contrast-agent 4.2.0 → 4.4.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (140) hide show
  1. checksums.yaml +4 -4
  2. data/Rakefile +1 -0
  3. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +22 -10
  4. data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h +4 -3
  5. data/lib/contrast/agent.rb +5 -1
  6. data/lib/contrast/agent/assess.rb +0 -9
  7. data/lib/contrast/agent/assess/contrast_event.rb +49 -132
  8. data/lib/contrast/agent/assess/contrast_object.rb +54 -0
  9. data/lib/contrast/agent/assess/events/source_event.rb +4 -9
  10. data/lib/contrast/agent/assess/finalizers/hash.rb +7 -0
  11. data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +17 -3
  12. data/lib/contrast/agent/assess/policy/patcher.rb +4 -3
  13. data/lib/contrast/agent/assess/policy/policy_node.rb +31 -59
  14. data/lib/contrast/agent/assess/policy/preshift.rb +3 -3
  15. data/lib/contrast/agent/assess/policy/propagation_method.rb +41 -32
  16. data/lib/contrast/agent/assess/policy/propagation_node.rb +12 -24
  17. data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -15
  18. data/lib/contrast/agent/assess/policy/propagator/center.rb +1 -2
  19. data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
  20. data/lib/contrast/agent/assess/policy/propagator/database_write.rb +21 -18
  21. data/lib/contrast/agent/assess/policy/propagator/insert.rb +1 -2
  22. data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -2
  23. data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
  24. data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -2
  25. data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -2
  26. data/lib/contrast/agent/assess/policy/propagator/remove.rb +2 -4
  27. data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -2
  28. data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -2
  29. data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -4
  30. data/lib/contrast/agent/assess/policy/propagator/splat.rb +25 -17
  31. data/lib/contrast/agent/assess/policy/propagator/split.rb +83 -120
  32. data/lib/contrast/agent/assess/policy/propagator/substitution.rb +41 -25
  33. data/lib/contrast/agent/assess/policy/propagator/trim.rb +3 -7
  34. data/lib/contrast/agent/assess/policy/source_method.rb +2 -14
  35. data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +5 -8
  36. data/lib/contrast/agent/assess/policy/trigger/xpath.rb +1 -1
  37. data/lib/contrast/agent/assess/policy/trigger_method.rb +13 -8
  38. data/lib/contrast/agent/assess/policy/trigger_node.rb +28 -7
  39. data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +59 -0
  40. data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -3
  41. data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +6 -4
  42. data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +2 -4
  43. data/lib/contrast/agent/assess/properties.rb +0 -2
  44. data/lib/contrast/agent/assess/property/tagged.rb +56 -32
  45. data/lib/contrast/agent/assess/tracker.rb +16 -18
  46. data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +7 -0
  47. data/lib/contrast/agent/middleware.rb +134 -55
  48. data/lib/contrast/agent/patching/policy/after_load_patcher.rb +4 -0
  49. data/lib/contrast/agent/patching/policy/method_policy.rb +1 -1
  50. data/lib/contrast/agent/patching/policy/patch.rb +4 -4
  51. data/lib/contrast/agent/patching/policy/patch_status.rb +1 -1
  52. data/lib/contrast/agent/patching/policy/patcher.rb +51 -44
  53. data/lib/contrast/agent/patching/policy/trigger_node.rb +5 -2
  54. data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +47 -1
  55. data/lib/contrast/agent/protect/policy/rule_applicator.rb +53 -0
  56. data/lib/contrast/agent/protect/rule/base.rb +63 -14
  57. data/lib/contrast/agent/protect/rule/cmd_injection.rb +3 -3
  58. data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -4
  59. data/lib/contrast/agent/protect/rule/deserialization.rb +4 -1
  60. data/lib/contrast/agent/protect/rule/no_sqli.rb +3 -3
  61. data/lib/contrast/agent/protect/rule/sqli.rb +20 -14
  62. data/lib/contrast/agent/protect/rule/xxe.rb +32 -11
  63. data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +10 -6
  64. data/lib/contrast/agent/reaction_processor.rb +1 -1
  65. data/lib/contrast/agent/request_context.rb +12 -0
  66. data/lib/contrast/agent/response.rb +5 -5
  67. data/lib/contrast/agent/rewriter.rb +3 -3
  68. data/lib/contrast/agent/scope.rb +33 -13
