contrast-agent 4.2.0 → 4.4.1

data/lib/contrast/agent/assess/rule.rb

@@ -1,18 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Agent
-    module Assess
-      # This is the base module for our assess rule classes. It is intended to
-      # facilitate the patching of the application for Assess functionality. Any
-      # class under this namespace should be required here, providing a single
-      # point of require for this functionality.
-      module Rule
-      end
-    end
-  end
-end
-
-require 'contrast/agent/assess/rule/base'
-require 'contrast/agent/assess/rule/provider'

data/lib/contrast/agent/assess/rule/base.rb

@@ -1,52 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'digest'
-require 'zlib'
-require 'contrast/components/interface'
-
-module Contrast
-  module Agent
-    module Assess
-      module Rule
-        # The base class for each of our Assess Rules
-        class Base
-          include Contrast::Components::Interface
-          access_component :agent, :analysis, :logging, :settings
-
-          def initialize
-            SETTINGS.assess_rules[name] = self
-          end
-
-          # Should return the name as it is known to Teamserver; defaults to
-          # class
-          def name
-            cs__class.name
-          end
-
-          def enabled?
-            ASSESS.enabled? && !ASSESS.rule_disabled?(name)
-          end
-
-          def prefilter _context; end
-
-          # If a rule needs to inspect the response body it is not stream safe
-          # The rule should override this and return false
-          def stream_safe?
-            true
-          end
-
-          def postfilter _context; end
-
-          # this rule is excluded if any of the given exclusions have a
-          # protection rule that matches this rule name
-          def excluded? exclusions
-            Array(exclusions).any? do |ex|
-              ex.assess_rule?(name)
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/agent/assess/rule/redos.rb

@@ -1,67 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Agent
-    module Assess
-      module Rule
-        # A regexp is only vulnerable to REDOS if it's going to run
-        # with pathologically bad performance.
-        # We report a vulnerability if the regexp is liable to run
-        # with quadratic time for some input.
-        # This vastly errs on the side of false positives.
-        class Redos < Contrast::Agent::Assess::Rule::Base
-          class << self
-            NAME = 'redos'
-            def name
-              NAME
-            end
-
-            def regexp_complexity_check context, trigger_node, source, object, ret, *args
-              # we can arrive here either from:
-              #   regexp =~ string
-              #   string =~ regexp
-              #   regexp.match string
-              #
-              # so object/args[0] can be string/regexp or regexp/string.
-              regexp = object.is_a?(Regexp) ? object : args[0]
-              string = object.is_a?(String) ? object : args[0]
-
-              # (1) regexp must be exploitable
-              return unless regexp_vulnerable?(regexp)
-
-              # (2) regexp must evaluate against user input
-              return unless trigger_node.violated?(string)
-
-              Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, source, object, ret, args)
-            end
-
-            protected
-
-            VULNERABLE_PATTERN = /[\[(].*?[\[(].*?[\])][*+?].*?[\])][*+?]/.cs__freeze
-
-            # Does the regexp
-            # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/redos.md
-            def regexp_vulnerable? regexp
-              # A pattern is considered vulnerable if it has 2 or more levels of nested multi-matching.
-              # A level is defined as any set of opening and closing control characters immediately followed by a multi match control character.
-              # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS,
-              # or MULTI_MATCH_CHARS that is not immediately preceded by an escaping \ character.
-              # OPENING_CHARS are ( and [ CLOSING_CHARS are ) and ] MULTI_MATCH_CHARS are +, *, and ?
-
-              # Nota bene about Regexp#to_s:  it doesn't necessarily give you the original Regexp back
-              # (in the sense of `my_str == Regexp.new(my_str).to_s`), it gives you a Regexp that
-              # will have the same functional characteristics as the original.
-              # Regexp#inspect gives you a "more nicely formatted" version than #to_s.
-              # Regexp#source will give you the original source.
-
-              # Use #match? because it doesn't fill out global variables
-              # in the way match or =~ do.
-              VULNERABLE_PATTERN.match? regexp.source
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/framework/sinatra/patch/base.rb

