contrast-agent 4.2.0 → 4.4.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Rakefile +1 -0
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +22 -10
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +4 -3
- data/lib/contrast/agent.rb +5 -1
- data/lib/contrast/agent/assess.rb +0 -9
- data/lib/contrast/agent/assess/contrast_event.rb +49 -132
- data/lib/contrast/agent/assess/contrast_object.rb +54 -0
- data/lib/contrast/agent/assess/events/source_event.rb +4 -9
- data/lib/contrast/agent/assess/finalizers/hash.rb +7 -0
- data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +17 -3
- data/lib/contrast/agent/assess/policy/patcher.rb +4 -3
- data/lib/contrast/agent/assess/policy/policy_node.rb +31 -59
- data/lib/contrast/agent/assess/policy/preshift.rb +3 -3
- data/lib/contrast/agent/assess/policy/propagation_method.rb +41 -32
- data/lib/contrast/agent/assess/policy/propagation_node.rb +12 -24
- data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -15
- data/lib/contrast/agent/assess/policy/propagator/center.rb +1 -2
- data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagator/database_write.rb +21 -18
- data/lib/contrast/agent/assess/policy/propagator/insert.rb +1 -2
- data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -2
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
- data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -2
- data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -2
- data/lib/contrast/agent/assess/policy/propagator/remove.rb +2 -4
- data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -2
- data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -2
- data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -4
- data/lib/contrast/agent/assess/policy/propagator/splat.rb +25 -17
- data/lib/contrast/agent/assess/policy/propagator/split.rb +83 -120
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +41 -25
- data/lib/contrast/agent/assess/policy/propagator/trim.rb +3 -7
- data/lib/contrast/agent/assess/policy/source_method.rb +2 -14
- data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +5 -8
- data/lib/contrast/agent/assess/policy/trigger/xpath.rb +1 -1
- data/lib/contrast/agent/assess/policy/trigger_method.rb +13 -8
- data/lib/contrast/agent/assess/policy/trigger_node.rb +28 -7
- data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +59 -0
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -3
- data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +6 -4
- data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +2 -4
- data/lib/contrast/agent/assess/properties.rb +0 -2
- data/lib/contrast/agent/assess/property/tagged.rb +56 -32
- data/lib/contrast/agent/assess/tracker.rb +16 -18
- data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +7 -0
- data/lib/contrast/agent/middleware.rb +134 -55
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +4 -0
- data/lib/contrast/agent/patching/policy/method_policy.rb +1 -1
- data/lib/contrast/agent/patching/policy/patch.rb +4 -4
- data/lib/contrast/agent/patching/policy/patch_status.rb +1 -1
- data/lib/contrast/agent/patching/policy/patcher.rb +51 -44
- data/lib/contrast/agent/patching/policy/trigger_node.rb +5 -2
- data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +47 -1
- data/lib/contrast/agent/protect/policy/rule_applicator.rb +53 -0
- data/lib/contrast/agent/protect/rule/base.rb +63 -14
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +3 -3
- data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -4
- data/lib/contrast/agent/protect/rule/deserialization.rb +4 -1
- data/lib/contrast/agent/protect/rule/no_sqli.rb +3 -3
- data/lib/contrast/agent/protect/rule/sqli.rb +20 -14
- data/lib/contrast/agent/protect/rule/xxe.rb +32 -11
- data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +10 -6
- data/lib/contrast/agent/reaction_processor.rb +1 -1
- data/lib/contrast/agent/request_context.rb +12 -0
- data/lib/contrast/agent/response.rb +5 -5
- data/lib/contrast/agent/rewriter.rb +3 -3