  69. data/lib/contrast/agent/static_analysis.rb +13 -7
  70. data/lib/contrast/agent/thread.rb +1 -1
  71. data/lib/contrast/agent/thread_watcher.rb +20 -5
  72. data/lib/contrast/agent/version.rb +1 -1
  73. data/lib/contrast/api/communication/messaging_queue.rb +18 -21
  74. data/lib/contrast/api/communication/response_processor.rb +8 -1
  75. data/lib/contrast/api/communication/socket_client.rb +22 -14
  76. data/lib/contrast/api/decorators.rb +2 -0
  77. data/lib/contrast/api/decorators/agent_startup.rb +58 -0
  78. data/lib/contrast/api/decorators/application_startup.rb +51 -0
  79. data/lib/contrast/api/decorators/library.rb +1 -0
  80. data/lib/contrast/api/decorators/library_usage_update.rb +1 -0
  81. data/lib/contrast/api/decorators/route_coverage.rb +15 -5
  82. data/lib/contrast/api/decorators/trace_event.rb +58 -42
  83. data/lib/contrast/api/decorators/trace_event_object.rb +11 -3
  84. data/lib/contrast/api/decorators/trace_event_signature.rb +27 -5
  85. data/lib/contrast/api/decorators/user_input.rb +2 -1
  86. data/lib/contrast/common_agent_configuration.rb +1 -1
  87. data/lib/contrast/components/agent.rb +2 -0
  88. data/lib/contrast/components/app_context.rb +4 -22
  89. data/lib/contrast/components/assess.rb +36 -0
  90. data/lib/contrast/components/interface.rb +5 -3
  91. data/lib/contrast/components/sampling.rb +48 -6
  92. data/lib/contrast/components/scope.rb +23 -0
  93. data/lib/contrast/components/settings.rb +8 -7
  94. data/lib/contrast/config/assess_configuration.rb +2 -1
  95. data/lib/contrast/extension/assess/array.rb +1 -2
  96. data/lib/contrast/extension/assess/erb.rb +1 -3
  97. data/lib/contrast/extension/assess/exec_trigger.rb +1 -1
  98. data/lib/contrast/extension/assess/fiber.rb +2 -3
  99. data/lib/contrast/extension/assess/hash.rb +4 -2
  100. data/lib/contrast/extension/assess/kernel.rb +1 -2
  101. data/lib/contrast/extension/assess/marshal.rb +34 -26
  102. data/lib/contrast/extension/assess/regexp.rb +3 -8
  103. data/lib/contrast/extension/assess/string.rb +1 -2
  104. data/lib/contrast/framework/base_support.rb +51 -53
  105. data/lib/contrast/framework/manager.rb +16 -14
  106. data/lib/contrast/framework/rack/patch/session_cookie.rb +1 -1
  107. data/lib/contrast/framework/rack/support.rb +2 -1
  108. data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
  109. data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +1 -1
  110. data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +1 -1
  111. data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +1 -1
  112. data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +1 -1
  113. data/lib/contrast/framework/rails/support.rb +44 -44
  114. data/lib/contrast/framework/sinatra/support.rb +102 -42
  115. data/lib/contrast/logger/application.rb +0 -3
  116. data/lib/contrast/logger/log.rb +31 -15
  117. data/lib/contrast/utils/class_util.rb +3 -1
  118. data/lib/contrast/utils/duck_utils.rb +1 -1
  119. data/lib/contrast/utils/heap_dump_util.rb +103 -87
  120. data/lib/contrast/utils/invalid_configuration_util.rb +21 -12
  121. data/lib/contrast/utils/object_share.rb +3 -3
  122. data/lib/contrast/utils/preflight_util.rb +1 -1
  123. data/lib/contrast/utils/resource_loader.rb +1 -1
  124. data/lib/contrast/utils/sha256_builder.rb +2 -2
  125. data/lib/contrast/utils/string_utils.rb +1 -1
  126. data/lib/contrast/utils/tag_util.rb +9 -13
  127. data/resources/assess/policy.json +12 -18
  128. data/resources/deadzone/policy.json +150 -0
  129. data/resources/protect/policy.json +12 -0
  130. data/ruby-agent.gemspec +60 -19
  131. data/service_executables/VERSION +1 -1
  132. data/service_executables/linux/contrast-service +0 -0
  133. data/service_executables/mac/contrast-service +0 -0
  134. metadata +124 -112
  135. data/lib/contrast/agent/assess/rule.rb +0 -18
  136. data/lib/contrast/agent/assess/rule/base.rb +0 -52
  137. data/lib/contrast/agent/assess/rule/redos.rb +0 -67
  138. data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
  139. data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
  140. data/lib/contrast/utils/prevent_serialization.rb +0 -52
@@ -12,9 +12,14 @@ module Contrast
12
12
  # finalizer on the object to remove its entry from the Hash immediately
13
13
  # after it's GC'd.
14
14
  class Hash < Hash
15
+ include Contrast::Components::Interface
16
+ access_component :agent, :analysis
17
+
15
18
  FROZEN_FINALIZED_IDS = Set.new
16
19
 
