contrast-agent 4.2.0 → 4.3.0

data/lib/contrast/agent/rewriter.rb

@@ -96,11 +96,11 @@ module Contrast
           return unless method_exists?(clazz, method_name, type)
 
           method_instance = method_instance(clazz, method_name, type)
-          return nil if method_instance.nil?
+          return if method_instance.nil?
 
           location = method_instance.source_location
-          return nil unless location_available?(location)
-          return nil if opener.written_from_location?(location)
+          return unless location_available?(location)
+          return if opener.written_from_location?(location)
 
           opener.written_from_location!(location)
           opener.source_code(location, method_name)

data/lib/contrast/agent/scope.rb

@@ -15,29 +15,40 @@ module Contrast
     # Instead, we should say "If I'm already doing Contrast things, don't track
     # this"
     class Scope
-      SCOPE_LIST = %i[contrast deserialization].cs__freeze
+      SCOPE_LIST = %i[contrast deserialization split].cs__freeze
 
       def initialize
-        instance_variable_set(:@contrast_scope, 0)
-        instance_variable_set(:@deserialization_scope, 0)
+        @contrast_scope = 0
+        @deserialization_scope = 0
+        @split_scope = 0
       end
 
       def in_contrast_scope?
-        instance_variable_get(:@contrast_scope).positive?
+        @contrast_scope.positive?
       end
 
       def in_deserialization_scope?
-        instance_variable_get(:@deserialization_scope).positive?
+        @deserialization_scope.positive?
+      end
+
+      def in_split_scope?
+        @split_scope.positive?
       end
 
       def enter_contrast_scope!
-        level = instance_variable_get(:@contrast_scope)
-        instance_variable_set(:@contrast_scope, level + 1)
+        @contrast_scope += 1
       end
 
       def enter_deserialization_scope!
-        level = instance_variable_get(:@deserialization_scope)
-        instance_variable_set(:@deserialization_scope, level + 1)
+        @deserialization_scope += 1
+      end
+
+      def enter_split_scope!
+        @split_scope += 1
+      end
+
+      def split_scope_depth
+        @split_scope
       end
 
       # Scope Exits...
@@ -61,13 +72,15 @@ module Contrast
       #   exit  =  1
       #   scope =  1
       def exit_contrast_scope!
-        level = instance_variable_get(:@contrast_scope)
-        instance_variable_set(:@contrast_scope, level - 1)
+        @contrast_scope -= 1
       end
 
       def exit_deserialization_scope!
-        level = instance_variable_get(:@deserialization_scope)
-        instance_variable_set(:@deserialization_scope, level - 1)
+        @deserialization_scope -= 1
+      end
+
+      def exit_split_scope!
+        @split_scope -= 1
       end
 
       def with_contrast_scope
@@ -84,6 +97,13 @@ module Contrast
         exit_deserialization_scope!
       end
 
+      def with_split_scope
+        enter_split_scope!
+        yield
+      ensure
+        exit_split_scope!
+      end
+
       # Dynamic versions of the above.
       # These are equivalent, but they're slower and riskier.
       # Prefer the static methods if you know what scope you need at the call site.

data/lib/contrast/agent/static_analysis.rb

@@ -17,14 +17,9 @@ module Contrast
         # report the already-loaded gems.
         def catchup
           @_catchup ||= begin
-            with_contrast_scope do
-              Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.catchup
-              send_inventory_message
-              true
-            end
+            threaded_analysis!
+            true
           end
-        rescue StandardError => e
-          logger.warn('Unable to run post-initialization static analysis', e)
         end
 
         def send_inventory_message
@@ -35,6 +30,17 @@ module Contrast
           Contrast::Utils::InventoryUtil.append_db_config(app_update_msg)
           Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg)
         end
+
+        private
+
+        def threaded_analysis!
+          Contrast::Agent::Thread.new do
+            Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.catchup
+            send_inventory_message
+          rescue StandardError => e
+            logger.warn('Unable to run post-initialization static analysis', e)
+          end
+        end
       end
     end
   end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '4.2.0'
+    VERSION = '4.3.0'
   end
 end

data/lib/contrast/api/decorators/library.rb

@@ -13,6 +13,7 @@ module Contrast
         def self.included klass
           klass.extend(ClassMethods)
         end
+
         # Used to add class methods to the Library class on inclusion of the decorator
         module ClassMethods
           def build digest, gem_specification

