contrast-agent 4.3.2 → 4.7.0

data/lib/contrast/agent/assess/policy/propagator.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/assess/policy/propagator/append.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -29,23 +29,38 @@ module Contrast
                 if source1.length == target.length
                   properties.copy_from(source1, target, 0, propagation_node.untags)
                 else
-                  # find original in the target, copy tags to the new position in
-                  # target
-                  original_start_index = target.index(source1)
-                  properties.copy_from(source1, target, original_start_index, propagation_node.untags)
+                  handle_append(propagation_node, source1, source2, target, properties)
+                end
+                properties.cleanup_tags
+              end
 
-                  start = original_start_index + source1.length
-                  while start < target.length
-                    properties.copy_from(source2, target, start, propagation_node.untags)
-                    start += source2.length
-                    next unless start > target.length
+              private
 
-                    properties.tags_at(start - source2.length).each do |tag|
-                      tag.update_end(target.length)
-                    end
+              # Given the append operation on source 1 added source 2 to it, changing the target output, modify the
+              # tags on the target to account for the change.
+              #
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node responsible for the
+              #   propagation action required by this method
+              # @param source1 [Object] the thing being appended to
+              # @param source2 [Object] the thing being appended
+              # @param target [Object] the result of the append operation
+              # @param properties [Contrast::Agent::Assess::Properties] the properties of the target
+              def handle_append propagation_node, source1, source2, target, properties
+                # find original in the target, copy tags to the new position in
+                # target
+                original_start_index = target.index(source1)
+                properties.copy_from(source1, target, original_start_index, propagation_node.untags)
+
+                start = original_start_index + source1.length
+                while start < target.length
+                  properties.copy_from(source2, target, start, propagation_node.untags)
+                  start += source2.length
+                  next unless start > target.length
+
+                  properties.tags_at(start - source2.length).each do |tag|
+                    tag.update_end(target.length)
                   end
                 end
-                properties.cleanup_tags
               end
             end
           end

data/lib/contrast/agent/assess/policy/propagator/base.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/assess/policy/propagator/center.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -31,7 +31,8 @@ module Contrast
                 return unless sources[1]
 
                 original_end_index = original_start_index + source1.length - 1
-                handle_incoming_tags(target, propagation_node, sources[1], preshift, original_start_index, original_end_index)
+                handle_incoming_tags(target, propagation_node, sources[1], preshift, original_start_index,
+                                     original_end_index)
               end
 
               private

data/lib/contrast/agent/assess/policy/propagator/custom.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/extension/module'

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
@@ -24,23 +24,8 @@ module Contrast
 
                 known_tainted = ASSESS.tainted_columns[class_name]
                 propagation_node.sources.each do |source|
-                  arg = preshift.args[source]
-                  next unless arg.cs__respond_to?(:each_pair)
-
-                  arg.each_pair do |key, value|
-                    next unless value
-                    next if known_tainted&.include?(key)
-                    next unless (properties = Contrast::Agent::Assess::Tracker.properties!(value))
-
-                    # TODO: RUBY-540 handle sanitization, handle nested objects
-                    Contrast::Agent::Assess::Policy::PropagationMethod.apply_tags(propagation_node, value)
-                    properties.build_event(propagation_node, value, preshift.object, target, preshift.args)
-                    next unless tracked_value?(value)
-
-                    tainted_columns[key] = properties
-                  end
+                  handle_write(propagation_node, source, preshift, target, known_tainted, tainted_columns)
                 end
-
                 return if tainted_columns.empty?
 
                 if known_tainted
@@ -51,6 +36,26 @@ module Contrast
 
                 Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources class_type, tainted_columns
               end
+
+              private
+
+              def handle_write propagation_node, source, preshift, target, known_tainted, tainted_columns
+                arg = preshift.args[source]
+                return unless arg.cs__respond_to?(:each_pair)
+
+                arg.each_pair do |key, value|
+                  next unless value
+                  next if known_tainted&.include?(key)
+                  next unless (properties = Contrast::Agent::Assess::Tracker.properties!(value))
+
+                  # TODO: RUBY-540 handle sanitization, handle nested objects
+                  Contrast::Agent::Assess::Policy::PropagationMethod.apply_tags(propagation_node, value)
+                  properties.build_event(propagation_node, value, preshift.object, target, preshift.args)
+                  next unless tracked_value?(value)
+
+                  tainted_columns[key] = properties
+                end
+              end
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagator/insert.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -33,7 +33,9 @@ module Contrast
                 # point on which all tags need to be adjusted
                 # If the insertion point is the end of the string, preshift length is returned
                 # https://stackoverflow.com/questions/31714522/find-the-first-differing-character-between-two-strings-in-ruby
-                insert_point = (0...preshift_target.length).find { |i| preshift_target[i] != target[i] } || preshift_target.length
+                insert_point = (0...preshift_target.length).find do |i|
+                  preshift_target[i] != target[i]
+                end || preshift_target.length
                 # Depending what's inserted, we might be wrong. For instance, inserting 'foo'
                 # into 'asdfasdf' could result in 'asdfoofasdf'. we'd be off by one b/c of the 'f'
                 insert_point = target.rindex(source, insert_point)