17
20
  def []= key, obj
21
+ return unless AGENT.enabled? && ASSESS.enabled?
22
+
18
23
  # We can't finalize frozen things, so only act on those that went
19
24
  # through .pre_freeze
20
25
  if key.cs__frozen?
@@ -35,6 +40,7 @@ module Contrast
35
40
  # @param key [Object] the thing to determine if trackable
36
41
  # @return [Boolean]
37
42
  def trackable? key
43
+ return false unless key
38
44
  # Track things in these, not them themselves.
39
45
  return false if Contrast::Utils::DuckUtils.iterable_hash?(key)
40
46
  return false if Contrast::Utils::DuckUtils.iterable_enumerable?(key)
@@ -81,6 +87,7 @@ module Contrast
81
87
  # @param key [Object] the Object on which we need to pre-define
82
88
  # finalizers
83
89
  def pre_freeze key
90
+ return unless AGENT.enabled? && ASSESS.enabled?
84
91
  return if key.cs__frozen?
85
92
  return if FROZEN_FINALIZED_IDS.include?(key.__id__)
86
93
 
@@ -110,16 +110,30 @@ module Contrast
110
110
  dynamic_source.method_name = Contrast::Utils::StringUtils.force_utf8(field)
111
111
  dynamic_source.instance_method = source_node.instance_method?
112
112
  dynamic_source.target = Contrast::Utils::StringUtils.force_utf8(source_node.target_string)
113
+ append_properties!(dynamic_source, current_context, source_node, field)
114
+ append_events!(dynamic_source, properties.event)
115
+ dynamic_source
116
+ end
117
+
118
+ # Append the properties needed to reconstruct the given DynamicSource in other dataflows and for rendering
119
+ # in TeamServer
120
+ #
121
+ # @param dynamic_source [Contrast::Api::Dtm::DynamicSource] the message to send to the Service to allow it
122
+ # to report the events leading up to the creation of the Dynamic Source
123
+ # @param current_context [Contrast::Agent::RequestContext] the context of the request in which this source
124
+ # is to be created.
125
+ # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the SourceNode that applies to this
126
+ # method
127
+ # @param field [String] the name of the method to which this source applies
128
+ def append_properties! dynamic_source, current_context, source_node, field
113
129
  dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
114
130
  dynamic_source.properties[READ_COLUMN] = Contrast::Utils::StringUtils.force_utf8(field)
115
131
  dynamic_source.properties[WRITE_QUERY_TIME] = Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
116
132
  url = current_context.request.normalized_uri
117
133
  dynamic_source.properties[WRITE_QUERY_URL] = Contrast::Utils::StringUtils.force_utf8(url)
118
- append_events(dynamic_source, properties.event)
119
- dynamic_source
120
134
  end
121
135
 
