RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/framework/rails/rewrite/active_record_named.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
 require 'contrast/components/interface'
 module Contrast

data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
 module Contrast
   module Framework
     module Rails

data/lib/contrast/framework/rails/support.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/api/dtm.pb'
@@ -27,8 +27,8 @@ module Contrast
           def application_name
             app_class = ::Rails.application.cs__class
-            # Rails version 6.0.0 deprecated Rails::Application#parent_name, in Rails 6.1.0 that method will be removed entirely
-            # and instead we need to use parent_module_name
+            # Rails version 6.0.0 deprecated Rails::Application#parent_name, in Rails 6.1.0 that method will be removed
+            # entirely and instead we need to use parent_module_name
             return app_class.parent_module_name if Gem::Version.new(::Rails.version) >= RAILS_MODULE_NAME_VERSION
             app_class.parent_name
@@ -47,32 +47,34 @@ module Contrast
           end
           # Find the current route, based on the provided Request wrapper
+          #
           # @param request[Contrast::Agent::Request]
           # @return [Contrast::Api::Dtm::RouteCoverage]
           def current_route request
             return unless ::Rails.cs__respond_to?(:application)
-            # returns array of arrays [[match_data, path_parameters, route]], sorted by
-            # precedence
-            # match_data: ActionDispatch::Journey::Path::Pattern::MatchData
-            # path_parameters: hash of various things
-            # route: ActionDispatch::Journey::Route
-            full_routes = ::Rails.application.routes.router.send(:find_routes, request.rack_request)
-            return if full_routes.empty?
+            match, _params, route, path = get_full_route(request.rack_request)
-            full_route = full_routes[0]
+            original_url = request.rack_request.path_info
-            # the route is directly implemented within the application
-            if direct_route?(full_route)
-              route = full_route[2] # route w/ highest precedence
-              Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route)
-            else
-              engine_route(full_route, request)
+            # Route is either the final rails route, or a router that points to a Sinatra controller.
+            if Contrast::Framework::Sinatra::Support.sinatra_controller?(route.app.app)
+              # Create a request copied from current request, but with the base path removed from path_info.
+              new_req = ::ActionDispatch::Request.new(request.env)
+              new_req.path_info = new_req.path_info.gsub((path << match).join, '')
+              return Contrast::Framework::Sinatra::Support.current_route(new_req, route.app.app, original_url)
             end
+            Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route, original_url)
           rescue StandardError => _e
             nil
           end
+          # Copy a request for modification.
+          #
+          # @param [::ActionDispatch::Request] original env.
+          # @return [::ActionDispatch::Request] a copy of original env with rails env merged.
           def retrieve_request env
             rails_env = ::Rails.application.env_config.merge(env)
             ::ActionDispatch::Request.new(rails_env || env)
@@ -87,37 +89,34 @@ module Contrast
           private
-          # route is not mounted within an engine
-          def direct_route? full_route
-            full_route[2]&.app&.cs__class == ActionDispatch::Routing::RouteSet::Dispatcher ||
-                (full_route[2].cs__class == ActionDispatch::Journey::Route && full_route[2]&.app&.cs__class == ActionDispatch::Routing::Mapper::Constraints)
+          # Determine if route is a Rails engine route.
+          #
+          # @param [Object] app or route that points to a ::Rails::Engine
+          # @return [bool] whether the router is an engine or not.
+          def engine_route? route
+            route.app.is_a?(::ActionDispatch::Routing::Mapper::Constraints) && route.app.app < ::Rails::Engine
           end
-          def engine_route full_route, request
-            engine_route = full_route[2] # supposed route - but actually an Engine mount point
-            return unless engine_route
-            engine_mount_name = engine_route.name
-            return unless engine_mount_name
-            engine_path_segments = request.rack_request.path_info.split(engine_mount_name)
-            return if engine_path_segments.empty?
-            path_within_engine = engine_path_segments[-1]
-            return unless path_within_engine
-            engine_router = engine_route.app&.app&.routes&.router
-            return unless engine_router
-            # Get all routes regardless of http method
-            matching_routes = engine_router.send(:filter_routes, path_within_engine)
-            return unless matching_routes
-            # filter for current http method
-            reportable_routes = engine_router.send(:match_routes, matching_routes, request.rack_request)
-            return if reportable_routes.empty?
-            Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(reportable_routes[0])
+          # Recursively get final route traversing engines as required.
+          #
+          # @param request [::Rack::Request] the rack request as will be handed to rails controller.
+          # @param top_router [::ActionDispatch::Journer::Router] the current router relative to the previous.
+          # @param path [Array<String>] the chunks of path that have been seen.
+          # @return [Array<array>] the final set of rails route classes.
+          def get_full_route request, top_router = ::Rails.application.routes.router, path = []
+            return if (route_matches = top_router.send(:find_routes, request)).empty?
+            match, params, route = route_matches.first
+            # If the current routing node points to a sub-app (::Rais::Engine), dive deeper.
+            # Have sub-app route the remainder of the url.
+            if engine_route?(route)
+              new_req = retrieve_request request.env
+              new_req.path_info = new_req.path_info.gsub(match.to_s, '')
+              get_full_route(new_req, route.app.app.routes.router, path << match.to_s)
+            else
+              [match, params, route, path]
+            end
           end
           # Rails engine routes need to be detected by inspecting Engine class route set

