contrast-agent 4.3.1 → 4.6.0

data/lib/contrast/agent/assess/policy/source_node.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/source_method'
@@ -8,11 +8,13 @@ module Contrast
     module Assess
       module Policy
         module SourceValidation
-          # Validator used to assert a CROSS_SITE tag is actually applicable to
-          # the given method before applying the tag to its target
+          # Validator used to assert a CROSS_SITE tag is actually applicable to the given method before applying the
+          # tag to its target
           module CrossSiteValidator
-            # prevent the application of a tag if it is from a source known to
-            # not apply a tag in a provided context.
+            # Prevent the application of a tag if it is from a source known to not apply a tag in a provided context.
+            # Note that for Rack, the Header will be HTTP_REFERER. Rails does some help in
+            # ActionDispatch::Http::Headers to convert keys like `referer` to `HTTP_REFERER` before they get to the
+            # Rack::Request#get_header method
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
             def self.valid? tag, source_type, source_name
               return true unless tag == 'CROSS_SITE'
@@ -20,7 +22,7 @@ module Contrast
               return true unless source_type == Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE
               return false unless source_name
 
-              source_name.casecmp?('referer')
+              source_name == 'HTTP_REFERER'
             end
           end
         end

data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/source_validation/cross_site_validator'

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -24,7 +24,7 @@ module Contrast
               }.cs__freeze
               TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
-              def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
+              def xss_tilt_trigger trigger_node, _source, object, ret, *args
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 scope = args[0]
@@ -44,7 +44,7 @@ module Contrast
                 end
 
                 if Contrast::Agent::Assess::Tracker.tracked?(ret)
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, ret, erb_template_prerender, ret, interpolated_inputs)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, ret, erb_template_prerender, ret, interpolated_inputs)
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
@@ -19,31 +19,30 @@ module Contrast
             include Contrast::Components::Interface
 
             class << self
-              def xpath_expression_trigger context, trigger_node, _source, object, ret, *args
+              def xpath_expression_trigger trigger_node, _source, object, ret, *args
                 return ret unless args
 
-                process(context, trigger_node, object, ret, *args)
+                process(trigger_node, object, ret, *args)
               end
 
-              def xpath_oga_trigger context, trigger_node, _source, object, ret, *args
+              def xpath_oga_trigger trigger_node, _source, object, ret, *args
                 return ret unless args
 
                 # convert the options arg in Oga::XML::CharacterNode#initialize into an
                 # array of its values so we can check if any are unsafe
                 args = args.first.values if args.first.cs__is_a?(Hash)
-                process(context, trigger_node, object, ret, *args)
+                process(trigger_node, object, ret, *args)
               end
 
               private
 
-              def process context, trigger_node, object, ret, *args
+              def process trigger_node, object, ret, *args
                 args.each do |arg|
                   next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
                   next unless Contrast::Agent::Assess::Tracker.tracked?(arg)
                   next unless trigger_node.violated?(arg)
 
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-                      context, trigger_node, arg, object, ret, *args)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, arg, object, ret, *args)
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/events/event_factory'
@@ -27,24 +27,6 @@ module Contrast
           CURRENT_FINDING_VERSION = 4
 
           class << self
-            # Append the given finding to the given context to be reported when
-            # the Context's activity is sent to the Service or, in the absence
-            # of that Context, generate an Activity and queue it manually
-            # @param finding [Contrast::Api::Dtm::Finding]
-            def report_finding finding
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              if context
-                context.activity.findings << finding
-              else
-                activity = Contrast::Api::Dtm::Activity.new
-                activity.findings << finding
-
-                Contrast::Agent.messaging_queue.send_event_eventually(activity)
-              end
-              logger.debug('Finding reported',
-                           rule: finding.rule_id)
-            end
-
             # This is called from within our woven proc. It will be called as if it
             # were inline in the Rack application.
             #
@@ -57,22 +39,17 @@ module Contrast
             def apply_trigger_rule trigger_node, object, ret, args
               return if trigger_node.nil?
 