data/lib/contrast/api/decorators/library_usage_update.rb

@@ -11,6 +11,7 @@ module Contrast
         def self.included klass
           klass.extend(ClassMethods)
         end
+
         # Used to add class methods to the LibraryUsageUpdate class on inclusion of the decorator
         module ClassMethods
           def build digest, files

data/lib/contrast/api/decorators/trace_event.rb

@@ -15,44 +15,30 @@ module Contrast
 
         # Wrapper around build_event_object for the args array. Handles
         # tainting the correct argument.
-        def build_event_args contrast_event, taint_target
+        def build_event_args! contrast_event, taint_target
           contrast_event.args.each_index do |idx|
             truncate_arg = taint_target != idx
             event_arg = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.args[idx], truncate_arg)
             args << event_arg
           end
+          self
         end
 
-        # TeamServer only supports one object's taint ranges at a time.
-        # We'll find the taint ranges for the target and return those
-        def build_taint_ranges contrast_event, taint_target
+        # TeamServer only supports one object's taint ranges at a time. We keep
+        # those tags on the event directly, so we just need to convert them to
+        # their DTM form in order to report this.
+        #
+        # @param contrast_event [Contrast::Agent::AssessContrastEvent]
+        def build_taint_ranges! contrast_event
           # If there's no taint_target, this isn't a dataflow trace, but a
           # trigger one
-          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless taint_target
+          return self unless contrast_event&.tags
 
-          properties = case taint_target
-                       when Contrast::Utils::ObjectShare::OBJECT_KEY
-                         Contrast::Agent::Assess::Tracker.properties(contrast_event.object)
-                       when Contrast::Utils::ObjectShare::RETURN_KEY
-                         Contrast::Agent::Assess::Tracker.properties(contrast_event.ret)
-                       else
-                         target = contrast_event.args[taint_target]
-                         if target.is_a?(Hash)
-                           if contrast_event.policy_node&.targets&.any?
-                             Contrast::Agent::Assess::Tracker.properties(target[contrast_event.policy_node.targets[0]])
-                           else
-                             Contrast::Agent::Assess::Tracker.properties(target[contrast_event.policy_node.sources[0]])
-                           end
-                         else
-                           Contrast::Agent::Assess::Tracker.properties(target)
-                         end
-                       end
-          return unless properties.tracked?
-
-          self.taint_ranges += properties.tags_to_dtm
+          self.taint_ranges += Contrast::Api::Dtm::TraceTaintRange.build_for_event(contrast_event.tags)
+          self
         end
 
-        def build_parent_ids contrast_event
+        def build_parent_ids! contrast_event
           contrast_event&.parent_events&.each do |event|
             next unless event
 
@@ -60,12 +46,14 @@ module Contrast
             parent.id = event.event_id.to_i
             parent_object_ids << parent
           end
+          self
         end
 
-        def build_stack contrast_event
+        def build_stack! contrast_event
           # We delayed doing this as long as possible b/c it's expensive
           stack_dtms = Contrast::Utils::StackTraceUtils.build_assess_stack_array(contrast_event.stack_trace)
           self.stack += stack_dtms
+          self
         end
 
         # Class methods for TraceEvent
@@ -85,10 +73,10 @@ module Contrast
             event_dtm.object = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.object, truncate_obj)
             truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
             event_dtm.ret = Contrast::Api::Dtm::TraceEventObject.build(contrast_event.ret, truncate_ret)
-            event_dtm.build_event_args(contrast_event, taint_target)
-            event_dtm.build_parent_ids(contrast_event)
-            event_dtm.build_taint_ranges(contrast_event, taint_target)
-            event_dtm.build_stack(contrast_event)
+            event_dtm.build_event_args!(contrast_event, taint_target)
+            event_dtm.build_parent_ids!(contrast_event)
+            event_dtm.build_taint_ranges!(contrast_event)
+            event_dtm.build_stack!(contrast_event)
             event_dtm.object_id = contrast_event.event_id.to_i
             event_dtm.signature = Contrast::Api::Dtm::TraceEventSignature.build(contrast_event.ret, contrast_event.policy_node, contrast_event.args)
             event_dtm

