contrast-agent 4.3.2 → 4.7.0

data/lib/contrast/logger/log.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'logger'
@@ -27,8 +27,7 @@ module Contrast
       STDOUT_STR       = 'STDOUT'
       STDERR_STR       = 'STDERR'
 
-      attr_reader :previous_path,
-                  :previous_level
+      attr_reader :previous_path, :previous_level
 
       def initialize
         update
@@ -37,28 +36,22 @@ module Contrast
       # Given new settings from TeamServer, update our logging to use the new
       # file and level, assuming they weren't set by local configuration.
       #
-      # @param log_file [String] the file to which to log
-      # @param log_level [String] the level at which to log
+      # @param log_file [String] the file to which to log, as provided by TeamServer settings
+      # @param log_level [String] the level at which to log, as provided by TeamServer settings
       def update log_file = nil, log_level = nil
-        config = CONFIG.root.agent.logger
-
-        config_path  = config.path&.length.to_i.positive? ? config.path : nil
-        config_level = config.level&.length&.positive? ? config.level : nil
-
-        # config > settings > default
-        path        = valid_path(config_path   || log_file)
-        level_const = valid_level(config_level || log_level)
+        current_path        = find_valid_path(log_file)
+        current_level_const = find_valid_level(log_level)
 
-        path_change = path != previous_path
-        level_change = level_const != previous_level
+        path_change = current_path != previous_path
+        level_change = current_level_const != previous_level
 
         # don't needlessly recreate logger
         return if @_logger && !(path_change || level_change)
 
-        @previous_path  = path
-        @previous_level = level_const
+        @previous_path  = current_path
+        @previous_level = current_level_const
 
-        @_logger = build(path: path, level_const: level_const)
+        @_logger = build(path: current_path, level_const: current_level_const)
         # If we're logging to a new path, then let's start it w/ our helpful
         # data gathering messages
         log_update if path_change
@@ -108,6 +101,17 @@ module Contrast
         logger.extend(Contrast::Logger::Time)
       end
 
+      # Determine the valid path to which to log, given the precedence of config > settings > default.
+      #
+      # @param log_file [String, nil] the file to which to log as provided by the settings retrieved from the
+      #   TeamServer.
+      # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
+      def find_valid_path log_file
+        config = CONFIG.root.agent.logger
+        config_path = config.path&.length.to_i.positive? ? config.path : nil
+        valid_path(config_path || log_file)
+      end
+
       def valid_path path
         path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
         return path if path == STDOUT_STR
@@ -119,7 +123,9 @@ module Contrast
         elsif write_permission?(DEFAULT_NAME)
           # Log once when the path is invalid. We'll change to this path, so no
           # need to log again.
-          puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead." if previous_path != DEFAULT_NAME
+          if previous_path != DEFAULT_NAME
+            puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead."
+          end
           DEFAULT_NAME
         else
           # Log once when the path is invalid. We'll change to this path, so no
@@ -129,6 +135,17 @@ module Contrast
         end
       end
 
+      # Determine the valid level to which to log, given the precedence of config > settings > default.
+      #
+      # @param log_level [String, nil] the level at which to log as provided by the settings retrieved from the
+      #   TeamServer.
+      # @return [::Ougai::Logging::Severity] the level at which to log
+      def find_valid_level log_level
+        config = CONFIG.root.agent.logger
+        config_level = config.level&.length&.positive? ? config.level : nil
+        valid_level(config_level || log_level)
+      end
+
       def valid_level level
         level ||= DEFAULT_LEVEL
         level = level.upcase

data/lib/contrast/logger/request.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
@@ -22,8 +22,7 @@ module Contrast
       def request_end
         context = Contrast::Agent::REQUEST_TRACKER.current
         elapsed_time = context ? (Contrast::Utils::Timer.now_ms - context.timer.start_ms) : -1
-        debug('Ending request analysis',
-              elapsed_time_ms: elapsed_time)
+        debug('Ending request analysis', elapsed_time_ms: elapsed_time)
       end
     end
   end

data/lib/contrast/logger/time.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/security_exception.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -8,7 +8,7 @@ module Contrast
   # to be handled by our customer's applications.
   class SecurityException < StandardError
     def initialize rule, message = nil
-      super(message || "Rule #{ rule.name } threw a security exception")
+      super(message || "Rule #{ rule.rule_name } threw a security exception")
     end
   end
 end

data/lib/contrast/tasks/config.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'yaml'

