RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/method_policy'
@@ -27,6 +27,9 @@ module Contrast
               class_name = klass.cs__name
               instance_methods = klass.instance_methods
               instance_methods.concat(klass.private_instance_methods)
+              current_context = Contrast::Agent::REQUEST_TRACKER.current
+              current_request = current_context&.request
               tainted_columns.each_pair do |field, properties|
                 next unless properties
@@ -34,14 +37,14 @@ module Contrast
                 # Move on if we already know about this Dynamic Source
                 next if Contrast::Agent::Assess::Policy::Policy.instance.find_source_node(class_name, method_name, true)
-                dynamic_source_node = create_source_node(class_name, method_name, Set.new(properties.tag_keys))
+                dynamic_source_node = create_source_node(class_name, method_name, Set.new(properties.tag_keys),
+                                                         current_request)
                 Contrast::Agent::Assess::Policy::Policy.instance.add_node(dynamic_source_node, :dynamic_source)
                 method_policy = build_source_policy(method_name, dynamic_source_node)
                 Contrast::Agent::Patching::Policy::Patcher.patch_method(klass, instance_methods, method_policy)
-                current_context = Contrast::Agent::REQUEST_TRACKER.current
                 next unless current_context
-                dynamic_source = create_dynamic_source(current_context, dynamic_source_node, field, properties)
+                dynamic_source = create_dynamic_source(current_request, dynamic_source_node, field, properties)
                 node_id = Contrast::Utils::StringUtils.force_utf8(dynamic_source_node.id)
                 current_context.activity.dynamic_sources[node_id] = dynamic_source
               end
@@ -56,8 +59,10 @@ module Contrast
             # @param class_name [String] the name of the Class to patch
             # @param method_name [Symbol] the name of the Method to patch
             # @param tags [Set<String>] the tags this event should apply
+            # @param request [Contrast::Agent::Request] the request during
+            #  which this source is to be created.
             # @return [Contrast::Agent::Assess::Policy::SourceNode]
-            def create_source_node class_name, method_name, tags
+            def create_source_node class_name, method_name, tags, request
               node = Contrast::Agent::Assess::Policy::SourceNode.new
               node.class_name = class_name
               node.instance_method = true
@@ -72,8 +77,7 @@ module Contrast
               node.add_property(READ_TABLE, class_name)
               node.add_property(READ_COLUMN, method_name)
               node.add_property(WRITE_QUERY_TIME, Contrast::Utils::Timer.now_ms)
-              url = Contrast::Agent::REQUEST_TRACKER.current&.request&.normalized_uri
-              node.add_property(WRITE_QUERY_URL, url)
+              node.add_property(WRITE_QUERY_URL, request&.normalized_uri)
               node
             end
@@ -92,8 +96,8 @@ module Contrast
               method_policy
             end
-            # @param current_context [Contrast::Agent::RequestContext] the
-            #   context of the request in which this source is to be created.
+            # @param request [Contrast::Agent::Request] the request during
+            #   which this source is to be created.
             # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
             #   the SourceNode that applies to this method
             # @param field [String] the name of the method to which this source
@@ -104,22 +108,36 @@ module Contrast
             # @return [Contrast::Api::Dtm::DynamicSource] the message to send
             #   to the Service to allow it to report the events leading up to
             #   the creation of the Dynamic Source
-            def create_dynamic_source current_context, source_node, field, properties
+            def create_dynamic_source request, source_node, field, properties
               dynamic_source = Contrast::Api::Dtm::DynamicSource.new
               dynamic_source.class_name = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.method_name = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.instance_method = source_node.instance_method?
               dynamic_source.target = Contrast::Utils::StringUtils.force_utf8(source_node.target_string)
+              append_properties!(dynamic_source, request, source_node, field)
+              append_events!(dynamic_source, properties.event)
+              dynamic_source
+            end
+            # Append the properties needed to reconstruct the given DynamicSource in other dataflows and for rendering
+            # in TeamServer
+            #
+            # @param dynamic_source [Contrast::Api::Dtm::DynamicSource] the message to send to the Service to allow it
+            #   to report the events leading up to the creation of the Dynamic Source.
