contrast-agent 4.2.0 → 4.3.0

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -92,8 +92,7 @@ module Contrast
               end
 
               def string_sub parent_events, self_tracked, preshift, ret, incoming, incoming_tracked, global
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
                 parent_event = incoming_properties&.event
@@ -141,22 +140,23 @@ module Contrast
               end
 
               def block_sub self_tracked, source, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                properties&.splat_from(source, ret) if self_tracked
+                return unless self_tracked
+
+                properties = Contrast::Agent::Assess::Tracker.properties!(ret)
+                properties&.splat_from(source, ret)
               end
 
               def hash_sub self_tracked, source, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                properties&.splat_from(source, ret) if self_tracked
+                return unless self_tracked
+
+                properties = Contrast::Agent::Assess::Tracker.properties!(ret)
+                properties&.splat_from(source, ret)
               end
 
               def pattern_gsub parent_events, preshift, ret
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
-
                 source = preshift.object
-                source_properties = Contrast::Agent::Assess::Tracker.properties(source)
-                return unless source_properties
+                return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source_properties.tag_keys.each do |key|
                   properties.add_tag(key, 0...1)

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -11,13 +11,11 @@ module Contrast
           # Disclaimer: there may be a better way, but we're
           # in a 'get it work' state. hopefully, we'll be in
           # a 'get it right' state soon.
-          class Trim
+          module Trim
             class << self
               def tr_tagger patcher, preshift, ret, _block
                 return ret unless ret && !ret.empty?
-
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return ret unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source = preshift.object
                 args = preshift.args
@@ -59,9 +57,7 @@ module Contrast
 
               def tr_s_tagger patcher, preshift, ret, _block
                 return unless ret && !ret.empty?
-
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 source = preshift.object
                 args = preshift.args

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -178,8 +178,8 @@ module Contrast
               # don't apply second source -- probably needs tuning later if we
               # use more than 'UNTRUSTED' in our sources
               return if Contrast::Agent::Assess::Tracker.tracked?(target)
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
-              properties = Contrast::Agent::Assess::Tracker.properties(target)
               # otherwise for each tag this source_node applies, create a tag range
               # on the target object
               # I realize this looping is counter-intuitive from the above
@@ -243,19 +243,7 @@ module Contrast
               when Contrast::Utils::ObjectShare::OBJECT_KEY
                 object
               else
-                if source_target.is_a?(Integer)
-                  args[source_target]
-                  # If this isn't an index param, it's a named one. R.I.P.
-                else
-                  arg = nil
-                  args.each do |search|
-                    next unless search.is_a?(Hash)
-
-                    arg = search[source_target]
-                    break if arg
-                  end
-                  arg
-                end
+                args[source_target]
               end
             end
 

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -25,14 +25,13 @@ module Contrast
               TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
               def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                return unless properties
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 scope = args[0]
                 erb_template_prerender = object.instance_variable_get(:@data)
                 interpolated_inputs = []
-                handle_binding_variables(scope, erb_template_prerender, ret, interpolated_inputs)
-                handle_local_variables(args, erb_template_prerender, ret, interpolated_inputs)
+                handle_binding_variables(scope, erb_template_prerender, ret, properties, interpolated_inputs)
+                handle_local_variables(args, erb_template_prerender, ret, properties, interpolated_inputs)
                 properties.build_event(TEMPLATE_PROPAGATION_NODE, ret, erb_template_prerender, ret, interpolated_inputs)
                 unless interpolated_inputs.empty?
                   current_event = properties.event
@@ -53,8 +52,7 @@ module Contrast
 
               private
 
-              def handle_binding_variables scope, erb_template_prerender, ret, interpolated_inputs
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+              def handle_binding_variables scope, erb_template_prerender, ret, properties, interpolated_inputs
                 binding_variables = scope.instance_variables
 
                 binding_variables.each do |bound_variable_sym|
@@ -71,8 +69,7 @@ module Contrast
                 end
               end
 
-              def handle_local_variables args, erb_template_prerender, ret, interpolated_inputs
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
+              def handle_local_variables args, erb_template_prerender, ret, properties, interpolated_inputs
                 locals = args[1]
                 locals.each do |local_name, local_value|
                   next unless Contrast::Agent::Assess::Tracker.tracked?(local_value)

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -43,7 +43,7 @@ module Contrast
                   next unless trigger_node.violated?(arg)
 