data/lib/contrast/framework/sinatra/support.rb CHANGED Viewed

@@ -1,8 +1,7 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/framework/base_support'
-require 'contrast/framework/sinatra/patch/support'
 module Contrast
   module Framework
@@ -10,7 +9,6 @@ module Contrast
       # Used when Sinatra is present to define framework specific behavior
       class Support
         extend Contrast::Framework::BaseSupport
-        extend Contrast::Framework::Sinatra::Patch::Support
         class << self
           def detection_class
             'Sinatra'
@@ -21,44 +19,74 @@ module Contrast
           end
           def application_name
-            return unless app_class
-            app_class.cs__class.cs__name
+            app_class&.cs__name
           end
           def application_root
-            return unless app_class
-            app_class.root
+            app_instance&.root
           end
           def server_type
             'sinatra'
           end
-          # Iterate over every class that extends Sinatra::Base, pull out its routes
-          # (array of arrays with Mustermann::Sinatra as [][0]) and convert them into
-          # Contrast::Api::Dtm::RouteCoverage
+          # Given an object, determine if it is a Sinatra controller with routes.
+          #
+          # @param app [Object] suspected Sinatra app.
+          # @return [Boolean]
+          def sinatra_controller? app
+            # Sinatra is loaded?
+            return false unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+            # App is a subclass of or actually is ::Sinatra::Base.
+            return false unless (app.cs__respond_to?(:<) && app < ::Sinatra::Base) || app == ::Sinatra::Base
+            # App has routes.
+            !app.routes.empty?
+          end
+          # Find all classes that subclass ::Sinatra::Base. Gather their routes.
+          #
+          # @return [Array<Contrast::Api::Dtm::RouteCoverage>] the routes found as Dtms.
           def collect_routes
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless defined?(::Sinatra) && defined?(::Sinatra::Base)
             routes = []
-            controllers = sinatra_controllers
-            controllers.each do |clazz|
-              class_routes = sinatra_class_routes(clazz)
-              next unless class_routes
-              class_routes.each_pair do |method, list|
-                # item: [ Mustermann::Sinatra, [], Proc]
-                list.each do |item|
-                  routes << Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(clazz, method, item[0])
+            sinatra_controllers.each do |controller|
+              controller.routes.each_pair do |method, route_triplets|
+                # Sinatra stores its routes as a triplet: [Mustermann::Sinatra, [], Proc]
+                route_triplets.map(&:first).each do |route_pattern|
+                  routes << Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(controller, method, route_pattern)
                 end
               end
             end
             routes
           end
-          # TODO: RUBY-763
-          def current_route _request
-            nil
+          # Given the current request return a RouteCoverage dtm.
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @param controller [::Sinatra::Base] optionally use this controller instead of global ::Sinatra::Base.
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil] a Dtm describing the route
+          # matched to the request if a match was found.
+          def current_route request, controller = ::Sinatra::Base, full_route = nil
+            return unless sinatra_controller?(controller)
+            method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
+            # Find route match--checking superclasses if necessary.
+            final_controller, route_pattern = _route_recurse(controller, method, _cleaned_route(request))
+            return unless !final_controller.nil? && !route_pattern.nil?
+            full_route ||= request.path_info
+            Contrast::Api::Dtm::RouteCoverage.from_sinatra_route(final_controller, method, route_pattern, full_route)
+          end
+          # Search object space for sinatra controllers--any class that subclasses ::Sinatra::Base.
+          #
+          # @return [Array<::Sinatra::Base>] sinatra controlelrs
+          def sinatra_controllers
+            [::Sinatra::Base] + ObjectSpace.each_object(Class).select { |clazz| sinatra_controller?(clazz) }
