contrast-agent 4.3.2 → 4.4.0

data/lib/contrast/framework/rails/support.rb

@@ -47,32 +47,34 @@ module Contrast
           end
 
           # Find the current route, based on the provided Request wrapper
+          #
           # @param request[Contrast::Agent::Request]
           # @return [Contrast::Api::Dtm::RouteCoverage]
           def current_route request
             return unless ::Rails.cs__respond_to?(:application)
 
-            # returns array of arrays [[match_data, path_parameters, route]], sorted by
-            # precedence
-            # match_data: ActionDispatch::Journey::Path::Pattern::MatchData
-            # path_parameters: hash of various things
-            # route: ActionDispatch::Journey::Route
-            full_routes = ::Rails.application.routes.router.send(:find_routes, request.rack_request)
-            return if full_routes.empty?
+            match, _params, route, path = get_full_route(request.rack_request)
 
-            full_route = full_routes[0]
+            original_url = request.rack_request.path_info
 
-            # the route is directly implemented within the application
-            if direct_route?(full_route)
-              route = full_route[2] # route w/ highest precedence
-              Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route)
-            else
-              engine_route(full_route, request)
+            # Route is either the final rails route, or a router that points to a Sinatra controller.
+            if Contrast::Framework::Sinatra::Support.sinatra_controller?(route.app.app)
+              # Create a request copied from current request, but with the base path removed from path_info.
+              new_req = ::ActionDispatch::Request.new(request.env)
+              new_req.path_info = new_req.path_info.gsub((path << match).join, '')
+
+              return Contrast::Framework::Sinatra::Support.current_route(new_req, route.app.app, original_url)
             end
+
+            Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route, original_url)
           rescue StandardError => _e
             nil
           end
 
+          # Copy a request for modification.
+          #
+          # @param [::ActionDispatch::Request] original env.
+          # @return [::ActionDispatch::Request] a copy of original env with rails env merged.
           def retrieve_request env
             rails_env = ::Rails.application.env_config.merge(env)
             ::ActionDispatch::Request.new(rails_env || env)
@@ -87,37 +89,34 @@ module Contrast
 
           private
 
-          # route is not mounted within an engine
-          def direct_route? full_route
-            full_route[2]&.app&.cs__class == ActionDispatch::Routing::RouteSet::Dispatcher ||
-                (full_route[2].cs__class == ActionDispatch::Journey::Route && full_route[2]&.app&.cs__class == ActionDispatch::Routing::Mapper::Constraints)
+          # Determine if route is a Rails engine route.
+          #
+          # @param [Object] app or route that points to a ::Rails::Engine
+          # @return [bool] whether the router is an engine or not.
+          def engine_route? route
+            route.app.is_a?(::ActionDispatch::Routing::Mapper::Constraints) && route.app.app < ::Rails::Engine
           end
 
-          def engine_route full_route, request
-            engine_route = full_route[2] # supposed route - but actually an Engine mount point
-            return unless engine_route
-
-            engine_mount_name = engine_route.name
-            return unless engine_mount_name
-
-            engine_path_segments = request.rack_request.path_info.split(engine_mount_name)
-            return if engine_path_segments.empty?
-
-            path_within_engine = engine_path_segments[-1]
-            return unless path_within_engine
-
-            engine_router = engine_route.app&.app&.routes&.router
-            return unless engine_router
-
-            # Get all routes regardless of http method
-            matching_routes = engine_router.send(:filter_routes, path_within_engine)
-            return unless matching_routes
-
-            # filter for current http method
-            reportable_routes = engine_router.send(:match_routes, matching_routes, request.rack_request)
-            return if reportable_routes.empty?
-
-            Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(reportable_routes[0])
+          # Recursively get final route traversing engines as required.
+          #
+          # @param request [::Rack::Request] the rack request as will be handed to rails controller.
+          # @param top_router [::ActionDispatch::Journer::Router] the current router relative to the previous.
+          # @param path [Array<String>] the chunks of path that have been seen.
+          # @return [Array<array>] the final set of rails route classes.
+          def get_full_route request, top_router = ::Rails.application.routes.router, path = []
+            return if (route_matches = top_router.send(:find_routes, request)).empty?
+
+            match, params, route = route_matches.first
+
+            # If the current routing node points to a sub-app (::Rais::Engine), dive deeper.
+            # Have sub-app route the remainder of the url.
+            if engine_route?(route)
+              new_req = retrieve_request request.env
+              new_req.path_info = new_req.path_info.gsub(match.to_s, '')
+              get_full_route(new_req, route.app.app.routes.router, path << match.to_s)
+            else
+              [match, params, route, path]
+            end
           end
 
