contrast-agent 4.3.2 → 4.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '09fcc059f5c03c966c230f4576d93399f6a35bc15a42cfd4a5a9541d5e292f95'
-  data.tar.gz: 96d58e585f42c42599744e9170d1051263e661671ae88ea9ca972a9c9be2f954
+  metadata.gz: 0e9acb88aec7b0f51a076b5358738fa6d0c245bb2d91c2dfcf41d2f9fb3ed204
+  data.tar.gz: 405ba4ca7da645d6f06767961341c587bc6369279f62742ae7b86d5dc0b6101c
 SHA512:
-  metadata.gz: d789f3aa5577188dabc62847c921a2a00f0dec9016dc10d6d8bb8ebe6c74c69c485ee81ae0a95e99ef3d82030e620167f3d433220120de611bf021947fb1ab67
-  data.tar.gz: 55e07ffd5112cbdde2e97b7eab565c24c811318927c13c55bde4f93a9ac4e78ba00bdb25e18d275700bb0433eeb50cee6d5dc4fa704a8526e71ba2d0ce4a99d4
+  metadata.gz: 4bf982f03e6daa5425c13adcb0b2c332745a9dee27733d5f90d77a4e5b4c9983a71b39f7cc0f836d19fc04b9b2a6e4eaf39ef2732be65921fd7c2f125a53b685
+  data.tar.gz: c18d27bc472db9037ada00561a81cf0eed181ee717ab7c20f40f39d4675fd1a797b00c0109792afb3902b107ae37b69c3c564399a2d2ca1882dd2ed71f0c93fe

data/lib/contrast/agent.rb

@@ -56,8 +56,12 @@ module Contrast
       @_framework_manager ||= Contrast::Framework::Manager.new
     end
 
+    def self.heapdump_util
+      thread_watcher.heapdump_util
+    end
+
     def self.messaging_queue
-      @_messaging_queue ||= Contrast::Api::Communication::MessagingQueue.new
+      thread_watcher.messaging_queue
     end
 
     def self.thread_watcher

data/lib/contrast/agent/assess.rb

@@ -13,18 +13,9 @@ module Contrast
       require 'contrast/agent/rewriter'
       require 'contrast/agent/assess/policy/preshift'
 
-      require 'contrast/utils/prevent_serialization'
-
-      # Rules - generic
-      require 'contrast/agent/assess/rule'
-      require 'contrast/agent/assess/rule/base'
-
       # Dynamic Sources
       require 'contrast/agent/assess/policy/dynamic_source_factory'
 
-      # Rule: REDOS
-      require 'contrast/agent/assess/rule/redos'
-
       # reporting / tracking
       require 'contrast/agent/assess/properties'
       require 'contrast/agent/assess/tag'

data/lib/contrast/agent/assess/contrast_event.rb

@@ -5,7 +5,6 @@ require 'contrast/utils/assess/tracking_util'
 require 'contrast/utils/class_util'
 require 'contrast/utils/duck_utils'
 require 'contrast/utils/object_share'
-require 'contrast/utils/prevent_serialization'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/timer'
@@ -35,7 +34,6 @@ module Contrast
       # @attr_reader args [Array<Contrast::Agent::Assess::ContrastObject>] the
       #   safe representation of the Arguments with which the method was invoked
       class ContrastEvent
-        include Contrast::Utils::PreventSerialization
         include Contrast::Components::Interface
         access_component :analysis
 

data/lib/contrast/agent/assess/contrast_object.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/class_util'
+require 'contrast/utils/object_share'
+require 'contrast/agent/assess/tracker'
 
 module Contrast
   module Agent
@@ -28,7 +30,7 @@ module Contrast
         # Capture the details about the object which we need to render it in
         # TeamServer.
         #
-        # @param object [Object] the thing to keep a Contrast String of
+        # @param object [Object, nil] the thing to keep a Contrast String of
         def initialize object
           if object
             @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
@@ -38,7 +40,8 @@ module Contrast
             #   String that was then #reverse!'d, would our tags be wrong?
             @tags = Contrast::Agent::Assess::Tracker.properties(object)&.tags
           else
-            @object_type = Contrast::Utils::ObjectShare::NIL_STRING
+            @object = Contrast::Utils::ObjectShare::NIL_STRING
+            @object_type = nil.cs__class.name
           end
         end
 