data/lib/contrast/tasks/service.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
@@ -74,7 +74,11 @@ module Contrast
               sleep(0.05) while Contrast::Utils::OS.running?
             end
             watcher.join(1)
-            puts Contrast::Utils::OS.running? ? 'Contrast Service did not stop.' : 'Contrast Service stopped successfully.'
+            if Contrast::Utils::OS.running?
+              puts 'Contrast Service did not stop.'
+            else
+              puts 'Contrast Service stopped successfully.'
+            end
           else
             puts 'Contrast Service is not already running. No need to stop.'
           end

data/lib/contrast/utils/assess/sampling_util.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'singleton'

data/lib/contrast/utils/assess/tracking_util.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/tracker'
@@ -53,8 +53,7 @@ module Contrast
             idx += 1
             if Contrast::Utils::DuckUtils.iterable_hash?(obj)
               obj.each_pair do |k, v|
-                return true if _tracked?(k, idx)
-                return true if _tracked?(v, idx)
+                return true if _tracked?(k, idx) || _tracked?(v, idx)
               end
               false
             elsif Contrast::Utils::DuckUtils.iterable_enumerable?(obj)

data/lib/contrast/utils/class_util.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/extension/module'
@@ -9,14 +9,6 @@ module Contrast
     # Utility methods for exploring the complete space of Objects
     class ClassUtil
       class << self
-        # Given a module, return all of its descendants
-        #
-        # @param mod [Module] the module whose descendants you want to find.
-        # @return [Array<Module>] those Modules that inherit from the given.
-        def descendants mod
-          ObjectSpace.each_object(mod).to_a
-        end
-
         # some classes have had things prepended to them, like Marshal in Rails
         # 5 and higher. Their ActiveSupport::MarshalWithAutoloading will break
         # our alias patching approach, as will any other prepend on something
@@ -52,7 +44,7 @@ module Contrast
         # Return a String representing the object invoking this method in the
         # form expected by our dataflow events.
         #
-        # @param object [Object] the entity to convert to a String
+        # @param object [Object, nil] the entity to convert to a String
         # @return [String] the human readable form of the String, as defined by
         #   https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/capture-snapshot.md
         def to_contrast_string object
@@ -63,14 +55,16 @@ module Contrast
             return cached if cached
 
             object.dup
+          elsif object.nil?
+            Contrast::Utils::ObjectShare::NIL_STRING
           elsif object.cs__is_a?(Symbol)
             ":#{ object }"
-          elsif object.cs__is_a?(Numeric)
-            object.to_s
           elsif object.cs__is_a?(Module) || object.cs__is_a?(Class)
             "#{ object.cs__name }@#{ object.__id__ }"
           elsif object.cs__is_a?(Regexp)
             object.source
+          elsif use_to_s?(object)
+            object.to_s
           else
             "#{ object.cs__class.cs__name }@#{ object.__id__ }"
           end
@@ -106,6 +100,18 @@ module Contrast
 
         private
 
+        # Some objects have nice to_s that we can use to make them human readable. If they do, we should leverage them.
+        # We used to do this by default, but this opened us up to danger, so we're instead using an allow list approach.
+        #
+        # @param object [Object] something that may have a safe to_s method
+        # @return [Boolean] if we should invoke to_s to represent the object
+        def use_to_s? object
+          return true if object.cs__is_a?(Numeric)
+          return true if defined?(Arel::Nodes::SqlLiteral) && object.cs__is_a?(Arel::Nodes::SqlLiteral)
+
+          false
+        end
+
         def determine_target_class mod, is_instance
           return mod if mod.singleton_class?
 

data/lib/contrast/utils/duck_utils.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/utils/env_configuration_item.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/utils/hash_digest.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'digest'
@@ -15,10 +15,7 @@ module Contrast
       include Digest::Instance
 
       CONTENT_LENGTH_HEADER = 'Content-Length'
-      CRYPTO_RULES = %w[
-        crypto-bad-ciphers
-        crypto-bad-mac
-      ].cs__freeze
+      CRYPTO_RULES = %w[crypto-bad-ciphers crypto-bad-mac].cs__freeze
       CONFIG_PATH_KEY = 'path'
       CONFIG_SESSION_ID_KEY = 'sessionId'
       CLASS_SOURCE_KEY = 'source'
@@ -37,13 +34,13 @@ module Contrast
           hash.finish
         end
 
-        def generate_event_hash finding, source
-          return generate_dataflow_hash(finding) if finding.events.length.to_i > 1
+        def generate_event_hash finding, source, request
+          return generate_dataflow_hash(finding, request) if finding.events.length.to_i > 1
 
           id = finding.rule_id
-          return generate_crypto_hash(finding, source) if CRYPTO_RULES.include?(id)
+          return generate_crypto_hash(finding, source, request) if CRYPTO_RULES.include?(id)
 