           # Rails engine routes need to be detected by inspecting Engine class route set

data/lib/contrast/framework/sinatra/support.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/framework/base_support'
-require 'contrast/framework/sinatra/patch/support'
 
 module Contrast
   module Framework
@@ -10,7 +9,6 @@ module Contrast
       # Used when Sinatra is present to define framework specific behavior
       class Support
         extend Contrast::Framework::BaseSupport
-        extend Contrast::Framework::Sinatra::Patch::Support
         class << self
           def detection_class
             'Sinatra'
@@ -21,44 +19,74 @@ module Contrast
           end
 
           def application_name
-            return unless app_class
-
-            app_class.cs__class.cs__name
+            app_class&.cs__name
           end
 
           def application_root
-            return unless app_class
-
-            app_class.root
+            app_instance&.root
           end
 
           def server_type
             'sinatra'
           end
 
-          # Iterate over every class that extends Sinatra::Base, pull out its routes
-          # (array of arrays with Mustermann::Sinatra as [][0]) and convert them into
-          # Contrast::Api::Dtm::RouteCoverage
+          # Given an object, determine if it is a Sinatra controller with routes.
+          #
+          # @param app [Object] suspected Sinatra app.
+          # @return [Boolean]
+          def sinatra_controller? app
+            # Sinatra is loaded?
+            return false unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+            # App is a subclass of or actually is ::Sinatra::Base.
+            return false unless (app.cs__respond_to?(:<) && app < ::Sinatra::Base) || app == ::Sinatra::Base
+
+            # App has routes.
+            !app.routes.empty?
+          end
+
+          # Find all classes that subclass ::Sinatra::Base. Gather their routes.
+          #
+          # @return [Array<Contrast::Api::Dtm::RouteCoverage>] the routes found as Dtms.
           def collect_routes
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+
             routes = []
-            controllers = sinatra_controllers
-            controllers.each do |clazz|
-              class_routes = sinatra_class_routes(clazz)
-              next unless class_routes
-
-              class_routes.each_pair do |method, list|
-                # item: [ Mustermann::Sinatra, [], Proc]
-                list.each do |item|
-                  routes << Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(clazz, method, item[0])
+            sinatra_controllers.each do |controller|
+              controller.routes.each_pair do |method, route_triplets|
+                # Sinatra stores its routes as a triplet: [Mustermann::Sinatra, [], Proc]
+                route_triplets.map(&:first).each do |route_pattern|
+                  routes << Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(controller, method, route_pattern)
                 end
               end
             end
             routes
           end
 
-          # TODO: RUBY-763
-          def current_route _request
-            nil
+          # Given the current request return a RouteCoverage dtm.
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @param controller [::Sinatra::Base] optionally use this controller instead of global ::Sinatra::Base.
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil] a Dtm describing the route
+          # matched to the request if a match was found.
+          def current_route request, controller = ::Sinatra::Base, full_route = nil
+            return unless sinatra_controller?(controller)
+
+            method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
+
+            # Find route match--checking superclasses if necessary.
+            final_controller, route_pattern = _route_recurse(controller, method, _cleaned_route(request))
+            return unless !final_controller.nil? && !route_pattern.nil?
+
+            full_route ||= request.path_info
+
+            Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(final_controller, method, route_pattern, full_route)
+          end
+
+          # Search object space for sinatra controllers--any class that subclasses ::Sinatra::Base.
+          #
+          # @return [Array<::Sinatra::Base>] sinatra controlelrs
+          def sinatra_controllers
+            [::Sinatra::Base] + ObjectSpace.each_object(Class).select { |clazz| sinatra_controller?(clazz) }
           end
 