+            # @param request [Contrast::Agent::Request] the request during which this source is to be created.
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the SourceNode that applies to this
+            #   method.
+            # @param field [String] the name of the method to which this source applies.
+            def append_properties! dynamic_source, request, source_node, field
               dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.properties[READ_COLUMN] = Contrast::Utils::StringUtils.force_utf8(field)
-              dynamic_source.properties[WRITE_QUERY_TIME] = Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
-              url = current_context.request.normalized_uri
-              dynamic_source.properties[WRITE_QUERY_URL] = Contrast::Utils::StringUtils.force_utf8(url)
-              append_events(dynamic_source, properties.event)
-              dynamic_source
+              dynamic_source.properties[WRITE_QUERY_TIME] =
+                Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
+              dynamic_source.properties[WRITE_QUERY_URL] =
+                Contrast::Utils::StringUtils.force_utf8(request&.normalized_uri)
             end
-            def append_events dynamic_source, event
+            def append_events! dynamic_source, event
               return unless event
               event.parent_events&.each do |parent_event|

data/lib/contrast/agent/assess/policy/patcher.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/policy'
@@ -39,19 +39,13 @@ module Contrast
               patcher.patch_specific_module(mod)
             rescue StandardError => e
-              logger.warn(
-                  'Unable to patch assess during eval',
-                  e,
-                  module: mod.cs__name)
+              logger.warn('Unable to patch assess during eval', e, module: mod.cs__name)
             end
             # Exposed so that methods can be dynamically patched on creation at
             # runtime, like those generated by
             # ActiveRecord::AttributeMethods::Read::ClassMethods#define_method_attribute
-            CLASS_TYPES = [
-              Contrast::Utils::ObjectShare::CLASS,
-              Contrast::Utils::ObjectShare::MODULE
-            ].cs__freeze
+            CLASS_TYPES = [Contrast::Utils::ObjectShare::CLASS, Contrast::Utils::ObjectShare::MODULE].cs__freeze
             def patch_assess_method mod, method_name
               # Module.define_method is called a lot in Class and Module. We
               # currently do not expect these define_methods to result in methods
@@ -62,7 +56,8 @@ module Contrast
               return if CLASS_TYPES.include?(class_name)
               return unless ASSESS.enabled?
-              source_nodes = Contrast::Agent::Patching::Policy::ModulePolicy.nodes_for_module(policy.sources, class_name)
+              source_nodes = Contrast::Agent::Patching::Policy::ModulePolicy.nodes_for_module(policy.sources,
+                                                                                              class_name)
               return if source_nodes.empty?
               method_array = []
@@ -70,17 +65,15 @@ module Contrast
               source_nodes.each do |source_node|
                 next unless source_node.method_name.to_s == method_name
-                method_policy = Contrast::Agent::Patching::Policy::MethodPolicy.new(source_node: source_node,
-                                                                                    method_name: source_node.method_name,
-                                                                                    method_visibility: source_node.method_visibility,
-                                                                                    instance_method: true)
+                method_policy =
+                  Contrast::Agent::Patching::Policy::MethodPolicy.new(source_node: source_node,
+                                                                      method_name: source_node.method_name,
+                                                                      method_visibility: source_node.method_visibility,
+                                                                      instance_method: true)
                 patcher.patch_method(mod, method_array, method_policy)
               end
             rescue StandardError => e
-              logger.warn(
-                  'Unable to patch assess during define_method_attribute',
-                  e,
-                  module: mod.cs__name)
+              logger.warn('Unable to patch assess during define_method_attribute', e, module: mod.cs__name)
             end
           end
         end

data/lib/contrast/agent/assess/policy/policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'json'

data/lib/contrast/agent/assess/policy/policy_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/policy_node'
@@ -35,16 +35,6 @@ module Contrast
             :TYPE_METHOD
           end
-          def target
-            @_target ||= begin
-              if targets&.any?
-                targets[0]
-              elsif sources&.any?
-                sources[0]
-              end
-            end
-          end
           def target_string= value
             @target_string = value
             @targets = convert_policy_markers(value)
@@ -85,8 +75,7 @@ module Contrast
               next if Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
                   Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
-              raise(ArgumentError,
-                    "#{ node_class } #{ id } had an invalid tag. #{ tag } is not a known value.")