data/lib/contrast/api/decorators/trace_event_object.rb

@@ -29,13 +29,21 @@ module Contrast
           ELLIPSIS = '...'
           UNTRUNCATED_PORTION_LENGTH = 25
           TRUNCATION_LENGTH = (UNTRUNCATED_PORTION_LENGTH * 2) + ELLIPSIS.length
-          def build object, truncate
+
+          # Convert the given Object into a Contrast::Api::Dtm::TraceEventObject
+          #
+          # @param contrast_object [Contrast::Agent::Assess::ContrastObject, nil]
+          #   the thing to convert, if any
+          # @param truncate [Boolean] if the converted object can/should be
+          #   truncated.
+          # @return [Contrast::Api::Dtm::TraceEventObject]
+          def build contrast_object, truncate
             event_object = new
             with_contrast_scope do
-              obj_string = Contrast::Utils::StringUtils.force_utf8(object)
+              obj_string = Contrast::Utils::StringUtils.force_utf8(contrast_object&.object)
               obj_string = truncate(obj_string) if truncate && obj_string.length > TRUNCATION_LENGTH
               event_object.value = Base64.encode64(obj_string)
-              event_object.tracked = Contrast::Utils::Assess::TrackingUtil.tracked?(object)
+              event_object.tracked = contrast_object&.tracked?
             end
             event_object
           end

data/lib/contrast/api/decorators/trace_event_signature.rb

@@ -17,27 +17,49 @@ module Contrast
 
         # Class methods for TraceEventSignature
         module ClassMethods
+          # Convert the given composites into components that TeamServer can
+          # understand in order to build a representation of the method
+          # invoked.
+          #
+          # @param ret_obj [Contrast::Agent::Assess::ContrastObject, nil] the
+          #   return value of the method call.
+          # @param policy_node [Contrast::Agent::Assess::Policy::PolicyNode]
+          #   the policy which pertains to the method invoked.
+          # @param args [Array<Contrast::Agent::Assess::ContrastObject>, nil]
+          # @return [Contrast::Api::Dtm::TraceEventSignature]
           def build ret_obj, policy_node, args
             signature = new
-            return_type = ret_obj ? ret_obj.cs__class.name : Contrast::Utils::ObjectShare::NIL_STRING
-            signature.return_type = Contrast::Utils::StringUtils.force_utf8(return_type)
+            signature.return_type = Contrast::Utils::StringUtils.force_utf8(type_name(ret_obj))
             signature.class_name = Contrast::Utils::StringUtils.force_utf8(policy_node.class_name)
             signature.method_name = Contrast::Utils::StringUtils.force_utf8(policy_node.method_name)
             if args
               args&.each do |arg|
-                arg_type = arg ? arg.cs__class.name : Contrast::Utils::ObjectShare::NIL_STRING
-                signature.arg_types << Contrast::Utils::StringUtils.force_utf8(arg_type)
+                signature.arg_types << Contrast::Utils::StringUtils.force_utf8(type_name(arg))
               end
             end
             signature.constructor = policy_node.method_name == :new
             # if there's a ret, then this method isn't nil. not 100% full proof since you can
             # return nil, but this is the best we've got currently.
-            signature.void_method = ret_obj.nil?
+            signature.void_method = ret_obj.nil? || ret_obj.object.nil?
             # 8 is STATIC in Java... we have to placate them for now
             # it has been requested that flags be removed since it isn't used
             signature.flags = 8 unless policy_node.instance_method?
             signature
           end
+
+          private
+
+          # While Ruby signatures do not require neither a return type and can
+          # return anything depending on inputs, code paths, etc, nor constant
+          # parameter types, TeamServer was designed with strongly typed
+          # languages (Java) in mind, so we need types in our signatures.
+          #
+          # @param contrast_object [Contrast::Agent::Assess::ContrastObject, nil]
+          #   the object to find the type of
+          # @return [String] the name of the module of the ret_obj, or `nil`
+          def type_name contrast_object
+            contrast_object ? contrast_object.object_type : Contrast::Utils::ObjectShare::NIL_STRING
+          end
         end
       end
     end

data/lib/contrast/api/decorators/user_input.rb

@@ -12,7 +12,8 @@ module Contrast
       module UserInput
         UNKNOWN_USER_INPUT = Contrast::Api::Dtm::UserInput.new.tap do |user_input|
           user_input.input_type = :UNKNOWN
-        end.cs__freeze
+        end
+        UNKNOWN_USER_INPUT.cs__freeze
 
         def self.included klass
           klass.extend(ClassMethods)

data/lib/contrast/common_agent_configuration.rb

@@ -66,7 +66,7 @@ module Contrast
 
       %w[name default description required_languages display].each do |field|
         # TODO: RUBY-1052
-        define_method(field) { hsh[field].dup } # rubocop:disable Kernel/DefineMethod
+        define_method(field) { hsh[field].dup } # rubocop:disable Performance/Kernel/DefineMethod
       end
     end
 

data/lib/contrast/components/assess.rb

@@ -35,6 +35,42 @@ module Contrast
           disabled_rules.include?(name)
         end
 
