RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/framework/rails/rewrite/active_record_named.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
 require 'contrast/components/interface'
 module Contrast

data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
 module Contrast
   module Framework
     module Rails

data/lib/contrast/framework/rails/support.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/api/dtm.pb'
@@ -27,8 +27,8 @@ module Contrast
           def application_name
             app_class = ::Rails.application.cs__class
-            # Rails version 6.0.0 deprecated Rails::Application#parent_name, in Rails 6.1.0 that method will be removed entirely
-            # and instead we need to use parent_module_name
+            # Rails version 6.0.0 deprecated Rails::Application#parent_name, in Rails 6.1.0 that method will be removed
+            # entirely and instead we need to use parent_module_name
             return app_class.parent_module_name if Gem::Version.new(::Rails.version) >= RAILS_MODULE_NAME_VERSION
             app_class.parent_name
@@ -47,32 +47,34 @@ module Contrast
           end
           # Find the current route, based on the provided Request wrapper
+          #
           # @param request[Contrast::Agent::Request]
           # @return [Contrast::Api::Dtm::RouteCoverage]
           def current_route request
             return unless ::Rails.cs__respond_to?(:application)
-            # returns array of arrays [[match_data, path_parameters, route]], sorted by
-            # precedence
-            # match_data: ActionDispatch::Journey::Path::Pattern::MatchData
-            # path_parameters: hash of various things
-            # route: ActionDispatch::Journey::Route
-            full_routes = ::Rails.application.routes.router.send(:find_routes, request.rack_request)
-            return if full_routes.empty?
+            match, _params, route, path = get_full_route(request.rack_request)
-            full_route = full_routes[0]
+            original_url = request.rack_request.path_info
-            # the route is directly implemented within the application
-            if direct_route?(full_route)
-              route = full_route[2] # route w/ highest precedence
-              Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route)
-            else
-              engine_route(full_route, request)
+            # Route is either the final rails route, or a router that points to a Sinatra controller.
+            if Contrast::Framework::Sinatra::Support.sinatra_controller?(route.app.app)
+              # Create a request copied from current request, but with the base path removed from path_info.
+              new_req = ::ActionDispatch::Request.new(request.env)
+              new_req.path_info = new_req.path_info.gsub((path << match).join, '')
+              return Contrast::Framework::Sinatra::Support.current_route(new_req, route.app.app, original_url)
             end
+            Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route, original_url)
           rescue StandardError => _e
             nil
           end
+          # Copy a request for modification.
+          #
+          # @param [::ActionDispatch::Request] original env.
+          # @return [::ActionDispatch::Request] a copy of original env with rails env merged.
           def retrieve_request env
             rails_env = ::Rails.application.env_config.merge(env)
             ::ActionDispatch::Request.new(rails_env || env)
@@ -87,37 +89,34 @@ module Contrast
           private
-          # route is not mounted within an engine
-          def direct_route? full_route
-            full_route[2]&.app&.cs__class == ActionDispatch::Routing::RouteSet::Dispatcher ||
-                (full_route[2].cs__class == ActionDispatch::Journey::Route && full_route[2]&.app&.cs__class == ActionDispatch::Routing::Mapper::Constraints)
+          # Determine if route is a Rails engine route.
+          #
+          # @param [Object] app or route that points to a ::Rails::Engine
+          # @return [bool] whether the router is an engine or not.
+          def engine_route? route
+            route.app.is_a?(::ActionDispatch::Routing::Mapper::Constraints) && route.app.app < ::Rails::Engine
           end
-          def engine_route full_route, request
-            engine_route = full_route[2] # supposed route - but actually an Engine mount point
-            return unless engine_route
-            engine_mount_name = engine_route.name
-            return unless engine_mount_name
-            engine_path_segments = request.rack_request.path_info.split(engine_mount_name)
-            return if engine_path_segments.empty?
-            path_within_engine = engine_path_segments[-1]
-            return unless path_within_engine
-            engine_router = engine_route.app&.app&.routes&.router
-            return unless engine_router
-            # Get all routes regardless of http method
-            matching_routes = engine_router.send(:filter_routes, path_within_engine)
-            return unless matching_routes
-            # filter for current http method
-            reportable_routes = engine_router.send(:match_routes, matching_routes, request.rack_request)
-            return if reportable_routes.empty?
-            Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(reportable_routes[0])
+          # Recursively get final route traversing engines as required.
+          #
+          # @param request [::Rack::Request] the rack request as will be handed to rails controller.
+          # @param top_router [::ActionDispatch::Journer::Router] the current router relative to the previous.
+          # @param path [Array<String>] the chunks of path that have been seen.
+          # @return [Array<array>] the final set of rails route classes.
+          def get_full_route request, top_router = ::Rails.application.routes.router, path = []
+            return if (route_matches = top_router.send(:find_routes, request)).empty?
+            match, params, route = route_matches.first
+            # If the current routing node points to a sub-app (::Rais::Engine), dive deeper.
+            # Have sub-app route the remainder of the url.
+            if engine_route?(route)
+              new_req = retrieve_request request.env
+              new_req.path_info = new_req.path_info.gsub(match.to_s, '')
+              get_full_route(new_req, route.app.app.routes.router, path << match.to_s)
+            else
+              [match, params, route, path]
+            end
           end
           # Rails engine routes need to be detected by inspecting Engine class route set

