contrast-agent 4.3.2 → 4.7.0

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
@@ -95,10 +95,8 @@ module Contrast
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
-                parent_event = incoming_properties&.event
-                parent_events << parent_event if parent_event
+                parent_events << incoming_properties&.event if incoming_properties&.event
 
-                pattern = preshift.args[0]
                 source = preshift.object
 
                 # We can't efficiently find the places that things were
@@ -111,6 +109,34 @@ module Contrast
 
                 # if it's just a straight insert, that we can do
                 # Copy the tags from us to the return
+                ranges = find_string_sub_insert(properties, preshift, incoming, ret, global)
+
+                properties.delete_tags_at_ranges(ranges)
+                properties.shift_tags(ranges)
+                return unless incoming_tracked
+                return unless incoming_properties
+
+                tags = incoming_properties.tag_keys
+                ranges.each do |range|
+                  tags.each do |tag|
+                    properties.add_tag(tag, range)
+                  end
+                end
+              end
+
+              # Find the points at which the new String was placed into the original
+              #
+              # @param properties [Contrast::Agent::Assess::Properties] the Properties of the ret
+              # @param preshift [Contrast::Agent::Assess::PreShift] the capture of the state of the code just prior to
+              #   the invocation of the patched method
+              # @param incoming [String] the new String going into the substitution
+              # @param ret [String] the result of the substitution
+              # @param global [Boolean] if this was a global or single substitution
+              # @return [Array<Range>] the Ranges where substitution occurred
+              def find_string_sub_insert properties, preshift, incoming, ret, global
+                pattern = preshift.args[0]
+                source = preshift.object
+
                 properties.copy_from(source, ret)
                 # Figure out where inserts occurred
                 last_idx = 0
@@ -126,17 +152,7 @@ module Contrast
                   ranges << (start_index...end_index)
                   break unless global
                 end
-                properties.delete_tags_at_ranges(ranges)
-                properties.shift_tags(ranges)
-                return unless incoming_tracked
-                return unless incoming_properties
-
-                tags = incoming_properties.tag_keys
-                ranges.each do |range|
-                  tags.each do |tag|
-                    properties.add_tag(tag, range)
-                  end
-                end
+                ranges
               end
 
               def block_sub self_tracked, source, ret
@@ -170,13 +186,7 @@ module Contrast
 
                 properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 args = preshift.args
-                properties.build_event(
-                    patcher,
-                    ret,
-                    preshift.object,
-                    ret,
-                    args,
-                    2)
+                properties.build_event(patcher, ret, preshift.object, ret, args, 2)
                 properties.event.instance_variable_set(:@_parent_events, parent_events)
               end
             end

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -8,50 +8,24 @@ module Contrast
         module Propagator
           # This class is specifically for String#tr(_s) propagation
           #
-          # Disclaimer: there may be a better way, but we're
-          # in a 'get it work' state. hopefully, we'll be in
-          # a 'get it right' state soon.
+          # Disclaimer: there may be a better way, but we're in a 'get it work' state. hopefully, we'll be in a 'get it
+          # right' state soon.
           module Trim
             class << self
-              def tr_tagger patcher, preshift, ret, _block
+              # @param policy_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+              #   propagation event.
+              # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+              #   the invocation of the patched method.
+              # @param ret [nil, String] the target to which to propagate.
+              # @return [nil, String] ret
+              def tr_tagger policy_node, preshift, ret, _block
                 return ret unless ret && !ret.empty?
                 return ret unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
-                source = preshift.object
-                args = preshift.args
-                properties.copy_from(source, ret)
-                replace_string = args[1]
-                source_chars = source.chars
-                # if the replace string is empty, then there's a bunch of deletes. this
-                # functions the same as the Removal propagation.
-                if replace_string == Contrast::Utils::ObjectShare::EMPTY_STRING
-                  Contrast::Agent::Assess::Policy::Propagator::Remove.handle_removal(source_chars, ret)
-                else
-                  remove_ranges = []
-                  ret_chars = ret.chars
-                  start = nil
-                  source_chars.each_with_index do |char, idx|
-                    if ret_chars[idx] == char
-                      next unless start
+                properties.copy_from(preshift.object, ret)
+                handle_tr(policy_node, preshift, ret, properties)
 
