RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/method_policy'
@@ -27,6 +27,9 @@ module Contrast
               class_name = klass.cs__name
               instance_methods = klass.instance_methods
               instance_methods.concat(klass.private_instance_methods)
+              current_context = Contrast::Agent::REQUEST_TRACKER.current
+              current_request = current_context&.request
               tainted_columns.each_pair do |field, properties|
                 next unless properties
@@ -34,14 +37,14 @@ module Contrast
                 # Move on if we already know about this Dynamic Source
                 next if Contrast::Agent::Assess::Policy::Policy.instance.find_source_node(class_name, method_name, true)
-                dynamic_source_node = create_source_node(class_name, method_name, Set.new(properties.tag_keys))
+                dynamic_source_node = create_source_node(class_name, method_name, Set.new(properties.tag_keys),
+                                                         current_request)
                 Contrast::Agent::Assess::Policy::Policy.instance.add_node(dynamic_source_node, :dynamic_source)
                 method_policy = build_source_policy(method_name, dynamic_source_node)
                 Contrast::Agent::Patching::Policy::Patcher.patch_method(klass, instance_methods, method_policy)
-                current_context = Contrast::Agent::REQUEST_TRACKER.current
                 next unless current_context
-                dynamic_source = create_dynamic_source(current_context, dynamic_source_node, field, properties)
+                dynamic_source = create_dynamic_source(current_request, dynamic_source_node, field, properties)
                 node_id = Contrast::Utils::StringUtils.force_utf8(dynamic_source_node.id)
                 current_context.activity.dynamic_sources[node_id] = dynamic_source
               end
@@ -56,8 +59,10 @@ module Contrast
             # @param class_name [String] the name of the Class to patch
             # @param method_name [Symbol] the name of the Method to patch
             # @param tags [Set<String>] the tags this event should apply
+            # @param request [Contrast::Agent::Request] the request during
+            #  which this source is to be created.
             # @return [Contrast::Agent::Assess::Policy::SourceNode]
-            def create_source_node class_name, method_name, tags
+            def create_source_node class_name, method_name, tags, request
               node = Contrast::Agent::Assess::Policy::SourceNode.new
               node.class_name = class_name
               node.instance_method = true
@@ -72,8 +77,7 @@ module Contrast
               node.add_property(READ_TABLE, class_name)
               node.add_property(READ_COLUMN, method_name)
               node.add_property(WRITE_QUERY_TIME, Contrast::Utils::Timer.now_ms)
-              url = Contrast::Agent::REQUEST_TRACKER.current&.request&.normalized_uri
-              node.add_property(WRITE_QUERY_URL, url)
+              node.add_property(WRITE_QUERY_URL, request&.normalized_uri)
               node
             end
@@ -92,8 +96,8 @@ module Contrast
               method_policy
             end
-            # @param current_context [Contrast::Agent::RequestContext] the
-            #   context of the request in which this source is to be created.
+            # @param request [Contrast::Agent::Request] the request during
+            #   which this source is to be created.
             # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
             #   the SourceNode that applies to this method
             # @param field [String] the name of the method to which this source
@@ -104,22 +108,36 @@ module Contrast
             # @return [Contrast::Api::Dtm::DynamicSource] the message to send
             #   to the Service to allow it to report the events leading up to
             #   the creation of the Dynamic Source
-            def create_dynamic_source current_context, source_node, field, properties
+            def create_dynamic_source request, source_node, field, properties
               dynamic_source = Contrast::Api::Dtm::DynamicSource.new
               dynamic_source.class_name = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.method_name = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.instance_method = source_node.instance_method?
               dynamic_source.target = Contrast::Utils::StringUtils.force_utf8(source_node.target_string)
+              append_properties!(dynamic_source, request, source_node, field)
+              append_events!(dynamic_source, properties.event)
+              dynamic_source
+            end
+            # Append the properties needed to reconstruct the given DynamicSource in other dataflows and for rendering
+            # in TeamServer
+            #
+            # @param dynamic_source [Contrast::Api::Dtm::DynamicSource] the message to send to the Service to allow it
+            #   to report the events leading up to the creation of the Dynamic Source.