           def retrieve_request env
@@ -67,30 +95,61 @@ module Contrast
 
           private
 
-          def app_class
-            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
-
-            @_app_class ||= begin
-              sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a
-              result_layer = sinatra_layers.find { |layer| layer.app.nil? }
-              result_layer
+          # Given a controller and a route to match against, find the route_pattern and class that will serve the
+          # route. This is recursive as Sinatra's routing is recursive from subclass to super.
+          #
+          # @param controller [Sinatra::Base, #routes] a Sinatra application.
+          # @param method [::Rack::REQUEST_METHOD] GET, POST, PUT, etc...
+          # @param method [String] the relative route passed from Rack.
+          # @return [Array[Sinatra::Base, Mustermann::Sinatra], nil] Either the controller that
+          # will handle the route along with the route pattern or nil if no match.
+          def _route_recurse controller, method, route
+            return if controller.nil? || controller.cs__class == NilClass
+
+            route_patterns = controller.routes.fetch(method, []).map(&:first)
+            route_pattern = route_patterns&.find do |matcher|
+              matcher.params(route) # ::Mustermann::Sinatra match.
             end
+
+            return controller, route_pattern if route_pattern
+
+            # Check routes defined in superclass if present.
+            return _route_recurse(controller.superclass, method, route) if controller.superclass&.instance_variable_get(:@routes)
           end
 
-          # Iterate over every class that extends Sinatra::Base, pull out its routes
-          # (array of arrays with Mustermann::Sinatra as [][0]) and convert them into
-          # Contrast::Api::Dtm::RouteCoverage
-          def sinatra_controllers
-            return [] unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+          # Get route and do some cleanup matching that of Sinatra::Base#process_route.
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @return [String] the extracted and cleaned relative route.
+          def _cleaned_route request
+            settings = ::Sinatra::Base.settings
+            route = request.env[::Rack::PATH_INFO]
+            return '/' if route.empty? && !settings.empty_path_info?
+
+            !settings.strict_paths? && route.end_with?('/') ? route[0..-2] : route
+          end
 
-            Contrast::Utils::ClassUtil.descendants(::Sinatra::Base)
+          # Almost an alias to app_instance.
+          #
+          # @return [::Sinatra::Base] the current controller class as routed by Rack.
+          def app_class
+            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+
+            app_instance.cs__class
           end
 
-          def sinatra_class_routes controller
-            controller.instance_variable_get(:@routes) if controller.instance_variable_defined?(:@routes)
-          rescue StandardError
-            logger.trace('Sinatra controller found with no route instances', module: controller)
-            nil
+          # Search the object space for the controller handling this request which will be
+          # the class inheriting from ::Sinatra::Base with @app=nil since it is the final servicer
+          # in the request/middleware chain.
+          #
+          # @return [::Sinatra::Base] the current controller as routed by Rack.
+          def app_instance
+            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+
+            @_app_instance ||= begin
+              sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a
+              sinatra_layers.find { |layer| layer.app.nil? }
+            end
           end
         end
       end

data/lib/contrast/logger/log.rb

@@ -37,28 +37,22 @@ module Contrast
       # Given new settings from TeamServer, update our logging to use the new
       # file and level, assuming they weren't set by local configuration.
       #
-      # @param log_file [String] the file to which to log
-      # @param log_level [String] the level at which to log
+      # @param log_file [String] the file to which to log, as provided by TeamServer settings
+      # @param log_level [String] the level at which to log, as provided by TeamServer settings
       def update log_file = nil, log_level = nil
-        config = CONFIG.root.agent.logger
-
-        config_path  = config.path&.length.to_i.positive? ? config.path : nil
-        config_level = config.level&.length&.positive? ? config.level : nil
-
-        # config > settings > default
-        path        = valid_path(config_path   || log_file)
-        level_const = valid_level(config_level || log_level)
+        current_path        = find_valid_path(log_file)
+        current_level_const = find_valid_level(log_level)
 
-        path_change = path != previous_path
-        level_change = level_const != previous_level
+        path_change = current_path != previous_path
+        level_change = current_level_const != previous_level
 
         # don't needlessly recreate logger
         return if @_logger && !(path_change || level_change)
 
-        @previous_path  = path
-        @previous_level = level_const
+        @previous_path  = current_path
+        @previous_level = current_level_const
 
-        @_logger = build(path: path, level_const: level_const)
+        @_logger = build(path: current_path, level_const: current_level_const)
         # If we're logging to a new path, then let's start it w/ our helpful
         # data gathering messages
         log_update if path_change
@@ -108,6 +102,17 @@ module Contrast
         logger.extend(Contrast::Logger::Time)
       end
 
