,MULTICAST,0x10000
             # PACKET[protocol=0 eth0 hatype=1 HOST hwaddr=aa:bb:cc:00:11:22]>
-            if primary && Contrast::Utils::OS.linux?
-              mac = Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG && name.include?(primary)
-            elsif primary.nil? && Contrast::Utils::OS.linux?
-              mac = Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG
-            end
-            mac
+            return Regexp.last_match(1) if addr.inspect =~ LINUX_OS_REG
+
+            nil
           end
 
           # Returns array of network interfaces.
@@ -111,7 +101,10 @@ module Contrast
           # @return interfaces [Array] Returns an array of interface addresses.
           # Socket::Ifaddr - represents a result of getifaddrs().
           def interfaces
-            @_interfaces = []
+            @_interfaces ||= []
+
+            return @_interfaces unless @_interfaces.empty?
+
             arr = Socket.getifaddrs
             idx = 0
             check_family = 0

data/ruby-agent.gemspec

@@ -89,11 +89,11 @@ end
 
 # Dependencies used to run all of our Rubocop during the linting phase.
 def self.add_rubocop spec
-  spec.add_development_dependency 'rubocop', '1.13.0'
-  spec.add_development_dependency 'rubocop-performance', '1.11.0'
-  spec.add_development_dependency 'rubocop-rails', '2.9.1'
-  spec.add_development_dependency 'rubocop-rake', '0.5.1'
-  spec.add_development_dependency 'rubocop-rspec', '2.2.0'
+  spec.add_development_dependency 'rubocop', '1.22.3'
+  spec.add_development_dependency 'rubocop-performance', '1.12.0'
+  spec.add_development_dependency 'rubocop-rails', '2.12.4'
+  spec.add_development_dependency 'rubocop-rake', '0.6.0'
+  spec.add_development_dependency 'rubocop-rspec', '2.6.0'
 end
 
 # Dependencies not mocked out during RSpec that we test real code of, beyond just frameworks.