data/lib/contrast/framework/sinatra/support.rb CHANGED Viewed

@@ -1,8 +1,7 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/framework/base_support'
-require 'contrast/framework/sinatra/patch/support'
 module Contrast
   module Framework
@@ -10,7 +9,6 @@ module Contrast
       # Used when Sinatra is present to define framework specific behavior
       class Support
         extend Contrast::Framework::BaseSupport
-        extend Contrast::Framework::Sinatra::Patch::Support
         class << self
           def detection_class
             'Sinatra'
@@ -21,44 +19,74 @@ module Contrast
           end
           def application_name
-            return unless app_class
-            app_class.cs__class.cs__name
+            app_class&.cs__name
           end
           def application_root
-            return unless app_class
-            app_class.root
+            app_instance&.root
           end
           def server_type
             'sinatra'
           end
-          # Iterate over every class that extends Sinatra::Base, pull out its routes
-          # (array of arrays with Mustermann::Sinatra as [][0]) and convert them into
-          # Contrast::Api::Dtm::RouteCoverage
+          # Given an object, determine if it is a Sinatra controller with routes.
+          #
+          # @param app [Object] suspected Sinatra app.
+          # @return [Boolean]
+          def sinatra_controller? app
+            # Sinatra is loaded?
+            return false unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+            # App is a subclass of or actually is ::Sinatra::Base.
+            return false unless (app.cs__respond_to?(:<) && app < ::Sinatra::Base) || app == ::Sinatra::Base
+            # App has routes.
+            !app.routes.empty?
+          end
+          # Find all classes that subclass ::Sinatra::Base. Gather their routes.
+          #
+          # @return [Array<Contrast::Api::Dtm::RouteCoverage>] the routes found as Dtms.
           def collect_routes
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless defined?(::Sinatra) && defined?(::Sinatra::Base)
             routes = []
-            controllers = sinatra_controllers
-            controllers.each do |clazz|
-              class_routes = sinatra_class_routes(clazz)
-              next unless class_routes
-              class_routes.each_pair do |method, list|
-                # item: [ Mustermann::Sinatra, [], Proc]
-                list.each do |item|
-                  routes << Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(clazz, method, item[0])
+            sinatra_controllers.each do |controller|
+              controller.routes.each_pair do |method, route_triplets|
+                # Sinatra stores its routes as a triplet: [Mustermann::Sinatra, [], Proc]
+                route_triplets.map(&:first).each do |route_pattern|
+                  routes << Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(controller, method, route_pattern)
                 end
               end
             end
             routes
           end
-          # TODO: RUBY-763
-          def current_route _request
-            nil
+          # Given the current request return a RouteCoverage dtm.
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @param controller [::Sinatra::Base] optionally use this controller instead of global ::Sinatra::Base.
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil] a Dtm describing the route
+          # matched to the request if a match was found.
+          def current_route request, controller = ::Sinatra::Base, full_route = nil
+            return unless sinatra_controller?(controller)
+            method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
+            # Find route match--checking superclasses if necessary.
+            final_controller, route_pattern = _route_recurse(controller, method, _cleaned_route(request))
+            return unless !final_controller.nil? && !route_pattern.nil?
+            full_route ||= request.path_info
+            Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(final_controller, method, route_pattern, full_route)
+          end
+          # Search object space for sinatra controllers--any class that subclasses ::Sinatra::Base.
+          #
+          # @return [Array<::Sinatra::Base>] sinatra controlelrs
+          def sinatra_controllers
+            [::Sinatra::Base] + ObjectSpace.each_object(Class).select { |clazz| sinatra_controller?(clazz) }