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -12,9 +12,14 @@ module Contrast
         # finalizer on the object to remove its entry from the Hash immediately
         # after it's GC'd.
         class Hash < Hash
+          include Contrast::Components::Interface
+          access_component :agent, :analysis
+
           FROZEN_FINALIZED_IDS = Set.new
 
           def []= key, obj
+            return unless AGENT.enabled? && ASSESS.enabled?
+
             # We can't finalize frozen things, so only act on those that went
             # through .pre_freeze
             if key.cs__frozen?
@@ -35,6 +40,7 @@ module Contrast
           # @param key [Object] the thing to determine if trackable
           # @return [Boolean]
           def trackable? key
+            return false unless key
             # Track things in these, not them themselves.
             return false if Contrast::Utils::DuckUtils.iterable_hash?(key)
             return false if Contrast::Utils::DuckUtils.iterable_enumerable?(key)
@@ -81,6 +87,7 @@ module Contrast
           # @param key [Object] the Object on which we need to pre-define
           #   finalizers
           def pre_freeze key
+            return unless AGENT.enabled? && ASSESS.enabled?
             return if key.cs__frozen?
             return if FROZEN_FINALIZED_IDS.include?(key.__id__)
 

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -110,16 +110,30 @@ module Contrast
               dynamic_source.method_name = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.instance_method = source_node.instance_method?
               dynamic_source.target = Contrast::Utils::StringUtils.force_utf8(source_node.target_string)
+              append_properties!(dynamic_source, current_context, source_node, field)
+              append_events!(dynamic_source, properties.event)
+              dynamic_source
+            end
+
+            # Append the properties needed to reconstruct the given DynamicSource in other dataflows and for rendering
+            # in TeamServer
+            #
+            # @param dynamic_source [Contrast::Api::Dtm::DynamicSource] the message to send to the Service to allow it
+            #   to report the events leading up to the creation of the Dynamic Source
+            # @param current_context [Contrast::Agent::RequestContext] the context of the request in which this source
+            #   is to be created.
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the SourceNode that applies to this
+            #   method
+            # @param field [String] the name of the method to which this source applies
+            def append_properties! dynamic_source, current_context, source_node, field
               dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.properties[READ_COLUMN] = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.properties[WRITE_QUERY_TIME] = Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
               url = current_context.request.normalized_uri
               dynamic_source.properties[WRITE_QUERY_URL] = Contrast::Utils::StringUtils.force_utf8(url)
-              append_events(dynamic_source, properties.event)
-              dynamic_source
             end
 
-            def append_events dynamic_source, event
+            def append_events! dynamic_source, event
               return unless event
 
               event.parent_events&.each do |parent_event|

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -258,22 +258,12 @@ module Contrast
             def handle_cs_properties_propagation propagation_node, preshift, target, object, ret, args, _block
               return if propagation_node.action == NOOP_ACTION
               return unless can_propagate?(propagation_node, preshift, target)
+              return unless (propagation_class = find_propagation_class(propagation_node))
 
-              propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil)
-              unless propagation_class
-                logger.warn(
-                    'Unknown propagation action received. Unable to propagate.',
-                    node_id: propagation_node.id,
-                    action: propagation_node.action)
-                return
-              end
               restore_frozen_state = false
               if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
-                return unless ASSESS.track_frozen_sources?
-                return unless propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
-
-                dup = safe_dup(ret)
-                return unless dup
+                return unless can_handle_frozen?(propagation_node)
+                return unless (dup = safe_dup(ret))
 
                 restore_frozen_state = true
                 ret = dup
@@ -302,6 +292,31 @@ module Contrast
                            target_id: target.__id__)
               restore_frozen_state ? ret : nil
             end
+
+            # Find the propagation class from the given node, if one exists.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs a
+            #   propagation event.
+            # @return [Contrast::Agent::Assess::Policy::Propagator, nil]
+            def find_propagation_class propagation_node
+              unless (propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil))
+                logger.warn(
+                    'Unknown propagation action received. Unable to propagate.',
+                    node_id: propagation_node.id,
+                    action: propagation_node.action)
+              end
+              propagation_class
+            end
+
+            # We can handle frozen propagation iff we're allowed to, as determined by configuration, and the target of
+            # the propagation is a return, as that's a replaceable value.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs a
+            #   propagation event.
+            # @return [Boolean]
+            def can_handle_frozen? propagation_node
+              ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagator/append.rb

@@ -29,23 +29,38 @@ module Contrast
                 if source1.length == target.length
                   properties.copy_from(source1, target, 0, propagation_node.untags)
                 else
-                  # find original in the target, copy tags to the new position in
-                  # target
-                  original_start_index = target.index(source1)
-                  properties.copy_from(source1, target, original_start_index, propagation_node.untags)
+                  handle_append(propagation_node, source1, source2, target, properties)
+                end
+                properties.cleanup_tags
+              end
 