+              raise(ArgumentError, "#{ node_class } #{ id } had an invalid tag. #{ tag } is not a known value.")
             end
           end
@@ -100,27 +89,26 @@ module Contrast
           # Trigger (trigger nodes) don't have targets (they are the target)
           # Everything else (propagation nodes) are Source2Target
           def build_action
-            @event_action ||= begin
-              case node_class
-              when Contrast::Agent::Assess::Policy::SourceNode::SOURCE
-                :CREATION
-              when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER
-                :TRIGGER
-              else
-                if source_string.nil?
-                  :CREATION
-                elsif target_string.nil?
-                  :TRIGGER
-                else
-                  # TeamServer can't handle the multi-source or multi-target
-                  # values. Give it some help by changing them to 'A'
-                  source = source_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : source_string
-                  target = target_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : target_string
-                  str = source[0] + TO_MARKER + target[0]
-                  str.to_sym
-                end
-              end
-            end
+            @event_action ||= case node_class
+                              when Contrast::Agent::Assess::Policy::SourceNode::SOURCE
+                                :CREATION
+                              when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER
+                                :TRIGGER
+                              else
+                                if source_string.nil?
+                                  :CREATION
+                                elsif target_string.nil?
+                                  :TRIGGER
+                                else
+                                  # TeamServer can't handle the multi-source or multi-target values. Give it some help
+                                  # by changing them to 'A'
+                                  source = all_type?(source_string) ? ALL_TYPE : source_string
+                                  target = all_type?(target_string) ? ALL_TYPE : target_string
+                                  str = source[0] + TO_MARKER + target[0]
+                                  str.to_sym
+                                end
+                              end
             @event_action
           end
@@ -158,6 +146,10 @@ module Contrast
             end
             converted
           end
+          def all_type? marker
+            marker.include?(Contrast::Utils::ObjectShare::COMMA)
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/policy_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'

data/lib/contrast/agent/assess/policy/preshift.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -91,7 +91,9 @@ module Contrast
               Contrast::Agent::Assess::Tracker.copy(original_arg, preshift_arg)
             end
-            preshift.arg_lengths = preshift.args.map { |preshift_arg| Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0 }
+            preshift.arg_lengths = preshift.args.map do |preshift_arg|
+              Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagation_method.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'set'
@@ -86,10 +86,6 @@ module Contrast
                 SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
             }.cs__freeze
-            def context_available?
-              !!Contrast::Agent::REQUEST_TRACKER.current
-            end
             # I lied above. We had to figure out what the target of the
             # propagation was. Now that we know, we'll actually do things to
             # it. Note that the return of this method will replace the original
@@ -144,13 +140,7 @@ module Contrast
               !!target
             end
-            ZERO_LENGTH_ACTIONS = [
-              DB_WRITE_ACTION,
-              CUSTOM_ACTION,
-              KEEP_ACTION,
-              REPLACE_ACTION,
-              SPLAT_ACTION
-            ].cs__freeze
+            ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
             # If the action required needs a length and the target does not have
             # one, the length is not valid
             def valid_length? target, action
@@ -225,7 +215,7 @@ module Contrast
             # This is checked right before actual propagation
             def propagation_possible? propagation_node, target
-              return false unless context_available? && propagation_node && valid_target?(target, propagation_node)
+              return false unless propagation_node && valid_target?(target, propagation_node)
               return false unless valid_length?(target, propagation_node.action)
               true
@@ -249,7 +239,7 @@ module Contrast
             def handle_enumerable_propagation propagation_node, preshift, target, object, ret, args, block
               target.each do |value|
-                next if target == value # Some Enumerable#each are overridden to return self the first time which leads to infinite propagation
+                next if target == value
                 apply_propagator(propagation_node, preshift, value, object, ret, args, block)
               end
@@ -258,22 +248,12 @@ module Contrast
             def handle_cs_properties_propagation propagation_node, preshift, target, object, ret, args, _block
               return if propagation_node.action == NOOP_ACTION
               return unless can_propagate?(propagation_node, preshift, target)
+              return unless (propagation_class = find_propagation_class(propagation_node))
-              propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil)
-              unless propagation_class
-                logger.warn(
-                    'Unknown propagation action received. Unable to propagate.',
-                    node_id: propagation_node.id,
-                    action: propagation_node.action)
-                return
-              end
               restore_frozen_state = false
               if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
-                return unless ASSESS.track_frozen_sources?
