contrast-agent 4.3.2 → 4.4.0

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -101,18 +101,12 @@ module Contrast
             #   conditions were not met
             def build_finding context, trigger_node, source, object, ret, *args
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
-
-              request = context.request
-              env = request.env
-              return if defined?(ActionController::Live) &&
-                  env &&
-                  env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live)
+              return unless reportable?(context)
 
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
               build_from_source(finding, source)
-              trigger_event = Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
-              finding.events << trigger_event
+              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
               build_hash(finding, source)
               finding.routes << context.route if context.route
               finding.version = determine_compliance_version(finding)
@@ -127,6 +121,17 @@ module Contrast
 
             private
 
+            # A request is reportable if it is not from ActionController::Live
+            #
+            # @param context [Contrast::Agent::RequestContext] the current request context
+            # @return [Boolean]
+            def reportable? context
+              env = context.request.env
+              !(defined?(ActionController::Live) &&
+                env &&
+                env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
+            end
+
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -185,11 +185,7 @@ module Contrast
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
           def ranges_with_all_tags length, properties, required_tags
-            # if there are no tags, not required tags, or the tags don't have
-            # all the required tags, we can just return here.
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags&.any?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless required_tags.all? { |tag| properties.tag_keys.include?(tag) }
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless matches_tags?(properties, required_tags)
 
             ranges = []
             chunking = false
@@ -229,8 +225,7 @@ module Contrast
           #   by the given conditions
           def ranges_with_any_tag properties, tags
             # if there aren't any all_tags or tags, break early
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tags&.any?
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless search_tags?(properties, tags)
 
             ranges = []
             tags.each do |desired|
@@ -243,6 +238,32 @@ module Contrast
             end
             ranges
           end
+
+          # We should only try to match tags on properties if those properties have any tags (are tracked) and there
+          # are tags to try and match on. Some rules, like regexp rules, have no tags. Some rules, like trigger, have
+          # no properties.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def search_tags? properties, tags
+            return false unless properties.tracked?
+            return false unless tags&.any?
+
+            true
+          end
+
+          # Determine if the given properties have instances of all the given tags or not.
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param tags [Set<String>] the list of tags on which to match
+          # @return [Boolean] if the given properties has instances of every tag in tags
+          def matches_tags? properties, tags
+            return false unless search_tags?(properties, tags)
+            return false unless tags.all? { |tag| properties.tag_keys.include?(tag) }
+
+            true
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

@@ -0,0 +1,59 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module TriggerValidation
+          # Validator used to assert a REDOS finding is actually vulnerable
+          # before serializing that finding as a DTM to report to the service.
+          module REDOSValidator
+            RULE_NAME = 'redos'
+
+            class << self
+              def valid? _patcher, object, _ret, args
+                # Can arrive here from either:
+                #   regexp =~ string
+                #   string =~ regexp
+                #   regexp.match string
+                #
+                # Thus object/args[0] can be string/regexp or regexp/string.
+                regexp = object.is_a?(Regexp) ? object : args[0]
+
+                # regexp must be exploitable.
+                return false unless regexp_vulnerable?(regexp)
+
+                true
+              end
+
+              protected
+
+              VULNERABLE_PATTERN = /[\[(].*?[\[(].*?[\])][*+?].*?[\])][*+?]/.cs__freeze
+
+              # Does the regexp
+              # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/redos.md
+              def regexp_vulnerable? regexp
+                # A pattern is considered vulnerable if it has 2 or more levels of nested multi-matching.
+                # A level is defined as any set of opening and closing control characters immediately followed by a multi match control character.
+                # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS,
+                # or MULTI_MATCH_CHARS that is not immediately preceded by an escaping \ character.
+                # OPENING_CHARS are ( and [ CLOSING_CHARS are ) and ] MULTI_MATCH_CHARS are +, *, and ?
+
+                # Nota bene about Regexp#to_s:  it doesn't necessarily give you the original Regexp back
+                # (in the sense of `my_str == Regexp.new(my_str).to_s`), it gives you a Regexp that
+                # will have the same functional characteristics as the original.
+                # Regexp#inspect gives you a "more nicely formatted" version than #to_s.
+                # Regexp#source will give you the original source.
+
+                # Use #match? because it doesn't fill out global variables
+                # in the way match or =~ do.
+                VULNERABLE_PATTERN.match? regexp.source
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -9,7 +9,7 @@ module Contrast
           # Validator used to assert a SSRF finding is actually vulnerable
           # before serializing that finding as a DTM to report to the service.
           module SSRFValidator
-            SSRF_RULE = 'ssrf'
+            RULE_NAME = 'ssrf'
             URL_PATTERN =
               %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze
             # The Net::HTTP class validates host format on instantiation. Since
@@ -23,7 +23,6 @@ module Contrast
             # querystring
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/server_side_request_forgery.md
             def self.valid? patcher, _object, _ret, args
-              return true unless SSRF_RULE == patcher&.rule_id
               return true if patcher.id.to_s.start_with?(PATH_ONLY_PATCH_MARKER)
 