-              current_context = Contrast::Agent::REQUEST_TRACKER.current
-              return unless current_context&.analyze_request? && ASSESS.enabled?
-
               if trigger_node.sources&.any?
                 trigger_node.sources.each do |marker|
                   source = determine_source(marker, object, ret, args)
-                  apply_trigger(current_context,
-                                trigger_node,
+                  apply_trigger(trigger_node,
                                 source,
                                 object,
                                 ret,
                                 *args)
                 end
               else
-                apply_trigger(current_context,
-                              trigger_node,
+                apply_trigger(trigger_node,
                               nil,
                               object,
                               ret,
@@ -80,15 +57,13 @@ module Contrast
               end
             end
 
-            def apply_eval_trigger context, trigger_node, source, object, ret, *args
-              apply_trigger(context, trigger_node, source, object, ret, *args)
+            def apply_eval_trigger trigger_node, source, object, ret, *args
+              apply_trigger(trigger_node, source, object, ret, *args)
             end
 
             # This converts the source of the finding, and the events leading
             # up to it into a Finding
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -99,39 +74,96 @@ module Contrast
             # @return [Contrast::Api::Dtm::Finding, nil] the
             #   Contrast::Api::Dtm::Finding to send to TeamServer or nil if
             #   conditions were not met
-            def build_finding context, trigger_node, source, object, ret, *args
+            def build_finding trigger_node, source, object, ret, *args
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
 
-              request = context.request
-              env = request.env
-              return if defined?(ActionController::Live) &&
-                  env &&
-                  env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live)
+              request = find_request(source)
+              return unless reportable?(request&.env)
 
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
-              build_from_source(finding, source)
-              trigger_event = Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
-              finding.events << trigger_event
-              build_hash(finding, source)
-              finding.routes << context.route if context.route
+
+              append_events(finding, trigger_node, source, object, ret, args)
+              append_route(finding, request)
+              append_hash(finding, source, request)
               finding.version = determine_compliance_version(finding)
               logger.trace('Finding created',
                            node_id: trigger_node.id,
                            source_id: source.__id__,
                            rule: trigger_node.rule_id)
-              report_finding(finding)
+              report_finding(finding, request)
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
             end
 
+            # Given a finding, append it to an activity message and send it to
+            # the Service for processing.
+            #
+            # @param finding [Contrast::Api::Dtm::Finding] the Finding to
+            #    report.
+            # @param request [Contrast::Agent::Request] our wrapper around the
+            #   Rack::Request.
+            def report_finding finding, request = nil
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                context.activity.findings << finding
+                return
+              end
+
+              activity = Contrast::Api::Dtm::Activity.new
+              activity.findings << finding
+              if request
+                activity.http_request = request.dtm
+              else
+                logger.debug('Attempted to report finding without request', finding: finding)
+              end
+
+              # If we're out of request context, then we need to report this
+              # finding ourselves, so we'll send it in the one-off activity we
+              # created.
+              Contrast::Agent.messaging_queue.send_event_eventually(activity)
+            end
+
             private
 
+            # A request is reportable if it is not from ActionController::Live
+            #
+            # @param env [Hash] the env of the Request
+            # @return [Boolean]
+            def reportable? env
+              !(defined?(ActionController::Live) &&
+                env &&
+                env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
+            end
+
+            # Find the request for this finding. This assumes, for now, that if
+            # there is an active request, then that is the request to report.
+            # Otherwise, we'll use the first request found in the events of the
+            # source_object.
+            #
+            # @param source [Object,nil] some Object used as the source of a
+            #   trigger event
+            # @return [Contrast::Agent::Request,nil] the request from which the
+            #   dataflow on the request originated.
+            def find_request source
+              return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
+
+              properties.events.each do |event|
+                next unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+
+                return event.request if event.request
+              end
+              nil
+            end
+
+            def settings
+              Contrast::Agent::FeatureState.instance
+            end
+
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -139,19 +171,19 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_trigger context, trigger_node, source, object, ret, *args
-              return unless context && trigger_node
+            def apply_trigger trigger_node, source, object, ret, *args
+              return unless trigger_node
               return if trigger_node.rule_disabled?
               return if trigger_node.dataflow? && source.nil?
 