                   Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-                      context, trigger_node, arg, object, ret, args)
+                      context, trigger_node, arg, object, ret, *args)
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -39,7 +39,7 @@ module Contrast
               finish ||= url.length
 
               properties = Contrast::Agent::Assess::Tracker.properties(args[0])
-              properties.any_tags_between?(start, finish)
+              properties&.any_tags_between?(start, finish)
             end
           end
         end

data/lib/contrast/agent/assess/property/tagged.rb

@@ -79,6 +79,10 @@ module Contrast
           # range       : 5-10
           # result      : 0-05
           #
+          # Note that we disable Lint/DuplicateBranch in this branch in order
+          # list out all tag range cases in the proper order to make this
+          # easier to understand
+          #
           # @param range [Range] the span to check, inclusive to exclusive
           # @return [Hash{String => Contrast::Agent::Assess::Tag}] the hash of
           #   key to tags
@@ -101,10 +105,10 @@ module Contrast
                   finish = range.size - start
                   add << Contrast::Agent::Assess::Tag.new(tag.label, finish, start)
                   # the tag spans the requested range.
-                when Contrast::Agent::Assess::Tag::WITHOUT
+                when Contrast::Agent::Assess::Tag::WITHOUT # rubocop:disable Lint/DuplicateBranch
                   add << Contrast::Agent::Assess::Tag.new(tag.label, range.size)
                   # part of the tag is being selected
-                when Contrast::Agent::Assess::Tag::HIGH_SPAN
+                when Contrast::Agent::Assess::Tag::HIGH_SPAN # rubocop:disable Lint/DuplicateBranch
                   add << Contrast::Agent::Assess::Tag.new(tag.label, range.size)
                 end
               end
@@ -173,14 +177,6 @@ module Contrast
             tags.fetch(label, nil) if tracked?
           end
 
-          # Convert the tags of this object into the TraceTaintRange required
-          # to be sent to the service
-          #
-          # @return [Array<Contrast::Api::Dtm::TraceTaintRange>]
-          def tags_to_dtm
-            Contrast::Api::Dtm::TraceTaintRange.build_for_event(tags)
-          end
-
           # Remove all tags within the given ranges.
           # This does not delete an entire tag if part of that tag is
           # outside this range, meaning we may reduce sizes of tags
@@ -301,9 +297,19 @@ module Contrast
             end
           end
 
-          # Shift the tag ranges covering the given range
-          # We assume this is for a insertion, meaning we
-          # have to move tags to the right
+          # Shift the tag ranges covering the given range to account for new
+          # data being added. We assume this is for a insertion, meaning we
+          # have to move tags out of the range and to the right. For example,
+          # given current tags:     0-15
+          # when we insert a range: 5-10
+          # then the result is:     0-5, 10-20
+          #
+          # Note that we disable Lint/DuplicateBranch in this branch in order
+          # list out all tag range cases in the proper order to make this
+          # easier to understand
+          #
+          # @param range [Range] the range of new information that's been
+          #   inserted
           def shift_tags_for_insertion range
             return unless tracked?
 
@@ -325,13 +331,13 @@ module Contrast
                 when Contrast::Agent::Assess::Tag::WITHIN
                   tag.shift(length)
                   # the tag spans the range. leave the part below alone
-                when Contrast::Agent::Assess::Tag::WITHOUT
+                when Contrast::Agent::Assess::Tag::WITHOUT # rubocop:disable Lint/DuplicateBranch
                   new_tag = tag.clone
                   new_tag.update_start(range.begin)
                   new_tag.shift(length)
                   add << new_tag
                   tag.update_end(range.begin)
-                when Contrast::Agent::Assess::Tag::HIGH_SPAN, Contrast::Agent::Assess::Tag::ABOVE
+                when Contrast::Agent::Assess::Tag::HIGH_SPAN, Contrast::Agent::Assess::Tag::ABOVE # rubocop:disable Lint/DuplicateBranch
                   tag.shift(length)
                 end
               end

data/lib/contrast/agent/assess/rule/redos.rb

@@ -33,7 +33,7 @@ module Contrast
               # (2) regexp must evaluate against user input
               return unless trigger_node.violated?(string)
 