122
- def append_events dynamic_source, event
136
+ def append_events! dynamic_source, event
123
137
  return unless event
124
138
 
125
139
  event.parent_events&.each do |parent_event|
@@ -52,12 +52,13 @@ module Contrast
52
52
  Contrast::Utils::ObjectShare::CLASS,
53
53
  Contrast::Utils::ObjectShare::MODULE
54
54
  ].cs__freeze
55
- def patch_assess_method clazz, method_name
55
+ def patch_assess_method mod, method_name
56
56
  # Module.define_method is called a lot in Class and Module. We
57
57
  # currently do not expect these define_methods to result in methods
58
58
  # that require patching, so for the sake of performance, we're going
59
59
  # to skip evaluating them
60
- class_name = clazz.cs__name
60
+ mod = mod.cs__class unless mod.cs__is_a?(Module)
61
+ class_name = mod.cs__class
61
62
  return if CLASS_TYPES.include?(class_name)
62
63
  return unless ASSESS.enabled?
63
64
 
@@ -73,7 +74,7 @@ module Contrast
73
74
  method_name: source_node.method_name,
74
75
  method_visibility: source_node.method_visibility,
75
76
  instance_method: true)
76
- patcher.patch_method(clazz, method_array, method_policy)
77
+ patcher.patch_method(mod, method_array, method_policy)
77
78
  end
78
79
  rescue StandardError => e
79
80
  logger.warn(
@@ -19,8 +19,8 @@ module Contrast
19
19
  @source_string = policy_hash[JSON_SOURCE]
20
20
  @target_string = policy_hash[JSON_TARGET]
21
21
  @tags = Set.new(policy_hash[JSON_TAGS])
22
- generate_sources
23
- generate_targets
22
+ @sources = convert_policy_markers(source_string)
23
+ @targets = convert_policy_markers(target_string)
24
24
  end
25
25
 
26
26
  def feature
@@ -47,7 +47,7 @@ module Contrast
47
47
 
48
48
  def target_string= value
49
49
  @target_string = value
50
- generate_targets
50
+ @targets = convert_policy_markers(value)
51
51
  end
52
52
 
53
53
  # Sometimes we need to tie information to an event. We'll add a
@@ -66,62 +66,6 @@ module Contrast
66
66
  @properties[name]
67
67
  end
68
68
 