- data/lib/contrast/agent/scope.rb +33 -13
- data/lib/contrast/agent/static_analysis.rb +13 -7
- data/lib/contrast/agent/thread.rb +1 -1
- data/lib/contrast/agent/thread_watcher.rb +20 -5
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/api/communication/messaging_queue.rb +18 -21
- data/lib/contrast/api/communication/response_processor.rb +8 -1
- data/lib/contrast/api/communication/socket_client.rb +22 -14
- data/lib/contrast/api/decorators.rb +2 -0
- data/lib/contrast/api/decorators/agent_startup.rb +58 -0
- data/lib/contrast/api/decorators/application_startup.rb +51 -0
- data/lib/contrast/api/decorators/library.rb +1 -0
- data/lib/contrast/api/decorators/library_usage_update.rb +1 -0
- data/lib/contrast/api/decorators/route_coverage.rb +15 -5
- data/lib/contrast/api/decorators/trace_event.rb +58 -42
- data/lib/contrast/api/decorators/trace_event_object.rb +11 -3
- data/lib/contrast/api/decorators/trace_event_signature.rb +27 -5
- data/lib/contrast/api/decorators/user_input.rb +2 -1
- data/lib/contrast/common_agent_configuration.rb +1 -1
- data/lib/contrast/components/agent.rb +2 -0
- data/lib/contrast/components/app_context.rb +4 -22
- data/lib/contrast/components/assess.rb +36 -0
- data/lib/contrast/components/interface.rb +5 -3
- data/lib/contrast/components/sampling.rb +48 -6
- data/lib/contrast/components/scope.rb +23 -0
- data/lib/contrast/components/settings.rb +8 -7
- data/lib/contrast/config/assess_configuration.rb +2 -1
- data/lib/contrast/extension/assess/array.rb +1 -2
- data/lib/contrast/extension/assess/erb.rb +1 -3
- data/lib/contrast/extension/assess/exec_trigger.rb +1 -1
- data/lib/contrast/extension/assess/fiber.rb +2 -3
- data/lib/contrast/extension/assess/hash.rb +4 -2
- data/lib/contrast/extension/assess/kernel.rb +1 -2
- data/lib/contrast/extension/assess/marshal.rb +34 -26
- data/lib/contrast/extension/assess/regexp.rb +3 -8
- data/lib/contrast/extension/assess/string.rb +1 -2
- data/lib/contrast/framework/base_support.rb +51 -53
- data/lib/contrast/framework/manager.rb +16 -14
- data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
- data/lib/contrast/framework/rack/support.rb +2 -1
- data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
- data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
- data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +1 -1
- data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +1 -1
- data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +1 -1
- data/lib/contrast/framework/rails/support.rb +44 -44
- data/lib/contrast/framework/sinatra/support.rb +102 -42
- data/lib/contrast/logger/application.rb +0 -3
- data/lib/contrast/logger/log.rb +31 -15
- data/lib/contrast/utils/class_util.rb +3 -1
- data/lib/contrast/utils/duck_utils.rb +1 -1
- data/lib/contrast/utils/heap_dump_util.rb +103 -87
- data/lib/contrast/utils/invalid_configuration_util.rb +21 -12
- data/lib/contrast/utils/object_share.rb +3 -3
- data/lib/contrast/utils/preflight_util.rb +1 -1
- data/lib/contrast/utils/resource_loader.rb +1 -1
- data/lib/contrast/utils/sha256_builder.rb +2 -2
- data/lib/contrast/utils/string_utils.rb +1 -1
- data/lib/contrast/utils/tag_util.rb +9 -13
- data/resources/assess/policy.json +12 -18
- data/resources/deadzone/policy.json +150 -0
- data/resources/protect/policy.json +12 -0
- data/ruby-agent.gemspec +60 -19
- data/service_executables/VERSION +1 -1
- data/service_executables/linux/contrast-service +0 -0
- data/service_executables/mac/contrast-service +0 -0
- metadata +124 -112
- data/lib/contrast/agent/assess/rule.rb +0 -18
- data/lib/contrast/agent/assess/rule/base.rb +0 -52
- data/lib/contrast/agent/assess/rule/redos.rb +0 -67
- data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
- data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
- data/lib/contrast/utils/prevent_serialization.rb +0 -52
@@ -17,11 +17,13 @@ module Contrast
|
|
17
17
|
return object unless object.is_a?(String) && !object.cs__frozen?