-          generate_trigger_hash(finding)
+          generate_trigger_hash(finding, request)
         end
 
         def generate_config_hash finding
@@ -71,40 +68,35 @@ module Contrast
 
         private
 
-        def generate_crypto_hash finding, algorithm
+        def generate_crypto_hash finding, algorithm, request
           hash = new
           hash.update(finding.rule_id)
           hash.update(algorithm)
-          hash.update_on_request
+          hash.update_on_request(finding, request)
           hash.finish
         end
 
-        def generate_dataflow_hash finding
+        def generate_dataflow_hash finding, request
           hash = new
           hash.update(finding.rule_id)
           hash.update_on_sources(finding.events)
-          hash.update_on_request
+          hash.update_on_request(finding, request)
           hash.finish
         end
 
-        def generate_trigger_hash finding
+        def generate_trigger_hash finding, request
           hash = new
           hash.update(finding.rule_id)
-          hash.update_on_request
+          hash.update_on_request(finding, request)
           hash.finish
         end
       end
 
-      def update_on_request
-        context = Contrast::Agent::REQUEST_TRACKER.current
-        return unless context
-
-        route = context.route
-        request = context.request
-        if route
+      def update_on_request finding, request
+        if (route = finding.routes[0])
           update(route.route)
           update(route.verb)
-        elsif request
+        elsif request ||= Contrast::Agent::REQUEST_TRACKER.current&.request
           update(request.normalized_uri)
           update(request.request_method)
         end
@@ -116,7 +108,7 @@ module Contrast
         events.each do |event|
           event.event_sources.each do |source|
             update(source.type)
-            update(source.name)
+            update(source.name) # rubocop:disable Security/Module/Name -- API attribute.
           end
         end
       end

data/lib/contrast/utils/heap_dump_util.rb

@@ -1,13 +1,14 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'objspace'
+require 'singleton'
 require 'contrast/components/interface'
 
 module Contrast
   module Utils
     # Implementation of a heap dump util to automate generation
-    class HeapDumpUtil
+    class HeapDumpUtil < Contrast::Agent::WorkerThread
       include Contrast::Components::Interface
       access_component :heap_dump, :logging
 
@@ -15,98 +16,113 @@ module Contrast
       FILE_WRITE_FLAGS = 'w'
 
       class << self
-        def run
-          return unless heap_dump_enabled?
-
-          log_enabled_warning
-          dir = heap_dump_control[:path]
-          Dir.mkdir(dir) unless Dir.exist?(dir)
-          return unless File.writable?(dir)
-
-          delay = heap_dump_control[:delay]
-          Contrast::Agent::Thread.new do
-            logger.info("HEAP DUMP THREAD INITIALIZED. WAITING #{ delay } SECONDS TO BEGIN.")
-            sleep(delay)
-            capture_heap_dump
-          end
-        rescue StandardError => e
-          logger.info(LOG_ERROR_DUMPS, e)
-          nil
+        def enabled?
+          heap_dump_enabled?
+        end
+
+        def control
+          heap_dump_control
         end
+      end
+
+      def start_thread!
+        return unless Contrast::Utils::HeapDumpUtil.enabled?
 