+      # Determine the valid path to which to log, given the precedence of config > settings > default.
+      #
+      # @param log_file [String, nil] the file to which to log as provided by the settings retrieved from the
+      #   TeamServer.
+      # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
+      def find_valid_path log_file
+        config = CONFIG.root.agent.logger
+        config_path = config.path&.length.to_i.positive? ? config.path : nil
+        valid_path(config_path || log_file)
+      end
+
       def valid_path path
         path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
         return path if path == STDOUT_STR
@@ -129,6 +134,17 @@ module Contrast
         end
       end
 
+      # Determine the valid level to which to log, given the precedence of config > settings > default.
+      #
+      # @param log_level [String, nil] the level at which to log as provided by the settings retrieved from the
+      #   TeamServer.
+      # @return [::Ougai::Logging::Severity] the level at which to log
+      def find_valid_level log_level
+        config = CONFIG.root.agent.logger
+        config_level = config.level&.length&.positive? ? config.level : nil
+        valid_level(config_level || log_level)
+      end
+
       def valid_level level
         level ||= DEFAULT_LEVEL
         level = level.upcase

data/lib/contrast/utils/class_util.rb

@@ -52,7 +52,7 @@ module Contrast
         # Return a String representing the object invoking this method in the
         # form expected by our dataflow events.
         #
-        # @param object [Object] the entity to convert to a String
+        # @param object [Object, nil] the entity to convert to a String
         # @return [String] the human readable form of the String, as defined by
         #   https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/capture-snapshot.md
         def to_contrast_string object
@@ -63,6 +63,8 @@ module Contrast
             return cached if cached
 
             object.dup
+          elsif object.nil?
+            Contrast::Utils::ObjectShare::NIL_STRING
           elsif object.cs__is_a?(Symbol)
             ":#{ object }"
           elsif object.cs__is_a?(Numeric)

data/lib/contrast/utils/heap_dump_util.rb

@@ -2,12 +2,13 @@
 # frozen_string_literal: true
 
 require 'objspace'
+require 'singleton'
 require 'contrast/components/interface'
 
 module Contrast
   module Utils
     # Implementation of a heap dump util to automate generation
-    class HeapDumpUtil
+    class HeapDumpUtil < Contrast::Agent::WorkerThread
       include Contrast::Components::Interface
       access_component :heap_dump, :logging
 
@@ -15,98 +16,113 @@ module Contrast
       FILE_WRITE_FLAGS = 'w'
 
       class << self
-        def run
-          return unless heap_dump_enabled?
-
-          log_enabled_warning
-          dir = heap_dump_control[:path]
-          Dir.mkdir(dir) unless Dir.exist?(dir)
-          return unless File.writable?(dir)
-
-          delay = heap_dump_control[:delay]
-          Contrast::Agent::Thread.new do
-            logger.info("HEAP DUMP THREAD INITIALIZED. WAITING #{ delay } SECONDS TO BEGIN.")
-            sleep(delay)
-            capture_heap_dump
-          end
-        rescue StandardError => e
-          logger.info(LOG_ERROR_DUMPS, e)
-          nil
+        def enabled?
+          heap_dump_enabled?
+        end
+
+        def control
+          heap_dump_control
         end
+      end
+
+      def start_thread!
+        return unless Contrast::Utils::HeapDumpUtil.enabled?
 