+            # @param request [Contrast::Agent::Request] the request during which this source is to be created.
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the SourceNode that applies to this
+            #   method.
+            # @param field [String] the name of the method to which this source applies.
+            def append_properties! dynamic_source, request, source_node, field
               dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.properties[READ_COLUMN] = Contrast::Utils::StringUtils.force_utf8(field)
-              dynamic_source.properties[WRITE_QUERY_TIME] = Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
-              url = current_context.request.normalized_uri
-              dynamic_source.properties[WRITE_QUERY_URL] = Contrast::Utils::StringUtils.force_utf8(url)
-              append_events(dynamic_source, properties.event)
-              dynamic_source
+              dynamic_source.properties[WRITE_QUERY_TIME] =
+                Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
+              dynamic_source.properties[WRITE_QUERY_URL] =
+                Contrast::Utils::StringUtils.force_utf8(request&.normalized_uri)
             end
-            def append_events dynamic_source, event
+            def append_events! dynamic_source, event
               return unless event
               event.parent_events&.each do |parent_event|

data/lib/contrast/agent/assess/policy/patcher.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/policy'
@@ -39,19 +39,13 @@ module Contrast
               patcher.patch_specific_module(mod)
             rescue StandardError => e
-              logger.warn(
-                  'Unable to patch assess during eval',
-                  e,
-                  module: mod.cs__name)
+              logger.warn('Unable to patch assess during eval', e, module: mod.cs__name)
             end
             # Exposed so that methods can be dynamically patched on creation at
             # runtime, like those generated by
             # ActiveRecord::AttributeMethods::Read::ClassMethods#define_method_attribute
-            CLASS_TYPES = [
-              Contrast::Utils::ObjectShare::CLASS,
-              Contrast::Utils::ObjectShare::MODULE
-            ].cs__freeze
+            CLASS_TYPES = [Contrast::Utils::ObjectShare::CLASS, Contrast::Utils::ObjectShare::MODULE].cs__freeze
             def patch_assess_method mod, method_name
               # Module.define_method is called a lot in Class and Module. We
               # currently do not expect these define_methods to result in methods
@@ -62,7 +56,8 @@ module Contrast
               return if CLASS_TYPES.include?(class_name)
               return unless ASSESS.enabled?
-              source_nodes = Contrast::Agent::Patching::Policy::ModulePolicy.nodes_for_module(policy.sources, class_name)
+              source_nodes = Contrast::Agent::Patching::Policy::ModulePolicy.nodes_for_module(policy.sources,
+                                                                                              class_name)
               return if source_nodes.empty?
               method_array = []
@@ -70,17 +65,15 @@ module Contrast
               source_nodes.each do |source_node|
                 next unless source_node.method_name.to_s == method_name
-                method_policy = Contrast::Agent::Patching::Policy::MethodPolicy.new(source_node: source_node,
-                                                                                    method_name: source_node.method_name,
-                                                                                    method_visibility: source_node.method_visibility,
-                                                                                    instance_method: true)
+                method_policy =
+                  Contrast::Agent::Patching::Policy::MethodPolicy.new(source_node: source_node,
+                                                                      method_name: source_node.method_name,
+                                                                      method_visibility: source_node.method_visibility,
+                                                                      instance_method: true)
                 patcher.patch_method(mod, method_array, method_policy)
               end
             rescue StandardError => e
-              logger.warn(
-                  'Unable to patch assess during define_method_attribute',
-                  e,
-                  module: mod.cs__name)
+              logger.warn('Unable to patch assess during define_method_attribute', e, module: mod.cs__name)
             end
           end
         end

data/lib/contrast/agent/assess/policy/policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'json'

data/lib/contrast/agent/assess/policy/policy_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/policy_node'
@@ -35,16 +35,6 @@ module Contrast
             :TYPE_METHOD
           end
-          def target
-            @_target ||= begin
-              if targets&.any?
-                targets[0]
-              elsif sources&.any?
-                sources[0]
-              end
-            end
-          end
           def target_string= value
             @target_string = value
             @targets = convert_policy_markers(value)
@@ -85,8 +75,7 @@ module Contrast
               next if Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
                   Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
-              raise(ArgumentError,
-                    "#{ node_class } #{ id } had an invalid tag. #{ tag } is not a known value.")