-              Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, source, object, ret, args)
+              Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, source, object, ret, *args)
             end
 
             protected

data/lib/contrast/agent/assess/tracker.rb

@@ -14,7 +14,20 @@ module Contrast
         PROPERTIES_HASH = Contrast::Agent::Assess::Finalizers::Hash.new
 
         class << self
+          # Retrieve the properties of the given Object, iff they exist.
+          #
+          # @param source [Object] the thing for which to look up properties.
+          # @return [Contrast::Agent::Assess::Properties, nil]
           def properties source
+            PROPERTIES_HASH[source]
+          end
+
+          # Retrieve the properties of the given Object, returning a new
+          # instance if one does not already exist and the source is trackable.
+          #
+          # @param source [Object] the thing for which to look up properties.
+          # @return [Contrast::Agent::Assess::Properties, nil]
+          def properties! source
             return unless trackable?(source)
 
             PROPERTIES_HASH[source] ||= Contrast::Agent::Assess::Properties.new
@@ -33,30 +46,15 @@ module Contrast
           end
 
           # Copy the properties from one object to the next, assuming the
-          # target does not already have its own properties.
+          # target does not already have its own properties. This should only
+          # ever be called when building PreShift for those objects sources
+          # which are already tracked.
           #
           # @param source [Object] the instance from which to copy properties
           # @param target [Object] the instance to which to copy properties
           def copy source, target
             PROPERTIES_HASH[target] ||= properties(source).dup
           end
-
-          # Duplicate the given object, returning the duplicate after copying
-          # the properties of the original and storing them as the properties
-          # of the duplicate.
-          #
-          # @param source [Object] the thing to duplicate
-          # @return [Object] the duplicate of the original, or the original if
-          #   it does not respond to duplication
-          def duplicate source
-            return source unless source
-
-            duplicate = source.dup
-            PROPERTIES_HASH[duplicate] ||= PROPERTIES_HASH[source].dup
-            duplicate
-          rescue StandardError
-            source
-          end
         end
       end
     end

data/lib/contrast/agent/deadzone/policy/deadzone_node.rb

@@ -19,6 +19,13 @@ module Contrast
           def feature
             'Deadzone'
           end
+
+          # Deadzone means place the code inside of the contrast scope so that
+          # none of our code executes. As such, all DeadZone nodes have that as
+          # their method scope
+          def method_scope
+            :contrast
+          end
         end
       end
     end

data/lib/contrast/agent/middleware.rb

@@ -79,7 +79,7 @@ module Contrast
         Contrast::Utils::HeapDumpUtil.run
 
         if AGENT.enabled?
-          Contrast::Agent::StaticAnalysis.catchup
+          handle_first_request
           call_with_agent(env)
         else
           app.call(env)
@@ -91,6 +91,8 @@ module Contrast
       def setup_agent
         SETTINGS.reset_state
 
+        inform_deprecations
+
         if CONFIG.invalid?
           AGENT.disable!
           logger.error('!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!')
@@ -101,6 +103,35 @@ module Contrast
         end
       end
 
+      # Some things have to wait until first request to happen, either because
+      # resolution is not complete or because the framework will preload
+      # classes, which confuses some of our instrumentation.
+      def handle_first_request
+        @_handle_first_request ||= begin
+          Contrast::Agent::StaticAnalysis.catchup
+          force_patching
+          true
+        end
+      end
+
+      # TODO: RUBY-1090 remove this method and those it calls.
+      #
+      # These modules are auto-loaded by Rails, meaning they are defined at
+      # startup, but that they don't actually exist. We account for this in
+      # most cases by using the ClassUtil.truly_defined? method, but it appears
+      # to fail for these Modules. In the short term, we can forcing a re-patch
+      # so that their dead zones apply.
+      def force_patching
+        force_patch(ActionDispatch::FileHandler) if defined?(ActionDispatch::FileHandler)
+        force_patch(ActionDispatch::Http::MimeNegotiation) if defined?(ActionDispatch::Http::MimeNegotiation)
+        force_patch(ActionView::Template) if defined?(ActionView::Template)
+      end
+
+      def force_patch mod
+        data = Contrast::Agent::ModuleData.new(mod)
+        Contrast::Agent::Patching::Policy::Patcher.send(:patch_into_module, data, true)
+      end
+
       # This is where we process each request we intercept as a middleware. We make the request context
       # available globally so that it can be accessed from anywhere. A RequestHandler object is made
       # for each request, which handles prefilter and postfilter operations.
@@ -173,6 +204,24 @@ module Contrast
           raise exception
         end
       end
+
+      # As we deprecate support to prepare to remove dead code, we need to
+      # inform our users still relying on the now deprecated and soon to be
+      # removed functionality. This method handles doing that by leveraging the
+      # standard Kernel#warn approach
+      def inform_deprecations
+        # Ruby 2.5 is currently in security maintenance, meaning int is only
+        # receiving updates for security issues. It will move to eol on 31
+        # March 2021. As such, we can remove support for it in Q2. We'll begin
+        # the deprecation warnings now so that customers have time to reach out
+        # if they'll be impacted.
+        # TODO: RUBY-715 remove this part of the method, leaving it empty if
+        #   there are no other deprecations, when we drop 2.5 support.
+        return unless RUBY_VERSION < '2.6.0'
+
+        Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.5 will be removed in April 2021. '\
+                    'Please contact Customer Support prior if you require continued support.')
+      end
     end
   end
 end