               url = args[0].to_s

data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/assess/policy/trigger_validation/ssrf_validator'
 require 'contrast/agent/assess/policy/trigger_validation/xss_validator'
+require 'contrast/agent/assess/policy/trigger_validation/redos_validator'
 
 module Contrast
   module Agent
@@ -15,7 +16,8 @@ module Contrast
         module TriggerValidation
           VALIDATORS = [
             Contrast::Agent::Assess::Policy::TriggerValidation::SSRFValidator,
-            Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator
+            Contrast::Agent::Assess::Policy::TriggerValidation::XSSValidator,
+            Contrast::Agent::Assess::Policy::TriggerValidation::REDOSValidator
           ].cs__freeze
 
           # Determines if the conditions in which this trigger was called are
@@ -32,9 +34,9 @@ module Contrast
           # @return [Boolean] if the conditions are valid for the generation of
           #   a Contrast::Api::Dtm::Finding
           def self.valid? patcher, object, ret, args
-            VALIDATORS.each do |validator|
-              return false unless validator.valid?(patcher, object, ret, args)
-            end
+            specific_validator = VALIDATORS.find { |validator| validator::RULE_NAME == patcher&.rule_id }
+            return specific_validator.valid?(patcher, object, ret, args) if specific_validator
+
             true
           end
         end

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb

@@ -10,7 +10,7 @@ module Contrast
           # vulnerable before serializing that finding as a DTM to report to
           # the service.
           module XSSValidator
-            XSS_RULE = 'reflected-xss'
+            RULE_NAME = 'reflected-xss'
             SAFE_CONTENT_TYPES = %w[
               /csv
               /javascript
@@ -23,9 +23,7 @@ module Contrast
             # A finding is valid for XSS if the response type is not one of
             # those assumed to be safe
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
-            def self.valid? patcher, _object, _ret, _args
-              return true unless XSS_RULE == patcher&.rule_id
-
+            def self.valid? _patcher, _object, _ret, _args
               content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
               return true unless content_type
 

data/lib/contrast/agent/assess/properties.rb

@@ -6,7 +6,6 @@ require 'set'
 require 'contrast/agent/assess/property/evented'
 require 'contrast/agent/assess/property/tagged'
 require 'contrast/agent/assess/property/updated'
-require 'contrast/utils/prevent_serialization'
 
 module Contrast
   module Agent
@@ -18,7 +17,6 @@ module Contrast
       # to properly convey the events that lead up to the state of the tracked
       # user input.
       class Properties
-        include Contrast::Utils::PreventSerialization
         include Contrast::Agent::Assess::Property::Evented
         include Contrast::Agent::Assess::Property::Tagged
         include Contrast::Agent::Assess::Property::Updated

data/lib/contrast/agent/assess/property/tagged.rb

@@ -91,28 +91,15 @@ module Contrast
 
             at = Hash.new { |h, k| h[k] = [] }
             tags.each_pair do |key, value|
-              add = []
+              add = nil
               value.each do |tag|
-                comparison = tag.compare_range(range.begin, range.end)
-                # BELOW and ABOVE are applicable to this check and are removed.
-                case comparison
-                  # part of the tag is being selected
-                when Contrast::Agent::Assess::Tag::LOW_SPAN
-                  add << Contrast::Agent::Assess::Tag.new(tag.label, range.size)
-                  # the tag exists in the requested range, figure out the boundaries
-                when Contrast::Agent::Assess::Tag::WITHIN
-                  start = tag.start_idx - range.begin
-                  finish = range.size - start
-                  add << Contrast::Agent::Assess::Tag.new(tag.label, finish, start)
-                  # the tag spans the requested range.
-                when Contrast::Agent::Assess::Tag::WITHOUT # rubocop:disable Lint/DuplicateBranch
-                  add << Contrast::Agent::Assess::Tag.new(tag.label, range.size)
-                  # part of the tag is being selected
-                when Contrast::Agent::Assess::Tag::HIGH_SPAN # rubocop:disable Lint/DuplicateBranch
-                  add << Contrast::Agent::Assess::Tag.new(tag.label, range.size)
+                within_range = resize_to_range(tag, range)
+                if within_range
+                  add ||= []
+                  add << within_range
                 end
               end
-              next if add.empty?
+              next unless add&.any?
 