           end
           def retrieve_request env
@@ -67,30 +95,63 @@ module Contrast
           private
-          def app_class
-            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
-            @_app_class ||= begin
-              sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a
-              result_layer = sinatra_layers.find { |layer| layer.app.nil? }
-              result_layer
+          # Given a controller and a route to match against, find the route_pattern and class that will serve the
+          # route. This is recursive as Sinatra's routing is recursive from subclass to super.
+          #
+          # @param controller [Sinatra::Base, #routes] a Sinatra application.
+          # @param method [::Rack::REQUEST_METHOD] GET, POST, PUT, etc...
+          # @param method [String] the relative route passed from Rack.
+          # @return [Array[Sinatra::Base, Mustermann::Sinatra], nil] Either the controller that
+          # will handle the route along with the route pattern or nil if no match.
+          def _route_recurse controller, method, route
+            return if controller.nil? || controller.cs__class == NilClass
+            route_patterns = controller.routes.fetch(method, []).map(&:first)
+            route_pattern = route_patterns&.find do |matcher|
+              matcher.params(route) # ::Mustermann::Sinatra match.
             end
+            return controller, route_pattern if route_pattern
+            # Check routes defined in superclass if present.
+            return unless controller.superclass&.instance_variable_get(:@routes)
+            _route_recurse(controller.superclass, method, route)
           end
-          # Iterate over every class that extends Sinatra::Base, pull out its routes
-          # (array of arrays with Mustermann::Sinatra as [][0]) and convert them into
-          # Contrast::Api::Dtm::RouteCoverage
-          def sinatra_controllers
-            return [] unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+          # Get route and do some cleanup matching that of Sinatra::Base#process_route.
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @return [String] the extracted and cleaned relative route.
+          def _cleaned_route request
+            settings = ::Sinatra::Base.settings
+            route = request.env[::Rack::PATH_INFO]
+            return '/' if route.empty? && !settings.empty_path_info?
+            !settings.strict_paths? && route.end_with?('/') ? route[0..-2] : route
+          end
-            Contrast::Utils::ClassUtil.descendants(::Sinatra::Base)
+          # Almost an alias to app_instance.
+          #
+          # @return [::Sinatra::Base] the current controller class as routed by Rack.
+          def app_class
+            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+            app_instance.cs__class
           end
-          def sinatra_class_routes controller
-            controller.instance_variable_get(:@routes) if controller.instance_variable_defined?(:@routes)
-          rescue StandardError
-            logger.trace('Sinatra controller found with no route instances', module: controller)
-            nil
+          # Search the object space for the controller handling this request which will be
+          # the class inheriting from ::Sinatra::Base with @app=nil since it is the final servicer
+          # in the request/middleware chain.
+          #
+          # @return [::Sinatra::Base] the current controller as routed by Rack.
+          def app_instance
+            return unless defined?(::Sinatra) && defined?(::Sinatra::Base)
+            @_app_instance ||= begin
+              sinatra_layers = ObjectSpace.each_object(::Sinatra::Base).to_a
+              sinatra_layers.find { |layer| layer.app.nil? }
+            end
           end
         end
       end

data/lib/contrast/funchook/funchook.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -12,11 +12,7 @@ module Funchook
   ACCEPTABLE_FILES = %w[libfunchook.dylib libfunchook.so].cs__freeze
   # Top level agent directories that should have the funchook libraries
-  SEARCH_DIRS = [
-    File.join('ext'),
-    File.join('shared_libraries'),
-    File.join('funchook', 'src')
-  ].cs__freeze
+  SEARCH_DIRS = [File.join('ext'), File.join('shared_libraries'), File.join('funchook', 'src')].cs__freeze
   AGENT_ROOT = File.join(__dir__, '..', '..', '..')