data/lib/contrast/agent/assess/policy/propagator/keep.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/assess/policy/propagator/match_data.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -76,7 +76,8 @@ module Contrast
                 applicable_tags.each do |tag_name, tag_ranges|
                   return_properties.set_tags(tag_name, tag_ranges)
                 end
-                return_properties.build_event(propagation_node, return_value, preshift.object, return_value, preshift.args)
+                return_properties.build_event(propagation_node, return_value, preshift.object, return_value,
+                                              preshift.args)
               end
             end
           end

data/lib/contrast/agent/assess/policy/propagator/next.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/assess/policy/propagator/prepend.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/assess/policy/propagator/remove.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -6,28 +6,35 @@ module Contrast
     module Assess
       module Policy
         module Propagator
-          # Propagation that results in all the tags of the source being
-          # applied to the totality of the target and then those sections
-          # which have been removed from the target are removed from the
-          # tags. The target's preexisting tags are also updated by this
-          # removal.
+          # Propagation that results in all the tags of the source being applied to the totality of the target and then
+          # those sections which have been removed from the target are removed from the tags. The target's preexisting
+          # tags are also updated by this removal.
           class Remove < Contrast::Agent::Assess::Policy::Propagator::Base
             class << self
-              # For the source, append its tags to the target.
-              # Once the tag is applied, remove the section that was removed by the delete.
-              # Unlike additive propagation, this currently only supports one source
+              # For the source, append its tags to the target. Once the tag is applied, remove the section that was
+              # removed by the delete. Unlike additive propagation, this currently only supports one source.
               def propagate propagation_node, preshift, target
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source = find_source(propagation_node.sources[0], preshift)
                 properties.copy_from(source, target, 0, propagation_node.untags)
-                source_chars = source.is_a?(String) ? source.chars : source.string.chars
-                handle_removal(source_chars, target)
+                handle_removal(propagation_node, source, target)
               end
 
-              def handle_removal source_chars, target
+              def handle_removal propagation_node, source, target
+                return unless source
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
+                source_string = source.is_a?(String) ? source : source.to_s
+
+                # If the lengths are the same, we should just copy the tags because nothing was removed, but a new
+                # instance could have been created. copy_from will handle the case where the source is the target.
+                if source_string.length == target.length
+                  properties.copy_from(source, target, 0, propagation_node.untags)
+                  return
+                end
+
+                source_chars = source_string.chars
                 source_idx = 0
 
                 target_chars = target.chars
@@ -36,10 +43,8 @@ module Contrast
                 remove_ranges = []
                 start = nil
 
-                # loop over the target, the result of the delete
-                # every range of characters that it differs from the source
-                # represents a section that was deleted. these sections
-                # need to have their tags updated
+                # loop over the target, the result of the delete every range of characters that it differs from the
+                # source represents a section that was deleted. these sections need to have their tags updated
                 target_len = target_chars.length
                 while target_idx < target_len
                   target_char = target_chars[target_idx]
@@ -56,9 +61,8 @@ module Contrast
                   source_idx += 1
                 end
 
-                # once we're done looping over the target, anything left
-                # over is extra from the source that was deleted. tags
-                # applying to it need to be removed.
+                # once we're done looping over the target, anything left over is extra from the source that was
+                # deleted. tags applying to it need to be removed.
                 remove_ranges << (source_idx...source_chars.length) if source_idx != source_chars.length
 