data/lib/contrast/agent/patching/policy/method_policy.rb

@@ -89,7 +89,7 @@ module Contrast
             end
 
             def find_method_node nodes, method_name, is_instance_method
-              return nil unless nodes
+              return unless nodes
 
               nodes.find do |node|
                 node.instance_method? == is_instance_method && node.method_name == method_name

data/lib/contrast/agent/patching/policy/patch.rb

@@ -366,17 +366,17 @@ module Contrast
                   # alias_method may be private
                   target_module.send(:alias_method, underlying_method_name, method_name)
                   # TODO: RUBY-1052
-                  # rubocop:disable Kernel/DefineMethod
+                  # rubocop:disable Performance/Kernel/DefineMethod
                   target_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                  # rubocop:enable Kernel/DefineMethod
+                  # rubocop:enable Performance/Kernel/DefineMethod
                 end
                 target_module.send(visibility, method_name) # e.g., module.private(:my_method)
               when :prepend
                 prepending_module = Module.new
                 # TODO: RUBY-1052
-                # rubocop:disable Kernel/DefineMethod
+                # rubocop:disable Performance/Kernel/DefineMethod
                 prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                # rubocop:enable Kernel/DefineMethod
+                # rubocop:enable Performance/Kernel/DefineMethod
                 prepending_module.send(visibility, method_name)
                 # This prepends to the singleton class (it patches a class method)
                 target_module.prepend prepending_module

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb

@@ -16,6 +16,23 @@ module Contrast
           extend Contrast::Agent::Protect::Policy::RuleApplicator
 
           class << self
+            # Calls the actual rule for this applicator, if required. Most rules
+            # invoke this from within their apply_rule method after doing
+            # whatever transformations they need to get into this common format.
+            #
+            # @param _method [Symbol] the name of the method for which this rule
+            #   is invoked
+            # @param _exception [Exception] any exception raised; used for rules
+            #   like Padding Oracle Attack (now defunct), which determine if the
+            #   number and type of exceptions are an attack
+            # @param _properties [Hash] set of extra information provided by the
+            #   applicator in an attempt to build a better story for the user
+            # @param _object [Object] the thing on which the triggering method
+            #   was invoked
+            # @param args [Array<Object>] the arguments passed to the triggering
+            #   method at invocation
+            # @raise [Contrast::SecurityException] on block, will pass the
+            #   exception from the rule
             def invoke _method, _exception, _properties, _object, args
               return unless valid_input?(args)
               return if skip_analysis?
@@ -23,6 +40,28 @@ module Contrast
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
             end
 
+            # Calls the actual rule for this applicator, if required, when the
+            # triggering method is called from Marshal.load when it has been
+            # prepended.
+            #
+            # @param arg [Object] the argument passed to the triggering method
+            #   at invocation
+            # @raise [Contrast::SecurityException] on block, will pass the
+            #   exception from the rule
+            def prepended_invoke arg
+              return unless arg&.cs__is_a?(String)
+              return if skip_analysis?
+
+              rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, arg)
+            end
+
+            # Allow the rule to check if the given input is an attempt to
+            # deserialize something in a way that will result in a command
+            # execution
+            #
+            # @param command [String] user input that potentially contains a
+            #   Gadget, a Module that results in code execution on
+            #   deserialization, and some form of command.
             def apply_deserialization_command_check command
               return unless command
               return if skip_analysis?
@@ -38,11 +77,18 @@ module Contrast
 
             private
 
+            # Determine if the rule would care about the arguments passed in
+            # this method invocation. Required b/c Ruby doesn't do type
+            # checking on its method signatures.
+            #
+            # @param args [Array<Object>] the arguments provided to the
+            #   instrumented method
+            # @return [Boolean]
             def valid_input? args
               return false unless args&.any?
 
               input = args[0]
-              input.is_a?(String)
+              input.cs__is_a?(String)
             end
           end
         end