69
- # Given a source in the format A,B,C, populate the sources of this node
70
- # 1) Split on ','
71
- # 2) If 'O', add the source, else it's P (we don't have R sources) and
72
- # needs to be converted. P type will either be P:name or P# where #
73
- # is the index of the parameter. Drop the P and store the int as int
74
- # or name as symbol
75
- def generate_sources
76
- if source_string
77
- @sources = []
78
- source_string.split(Contrast::Utils::ObjectShare::COMMA).each do |s|
79
- is_object = (s == Contrast::Utils::ObjectShare::OBJECT_KEY)
80
- if is_object
81
- @sources << s
82
- else
83
- parameter_source = s[1..-1]
84
- @sources << if parameter_source.start_with?(Contrast::Utils::ObjectShare::COLON)
85
- parameter_source[1..-1].to_sym
86
- else
87
- parameter_source.to_i
88
- end
89
- end
90
- end
91
- else
92
- @sources = Contrast::Utils::ObjectShare::EMPTY_ARRAY
93
- end
94
- end
95
-
96
- # Given a target in the format A,B,C, populate the targets of this node
97
- # 1) Split on ','
98
- # 2) If 'O' or 'R', add the target, else it's P and needs to be
99
- # converted. P type will either be P:name or P# where # is the index
100
- # of the paramter. Drop the P and store the int as int or name as
101
- # symbol
102
- def generate_targets
103
- if target_string
104
- @targets = []
105
- target_string.split(Contrast::Utils::ObjectShare::COMMA).each do |t|
106
- case t
107
- when Contrast::Utils::ObjectShare::OBJECT_KEY
108
- @targets << t
109
- when Contrast::Utils::ObjectShare::RETURN_KEY
110
- @targets << t
111
- else
112
- parameter_target = t[1..-1]
113
- @targets << if parameter_target.start_with?(Contrast::Utils::ObjectShare::COLON)
114
- parameter_target[1..-1].to_sym
115
- else
116
- parameter_target.to_i
117
- end
118
- end
119
- end
120
- else
121
- @targets = Contrast::Utils::ObjectShare::EMPTY_ARRAY
122
- end
123
- end
124
-
125
69
  # Don't let nodes be created that will be missing things we need
126
70
  # later on. Really, if they don't have these things, they couldn't have
127
71
  # done their jobs anyway.
@@ -186,6 +130,34 @@ module Contrast
186
130
  JSON_TARGET = 'target'
187
131
  JSON_TAGS = 'tags'
188
132
  JSON_DATAFLOW = 'dataflow'
133
+
134
+ private
135
+
136
+ # Given a policy string in the format A,B,C, populate the given array
137
+ # 1) Split on ','
138
+ # 2) If 'O' or 'R', add the array, else it's P and needs to be
139
+ # converted. P type will either be P# where # is the index
140
+ # of the parameter. Drop the P and store the # as an int.
141
+ #
142
+ # @param markers [String] the String from the policy to parse
143
+ # @return [Array] the array generated by converting the marker string
144
+ def convert_policy_markers markers
145
+ return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless markers
146
+ return Contrast::Utils::ObjectShare::EMPTY_ARRAY if markers.empty?
147
+
148
+ converted = []
149
+ markers.split(Contrast::Utils::ObjectShare::COMMA).each do |t|
150
+ case t
151
+ when Contrast::Utils::ObjectShare::OBJECT_KEY,
152
+ Contrast::Utils::ObjectShare::RETURN_KEY
153
+
154
+ converted << t
155
+ else
156
+ converted << Integer(t[1..-1])
157
+ end
158
+ end
159
+ converted
160
+ end
189
161
  end
190
162
  end
191
163
  end
@@ -36,11 +36,11 @@ module Contrast
36
36
  # the state of the object and arguments just prior to the method
37
37
  # being called or nil if one is not required.
38
38
  def build_preshift propagation_node, object, args
39
- return nil unless propagation_node
40
- return nil unless ASSESS.enabled?
39
+ return unless propagation_node
40
+ return unless ASSESS.enabled?
41
41
 
42
42
  initializing = propagation_node.method_name == :initialize
43
- return nil if unsafe_io_object?(object, initializing)
43
+ return if unsafe_io_object?(object, initializing)
44
44
 
45
45
  needs_object = propagation_node.needs_object?
46
46
  needs_args = propagation_node.needs_args?
@@ -37,20 +37,15 @@ module Contrast
37
37
 
38
38
  class << self
39
39
  def determine_target propagation_node, ret, object, args
40
- target_key = propagation_node.targets[0]
41
- return ret if target_key == Contrast::Utils::ObjectShare::RETURN_KEY
42
- return object if target_key == Contrast::Utils::ObjectShare::OBJECT_KEY
43
-
44
- return args[target_key] if target_key.is_a?(Integer)
45
-
46
- arg = nil
47
- args.each do |search|
48
- next unless search.is_a?(Hash)
49
-
50
- arg = search[target_key]
51
- break if arg
40
+ target = propagation_node.targets[0]
41
+ case target
42
+ when Contrast::Utils::ObjectShare::OBJECT_KEY
43
+ object
44
+ when Contrast::Utils::ObjectShare::RETURN_KEY
45
+ ret
46
+ else
47
+ args[target]
52
48
  end
53
- arg
54
49
  end
55
50
 