|
18
18
|
return object unless Contrast::Agent::Assess::Tracker.tracked?(object)
|
19
19
|
|
20
|
-
|
21
|
-
|
20
|
+
# Copy the object, then freeze it, so that it looks the same
|
21
|
+
# externally, but will have our finalizer on it.
|
22
|
+
object.dup&.cs__freeze
|
22
23
|
rescue StandardError
|
23
24
|
# we'll rescue this error, but we can't log it here as that will
|
24
25
|
# result in a seg fault
|
26
|
+
object
|
25
27
|
end
|
26
28
|
|
27
29
|
def instrument_hash_track
|
@@ -39,8 +39,7 @@ module Contrast
|
|
39
39
|
# oh, and there's also %<name>type and %{name}... b/c of course there is
|
40
40
|
# -HM
|
41
41
|
def sprintf_tagger patcher, preshift, ret, _block
|
42
|
-
properties = Contrast::Agent::Assess::Tracker.properties(ret)
|
43
|
-
return unless properties
|
42
|
+
return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
|
44
43
|
|
45
44
|
format_string = preshift.args[0]
|
46
45
|
args = preshift.args[1]
|
@@ -6,42 +6,50 @@ require 'contrast/components/interface'
|
|
6
6
|
module Contrast
|
7
7
|
module Extension
|
8
8
|
module Assess
|
9
|
-
# This is our patch of the
|
9
|
+
# This is our patch of the Marshal class
|
10
10
|
# Disclaimer: there may be a better way, but we're in a 'get it work' state.
|
11
11
|
# Hopefully, we'll be in a 'get it right' state soon.
|
12
|
-
# This module is used for our Marshal
|
12
|
+
# This module is used for our Marshal.load patches
|
13
13
|
class MarshalPropagator
|
14
14
|
include Contrast::Components::Interface
|
15
15
|
|
16
|
-
access_component :logging
|
16
|
+
access_component :logging, :scope
|
17
17
|
|
18
18
|
class << self
|
19
|
-
def
|
20
|
-
|
21
|
-
return unless current_context
|
19
|
+
def cs__load_protect arg
|
20
|
+
return if in_contrast_scope?
|
22
21
|
|
23
|
-
|
24
|
-
|
25
|
-
|
22
|
+
with_contrast_scope do
|
23
|
+
Contrast::Agent::Protect::Policy::AppliesDeserializationRule.prepended_invoke(arg)
|
24
|
+
end
|
25
|
+
nil
|
26
|
+
end
|
27
|
+
|
28
|
+
def cs__load_assess source, ret
|
29
|
+
with_contrast_scope do
|
30
|
+
current_context = Contrast::Agent::REQUEST_TRACKER.current
|
31
|
+
return unless current_context
|
26
32
|
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
properties.copy_from(source, ret)
|
33
|
+
args = [source]
|
34
|
+
# source might not be all the args passed in, but it is the one we care
|
35
|
+
# about. we could pass in all the args in the last param here if it
|
36
|
+
# becomes an issue in rendering on TS
|
37
|
+
Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
|
38
|
+
current_context,
|
39
|
+
trigger_node('Marshal', :load),
|
40
|
+
source,
|
41
|
+
self,
|
42
|
+
ret,
|
43
|
+
*args)
|
44
|
+
return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
|
40
45
|
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
46
|
+
properties.copy_from(source, ret)
|
47
|
+
|
48
|
+
node = Contrast::Agent::Assess::Policy::Policy.instance.find_propagator_node('Marshal', :load, false)