data/lib/contrast/logger/application.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -16,10 +16,8 @@ module Contrast
       def application_environment
         return unless info?
-        info('Process environment information',
-             p_id: Process.pid,
-             pp_id: Process.ppid,
-             agent_version: Contrast::Agent::VERSION)
+        info('Process environment information', p_id: Process.pid, pp_id: Process.ppid,
+                                                agent_version: Contrast::Agent::VERSION)
         ENV.each do |env_key, env_value|
           env_key = env_key.to_s
           next unless ENV_KEYS.include?(env_key) ||
@@ -35,7 +33,9 @@ module Contrast
         loggable = CONFIG.loggable
         info('Current configuration', configuration: loggable)
-        env_keys = ENV.keys.select { |env_key| env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) }
+        env_keys = ENV.keys.select do |env_key|
+          env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
+        end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }
         env_translations = env_items.each_with_object({}) do |conversion, hash|
           hash[conversion.key] = conversion.dot_path_array.join('.')
@@ -52,7 +52,10 @@ module Contrast
       end
       FRAMEWORKS = %w[rails sinatra grape].cs__freeze
-      WEB_SERVERS = %w[agoo falcon hoof iodine mongrel mongrel2 passenger puma rack skinny thin trinidad unicorn webrick yarn].cs__freeze
+      WEB_SERVERS = %w[
+        agoo falcon hoof iodine mongrel mongrel2 passenger puma rack skinny thin trinidad unicorn
+        webrick yarn
+      ].cs__freeze
       LIBRARIES = %w[excon json mongo moped mysql nokogiri oga ox pg psych sqlite3 typhoeus yaml].cs__freeze
       def log_specific_libraries
         FRAMEWORKS.each(&cs__method(:log_gem_data))
@@ -67,6 +70,7 @@ module Contrast
         Gem.loaded_specs.each_pair do |_name, gem_spec|
           debug('Gem loaded',
+                # rubocop:disable Security/Module/Name -- gems builtin.
                 gem_name: gem_spec.name,
                 gem_version: gem_spec.version.to_s)
         end
@@ -76,9 +80,8 @@ module Contrast
         gem_spec = Gem.loaded_specs[gem_name]
         return unless gem_spec
-        info('Gem loaded',
-             gem_name: gem_spec.name,
-             gem_version: gem_spec.version.to_s)
+        info('Gem loaded', gem_name: gem_spec.name, gem_version: gem_spec.version.to_s)
+        # rubocop:enable Security/Module/Name
       end
     end
   end

data/lib/contrast/logger/format.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'ougai'
@@ -43,9 +43,7 @@ module Contrast
       def thread_hash
         hash = LOG_TRACKER.get(:logging_hash)
         unless hash
-          hash = {
-              thread_id: Thread.current.object_id
-          }
+          hash = { thread_id: Thread.current.object_id }
           LOG_TRACKER.set(:logging_hash, hash)
         end
         hash
@@ -53,8 +51,7 @@ module Contrast
       NO_REQUEST_HASH = { request_id: -1 }.cs__freeze
       def request_hash
-        @request_tracker_defined ||= defined?(Contrast::Agent) &&
-            defined?(Contrast::Agent::REQUEST_TRACKER)
+        @request_tracker_defined ||= defined?(Contrast::Agent) && defined?(Contrast::Agent::REQUEST_TRACKER)
         return NO_REQUEST_HASH unless @request_tracker_defined
         Contrast::Agent::REQUEST_TRACKER&.current&.logging_hash || NO_REQUEST_HASH