-                      remove_ranges << (start...idx)
-                      start = nil
-                    else
-                      start ||= idx
-                    end
-                  end
-                  # account for the last char being different
-                  remove_ranges << (start...source_chars.length) if start
-                  properties.delete_tags_at_ranges(remove_ranges, false)
-                end
-
-                properties.build_event(
-                    patcher,
-                    ret,
-                    source,
-                    ret,
-                    args,
-                    1)
+                properties.build_event(policy_node, ret, preshift.object, ret, preshift.args, 1)
                 ret
               end
 
@@ -62,14 +36,59 @@ module Contrast
                 source = preshift.object
                 args = preshift.args
                 properties.splat_from(source, ret)
-                properties.build_event(
-                    patcher,
-                    ret,
-                    source,
-                    ret,
-                    args)
+                properties.build_event(patcher, ret, source, ret, args)
                 ret
               end
+
+              private
+
+              # @param policy_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+              #   propagation event.
+              # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+              #   the invocation of the patched method.
+              # @param ret [String] the target to which to propagate.
+              # @param properties [Contrast::Agent::Assess::Properties] the properties of the ret
+              def handle_tr policy_node, preshift, ret, properties
+                source = preshift.object
+                replace_string = preshift.args[1]
+
+                # if the replace string is empty, then there's a bunch of deletes. this functions the same as the
+                # Removal propagation.
+                if replace_string == Contrast::Utils::ObjectShare::EMPTY_STRING
+                  Contrast::Agent::Assess::Policy::Propagator::Remove.handle_removal(policy_node, source, ret)
+                  return
+                end
+
+                # Otherwise, we need to target each insertion point. Based on the spec for #tr & #tr_s, the find is
+                # treated as a regexp range, excepting the `\` character, which we'll need to escape. This converts to
+                # that form, wrapping the input in `[]`.
+                find_string = preshift.args[0]
+                find_string += '\\' if find_string.end_with?('\\')
+                find_regexp = Regexp.new("[#{ find_string }]")
+
+                # Find the first instance to be replaced. If there isn't one, than nothing changed here.
+                idx = source.index(find_regexp)
+                return unless idx
+
+                # Iterate over each change and record where it happened. B/c this is a one to one replace, the index of
+                # the replacement is always one; however, there may be adjacent replacements which become a single
+                # range.
+                start = idx
+                stop = idx + 1
+                remove_ranges = []
+                while (idx = source.index(find_regexp, idx + 1))
+                  # If the previous range ends at this index, we can expand that range to include this index.
+                  # Otherwise, we need to record the held range and start a new one.
+                  if stop != idx
+                    remove_ranges << (start...stop)
+                    start = idx
+                  end
+                  stop = idx + 1
+                end
+                # Be sure to capture the last range in the holder.
+                remove_ranges << (start...stop)
+                properties.delete_tags_at_ranges(remove_ranges, false)
+              end
             end
           end
         end

data/lib/contrast/agent/assess/policy/rewriter_patch.rb

@@ -1,6 +1,8 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+
 require 'contrast/agent/patching/policy/patch_status'
 require 'contrast/agent/module_data'
 require 'contrast/agent/rewriter'
@@ -41,7 +43,9 @@ module Contrast
               module_name = mod.cs__name
               return unless module_name
 
-              if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START, Contrast::Utils::ObjectShare::ANONYMOUS_CLASS_MARKER)
+              if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START,
+                                         Contrast::Utils::ObjectShare::ANONYMOUS_CLASS_MARKER)
+
                 status.no_rewrite!
                 return
 
@@ -64,8 +68,7 @@ module Contrast
             # To get around this, we have those methods tell us the class
             # isn't ready
             def mid_defining? mod
-              mod.instance_variable_defined?(:@cs__defining_class) &&
-                  mod.instance_variable_get(:@cs__defining_class)
+              mod.instance_variable_defined?(:@cs__defining_class) && mod.instance_variable_get(:@cs__defining_class)
             end
 
             def agent_should_rewrite?

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'set'
@@ -11,10 +11,9 @@ module Contrast
   module Agent
     module Assess
       module Policy
-        # This class controls the actions we take on Sources, as determined by
-        # our Assess policy. It indicates what actions we should take in order
-        # to mark data as User Input and treat it as untrusted, starting the
-        # dataflows used in Assess vulnerability detection.
+        # This class controls the actions we take on Sources, as determined by our Assess policy. It indicates what
+        # actions we should take in order to mark data as User Input and treat it as untrusted, starting the dataflows
+        # used in Assess vulnerability detection.
         module SourceMethod
           include Contrast::Components::Interface
           access_component :analysis, :logging
@@ -27,22 +26,17 @@ module Contrast
           COOKIE_KEY_TYPE    = 'COOKIE_KEY'
 