|
49
|
+
properties.build_event(node, ret, self, ret, args)
|
50
|
+
rescue StandardError => e
|
51
|
+
logger.error('Unable to run Assess for Marshal.load', e)
|
52
|
+
end
|
45
53
|
end
|
46
54
|
|
47
55
|
def instrument_marshal_load
|
@@ -48,14 +48,9 @@ module Contrast
|
|
48
48
|
|
49
49
|
target = info_hash[:back_ref]
|
50
50
|
with_contrast_scope do
|
51
|
-
result = info_hash[:result]
|
52
|
-
return unless
|
53
|
-
|
54
|
-
string = info_hash[:string]
|
55
|
-
return unless string
|
56
|
-
|
57
|
-
properties = Contrast::Agent::Assess::Tracker.properties(target)
|
58
|
-
return unless properties
|
51
|
+
return unless (result = info_hash[:result])
|
52
|
+
return unless (string = info_hash[:string])
|
53
|
+
return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
|
59
54
|
|
60
55
|
properties.splat_from(string, target)
|
61
56
|
properties.build_event(
|
@@ -36,8 +36,7 @@ module Contrast
|
|
36
36
|
return unless inputs.any? { |input| Contrast::Agent::Assess::Tracker.tracked?(input) }
|
37
37
|
|
38
38
|
with_contrast_scope do
|
39
|
-
properties = Contrast::Agent::Assess::Tracker.properties(result)
|
40
|
-
return unless properties
|
39
|
+
return unless (properties = Contrast::Agent::Assess::Tracker.properties!(result))
|
41
40
|
|
42
41
|
parent_events = []
|
43
42
|
offset = 0
|
@@ -4,68 +4,66 @@
|
|
4
4
|
module Contrast
|
5
5
|
module Framework
|
6
6
|
# The API for all subclasses to implement to correctly support a given framework
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
end
|
7
|
+
module BaseSupport
|
8
|
+
# The top level module name used by the framework
|
9
|
+
def detection_class
|
10
|
+
raise NoMethodError('Subclasses of BaseSupport should implement this method')
|
11
|
+
end
|
13
12
|
|
14
|
-
|
15
|
-
|
16
|
-
|
13
|
+
def version
|
14
|
+
raise NoMethodError('Subclasses of BaseSupport should implement this method')
|
15
|
+
end
|
17
16
|
|
18
|
-
|
19
|
-
|
20
|
-
|
17
|
+
def application_name
|
18
|
+
raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
|
19
|
+
end
|
21
20
|
|
22
|
-
|
23
|
-
|
24
|
-
|
21
|
+
def server_type
|
22
|
+
raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
|
23
|
+
end
|
25
24
|
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
25
|
+
# Find all the predefined routes for this application and append them to the
|
26
|
+
# provided inventory message
|
27
|
+
# msg should be a Contrast::Api::Dtm::ApplicationUpdate or some other msg
|
28
|
+
# that has a routes array consisting of Contrast::Api::Dtm::RouteCoverage
|
29
|
+
def collect_routes
|
30
|
+
raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
|
31
|
+
end
|
33
32
|
|
34
|
-
|
35
|
-
|
36
|
-
|
33
|
+
def current_route
|
34
|
+
raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
|
35
|
+
end
|
37
36
|
|
38
|
-
|
39
|
-
|
40
|
-
|
37
|
+
def retrieve_request _env
|
38
|
+
raise NoMethodError, 'Subclasses of BaseSupport should implement this method'