               at[key] = add
             end
@@ -344,6 +331,37 @@ module Contrast
               Contrast::Utils::TagUtil.ordered_merge(value, add)
             end
           end
+
+          private
+
+          # Given a tag, compare it to a given range and, if any part of that tag is within the range, return a new tag
+          # covering the union of the original tag and the range. This new tag will start at the
+          # max(tag.start, range.start) and end at min(tag.end, range.end)
+          #
+          # @param tag [Contrast::Agent::Assess::Tag] the Tag that may be in this range
+          # @param range [Range] the span to check, inclusive to exclusive
+          # @return [Contrast::Agent::Assess::Tag, nil] a new tag, truncated to only span within the given range or nil
+          #   if no overlap exists
+          def resize_to_range tag, range
+            comparison = tag.compare_range(range.begin, range.end)
+            # BELOW and ABOVE are not applicable to this check and result in nil
+            case comparison
+              # part of the tag is being selected
+            when Contrast::Agent::Assess::Tag::LOW_SPAN
+              Contrast::Agent::Assess::Tag.new(tag.label, range.size)
+              # the tag exists in the requested range, figure out the boundaries
+            when Contrast::Agent::Assess::Tag::WITHIN
+              start = tag.start_idx - range.begin
+              finish = range.size - start
+              Contrast::Agent::Assess::Tag.new(tag.label, finish, start)
+              # the tag spans the requested range.
+            when Contrast::Agent::Assess::Tag::WITHOUT # rubocop:disable Lint/DuplicateBranch
+              Contrast::Agent::Assess::Tag.new(tag.label, range.size)
+              # part of the tag is being selected
+            when Contrast::Agent::Assess::Tag::HIGH_SPAN # rubocop:disable Lint/DuplicateBranch
+              Contrast::Agent::Assess::Tag.new(tag.label, range.size)
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/assess/tracker.rb

@@ -16,7 +16,7 @@ module Contrast
         class << self
           # Retrieve the properties of the given Object, iff they exist.
           #
-          # @param source [Object] the thing for which to look up properties.
+          # @param source [Object, nil] the thing for which to look up properties.
           # @return [Contrast::Agent::Assess::Properties, nil]
           def properties source
             PROPERTIES_HASH[source]

data/lib/contrast/agent/middleware.rb

@@ -46,27 +46,6 @@ module Contrast
         agent_startup_routine
       end
 
-      # Startup the Agent as part of the initialization process:
-      # - start the service sending thread, responsible for sending and
-      #   processing messages
-      # - start the heartbeat thread, which triggers service startup
-      # - start instrumenting libraries and do a 'catchup' patch for everything
-      #   we didn't see get loaded
-      # - enable TracePoint, which handles all class loads and required
-      #   instrumentation going forward
-      def agent_startup_routine
-        logger.debug_with_time('middleware: starting service') do
-          Contrast::Agent.thread_watcher.ensure_running?
-        end
-
-        logger.debug_with_time('middleware: instrument shared libraries and patch') do
-          Contrast::Agent::Patching::Policy::Patcher.patch
-        end
-
-        AGENT.enable_tracepoint
-        Contrast::Agent::AtExitHook.exit_hook
-      end
-
       # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready
       # to do some processing on a per request basis. If not, we just pass the request along to the
       # next middleware in the stack.
@@ -76,14 +55,11 @@ module Contrast
       # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back
       #   to the user up the Rack framework.
       def call env
-        Contrast::Utils::HeapDumpUtil.run
+        return app.call(env) unless AGENT.enabled?
 
-        if AGENT.enabled?
-          handle_first_request
-          call_with_agent(env)
-        else
-          app.call(env)
-        end
+        Contrast::Agent.heapdump_util.start_thread!
+        handle_first_request
+        call_with_agent(env)
       end
 