+              raise(ArgumentError, "#{ node_class } #{ id } had an invalid tag. #{ tag } is not a known value.")
             end
           end
@@ -100,27 +89,26 @@ module Contrast
           # Trigger (trigger nodes) don't have targets (they are the target)
           # Everything else (propagation nodes) are Source2Target
           def build_action
-            @event_action ||= begin
-              case node_class
-              when Contrast::Agent::Assess::Policy::SourceNode::SOURCE
-                :CREATION
-              when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER
-                :TRIGGER
-              else
-                if source_string.nil?
-                  :CREATION
-                elsif target_string.nil?
-                  :TRIGGER
-                else
-                  # TeamServer can't handle the multi-source or multi-target
-                  # values. Give it some help by changing them to 'A'
-                  source = source_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : source_string
-                  target = target_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : target_string
-                  str = source[0] + TO_MARKER + target[0]
-                  str.to_sym
-                end
-              end
-            end
+            @event_action ||= case node_class
+                              when Contrast::Agent::Assess::Policy::SourceNode::SOURCE
+                                :CREATION
+                              when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER
+                                :TRIGGER
+                              else
+                                if source_string.nil?
+                                  :CREATION
+                                elsif target_string.nil?
+                                  :TRIGGER
+                                else
+                                  # TeamServer can't handle the multi-source or multi-target values. Give it some help
+                                  # by changing them to 'A'
+                                  source = all_type?(source_string) ? ALL_TYPE : source_string
+                                  target = all_type?(target_string) ? ALL_TYPE : target_string
+                                  str = source[0] + TO_MARKER + target[0]
+                                  str.to_sym
+                                end
+                              end
             @event_action
           end
@@ -158,6 +146,10 @@ module Contrast
             end
             converted
           end
+          def all_type? marker
+            marker.include?(Contrast::Utils::ObjectShare::COMMA)
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/policy_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'

data/lib/contrast/agent/assess/policy/preshift.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'
@@ -91,7 +91,9 @@ module Contrast
               Contrast::Agent::Assess::Tracker.copy(original_arg, preshift_arg)
             end
-            preshift.arg_lengths = preshift.args.map { |preshift_arg| Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0 }
+            preshift.arg_lengths = preshift.args.map do |preshift_arg|
+              Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagation_method.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'set'
@@ -86,10 +86,6 @@ module Contrast
                 SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
             }.cs__freeze
-            def context_available?
-              !!Contrast::Agent::REQUEST_TRACKER.current
-            end
             # I lied above. We had to figure out what the target of the
             # propagation was. Now that we know, we'll actually do things to
             # it. Note that the return of this method will replace the original
@@ -144,13 +140,7 @@ module Contrast
               !!target
             end
-            ZERO_LENGTH_ACTIONS = [
-              DB_WRITE_ACTION,
-              CUSTOM_ACTION,
-              KEEP_ACTION,
-              REPLACE_ACTION,
-              SPLAT_ACTION
-            ].cs__freeze
+            ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
             # If the action required needs a length and the target does not have
             # one, the length is not valid
             def valid_length? target, action
@@ -225,7 +215,7 @@ module Contrast
             # This is checked right before actual propagation
             def propagation_possible? propagation_node, target
-              return false unless context_available? && propagation_node && valid_target?(target, propagation_node)
+              return false unless propagation_node && valid_target?(target, propagation_node)
               return false unless valid_length?(target, propagation_node.action)
               true
@@ -249,7 +239,7 @@ module Contrast
             def handle_enumerable_propagation propagation_node, preshift, target, object, ret, args, block
               target.each do |value|
-                next if target == value # Some Enumerable#each are overridden to return self the first time which leads to infinite propagation
+                next if target == value
                 apply_propagator(propagation_node, preshift, value, object, ret, args, block)
               end
@@ -258,22 +248,12 @@ module Contrast
             def handle_cs_properties_propagation propagation_node, preshift, target, object, ret, args, _block
               return if propagation_node.action == NOOP_ACTION
               return unless can_propagate?(propagation_node, preshift, target)
+              return unless (propagation_class = find_propagation_class(propagation_node))
-              propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil)
-              unless propagation_class
-                logger.warn(
-                    'Unknown propagation action received. Unable to propagate.',
-                    node_id: propagation_node.id,
-                    action: propagation_node.action)
-                return
-              end
               restore_frozen_state = false
               if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
-                return unless ASSESS.track_frozen_sources?