-                  start = original_start_index + source1.length
-                  while start < target.length
-                    properties.copy_from(source2, target, start, propagation_node.untags)
-                    start += source2.length
-                    next unless start > target.length
+              private
 
-                    properties.tags_at(start - source2.length).each do |tag|
-                      tag.update_end(target.length)
-                    end
+              # Given the append operation on source 1 added source 2 to it, changing the target output, modify the
+              # tags on the target to account for the change.
+              #
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node responsible for the
+              #   propagation action required by this method
+              # @param source1 [Object] the thing being appended to
+              # @param source2 [Object] the thing being appended
+              # @param target [Object] the result of the append operation
+              # @param properties [Contrast::Agent::Assess::Properties] the properties of the target
+              def handle_append propagation_node, source1, source2, target, properties
+                # find original in the target, copy tags to the new position in
+                # target
+                original_start_index = target.index(source1)
+                properties.copy_from(source1, target, original_start_index, propagation_node.untags)
+
+                start = original_start_index + source1.length
+                while start < target.length
+                  properties.copy_from(source2, target, start, propagation_node.untags)
+                  start += source2.length
+                  next unless start > target.length
+
+                  properties.tags_at(start - source2.length).each do |tag|
+                    tag.update_end(target.length)
                   end
                 end
-                properties.cleanup_tags
               end
             end
           end

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -24,23 +24,8 @@ module Contrast
 
                 known_tainted = ASSESS.tainted_columns[class_name]
                 propagation_node.sources.each do |source|
-                  arg = preshift.args[source]
-                  next unless arg.cs__respond_to?(:each_pair)
-
-                  arg.each_pair do |key, value|
-                    next unless value
-                    next if known_tainted&.include?(key)
-                    next unless (properties = Contrast::Agent::Assess::Tracker.properties!(value))
-
-                    # TODO: RUBY-540 handle sanitization, handle nested objects
-                    Contrast::Agent::Assess::Policy::PropagationMethod.apply_tags(propagation_node, value)
-                    properties.build_event(propagation_node, value, preshift.object, target, preshift.args)
-                    next unless tracked_value?(value)
-
-                    tainted_columns[key] = properties
-                  end
+                  handle_write(propagation_node, source, preshift, target, known_tainted, tainted_columns)
                 end
-
                 return if tainted_columns.empty?
 
                 if known_tainted
@@ -51,6 +36,26 @@ module Contrast
 
                 Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources class_type, tainted_columns
               end
+
+              private
+
+              def handle_write propagation_node, source, preshift, target, known_tainted, tainted_columns
+                arg = preshift.args[source]
+                return unless arg.cs__respond_to?(:each_pair)
+
+                arg.each_pair do |key, value|
+                  next unless value
+                  next if known_tainted&.include?(key)
+                  next unless (properties = Contrast::Agent::Assess::Tracker.properties!(value))
+
+                  # TODO: RUBY-540 handle sanitization, handle nested objects
+                  Contrast::Agent::Assess::Policy::PropagationMethod.apply_tags(propagation_node, value)
+                  properties.build_event(propagation_node, value, preshift.object, target, preshift.args)
+                  next unless tracked_value?(value)
+
+                  tainted_columns[key] = properties
+                end
+              end
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagator/splat.rb

@@ -19,19 +19,7 @@ module Contrast
                   when Contrast::Utils::ObjectShare::OBJECT_KEY
                     tracked_inputs << preshift.object if Contrast::Agent::Assess::Tracker.tracked?(preshift.object)
                   else
-                    arg = preshift.args[source]
-                    if arg.is_a?(String)
-                      tracked_inputs << arg if Contrast::Agent::Assess::Tracker.tracked?(arg)
-                    elsif Contrast::Utils::DuckUtils.iterable_hash?(arg)
-                      arg.each_pair do |key, value|
-                        tracked_inputs << key if tracked_value?(key)
-                        tracked_inputs << value if tracked_value?(value)
-                      end
-                    elsif Contrast::Utils::DuckUtils.iterable_enumerable?(arg)
-                      arg.each do |value|
-                        tracked_inputs << value if tracked_value?(value)
-                      end
-                    end
+                    find_argument_inputs(tracked_inputs, preshift.args[source])
                   end
                 end
 