                 # handle deleting the removed ranges

data/lib/contrast/agent/assess/policy/propagator/replace.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/assess/policy/propagator/reverse.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/assess/policy/propagator/select.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -21,22 +21,12 @@ module Contrast
                 # Additionally, an empty string is returned when the starting index for
                 # a character range is at the end of the string. Let's just skip that
                 # and only track a string that has length
-                unless ret &&
-                      !ret.empty? &&
-                      Contrast::Agent::Assess::Tracker.tracked?(source)
-
-                  return
-                end
+                return unless ret && !ret.empty? && Contrast::Agent::Assess::Tracker.tracked?(source)
 
                 return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
-                properties.build_event(
-                    patcher,
-                    ret,
-                    source,
-                    ret,
-                    args)
+                properties.build_event(patcher, ret, source, ret, args)
 
                 range = determine_select_range(source, args)
                 return unless range

data/lib/contrast/agent/assess/policy/propagator/splat.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -19,19 +19,7 @@ module Contrast
                   when Contrast::Utils::ObjectShare::OBJECT_KEY
                     tracked_inputs << preshift.object if Contrast::Agent::Assess::Tracker.tracked?(preshift.object)
                   else
-                    arg = preshift.args[source]
-                    if arg.is_a?(String)
-                      tracked_inputs << arg if Contrast::Agent::Assess::Tracker.tracked?(arg)
-                    elsif Contrast::Utils::DuckUtils.iterable_hash?(arg)
-                      arg.each_pair do |key, value|
-                        tracked_inputs << key if tracked_value?(key)
-                        tracked_inputs << value if tracked_value?(value)
-                      end
-                    elsif Contrast::Utils::DuckUtils.iterable_enumerable?(arg)
-                      arg.each do |value|
-                        tracked_inputs << value if tracked_value?(value)
-                      end
-                    end
+                    find_argument_inputs(tracked_inputs, preshift.args[source])
                   end
                 end
 
@@ -50,6 +38,28 @@ module Contrast
                   properties.splat_from(input, target)
                 end
               end
+
+              private
+
+              # The arguments to the splat method are complex and of multiple types. As such, we need to handle
+              # Strings and iterables to determine the tracked inputs on which to act.
+              #
+              # @param tracked_inputs [Array] storage for the inputs to act on later
+              # @param arg [Object] an input to the method which act as sources for this propagation.
+              def find_argument_inputs tracked_inputs, arg
+                if arg.is_a?(String)
+                  tracked_inputs << arg if Contrast::Agent::Assess::Tracker.tracked?(arg)
+                elsif Contrast::Utils::DuckUtils.iterable_hash?(arg)
+                  arg.each_pair do |key, value|
+                    tracked_inputs << key if tracked_value?(key)
+                    tracked_inputs << value if tracked_value?(value)
+                  end
+                elsif Contrast::Utils::DuckUtils.iterable_enumerable?(arg)
+                  arg.each do |value|
+                    tracked_inputs << value if tracked_value?(value)
+                  end
+                end
+              end
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/preshift'
@@ -31,20 +31,12 @@ module Contrast
               # @return [nil] so as not to risk changing the result of the propagation.
 
               def propagate propagation_node, preshift, target
-                logger.trace('Propagation detected',
-                             node_id: propagation_node.id,
-                             target_id: target.__id__)
+                logger.trace('Propagation detected', node_id: propagation_node.id, target_id: target.__id__)
 
                 source = find_source(propagation_node.sources[0], preshift)
                 return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
 
-                # grapheme_clusters break the string apart based on each "user-perceived" character.
-                # Otherwise, the default for String#split is to use a single whitespace.
-                separator_length = if propagation_node.method_name == :grapheme_clusters
-                                     0
-                                   else
-                                     preshift&.args&.first&.to_s&.length || $FIELD_SEPARATOR&.to_s&.length || 1
-                                   end
+                separator_length = find_separator_length(propagation_node, preshift)
 
                 current_index = 0
                 target.each do |target_elem|
@@ -126,6 +118,19 @@ module Contrast
 
               private
 
+              # grapheme_clusters break the string apart based on each "user-perceived" character. Otherwise, the
+              # default for String#split is to use a single whitespace.
+              #
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+              #   propagation event.
+              # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+              #   the invocation of the patched method.
+              def find_separator_length propagation_node, preshift
+                return 0 if propagation_node.method_name == :grapheme_clusters
+
+                preshift&.args&.first&.to_s&.length || $FIELD_SEPARATOR&.to_s&.length || 1
+              end
+
               # Save index of the current split object.
               # Create index tracking array as needed.
               def save_split_index!
@@ -155,10 +160,8 @@ module Contrast
               #
               # @return [Contrast::Agent::Assess::Policy::PropagationNode] String#split node
               def split_node
-                @_split_node ||= begin
-                  Contrast::Agent::Assess::Policy::Policy.instance.propagators.find do |node|
-                    node.class_name == 'String' && node.method_name == :split && node.instance_method?
-                  end
+                @_split_node ||= Contrast::Agent::Assess::Policy::Policy.instance.propagators.find do |node|
+                  node.class_name == 'String' && node.method_name == :split && node.instance_method?
                 end
               end
             end