           end
           def retrieve_request env
@@ -67,30 +95,63 @@ module Contrast
           private
-          def app_class
-            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
-            @_app_class ||= begin
-              sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a
-              result_layer = sinatra_layers.find { |layer| layer.app.nil? }
-              result_layer
+          # Given a controller and a route to match against, find the route_pattern and class that will serve the
+          # route. This is recursive as Sinatra's routing is recursive from subclass to super.
+          #
+          # @param controller [Sinatra::Base, #routes] a Sinatra application.
+          # @param method [::Rack::REQUEST_METHOD] GET, POST, PUT, etc...
+          # @param method [String] the relative route passed from Rack.
+          # @return [Array[Sinatra::Base, Mustermann::Sinatra], nil] Either the controller that
+          # will handle the route along with the route pattern or nil if no match.
+          def _route_recurse controller, method, route
+            return if controller.nil? || controller.cs__class == NilClass
+            route_patterns = controller.routes.fetch(method, []).map(&:first)
+            route_pattern = route_patterns&.find do |matcher|
+              matcher.params(route) # ::Mustermann::Sinatra match.
             end
+            return controller, route_pattern if route_pattern
+            # Check routes defined in superclass if present.
+            return unless controller.superclass&.instance_variable_get(:@routes)
+            _route_recurse(controller.superclass, method, route)
           end
-          # Iterate over every class that extends Sinatra::Base, pull out its routes
-          # (array of arrays with Mustermann::Sinatra as [][0]) and convert them into
-          # Contrast::Api::Dtm::RouteCoverage
-          def sinatra_controllers
-            return [] unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+          # Get route and do some cleanup matching that of Sinatra::Base#process_route.
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @return [String] the extracted and cleaned relative route.
+          def _cleaned_route request
+            settings = ::Sinatra::Base.settings
+            route = request.env[::Rack::PATH_INFO]
+            return '/' if route.empty? && !settings.empty_path_info?
+            !settings.strict_paths? && route.end_with?('/') ? route[0..-2] : route
+          end
-            Contrast::Utils::ClassUtil.descendants(::Sinatra::Base)
+          # Almost an alias to app_instance.
+          #
+          # @return [::Sinatra::Base] the current controller class as routed by Rack.
+          def app_class
+            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+            app_instance.cs__class
           end
-          def sinatra_class_routes controller
-            controller.instance_variable_get(:@routes) if controller.instance_variable_defined?(:@routes)
-          rescue StandardError
-            logger.trace('Sinatra controller found with no route instances', module: controller)
-            nil
+          # Search the object space for the controller handling this request which will be
+          # the class inheriting from ::Sinatra::Base with @app=nil since it is the final servicer
+          # in the request/middleware chain.
+          #
+          # @return [::Sinatra::Base] the current controller as routed by Rack.
+          def app_instance
+            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+            @_app_instance ||= begin
+              sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a
+              sinatra_layers.find { |layer| layer.app.nil? }
+            end
           end
         end
       end

data/lib/contrast/funchook/funchook.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -12,11 +12,7 @@ module Funchook
   ACCEPTABLE_FILES = %w[libfunchook.dylib libfunchook.so].cs__freeze
   # Top level agent directories that should have the funchook libraries
-  SEARCH_DIRS = [
-    File.join('ext'),
-    File.join('shared_libraries'),
-    File.join('funchook', 'src')
-  ].cs__freeze
+  SEARCH_DIRS = [File.join('ext'), File.join('shared_libraries'), File.join('funchook', 'src')].cs__freeze
   AGENT_ROOT = File.join(__dir__, '..', '..', '..')