|
39
|
+
end
|
41
40
|
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
41
|
+
# Some Frameworks require specific patching for their classes to handle
|
42
|
+
# functionality like configuration scanning. To accommodate this, this
|
43
|
+
# method provides a place to register those patches for invocation on
|
44
|
+
# Agent load.
|
45
|
+
#
|
46
|
+
# By default, and hopefully in all cases, we won't need these patches,
|
47
|
+
# so we're allowing nil here rather than raising an exception.
|
48
|
+
def before_load_patches!; end
|
50
49
|
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
50
|
+
# Some Frameworks require specific patching for their classes to handle
|
51
|
+
# functionality like routing. To accommodate this, this method provides
|
52
|
+
# a place to register those patches for invocation in our
|
53
|
+
# AfterLoadPatcher flow.
|
54
|
+
#
|
55
|
+
# By default, and hopefully in all cases, we won't need these patches,
|
56
|
+
# so we're allowing nil here rather than raising an exception.
|
57
|
+
#
|
58
|
+
# @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>,nil]
|
59
|
+
# those patches required for a Framework which can only be installed
|
60
|
+
# once a specific module has been loaded.
|
61
|
+
def after_load_patches; end
|
63
62
|
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
end
|
63
|
+
# We only support websockets in rails right now, so we won't detect streaming in
|
64
|
+
# any other framework
|
65
|
+
def streaming? _env
|
66
|
+
false
|
69
67
|
end
|
70
68
|
end
|
71
69
|
end
|
@@ -44,11 +44,9 @@ module Contrast
|
|
44
44
|
end
|
45
45
|
end
|
46
46
|
|
47
|
-
# Return all the After Load Patches for all the Frameworks we know, even
|
48
|
-
# if that Framework hasn't been detected.
|
47
|
+
# Return all the After Load Patches for all the Frameworks we know, even if that Framework hasn't been detected.
|
49
48
|
#
|
50
|
-
# @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>] the
|
51
|
-
# AfterLoadPatches of each framework
|
49
|
+
# @return [Set<Contrast::Agent::Patching::Policy::AfterLoadPatch>] the AfterLoadPatches of each framework
|
52
50
|
def find_after_load_patches
|
53
51
|
patches = Set.new
|
54
52
|
SUPPORTED_FRAMEWORKS.each do |framework|
|
@@ -82,8 +80,10 @@ module Contrast
|
|
82
80
|
end
|
83
81
|
|
84
82
|
# If we have 0 or n > 1 frameworks, we need to use the default rack request
|
85
|
-
#
|
86
|
-
#
|
83
|
+
#
|
84
|
+
# @param env [Hash] the various variables stored by this and other Middlewares to know the state and values
|
85
|
+
# of this particular Request
|
86
|
+
# @return [::Rack::Request] either a rack request or subclass thereof.
|
87
87
|
def retrieve_request env
|
88
88
|
return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
|
89
89
|
|
@@ -102,14 +102,15 @@ module Contrast
|
|
102
102
|
result
|
103
103
|
end
|
104
104
|
|
105
|
+
# Iterate through current frameworks and return the current request's route. This will be the first
|
106
|
+
# non-nil result.
|
107
|
+
#
|
108
|
+
# @param request [Contrast::Agent::Request] the current request.
|
109
|
+
# @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
|
110
|
+
# TODO: RUBY-1075 add unit test.
|
105
111
|
def get_route_dtm request
|
106
112
|
result = nil
|
107
|
-
@_frameworks.find
|
108
|
-
# TODO: RUBY-763 Sinatra::Base#call patch adds the Route report
|
109
|
-
next if framework_klass == Contrast::Framework::Sinatra::Support
|
110
|
-
|
111
|
-
result = framework_klass.current_route(request)
|
112
|
-
end
|
113
|
+
@_frameworks.find { |framework_klass| result = framework_klass.current_route(request) }
|
113
114
|
result
|
114
115
|
end
|
115
116
|
|
@@ -128,9 +129,10 @@ module Contrast
|
|
128
129
|
# @param method_name [Symbol] the method to call on each FrameworkSupport class
|
129
130
|
# @return [Array]
|
130
131
|
def data_for_all_frameworks method_name
|
131
|
-
@_frameworks.flat_map do |framework|
|
132
|
+
data = @_frameworks.flat_map do |framework|
|
132
133
|
framework.send(method_name)
|
133
|
-
end
|
134
|
+
end
|
135
|
+
data.compact
|
134
136
|
end
|
135
137
|
|
136
138
|
# This returns a single object from the first framework to successfully respond
|
@@ -26,7 +26,7 @@ module Contrast
|
|
26
26
|
@_instrument ||= begin
|
27
27
|
::Rack::Session::Cookie.class_eval do
|
28
28
|
alias_method :cs__patched_initialize, :initialize
|
29
|
-
def initialize app, options = {}
|
29
|
+
def initialize app, options = {} # rubocop:disable Style/OptionHash
|
30
30
|
Contrast::Framework::Rack::Patch::SessionCookie.analyze(options)
|
31
31
|
cs__patched_initialize(app, options)