@@ -1,83 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/framework/sinatra/support'
-
-module Contrast
-  module Framework
-    module Sinatra
-      module Patch
-        # Our patch into the Sinatra::Base Class, allowing for the inventory of the
-        # routes called by the application
-        module Base
-          class << self
-            # Use logic copied from Sinatra::Base#process_route to determine which
-            # pattern matches the request being invoked by Sinatra::Base#call!
-            #
-            # @param clazz [Class] the Class that extends Sinatra::Base in
-            #   which this route is defined.
-            # @param settings [Object] the Sinatra::Base @settings object.
-            # @param args [Array<Object>] we rely on the @settings object in
-            #   Sinatra::Base and the env variable passed in as args[0].
-            def map_route clazz, settings, *args
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              return unless context
-
-              env = args[0]
-              return unless env
-              return unless settings
-
-              convert_routes(context, clazz, settings, env)
-            rescue StandardError
-              # Being careful here since we're directly patching something
-            end
-
-            def instrument
-              @_instrument ||= begin
-                ::Sinatra::Base.class_eval do
-                  alias_method :cs__patched_sinatra_base_call!, :call!
-                  # publicly available method for Sinatra::Base things -- unfortunately,
-                  # getting the routes appear to require a lookup every time
-                  def call! *args
-                    Contrast::Framework::Sinatra::Patch::Base.map_route(cs__class, settings, *args)
-                    cs__patched_sinatra_base_call!(*args)
-                  end
-                end
-                true
-              end
-            end
-
-            private
-
-            # Find the route that matches this request. Since we're using
-            # settings, we should resolve in the same precedence as Sinatra
-            def convert_routes context, clazz, settings, env
-              # There isn't a Request object in the Sinatra::Base yet - it's made
-              # during the #call! method, which we're patching - so we need to
-              # access the env
-              method = env[::Rack::REQUEST_METHOD]
-              # get all potential routes for this request type
-              routes = settings.routes[method]
-              return unless routes
-
-              route = env[::Rack::PATH_INFO]
-              route = route.to_s
-
-              # Do some cleanup that matches Sinatra::Base#process_route
-              route = '/' if route.empty? && !settings.empty_path_info?
-              route = route[0..-2] if !settings.strict_paths? && route != '/' && route.end_with?('/')
-
-              routes.each do |pattern, _, _| # Mustermann::Sinatra
-                next unless pattern.params(route)
-
-                dtm = Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(clazz, method, pattern)
-                context.append_route_coverage(dtm)
-                break
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/framework/sinatra/patch/support.rb

@@ -1,27 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-require 'contrast/agent/patching/policy/after_load_patch'
-
-module Contrast
-  module Framework
-    module Sinatra
-      module Patch
-        # Extension point allowing for the registration of Patches required to
-        # support the Sinatra framework.
-        module Support
-          # (See BaseSupport#after_load_patches)
-          def after_load_patches
-            Set.new([
-                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                          'Sinatra::Base',
-                          'contrast/framework/sinatra/patch/base',
-                          method_to_instrument: nil,
-                          instrumenting_module: 'Contrast::Framework::Sinatra::Patch::Base')
-                    ])
-          end
-        end
-      end
-    end
-  end
-end

data/lib/contrast/utils/prevent_serialization.rb

@@ -1,52 +0,0 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-module Contrast
-  module Utils
-    # DO NOT REMOVE THIS!
-    #
-    # Marshal is pretty cool. It does a lot of things well. What it doesn't
-    # mess around with though is StringIO. And what we don't want to do is
-    # serialize ourselves out with Marshal#dump.
-    #
-    # Unfortunately, we have to mess around w/ that. To isolate our things from
-    # user dumped Strings (and so that we can marshal findings), we have
-    # decided to make this class not marshalled.
-    module PreventMarshalSerialization
-      def marshal_dump
-        nil
-      end
-
-      def marshal_load *_args
-        nil
-      end
-    end
-
-    # DO NOT REMOVE THIS!
-    #
-    # Psych/YAML is also pretty cool. But it doesn't mess with anonymous
-    # classes. In order to make things we extend serializable, we need to make
-    # sure we play nice.
-    module PreventPsychSerialization
-      def encode_with *_args
-        nil
-      end
-
-      def init_with *_args
-        nil
-      end
-    end
-
-    # DO NOT REMOVE THIS!
-    #
-    # This module is used to prevent deserialization of our classes, not b/c
-    # we're trying to be sneaky, but b/c there is a high probability that the
-    # events we're capturing have non-serializable data in them and b/c we
-    # can't be sure the serialized data will be used in an application running
-    # Contrast.
-    module PreventSerialization
-      include PreventMarshalSerialization
-      include PreventPsychSerialization
-    end
-  end
-end