56
51
  # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
@@ -208,8 +203,8 @@ module Contrast
208
203
  # If this patcher has tags, apply them to the entire target
209
204
  def apply_tags propagation_node, target
210
205
  return unless propagation_node.tags
206
+ return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
211
207
 
212
- properties = Contrast::Agent::Assess::Tracker.properties(target)
213
208
  length = Contrast::Utils::StringUtils.ret_length(target)
214
209
  propagation_node.tags.each do |tag|
215
210
  properties.add_tag(tag, 0...length)
@@ -219,9 +214,7 @@ module Contrast
219
214
  # If this patcher has tags, remove them from the entire target
220
215
  def apply_untags propagation_node, target
221
216
  return unless propagation_node.untags
222
-
223
- properties = Contrast::Agent::Assess::Tracker.properties(target)
224
- return unless properties
217
+ return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
225
218
 
226
219
  propagation_node.untags.each do |tag|
227
220
  properties.delete_tags(tag)
@@ -256,7 +249,7 @@ module Contrast
256
249
 
257
250
  def handle_enumerable_propagation propagation_node, preshift, target, object, ret, args, block
258
251
  target.each do |value|
259
- next if target == value # Some Enumerable#each are overriden to return self the first time which leads to infinite propagation
252
+ next if target == value # Some Enumerable#each are overridden to return self the first time which leads to infinite propagation
260
253
 
261
254
  apply_propagator(propagation_node, preshift, value, object, ret, args, block)
262
255
  end
@@ -265,22 +258,12 @@ module Contrast
265
258
  def handle_cs_properties_propagation propagation_node, preshift, target, object, ret, args, _block
266
259
  return if propagation_node.action == NOOP_ACTION
267
260
  return unless can_propagate?(propagation_node, preshift, target)
261
+ return unless (propagation_class = find_propagation_class(propagation_node))
268
262
 
269
- propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil)
270
- unless propagation_class
271
- logger.warn(
272
- 'Unknown propagation action received. Unable to propagate.',
273
- node_id: propagation_node.id,
274
- action: propagation_node.action)
275
- return
276
- end
277
263
  restore_frozen_state = false
278
264
  if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
279
- return unless ASSESS.track_frozen_sources?
280
- return unless propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
281
-
282
- dup = safe_dup(ret)
283
- return unless dup
265
+ return unless can_handle_frozen?(propagation_node)
266
+ return unless (dup = safe_dup(ret))
284
267
 
285
268
  restore_frozen_state = true
286
269
  ret = dup
@@ -300,7 +283,8 @@ module Contrast
300
283
  # both and there should never be a propagator that has a tag in
301
284
  # its untag.
302
285
  apply_untags(propagation_node, target)
303
- properties = Contrast::Agent::Assess::Tracker.properties(target)
286
+ return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
287
+
304
288
  properties.add_properties(propagation_node.properties)
305
289
  properties.build_event(propagation_node, target, object, ret, args)
306
290
  logger.trace('Propagation detected',
@@ -308,6 +292,31 @@ module Contrast
308
292
  target_id: target.__id__)
309
293
  restore_frozen_state ? ret : nil
310
294
  end
295
+
296
+ # Find the propagation class from the given node, if one exists.
297
+ #
298
+ # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs a
299
+ # propagation event.
300
+ # @return [Contrast::Agent::Assess::Policy::Propagator, nil]
301
+ def find_propagation_class propagation_node
302
+ unless (propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil))
303
+ logger.warn(
304
+ 'Unknown propagation action received. Unable to propagate.',
305
+ node_id: propagation_node.id,
306
+ action: propagation_node.action)
307
+ end
308
+ propagation_class
309
+ end
310
+
311
+ # We can handle frozen propagation iff we're allowed to, as determined by configuration, and the target of
312
+ # the propagation is a return, as that's a replaceable value.
313
+ #
314
+ # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs a
315
+ # propagation event.
316
+ # @return [Boolean]
317
+ def can_handle_frozen? propagation_node
318
+ ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
319
+ end
311
320
  end
312
321
  end
313
322
  end
@@ -83,35 +83,23 @@ module Contrast
83
83
  end
84
84
 