           class << self
-            # This is called from within our woven proc. It will be called as if it
-            # were inline in the Rack application.
+            # This is called from within our woven proc. It will be called as if it were inline in the Rack
+            # application.
             #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   the policy that applies to the method being called
+            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
+            #   method being called
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            # @return [Object, nil] the tracked Return or nil if no changes
-            #   were made
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [Object, nil] the tracked Return or nil if no changes were made
             def source_patchers method_policy, object, ret, args
-              return if method_policy.source_node.nil?
-
-              current_context = Contrast::Agent::REQUEST_TRACKER.current
-              return unless current_context&.analyze_request? && ASSESS.enabled?
+              return unless analyze?(method_policy, object, ret, args)
 
               source_node = method_policy.source_node
               target = determine_target(source_node, object, ret, args)
@@ -62,29 +56,26 @@ module Contrast
                 # double check that we were able to finalize the replaced return
                 return unless Contrast::Agent::Assess::Tracker.trackable?(target)
               end
-              apply_source(current_context, source_node, target, object, ret, source_node.type, nil, *args)
+              apply_source(Contrast::Agent::REQUEST_TRACKER.current, source_node, target, object, ret,
+                           source_node.type, nil, *args)
               restore_frozen_state ? ret : nil
             end
 
             private
 
-            # This is our method that actually taints the object our
-            # source_node targets.
+            # This is our method that actually taints the object our source_node targets.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
-            #   the node to direct applying this source event
+            # @param context [Contrast::Utils::ThreadTracker] the current request context
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+            #   event
             # @param target [Object] the target of the Source Event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param source_type [String] the type of this source, from the
-            #   source_node, or a KEY_TYPE if invoked for a map
-            # @param source_name [String, nil] the name of this source, i.e.
-            #   the key used to accessed if from a map or nil if a type like
-            #   BODY
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
+            #   map
+            # @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a map or
+            #   nil if a type like BODY
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             def apply_source context, source_node, target, object, ret, source_type, source_name = nil, *args
               return unless context && source_node && target
 
@@ -95,37 +86,34 @@ module Contrast
                 apply_tags(source_node, target, object, ret, source_type, source_name, *args)
               elsif Contrast::Utils::DuckUtils.iterable_hash?(target)
                 apply_hash_tags(context, source_node, target, object, ret, source_type, *args)
-                # While we don't taint arrays themselves, we may taint the things
-                # they hold. Let's pass their keys and values back to ourselves and
-                # try again
+                # While we don't taint arrays themselves, we may taint the things they hold. Let's pass their keys and
+                # values back to ourselves and try again
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
-                target.each { |value| apply_source(context, source_node, value, object, ret, source_type, source_name, *args) }
+                target.each do |value|
+                  apply_source(context, source_node, value, object, ret, source_type, source_name, *args)
+                end
               end
             rescue StandardError => e
               logger.warn('Unable to apply source', e, node_id: source_node.id)
             end
 
-            # While we don't taint hashes themselves, we may taint the things
-            # they hold. Let's pass their keys and values back to ourselves and
-            # try again
+            # While we don't taint hashes themselves, we may taint the things they hold. Let's pass their keys and
+            # values back to ourselves and try again
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
-            #   the node to direct applying this source event
+            # @param context [Contrast::Utils::ThreadTracker] the current request context
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+            #   event
             # @param target [Object] the target of the Source Event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param source_type [String] the type of this source, from the
-            #   source_node, or a KEY_TYPE if invoked for a map
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
+            #   map
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             def apply_hash_tags context, source_node, target, object, ret, source_type, *args
               to_replace = []
               target.each_pair do |key, value|
-                # We only do this for Strings b/c of the way Hash lookup works.
-                # To replace another object would break hash lookup and,
-                # therefore, the application
+                # We only do this for Strings b/c of the way Hash lookup works. To replace another object would break
+                # hash lookup and, therefore, the application
                 if replace_hash_key?(key, target)
                   key = key.dup
                   to_replace << key
@@ -136,10 +124,8 @@ module Contrast
               handle_hash_key(target, to_replace)
             end
 
-            # Given an unfrozen hash, if the key is a String, we should replace
-            # it with one that we can finalize, allowing us to track that key.
-            # This method handles checking if that replace can and should
-            # occur.
+            # Given an unfrozen hash, if the key is a String, we should replace it with one that we can finalize,
+            # allowing us to track that key. This method handles checking if that replace can and should occur.
             #
             # @param key [Object] the key in the hash that may need replacing.
             # @param hash [Hash] the hash to which the key belongs.
@@ -160,9 +146,8 @@ module Contrast
               nil
             end
 