-        def log_enabled_warning
-          dir    = heap_dump_control[:path]
-          window = heap_dump_control[:window]
-          count  = heap_dump_control[:count]
-          delay  = heap_dump_control[:delay]
-          clean  = heap_dump_control[:clean]
-
-          logger.info <<~WARNING
-            *****************************************************
-            ********      HEAP DUMP HAS BEEN ENABLED     ********
-            *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
-            *****************************************************
-
-            Heap dump is a debugging tool that snapshots the entire
-            state of the Ruby VM. It is an exceptionally expensive
-            process, and should only be used to debug especially
-            pernicious errors.
-
-            It will write multiple memory snaphots, which are liable
-            to be multiple gigabytes in size.
-            They will be named "[unix timestamp]-heap.dump",
-            e.g.: 1020304050-heap.dump
-
-            It will then call Ruby `exit()`.
-
-            If this is not your specific intent, you can (and should)
-            disable this option in your Contrast config file.
-
-            HEAP DUMP PARAMETERS:
-            \t[write files to this directory]             dir:     #{ dir    }
-            \t[wait this many seconds in between dumps]   window:  #{ window }
-            \t[heap dump this many times]                 count:   #{ count  }
-            \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
-            \t[perform gc pass before dump]               clean:   #{ clean  }
-
-            *****************************************************
-            ********        YOU HAVE BEEN WARNED         ********
-            *****************************************************
-          WARNING
+        control = Contrast::Utils::HeapDumpUtil.control
+        log_enabled_warning
+        dir = control[:path]
+        Dir.mkdir(dir) unless Dir.exist?(dir)
+        return unless File.writable?(dir)
+
+        delay = control[:delay]
+        @_thread = Contrast::Agent::Thread.new do
+          logger.info("HEAP DUMP THREAD INITIALIZED. WAITING #{ delay } SECONDS TO BEGIN.")
+          sleep(delay)
+          capture_heap_dump
         end
+      rescue StandardError => e
+        logger.info(LOG_ERROR_DUMPS, e)
+        nil
+      end
+
+      def log_enabled_warning
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        delay  = control[:delay]
+        clean  = control[:clean]
+
+        logger.info <<~WARNING
+          *****************************************************
+          ********      HEAP DUMP HAS BEEN ENABLED     ********
+          *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
+          *****************************************************
+
+          Heap dump is a debugging tool that snapshots the entire
+          state of the Ruby VM. It is an exceptionally expensive
+          process, and should only be used to debug especially
+          pernicious errors.
+
+          It will write multiple memory snaphots, which are liable
+          to be multiple gigabytes in size.
+          They will be named "[unix timestamp]-heap.dump",
+          e.g.: 1020304050-heap.dump
+
+          It will then call Ruby `exit()`.
+
+          If this is not your specific intent, you can (and should)
+          disable this option in your Contrast config file.
+
+          HEAP DUMP PARAMETERS:
+          \t[write files to this directory]             dir:     #{ dir    }
+          \t[wait this many seconds in between dumps]   window:  #{ window }
+          \t[heap dump this many times]                 count:   #{ count  }
+          \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
+          \t[perform gc pass before dump]               clean:   #{ clean  }
+
+          *****************************************************
+          ********        YOU HAVE BEEN WARNED         ********
+          *****************************************************
+        WARNING
+      end
+
+      def capture_heap_dump
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        clean  = control[:clean]
+        logger.info('HEAP DUMP MAIN LOOP')
+        ObjectSpace.trace_object_allocations_start
+        count.times do |i|
+          logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
+          snapshot_heap(dir, clean)
+          logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
+          sleep(window)
+        end
+      ensure
+        ObjectSpace.trace_object_allocations_stop
+        logger.info('*****************************************************')
+        logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
+        logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
+        logger.info('*****************************************************')
+        exit # rubocop:disable Rails/Exit We weren't kidding!
+      end
 
-        def capture_heap_dump
-          dir    = heap_dump_control[:path]
-          window = heap_dump_control[:window]
-          count  = heap_dump_control[:count]
-          clean  = heap_dump_control[:clean]
-          logger.info('HEAP DUMP MAIN LOOP')
-          ObjectSpace.trace_object_allocations_start
-          count.times do |i|
-            logger.info('STARTING HEAP DUMP PASS', current_pass: i + 1, max: count)
-            output = "#{ Time.now.to_f }-heap.dump"
-            output = File.join(dir, output)
-            begin
-              logger.info('OPENING HEADUMP FILE', dir: dir, file: output)
-              file = File.new(output, FILE_WRITE_FLAGS)
-              if clean
-                logger.info('PERFORMING GARBAGE COLLECTION BEFORE HEAP DUMP')
-                GC.start
-              end
-              ObjectSpace.dump_all(output: file)
-              logger.info('FINISHING HEAP DUMP PASS', current_pass: i + 1, max: count)
-            ensure
-              file.close
-            end
-            sleep(window)
+      def snapshot_heap dir, clean
+        output = "#{ Time.now.to_f }-heap.dump"
+        output = File.join(dir, output)
+        begin
+          logger.info('OPENING HEADUMP FILE', dir: dir, file: output)
+          file = File.new(output, FILE_WRITE_FLAGS)
+          if clean
+            logger.info('PERFORMING GARBAGE COLLECTION BEFORE HEAP DUMP')
+            GC.start
           end
+          ObjectSpace.dump_all(output: file)
         ensure
-          ObjectSpace.trace_object_allocations_stop
-          logger.info('*****************************************************')
-          logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
-          logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
-          logger.info('*****************************************************')
-          exit # rubocop:disable Rails/Exit We weren't kidding!
+          file.close
         end
       end
     end