-                return unless propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
-                dup = safe_dup(ret)
-                return unless dup
+                return unless can_handle_frozen?(propagation_node)
+                return unless (dup = safe_dup(ret))
                 restore_frozen_state = true
                 ret = dup
@@ -297,11 +277,33 @@ module Contrast
               properties.add_properties(propagation_node.properties)
               properties.build_event(propagation_node, target, object, ret, args)
-              logger.trace('Propagation detected',
-                           node_id: propagation_node.id,
-                           target_id: target.__id__)
+              logger.trace('Propagation detected', node_id: propagation_node.id, target_id: target.__id__)
               restore_frozen_state ? ret : nil
             end
+            # Find the propagation class from the given node, if one exists.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs a
+            #   propagation event.
+            # @return [Contrast::Agent::Assess::Policy::Propagator, nil]
+            def find_propagation_class propagation_node
+              unless (propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil))
+                logger.warn('Unknown propagation action received. Unable to propagate.',
+                            node_id: propagation_node.id,
+                            action: propagation_node.action)
+              end
+              propagation_class
+            end
+            # We can handle frozen propagation iff we're allowed to, as determined by configuration, and the target of
+            # the propagation is a return, as that's a replaceable value.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs a
+            #   propagation event.
+            # @return [Boolean]
+            def can_handle_frozen? propagation_node
+              ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagation_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/policy_node'
@@ -62,11 +62,19 @@ module Contrast
             raise(ArgumentError, "Propagator #{ id } did not have a proper action. Unable to create.") unless action
             if @action == 'CUSTOM'
-              raise(ArgumentError, "Propagator #{ id } did not have a proper patch_class. Unable to create.") unless patch_class
-              raise(ArgumentError, "Propagator #{ id } did not have a proper patch_method. Unable to create.") unless patch_method.is_a?(Symbol)
+              unless patch_class
+                raise(ArgumentError, "Propagator #{ id } did not have a proper patch_class. Unable to create.")
+              end
+              unless patch_method.is_a?(Symbol)
+                raise(ArgumentError, "Propagator #{ id } did not have a proper patch_method. Unable to create.")
+              end
             else
-              raise(ArgumentError, "Propagator #{ id } did not have a proper target. Unable to create.") unless targets&.any?
-              raise(ArgumentError, "Propagator #{ id } did not have a proper source. Unable to create.") unless sources&.any?
+              unless targets&.any?
+                raise(ArgumentError, "Propagator #{ id } did not have a proper target. Unable to create.")
+              end
+              unless sources&.any?
+                raise(ArgumentError, "Propagator #{ id } did not have a proper source. Unable to create.")
+              end
             end
             validate_untags
           end
@@ -76,9 +84,12 @@ module Contrast
             untags.each do |tag|
               unless Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag)
-                raise(ArgumentError, "#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
+                raise(ArgumentError,
+                      "#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
+              end
+              if tags&.include?(tag)
+                raise(ArgumentError, "#{ node_type } #{ id } had the same tag and untag, #{ tag }.")
               end
-              raise(ArgumentError, "#{ node_type } #{ id } had the same tag and untag, #{ tag }.") if tags&.include?(tag)
             end
           end
@@ -86,8 +97,8 @@ module Contrast
             if @_needs_object.nil?
               @_needs_object = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
                   action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
-                  sources.any? { |source| source == Contrast::Utils::ObjectShare::OBJECT_KEY } ||
-                  targets.any? { |target| target == Contrast::Utils::ObjectShare::OBJECT_KEY }
+                  sources.any?(Contrast::Utils::ObjectShare::OBJECT_KEY) ||
+                  targets.any?(Contrast::Utils::ObjectShare::OBJECT_KEY)
             end
             @_needs_object
           end