@@ -50,6 +38,28 @@ module Contrast
                   properties.splat_from(input, target)
                 end
               end
+
+              private
+
+              # The arguments to the splat method are complex and of multiple types. As such, we need to handle
+              # Strings and iterables to determine the tracked inputs on which to act.
+              #
+              # @param tracked_inputs [Array] storage for the inputs to act on later
+              # @param arg [Object] an input to the method which act as sources for this propagation.
+              def find_argument_inputs tracked_inputs, arg
+                if arg.is_a?(String)
+                  tracked_inputs << arg if Contrast::Agent::Assess::Tracker.tracked?(arg)
+                elsif Contrast::Utils::DuckUtils.iterable_hash?(arg)
+                  arg.each_pair do |key, value|
+                    tracked_inputs << key if tracked_value?(key)
+                    tracked_inputs << value if tracked_value?(value)
+                  end
+                elsif Contrast::Utils::DuckUtils.iterable_enumerable?(arg)
+                  arg.each do |value|
+                    tracked_inputs << value if tracked_value?(value)
+                  end
+                end
+              end
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -38,13 +38,7 @@ module Contrast
                 source = find_source(propagation_node.sources[0], preshift)
                 return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
 
-                # grapheme_clusters break the string apart based on each "user-perceived" character.
-                # Otherwise, the default for String#split is to use a single whitespace.
-                separator_length = if propagation_node.method_name == :grapheme_clusters
-                                     0
-                                   else
-                                     preshift&.args&.first&.to_s&.length || $FIELD_SEPARATOR&.to_s&.length || 1
-                                   end
+                separator_length = find_separator_length(propagation_node, preshift)
 
                 current_index = 0
                 target.each do |target_elem|
@@ -126,6 +120,19 @@ module Contrast
 
               private
 
+              # grapheme_clusters break the string apart based on each "user-perceived" character. Otherwise, the
+              # default for String#split is to use a single whitespace.
+              #
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+              #   propagation event.
+              # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+              #   the invocation of the patched method.
+              def find_separator_length propagation_node, preshift
+                return 0 if propagation_node.method_name == :grapheme_clusters
+
+                preshift&.args&.first&.to_s&.length || $FIELD_SEPARATOR&.to_s&.length || 1
+              end
+
               # Save index of the current split object.
               # Create index tracking array as needed.
               def save_split_index!

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -95,10 +95,8 @@ module Contrast
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
-                parent_event = incoming_properties&.event
-                parent_events << parent_event if parent_event
+                parent_events << incoming_properties&.event if incoming_properties&.event
 
-                pattern = preshift.args[0]
                 source = preshift.object
 
                 # We can't efficiently find the places that things were
@@ -111,6 +109,34 @@ module Contrast
 
                 # if it's just a straight insert, that we can do
                 # Copy the tags from us to the return
+                ranges = find_string_sub_insert(properties, preshift, incoming, ret, global)
+
+                properties.delete_tags_at_ranges(ranges)
+                properties.shift_tags(ranges)
+                return unless incoming_tracked
+                return unless incoming_properties
+
+                tags = incoming_properties.tag_keys
+                ranges.each do |range|
+                  tags.each do |tag|
+                    properties.add_tag(tag, range)
+                  end
+                end
+              end
+
+              # Find the points at which the new String was placed into the original
+              #
+              # @param properties [Contrast::Agent::Assess::Properties] the Properties of the ret
+              # @param preshift [Contrast::Agent::Assess::PreShift] the capture of the state of the code just prior to
+              #   the invocation of the patched method
+              # @param incoming [String] the new String going into the substitution
+              # @param ret [String] the result of the substitution
+              # @param global [Boolean] if this was a global or single substitution
+              # @return [Array<Range>] the Ranges where substitution occurred
+              def find_string_sub_insert properties, preshift, incoming, ret, global
+                pattern = preshift.args[0]
+                source = preshift.object
+
                 properties.copy_from(source, ret)
                 # Figure out where inserts occurred
                 last_idx = 0
@@ -126,17 +152,7 @@ module Contrast
                   ranges << (start_index...end_index)
                   break unless global
                 end
-                properties.delete_tags_at_ranges(ranges)
-                properties.shift_tags(ranges)
-                return unless incoming_tracked
-                return unless incoming_properties
-
-                tags = incoming_properties.tag_keys
-                ranges.each do |range|
-                  tags.each do |tag|
-                    properties.add_tag(tag, range)
-                  end
-                end
+                ranges
               end
 
               def block_sub self_tracked, source, ret