       private
@@ -103,6 +79,29 @@ module Contrast
         end
       end
 
+      # Startup the Agent as part of the initialization process:
+      # - start the service sending thread, responsible for sending and
+      #   processing messages
+      # - start the heartbeat thread, which triggers service startup
+      # - start instrumenting libraries and do a 'catchup' patch for everything
+      #   we didn't see get loaded
+      # - enable TracePoint, which handles all class loads and required
+      #   instrumentation going forward
+      def agent_startup_routine
+        logger.debug_with_time('middleware: starting service') do
+          Contrast::Agent.thread_watcher.ensure_running?
+        end
+
+        logger.debug_with_time('middleware: instrument shared libraries and patch') do
+          Contrast::Agent::Patching::Policy::Patcher.patch
+        end
+
+        logger.debug_with_time('middleware: enabling tracepoint') do
+          AGENT.enable_tracepoint
+        end
+        Contrast::Agent::AtExitHook.exit_hook
+      end
+
       # Some things have to wait until first request to happen, either because
       # resolution is not complete or because the framework will preload
       # classes, which confuses some of our instrumentation.
@@ -135,10 +134,12 @@ module Contrast
       # This is where we process each request we intercept as a middleware. We make the request context
       # available globally so that it can be accessed from anywhere. A RequestHandler object is made
       # for each request, which handles prefilter and postfilter operations.
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
+      #   and values of this Request
+      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back
+      #   to the user up the Rack framework.
       def call_with_agent env
         Contrast::Agent.thread_watcher.ensure_running?
-        return unless AGENT.enabled?
-
         framework_request = Contrast::Agent.framework_manager.retrieve_request(env)
         context = Contrast::Agent::RequestContext.new(framework_request)
         response = nil
@@ -148,28 +149,9 @@ module Contrast
           logger.request_start
           request_handler = Contrast::Agent::RequestHandler.new(context)
 
-          # prefilter sequence
-          with_contrast_scope do
-            context.service_extract_request
-            request_handler.ruleset.prefilter
-          end
-
-          response = application_code(env) # pass request down the Rack chain with original env
-
-          # postfilter sequence
-          with_contrast_scope do
-            context.extract_after(response) # update context with final response information
-
-            if Contrast::Agent.framework_manager.streaming?(env)
-              context.reset_activity
-              request_handler.stream_safe_postfilter
-            else
-              request_handler.ruleset.postfilter
-              # return response stored in the context in case any postfilter rules updated the response data
-              response = context.response&.rack_response || response
-              request_handler.send_activity_messages
-            end
-          end
+          pre_call_with_agent(context, request_handler)
+          response = application_code(env)
+          post_call_with_agent(context, env, request_handler, response)
         ensure
           logger.request_end
         end
@@ -179,6 +161,47 @@ module Contrast
         handle_exception(e)
       end
 
+      # Handle the operations the Agent needs to accomplish prior to the Application code executing during this
+      # request.
+      #
+      # @param context [Contrast::Agent::RequestContext]
+      # @param request_handler [Contrast::Agent::RequestHandler]
+      def pre_call_with_agent context, request_handler
+        with_contrast_scope do
+          context.service_extract_request
+          request_handler.ruleset.prefilter
+        end
+      rescue StandardError => e
+        raise e if security_exception?(e)
+
+        logger.error('Unable to execute agent pre_call', e)
+      end
+
+      # Handle the operations the Agent needs to accomplish after the Application code executes during this request.
+      #
+      # @param context [Contrast::Agent::RequestContext]
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this Request
+      # @param request_handler [Contrast::Agent::RequestHandler]
+      # @param response [Array,Rack::Response]
+      def post_call_with_agent context, env, request_handler, response
+        with_contrast_scope do
+          context.extract_after(response) # update context with final response information
+
+          if Contrast::Agent.framework_manager.streaming?(env)
+            context.reset_activity
+            request_handler.stream_safe_postfilter
+          else
+            request_handler.ruleset.postfilter
+            request_handler.send_activity_messages
+          end
+        end
+      rescue StandardError => e
+        raise e if security_exception?(e)
+
+        logger.error('Unable to execute agent post_call', e)
+      end
+
       def application_code env
         logger.trace_with_time('application') do
           app.call(env)
@@ -192,9 +215,7 @@ module Contrast
       # We're only going to suppress SecurityExceptions indicating a blocked attack.
       # And, only if the config.agent.ruby.exceptions.capture? is set
       def handle_exception exception
-        if exception.is_a?(Contrast::SecurityException) ||
-              exception.message&.include?(SECURITY_EXCEPTION_MARKER)
-
+        if security_exception?(exception)
           exception_control = AGENT.exception_control
           raise exception unless exception_control[:enable]
 
@@ -205,6 +226,15 @@ module Contrast
         end
       end
 
+      # Is the given exception one raised by our Protect code?
+      #
+      # @param exception [Exception]
+      # @return [Boolean]
+      def security_exception? exception
+        exception.is_a?(Contrast::SecurityException) ||
+            exception.message&.include?(SECURITY_EXCEPTION_MARKER)
+      end
+
       # As we deprecate support to prepare to remove dead code, we need to
       # inform our users still relying on the now deprecated and soon to be
       # removed functionality. This method handles doing that by leveraging the