85
85
  def needs_object?
86
- @_needs_object ||= begin
87
- if action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION
88
- true
89
- elsif action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION
90
- true
91
- elsif sources.any? { |source| source == Contrast::Utils::ObjectShare::OBJECT_KEY }
92
- true
93
- elsif targets.any? { |target| target == Contrast::Utils::ObjectShare::OBJECT_KEY }
94
- true
95
- else
96
- false
97
- end
86
+ if @_needs_object.nil?
87
+ @_needs_object = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
88
+ action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
89
+ sources.any? { |source| source == Contrast::Utils::ObjectShare::OBJECT_KEY } ||
90
+ targets.any? { |target| target == Contrast::Utils::ObjectShare::OBJECT_KEY }
98
91
  end
92
+ @_needs_object
99
93
  end
100
94
 
101
95
  def needs_args?
102
- @_needs_args ||= begin
103
- if action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION
104
- true
105
- elsif action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION
106
- true
107
- elsif sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) }
108
- true
109
- elsif targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
110
- true
111
- else
112
- false
113
- end
96
+ if @_needs_args.nil?
97
+ @_needs_args = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
98
+ action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
99
+ sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) } ||
100
+ targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
114
101
  end
102
+ @_needs_args
115
103
  end
116
104
 
117
105
  # This is a tagger if it has a tag or an untag.
@@ -16,8 +16,7 @@ module Contrast
16
16
  # copy tags from the param to the target in chunks of param size or less
17
17
  # if param is appended in space less than param length
18
18
  def propagate propagation_node, preshift, target
19
- properties = Contrast::Agent::Assess::Tracker.properties(target)
20
- return unless properties
19
+ return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
21
20
 
22
21
  sources = propagation_node.sources
23
22
  source1 = find_source(sources[0], preshift)
@@ -30,23 +29,38 @@ module Contrast
30
29
  if source1.length == target.length
31
30
  properties.copy_from(source1, target, 0, propagation_node.untags)
32
31
  else
33
- # find original in the target, copy tags to the new position in
34
- # target
35
- original_start_index = target.index(source1)
36
- properties.copy_from(source1, target, original_start_index, propagation_node.untags)
32
+ handle_append(propagation_node, source1, source2, target, properties)
33
+ end
34
+ properties.cleanup_tags
35
+ end
37
36
 
38
- start = original_start_index + source1.length
39
- while start < target.length
40
- properties.copy_from(source2, target, start, propagation_node.untags)
41
- start += source2.length
42
- next unless start > target.length
37
+ private
43
38
 
44
- properties.tags_at(start - source2.length).each do |tag|
45
- tag.update_end(target.length)
46
- end
39
+ # Given the append operation on source 1 added source 2 to it, changing the target output, modify the
40
+ # tags on the target to account for the change.
41
+ #
42
+ # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node responsible for the
43
+ # propagation action required by this method
44
+ # @param source1 [Object] the thing being appended to
45
+ # @param source2 [Object] the thing being appended
46
+ # @param target [Object] the result of the append operation
47
+ # @param properties [Contrast::Agent::Assess::Properties] the properties of the target
48
+ def handle_append propagation_node, source1, source2, target, properties
49
+ # find original in the target, copy tags to the new position in
50
+ # target
51
+ original_start_index = target.index(source1)
52
+ properties.copy_from(source1, target, original_start_index, propagation_node.untags)
53
+
54
+ start = original_start_index + source1.length
55
+ while start < target.length
56
+ properties.copy_from(source2, target, start, propagation_node.untags)
57
+ start += source2.length
58
+ next unless start > target.length
59
+
60
+ properties.tags_at(start - source2.length).each do |tag|
61
+ tag.update_end(target.length)
47
62
  end
48
63
  end
49
- properties.cleanup_tags
50
64
  end
51
65
  end
52
66
  end