-            # Hash is designed to keep one instance of the string key in it.
-            # We need to remove the existing one and replace it with our new
-            # tracked one.
+            # Hash is designed to keep one instance of the string key in it. We need to remove the existing one and
+            # replace it with our new tracked one.
             def handle_hash_key target, to_replace
               to_replace.each do |key|
                 Contrast::Agent::Assess::Tracker.pre_freeze(key)
@@ -175,25 +160,19 @@ module Contrast
             def apply_tags source_node, target, object, ret, source_type, source_name, *args
               # don't apply tags if we can't track the thing
               return unless Contrast::Agent::Assess::Tracker.trackable?(target)
-              # don't apply second source -- probably needs tuning later if we
-              # use more than 'UNTRUSTED' in our sources
+              # don't apply second source -- probably needs tuning later if we use more than 'UNTRUSTED' in our sources
               return if Contrast::Agent::Assess::Tracker.tracked?(target)
               return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
-              # otherwise for each tag this source_node applies, create a tag range
-              # on the target object
-              # I realize this looping is counter-intuitive from the above
-              # message, that's why we're revisiting.
+              # otherwise for each tag this source_node applies, create a tag range on the target object. I realize
+              # this looping is counter-intuitive from the above message, that's why we're revisiting.
               source_node.tags.each do |tag|
                 next unless Contrast::Agent::Assess::Policy::SourceValidation.valid?(tag, source_type, source_name)
 
                 length = Contrast::Utils::StringUtils.ret_length(target)
                 properties.add_tag(tag, 0...length)
                 properties.add_properties(source_node.properties)
-                logger.trace('Source detected',
-                             node_id: source_node.id,
-                             target_id: target.__id__,
-                             tag: tag)
+                logger.trace('Source detected', node_id: source_node.id, target_id: target.__id__, tag: tag)
               end
               # make a representation of this method that TeamServer can render
               properties.build_event(source_node, target, object, ret, args, source_type, source_name)
@@ -201,15 +180,13 @@ module Contrast
 
             # Find the name of the source
             #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
-            #   the node to direct applying this source event
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+            #   event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            # @return [String, nil] the human readable name of the target to
-            #   which this source event applies, or nil if none provided by the
-            #   node
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [String, nil] the human readable name of the target to which this source event applies, or nil if
+            #   none provided by the node
             def determine_source_name source_node, object, ret, *args
               return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
 
@@ -226,14 +203,50 @@ module Contrast
               end
             end
 
+            # Determine if we should analyze this method invocation for a Source or not. We should if we have enough
+            # information to build the context of this invocation, we're not disabled, and we can't immediately
+            # determine the invocation was done safely.
+            #
+            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
+            #   method being called
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [boolean] if the invocation of this method should be analyzed
+            def analyze? method_policy, object, ret, args
+              return false unless method_policy&.source_node
+              return false unless ASSESS.enabled?
+              return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
+
+              !safe_invocation?(method_policy.source_node, object, ret, args)
+            end
+
+            # Determine if the method was invoked safely.
+            #
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+            #   event
+            # @param _object [Object] the Object on which the method was invoked
+            # @param _ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [boolean] if the invocation of this method was safe
+            def safe_invocation? source_node, _object, _ret, args
+              # According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
+              # from the Request will start with HTTP_. As such, only Headers with that key should be considered for
+              # tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
+              # instance, uses action_dispatch. to store several values. Technically, you can't call
+              # Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
+              source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
+                  args&.any? &&
+                  !args[0].to_s.start_with?('HTTP_')
+            end
+
             # Find the literal target of the propagation
             #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
-            #   the node to direct applying this source event
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+            #   event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             # @return [Object] the target to which this source event applies
             def determine_target source_node, object, ret, args
               source_target = source_node.targets[0]
@@ -247,12 +260,10 @@ module Contrast
               end
             end
 
-            # Simple helper method to flip the type from value to key when the
-            # source is the key of a Hash
+            # Simple helper method to flip the type from value to key when the source is the key of a Hash
             #
             # @param source_type [String] the original value source type
-            # @return [String] the key form of the source type, if one exists,
-            #   else the original source type
+            # @return [String] the key form of the source type, if one exists, else the original source type
             def key_type source_type
               case source_type
               when PARAMETER_TYPE