-                return unless propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
-                dup = safe_dup(ret)
-                return unless dup
+                return unless can_handle_frozen?(propagation_node)
+                return unless (dup = safe_dup(ret))
                 restore_frozen_state = true
                 ret = dup
@@ -297,11 +277,33 @@ module Contrast
               properties.add_properties(propagation_node.properties)
               properties.build_event(propagation_node, target, object, ret, args)
-              logger.trace('Propagation detected',
-                           node_id: propagation_node.id,
-                           target_id: target.__id__)
+              logger.trace('Propagation detected', node_id: propagation_node.id, target_id: target.__id__)
               restore_frozen_state ? ret : nil
             end
+            # Find the propagation class from the given node, if one exists.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs a
+            #   propagation event.
+            # @return [Contrast::Agent::Assess::Policy::Propagator, nil]
+            def find_propagation_class propagation_node
+              unless (propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil))
+                logger.warn('Unknown propagation action received. Unable to propagate.',
+                            node_id: propagation_node.id,
+                            action: propagation_node.action)
+              end
+              propagation_class
+            end
+            # We can handle frozen propagation iff we're allowed to, as determined by configuration, and the target of
+            # the propagation is a return, as that's a replaceable value.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs a
+            #   propagation event.
+            # @return [Boolean]
+            def can_handle_frozen? propagation_node
+              ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagation_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/assess/policy/policy_node'
@@ -62,11 +62,19 @@ module Contrast
             raise(ArgumentError, "Propagator #{ id } did not have a proper action. Unable to create.") unless action
             if @action == 'CUSTOM'
-              raise(ArgumentError, "Propagator #{ id } did not have a proper patch_class. Unable to create.") unless patch_class
-              raise(ArgumentError, "Propagator #{ id } did not have a proper patch_method. Unable to create.") unless patch_method.is_a?(Symbol)
+              unless patch_class
+                raise(ArgumentError, "Propagator #{ id } did not have a proper patch_class. Unable to create.")
+              end
+              unless patch_method.is_a?(Symbol)
+                raise(ArgumentError, "Propagator #{ id } did not have a proper patch_method. Unable to create.")
+              end
             else
-              raise(ArgumentError, "Propagator #{ id } did not have a proper target. Unable to create.") unless targets&.any?
-              raise(ArgumentError, "Propagator #{ id } did not have a proper source. Unable to create.") unless sources&.any?
+              unless targets&.any?
+                raise(ArgumentError, "Propagator #{ id } did not have a proper target. Unable to create.")
+              end
+              unless sources&.any?
+                raise(ArgumentError, "Propagator #{ id } did not have a proper source. Unable to create.")
+              end
             end
             validate_untags
           end
@@ -76,9 +84,12 @@ module Contrast
             untags.each do |tag|
               unless Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag)
-                raise(ArgumentError, "#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
+                raise(ArgumentError,
+                      "#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
+              end
+              if tags&.include?(tag)
+                raise(ArgumentError, "#{ node_type } #{ id } had the same tag and untag, #{ tag }.")
               end
-              raise(ArgumentError, "#{ node_type } #{ id } had the same tag and untag, #{ tag }.") if tags&.include?(tag)
             end
           end
@@ -86,8 +97,8 @@ module Contrast
             if @_needs_object.nil?
               @_needs_object = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
                   action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
-                  sources.any? { |source| source == Contrast::Utils::ObjectShare::OBJECT_KEY } ||
-                  targets.any? { |target| target == Contrast::Utils::ObjectShare::OBJECT_KEY }
+                  sources.any?(Contrast::Utils::ObjectShare::OBJECT_KEY) ||
+                  targets.any?(Contrast::Utils::ObjectShare::OBJECT_KEY)
             end
             @_needs_object
           end