-        def log_enabled_warning
-          dir    = heap_dump_control[:path]
-          window = heap_dump_control[:window]
-          count  = heap_dump_control[:count]
-          delay  = heap_dump_control[:delay]
-          clean  = heap_dump_control[:clean]
-
-          logger.info <<~WARNING
-            *****************************************************
-            ********      HEAP DUMP HAS BEEN ENABLED     ********
-            *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
-            *****************************************************
-
-            Heap dump is a debugging tool that snapshots the entire
-            state of the Ruby VM. It is an exceptionally expensive
-            process, and should only be used to debug especially
-            pernicious errors.
-
-            It will write multiple memory snaphots, which are liable
-            to be multiple gigabytes in size.
-            They will be named "[unix timestamp]-heap.dump",
-            e.g.: 1020304050-heap.dump
-
-            It will then call Ruby `exit()`.
-
-            If this is not your specific intent, you can (and should)
-            disable this option in your Contrast config file.
-
-            HEAP DUMP PARAMETERS:
-            \t[write files to this directory]             dir:     #{ dir    }
-            \t[wait this many seconds in between dumps]   window:  #{ window }
-            \t[heap dump this many times]                 count:   #{ count  }
-            \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
-            \t[perform gc pass before dump]               clean:   #{ clean  }
-
-            *****************************************************
-            ********        YOU HAVE BEEN WARNED         ********
-            *****************************************************
-          WARNING
+        control = Contrast::Utils::HeapDumpUtil.control
+        log_enabled_warning
+        dir = control[:path]
+        Dir.mkdir(dir) unless Dir.exist?(dir)
+        return unless File.writable?(dir)
+
+        delay = control[:delay]
+        @_thread = Contrast::Agent::Thread.new do
+          logger.info("HEAP DUMP THREAD INITIALIZED. WAITING #{ delay } SECONDS TO BEGIN.")
+          sleep(delay)
+          capture_heap_dump
         end
+      rescue StandardError => e
+        logger.info(LOG_ERROR_DUMPS, e)
+        nil
+      end
+
+      def log_enabled_warning
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        delay  = control[:delay]
+        clean  = control[:clean]
+
+        logger.info <<~WARNING
+          *****************************************************
+          ********      HEAP DUMP HAS BEEN ENABLED     ********
+          *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
+          *****************************************************
+
+          Heap dump is a debugging tool that snapshots the entire
+          state of the Ruby VM. It is an exceptionally expensive
+          process, and should only be used to debug especially
+          pernicious errors.
+
+          It will write multiple memory snaphots, which are liable
+          to be multiple gigabytes in size.
+          They will be named "[unix timestamp]-heap.dump",
+          e.g.: 1020304050-heap.dump
+
+          It will then call Ruby `exit()`.
+
+          If this is not your specific intent, you can (and should)
+          disable this option in your Contrast config file.
+
+          HEAP DUMP PARAMETERS:
+          \t[write files to this directory]             dir:     #{ dir    }
+          \t[wait this many seconds in between dumps]   window:  #{ window }
+          \t[heap dump this many times]                 count:   #{ count  }
+          \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
+          \t[perform gc pass before dump]               clean:   #{ clean  }
+
+          *****************************************************
+          ********        YOU HAVE BEEN WARNED         ********
+          *****************************************************
+        WARNING
+      end
+
+      def capture_heap_dump
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        clean  = control[:clean]
+        logger.info('HEAP DUMP MAIN LOOP')
+        ObjectSpace.trace_object_allocations_start
+        count.times do |i|
+          logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
+          snapshot_heap(dir, clean)
+          logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
+          sleep(window)
+        end
+      ensure
+        ObjectSpace.trace_object_allocations_stop
+        logger.info('*****************************************************')
+        logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
+        logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
+        logger.info('*****************************************************')
+        exit # rubocop:disable Rails/Exit We weren't kidding!
+      end
 
-        def capture_heap_dump
-          dir    = heap_dump_control[:path]
-          window = heap_dump_control[:window]
-          count  = heap_dump_control[:count]
-          clean  = heap_dump_control[:clean]
-          logger.info('HEAP DUMP MAIN LOOP')
-          ObjectSpace.trace_object_allocations_start
-          count.times do |i|
-            logger.info('STARTING HEAP DUMP PASS', current_pass: i + 1, max: count)
-            output = "#{ Time.now.to_f }-heap.dump"
-            output = File.join(dir, output)
-            begin
-              logger.info('OPENING HEADUMP FILE', dir: dir, file: output)
-              file = File.new(output, FILE_WRITE_FLAGS)
-              if clean
-                logger.info('PERFORMING GARBAGE COLLECTION BEFORE HEAP DUMP')
-                GC.start
-              end
-              ObjectSpace.dump_all(output: file)
-              logger.info('FINISHING HEAP DUMP PASS', current_pass: i + 1, max: count)
-            ensure
-              file.close
-            end
-            sleep(window)
+      def snapshot_heap dir, clean
+        output = "#{ Time.now.to_f }-heap.dump"
+        output = File.join(dir, output)
+        begin
+          logger.info('OPENING HEADUMP FILE', dir: dir, file: output)
+          file = File.new(output, FILE_WRITE_FLAGS)
+          if clean
+            logger.info('PERFORMING GARBAGE COLLECTION BEFORE HEAP DUMP')
+            GC.start
           end
+          ObjectSpace.dump_all(output: file)
         ensure
-          ObjectSpace.trace_object_allocations_stop
-          logger.info('*****************************************************')
-          logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
-          logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
-          logger.info('*****************************************************')
-          exit # rubocop:disable Rails/Exit We weren't kidding!
+          file.close
         end
       end
     end