               if trigger_node.regexp_rule?
-                apply_regexp_rule(context, trigger_node, source, object, ret, *args)
+                apply_regexp_rule(trigger_node, source, object, ret, *args)
               elsif trigger_node.custom_trigger?
-                trigger_node.apply_custom_trigger(context, trigger_node, source, object, ret, *args)
+                trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
               elsif trigger_node.dataflow?
-                apply_dataflow_rule(context, trigger_node, source, object, ret, *args)
+                apply_dataflow_rule(trigger_node, source, object, ret, *args)
               else # trigger rule - just calling the method is dangerous
-                build_finding(context, trigger_node, source, object, ret, *args)
+                build_finding(trigger_node, source, object, ret, *args)
               end
             rescue StandardError => e
               logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
@@ -199,8 +231,6 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Regexp based rules.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -208,19 +238,17 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_regexp_rule context, trigger_node, source, object, ret, *args
+            def apply_regexp_rule trigger_node, source, object, ret, *args
               return unless source.is_a?(String)
               return if trigger_node.good_value && source.match?(trigger_node.good_value)
               return if trigger_node.bad_value && source !~ trigger_node.bad_value
 
-              build_finding(context, trigger_node, source, object, ret, *args)
+              build_finding(trigger_node, source, object, ret, *args)
             end
 
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Dataflow based rules.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -228,22 +256,22 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_dataflow_rule context, trigger_node, source, object, ret, *args
+            def apply_dataflow_rule trigger_node, source, object, ret, *args
               return unless source
 
               if Contrast::Agent::Assess::Tracker.trackable?(source)
                 return unless Contrast::Agent::Assess::Tracker.tracked?(source)
                 return unless trigger_node.violated?(source)
 
-                build_finding(context, trigger_node, source, object, ret, *args)
+                build_finding(trigger_node, source, object, ret, *args)
               elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
                 source.each_pair do |key, value|
-                  apply_dataflow_rule(context, trigger_node, key, object, ret, *args)
-                  apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, key, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
                 end
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
                 source.each do |value|
-                  apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
                 end
               else
                 logger.debug('Trigger source is untrackable. Unable to inspect.',
@@ -255,7 +283,12 @@ module Contrast
               end
             end
 
-            def build_from_source finding, source
+            def append_events finding, trigger_node, source, object, ret, args
+              append_from_source(finding, source)
+              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
+            end
+
+            def append_from_source finding, source
               return unless source
               return unless Contrast::Agent::Assess::Tracker.trackable?(source)
 
@@ -286,8 +319,17 @@ module Contrast
               finding.events << event.to_dtm_event
             end
 
-            def build_hash finding, source
-              hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source)
+            def append_route finding, request
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                finding.routes << context.route if context.route
+              elsif request&.route
+                finding.routes << request.route
+              end
+            end
+
+            def append_hash finding, source, request
+              hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
             end

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/trigger/reflected_xss'
@@ -47,8 +47,8 @@ module Contrast
             TRIGGER
           end
 
-          def apply_custom_trigger context, trigger_node, source, object, ret, *args
-            custom_trigger_class.send(@trigger_method, context, trigger_node, source, object, ret, *args)
+          def apply_custom_trigger trigger_node, source, object, ret, *args
+            custom_trigger_class.send(@trigger_method, trigger_node, source, object, ret, *args)
           end
 
           def custom_trigger_class
@@ -185,11 +185,7 @@ module Contrast
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
           def ranges_with_all_tags length, properties, required_tags
-            # if there are no tags, not required tags, or the tags don't have
-            # all the required tags, we can just return here.
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags&.any?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags.all? { |tag| properties.tag_keys.include?(tag) }
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless matches_tags?(properties, required_tags)
 
             ranges = []
             chunking = false
@@ -229,8 +225,7 @@ module Contrast
           #   by the given conditions
           def ranges_with_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless search_tags?(properties, tags)
 
             ranges = []
             tags.each do |desired|
@@ -243,6 +238,32 @@ module Contrast
             end
             ranges
           end
+
+          # We should only try to match tags on properties if those properties have any tags (are tracked) and there
+          # are tags to try and match on. Some rules, like regexp rules, have no tags. Some rules, like trigger, have
+          # no properties.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def search_tags? properties, tags
+            return false unless properties.tracked?
+            return false unless tags&.any?
+
+            true
+          end
+
+          # Determine if the given properties have instances of all the given tags or not.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def matches_tags? properties, tags
+            return false unless search_tags?(properties, tags)
+            return false unless tags.all? { |tag| properties.tag_keys.include?(tag) }
+
+            true
+          end
         end
       end
     end