|
32
32
|
end
|
@@ -9,7 +9,8 @@ module Contrast
|
|
9
9
|
module Rack
|
10
10
|
# Used when Rack is present to define framework specific behavior. For
|
11
11
|
# now, the only part of this implemented is the Patch Support.
|
12
|
-
|
12
|
+
module Support
|
13
|
+
extend Contrast::Framework::BaseSupport
|
13
14
|
extend Contrast::Framework::Rack::Patch::Support
|
14
15
|
class << self
|
15
16
|
def detection_class
|
@@ -7,7 +7,7 @@ module Contrast
|
|
7
7
|
module Patch
|
8
8
|
# This class acts as our patch into the ActionController::Live::Buffer
|
9
9
|
# class, allowing us to track the close event on streamed responses.
|
10
|
-
|
10
|
+
module ActionControllerLiveBuffer
|
11
11
|
class << self
|
12
12
|
def send_messages
|
13
13
|
return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
|
@@ -10,7 +10,7 @@ module Contrast
|
|
10
10
|
# for the runtime detection of insecure configurations on individual
|
11
11
|
# ActionDispatch::Session::AbstractStore instances within the
|
12
12
|
# application.
|
13
|
-
|
13
|
+
module RailsApplicationConfiguration
|
14
14
|
def self.instrument
|
15
15
|
@_instrument ||= begin
|
16
16
|
::Rails::Application::Configuration.class_eval do
|
@@ -12,7 +12,7 @@ module Contrast
|
|
12
12
|
# TODO: RUBY-714 remove w/ EOL of 2.5
|
13
13
|
# @deprecated Changes to this class are discouraged as this approach is
|
14
14
|
# being phased out with support for those language versions.
|
15
|
-
|
15
|
+
module ActionControllerRailtiesHelperInherited
|
16
16
|
def self.instrument
|
17
17
|
@_instrument ||= begin
|
18
18
|
::ActionController::Railties::Helpers.class_eval do
|
@@ -14,7 +14,7 @@ module Contrast
|
|
14
14
|
# TODO: RUBY-714 remove w/ EOL of 2.5
|
15
15
|
# @deprecated Changes to this class are discouraged as this approach is
|
16
16
|
# being phased out with support for those language versions.
|
17
|
-
|
17
|
+
module ActiveRecordAttributeMethodsRead
|
18
18
|
def self.instrument
|
19
19
|
@_instrument ||= begin
|
20
20
|
::ActiveRecord::AttributeMethods::Read::ClassMethods.class_eval do
|
@@ -9,7 +9,7 @@ module Contrast
|
|
9
9
|
# TODO: RUBY-714 remove w/ EOL of 2.5
|
10
10
|
# @deprecated Changes to this class are discouraged as this approach is
|
11
11
|
# being phased out with support for those language versions.
|
12
|
-
|
12
|
+
module ActiveRecordTimeZoneInherited
|
13
13
|
def self.instrument
|
14
14
|
@_instrument ||= begin
|
15
15
|
::ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods.class_eval do
|
@@ -10,7 +10,8 @@ module Contrast
|
|
10
10
|
module Framework
|
11
11
|
module Rails
|
12
12
|
# Used when Rails is present to define framework specific behavior
|
13
|
-
class Support
|
13
|
+
class Support
|
14
|
+
extend Contrast::Framework::BaseSupport
|
14
15
|
extend Contrast::Framework::Rails::Patch::Support
|
15
16
|
|
16
17
|
class << self
|
@@ -46,32 +47,34 @@ module Contrast
|
|
46
47
|
end
|
47
48
|
|
48
49
|
# Find the current route, based on the provided Request wrapper
|
50
|
+
#
|
49
51
|
# @param request[Contrast::Agent::Request]
|
50
52
|
# @return [Contrast::Api::Dtm::RouteCoverage]
|
51
53
|
def current_route request
|
52
54
|
return unless ::Rails.cs__respond_to?(:application)
|
53
55
|
|
54
|
-
|
55
|
-
# precedence
|
56
|
-
# match_data: ActionDispatch::Journey::Path::Pattern::MatchData
|
57
|
-
# path_parameters: hash of various things
|
58
|
-
# route: ActionDispatch::Journey::Route
|
59
|
-
full_routes = ::Rails.application.routes.router.send(:find_routes, request.rack_request)
|
60
|
-
return if full_routes.empty?