+        # The value of the stacktrace should be treated as an ENUM. We upcase it for
+        # faster comparisons when we use it. Anything not one of the known values of
+        # 'NONE',  'SOME', or 'ALL' is treated as 'ALL'
+        #
+        # @return [Symbol] the normalized value of CONFIG.root.assess.stacktraces
+        def capture_stacktrace_value
+          @_capture_stacktrace_value ||= case CONFIG.root.assess.stacktraces.upcase
+                                         when 'NONE'
+                                           :NONE
+                                         when 'SOME'
+                                           :SOME
+                                         else
+                                           :ALL
+                                         end
+        end
+
+        # Consider capture_stacktrace_value along with the node type
+        # to dertmine whether stacktraces should be captured.
+        #
+        # capture_stacktrace_value -> (:ALL, :NONE, :SOME)
+        # node types (SourceNode, PolicyNode, TriggerNode, PropagationNode)
+        #
+        # @param policy_node [Contrast::Agent::Assess::Policy::PolicyNode] The node in question.
+        # @param return [Boolean] to capture or not to capture, that is the question.
+        def capture_stacktrace? policy_node
+          return true if capture_stacktrace_value == :ALL
+
+          return false if capture_stacktrace_value == :NONE
+
+          # Below here capture_stacktrace_value must be :SOME.
+          return true if policy_node.cs__is_a?(Contrast::Agent::Assess::Policy::SourceNode)
+          return true if policy_node.cs__is_a?(Contrast::Agent::Assess::Policy::TriggerNode)
+
+          false
+        end
+
         def scan_response?
           @_scan_response = !false?(CONFIG.root.assess.enable_scan_response) if @_scan_response.nil?
           @_scan_response

data/lib/contrast/components/interface.rb

@@ -168,9 +168,11 @@ Contrast::Components::ComponentReceiverClassInterface::COMPONENT_MAP[:settings]
 require 'contrast/components/assess'
 require 'contrast/components/protect'
 require 'contrast/components/inventory'
-Contrast::Components::ComponentReceiverClassInterface::COMPONENT_MAP[:analysis] = [Contrast::Components::Protect,
-                                                                                   Contrast::Components::Assess,
-                                                                                   Contrast::Components::Inventory]
+Contrast::Components::ComponentReceiverClassInterface::COMPONENT_MAP[:analysis] = [
+  Contrast::Components::Protect,
+  Contrast::Components::Assess,
+  Contrast::Components::Inventory
+]
 
 require 'contrast/components/logger'
 Contrast::Components::ComponentReceiverClassInterface::COMPONENT_MAP[:logging] = [Contrast::Components::Logger]

data/lib/contrast/components/scope.rb

@@ -56,6 +56,10 @@ module Contrast
           scope_for_current_ec.enter_deserialization_scope!
         end
 
+        def enter_split_scope!
+          scope_for_current_ec.enter_split_scope!
+        end
+
         def enter_scope! name
           scope_for_current_ec.enter_scope! name
         end
@@ -68,6 +72,10 @@ module Contrast
           scope_for_current_ec.exit_deserialization_scope!
         end
 
+        def exit_split_scope!
+          scope_for_current_ec.exit_split_scope!
+        end
+
         def exit_scope! name
           scope_for_current_ec.exit_scope! name
         end
@@ -80,6 +88,14 @@ module Contrast
           scope_for_current_ec.in_deserialization_scope?
         end
 
+        def in_split_scope?
+          scope_for_current_ec.in_split_scope?
+        end
+
+        def split_scope_depth
+          scope_for_current_ec.split_scope_depth
+        end
+
         def in_scope? name
           scope_for_current_ec.in_scope? name
         end
@@ -97,6 +113,13 @@ module Contrast
           scope_for_current_ec.exit_deserialization_scope!
         end
 
+        def with_split_scope
+          scope_for_current_ec.enter_split_scope!
+          yield
+        ensure
+          scope_for_current_ec.exit_split_scope!
+        end
+
         # TODO: RUBY-572
         #
         # Current behavior is to no-op if we're not "in a request context".