data/lib/contrast/logger/application.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -16,10 +16,8 @@ module Contrast
       def application_environment
         return unless info?
-        info('Process environment information',
-             p_id: Process.pid,
-             pp_id: Process.ppid,
-             agent_version: Contrast::Agent::VERSION)
+        info('Process environment information', p_id: Process.pid, pp_id: Process.ppid,
+                                                agent_version: Contrast::Agent::VERSION)
         ENV.each do |env_key, env_value|
           env_key = env_key.to_s
           next unless ENV_KEYS.include?(env_key) ||
@@ -35,7 +33,9 @@ module Contrast
         loggable = CONFIG.loggable
         info('Current configuration', configuration: loggable)
-        env_keys = ENV.keys.select { |env_key| env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) }
+        env_keys = ENV.keys.select do |env_key|
+          env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
+        end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }
         env_translations = env_items.each_with_object({}) do |conversion, hash|
           hash[conversion.key] = conversion.dot_path_array.join('.')
@@ -52,7 +52,10 @@ module Contrast
       end
       FRAMEWORKS = %w[rails sinatra grape].cs__freeze
-      WEB_SERVERS = %w[agoo falcon hoof iodine mongrel mongrel2 passenger puma rack skinny thin trinidad unicorn webrick yarn].cs__freeze
+      WEB_SERVERS = %w[
+        agoo falcon hoof iodine mongrel mongrel2 passenger puma rack skinny thin trinidad unicorn
+        webrick yarn
+      ].cs__freeze
       LIBRARIES = %w[excon json mongo moped mysql nokogiri oga ox pg psych sqlite3 typhoeus yaml].cs__freeze
       def log_specific_libraries
         FRAMEWORKS.each(&cs__method(:log_gem_data))
@@ -67,6 +70,7 @@ module Contrast
         Gem.loaded_specs.each_pair do |_name, gem_spec|
           debug('Gem loaded',
+                # rubocop:disable Security/Module/Name -- gems builtin.
                 gem_name: gem_spec.name,
                 gem_version: gem_spec.version.to_s)
         end
@@ -76,9 +80,8 @@ module Contrast
         gem_spec = Gem.loaded_specs[gem_name]
         return unless gem_spec
-        info('Gem loaded',
-             gem_name: gem_spec.name,
-             gem_version: gem_spec.version.to_s)
+        info('Gem loaded', gem_name: gem_spec.name, gem_version: gem_spec.version.to_s)
+        # rubocop:enable Security/Module/Name
       end
     end
   end

data/lib/contrast/logger/format.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'ougai'
@@ -43,9 +43,7 @@ module Contrast
       def thread_hash
         hash = LOG_TRACKER.get(:logging_hash)
         unless hash
-          hash = {
-              thread_id: Thread.current.object_id
-          }
+          hash = { thread_id: Thread.current.object_id }
           LOG_TRACKER.set(:logging_hash, hash)
         end
         hash
@@ -53,8 +51,7 @@ module Contrast
       NO_REQUEST_HASH = { request_id: -1 }.cs__freeze
       def request_hash
-        @request_tracker_defined ||= defined?(Contrast::Agent) &&
-            defined?(Contrast::Agent::REQUEST_TRACKER)
+        @request_tracker_defined ||= defined?(Contrast::Agent) && defined?(Contrast::Agent::REQUEST_TRACKER)
         return NO_REQUEST_HASH unless @request_tracker_defined
         Contrast::Agent::REQUEST_TRACKER&.current&.logging_hash || NO_REQUEST_HASH