|
56
|
+
match, _params, route, path = get_full_route(request.rack_request)
|
61
57
|
|
62
|
-
|
58
|
+
original_url = request.rack_request.path_info
|
63
59
|
|
64
|
-
# the route
|
65
|
-
if
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
60
|
+
# Route is either the final rails route, or a router that points to a Sinatra controller.
|
61
|
+
if Contrast::Framework::Sinatra::Support.sinatra_controller?(route.app.app)
|
62
|
+
# Create a request copied from current request, but with the base path removed from path_info.
|
63
|
+
new_req = ::ActionDispatch::Request.new(request.env)
|
64
|
+
new_req.path_info = new_req.path_info.gsub((path << match).join, '')
|
65
|
+
|
66
|
+
return Contrast::Framework::Sinatra::Support.current_route(new_req, route.app.app, original_url)
|
70
67
|
end
|
68
|
+
|
69
|
+
Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route, original_url)
|
71
70
|
rescue StandardError => _e
|
72
71
|
nil
|
73
72
|
end
|
74
73
|
|
74
|
+
# Copy a request for modification.
|
75
|
+
#
|
76
|
+
# @param [::ActionDispatch::Request] original env.
|
77
|
+
# @return [::ActionDispatch::Request] a copy of original env with rails env merged.
|
75
78
|
def retrieve_request env
|
76
79
|
rails_env = ::Rails.application.env_config.merge(env)
|
77
80
|
::ActionDispatch::Request.new(rails_env || env)
|
@@ -86,37 +89,34 @@ module Contrast
|
|
86
89
|
|
87
90
|
private
|
88
91
|
|
89
|
-
# route is
|
90
|
-
|
91
|
-
|
92
|
-
|
92
|
+
# Determine if route is a Rails engine route.
|
93
|
+
#
|
94
|
+
# @param [Object] app or route that points to a ::Rails::Engine
|
95
|
+
# @return [bool] whether the router is an engine or not.
|
96
|
+
def engine_route? route
|
97
|
+
route.app.is_a?(::ActionDispatch::Routing::Mapper::Constraints) && route.app.app < ::Rails::Engine
|
93
98
|
end
|
94
99
|
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
# filter for current http method
|
116
|
-
reportable_routes = engine_router.send(:match_routes, matching_routes, request.rack_request)
|
117
|
-
return if reportable_routes.empty?
|
118
|
-
|
119
|
-
Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(reportable_routes[0])
|
100
|
+
# Recursively get final route traversing engines as required.
|
101
|
+
#
|
102
|
+
# @param request [::Rack::Request] the rack request as will be handed to rails controller.
|
103
|
+
# @param top_router [::ActionDispatch::Journer::Router] the current router relative to the previous.
|
104
|
+
# @param path [Array<String>] the chunks of path that have been seen.
|
105
|
+
# @return [Array<array>] the final set of rails route classes.
|
106
|
+
def get_full_route request, top_router = ::Rails.application.routes.router, path = []
|
107
|
+
return if (route_matches = top_router.send(:find_routes, request)).empty?
|
108
|
+
|
109
|
+
match, params, route = route_matches.first
|
110
|
+
|
111
|
+
# If the current routing node points to a sub-app (::Rais::Engine), dive deeper.
|
112
|
+
# Have sub-app route the remainder of the url.
|
113
|
+
if engine_route?(route)
|
114
|
+
new_req = retrieve_request request.env
|
115
|
+
new_req.path_info = new_req.path_info.gsub(match.to_s, '')
|
116
|
+
get_full_route(new_req, route.app.app.routes.router, path << match.to_s)
|
117
|
+
else
|
118
|
+
[match, params, route, path]
|
119
|
+
end
|
120
120
|
end
|
121
121
|
|
122
122
|
# Rails engine routes need to be detected by inspecting Engine class route set
|