contrast-agent 4.3.2 → 4.7.0

data/lib/contrast/agent/deadzone/policy/policy.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/deadzone/policy/deadzone_node'
@@ -8,8 +8,8 @@ module Contrast
   module Agent
     module Deadzone
       module Policy
-        # This is just a holder for our policy. Takes the policy JSON and
-        # converts it into hashes that we can access nicely
+        # This is just a holder for our policy. Takes the policy JSON and converts it into hashes that we can access
+        # nicely.
         class Policy < Contrast::Agent::Patching::Policy::Policy
           def self.policy_folder
             'deadzone'
@@ -35,6 +35,10 @@ module Contrast
             end
           end
 
+          def module_names
+            @_module_names ||= Set.new(deadzones.map(&:class_name))
+          end
+
           def add_node node, _node_type = :deadzones
             unless node
               logger.error('Node was nil when adding node to policy')

data/lib/contrast/agent/disable_reaction.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
@@ -13,9 +13,7 @@ module Contrast
       access_component :agent, :logging
 
       def self.run _reaction, level
-        logger.with_level(
-            level,
-            'Contrast received instructions to disable itself - Disabling now')
+        logger.with_level(level, 'Contrast received instructions to disable itself - Disabling now')
         AGENT.disable!
       end
     end

data/lib/contrast/agent/exclusion_matcher.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
@@ -47,7 +47,7 @@ module Contrast
         return if @wildcard_url
         return unless @exclusion.urls&.any?
 
-        @wildcard_url ||= @exclusion.urls.any? { |test| test == '/.*' }
+        @wildcard_url ||= @exclusion.urls.any?('/.*')
         return if @wildcard_url
 
         @urls = []
@@ -95,8 +95,8 @@ module Contrast
         @exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::CODE
       end
 
-      def name
-        @exclusion.name
+      def exc_name
+        @exclusion.name # rubocop:disable Security/Module/Name -- part of the API.
       end
 
       def match_all?
@@ -109,10 +109,7 @@ module Contrast
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def protection_rule? rule
-        protect? &&
-            (@exclusion.protection_rules.empty? ||
-                @exclusion.protection_rules.include?(rule)
-            )
+        protect? && (@exclusion.protection_rules.empty? || @exclusion.protection_rules.include?(rule))
       end
 
       # Determine if the given rule is excluded by this exclusion.
@@ -121,10 +118,7 @@ module Contrast
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def assess_rule? rule
-        assess? &&
-            (@exclusion.assessment_rules.empty? ||
-                @exclusion.assessment_rules.include?(rule)
-            )
+        assess? && (@exclusion.assessment_rules.empty? || @exclusion.assessment_rules.include?(rule))
       end
 
       def match_code? stack_trace

data/lib/contrast/agent/inventory.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -10,6 +10,5 @@ module Contrast
 end
 
 require 'contrast/agent/inventory/dependencies'
-require 'contrast/agent/inventory/gemfile_digest_cache'
 require 'contrast/agent/inventory/dependency_usage_analysis'
 require 'contrast/agent/inventory/dependency_analysis'

data/lib/contrast/agent/inventory/dependencies.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -33,6 +33,7 @@ module Contrast
         # then contrast depends on it. If its array of dependents is 1, then contrast is the
         # only dependency in that list. Since only contrast depends on it, we should ignore it.
         def find_contrast_gems
+          # rubocop:disable Security/Module/Name -- here name is part of Ruby Gems.
           ignore = Set.new([CONTRAST_AGENT])
           contrast_specs = Gem::DependencyList.from_specs.specs.find do |dependency|
             dependency.name == CONTRAST_AGENT
@@ -43,6 +44,7 @@ module Contrast
             ignore.add(dependency.name) if contrast_dep_set.include?(dependency.name) && dependents.length == 1
           end
           ignore
+          # rubocop:enable Security/Module/Name
         end
       end
     end

data/lib/contrast/agent/inventory/dependency_analysis.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/inventory/dependencies'

data/lib/contrast/agent/inventory/dependency_usage_analysis.rb

@@ -1,10 +1,10 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/inventory/gemfile_digest_cache'
 require 'contrast/agent/inventory/dependencies'
 require 'contrast/components/interface'
 require 'contrast/utils/object_share'
+require 'set'
 
 module Contrast
   module Agent
@@ -20,33 +20,35 @@ module Contrast
         def initialize
           return unless enabled?
 
-          @gemdigest_cache = Contrast::Agent::Inventory::GemfileDigestCache.new
+          @lock = Mutex.new
+          @lock.synchronize { @gemdigest_cache = Hash.new { |hash, key| hash[key] = Set.new } }
         end
 
-        # This method is invoked once, along with the rest of our catchup code
-        # to report libraries and their associated files that have already been loaded pre-contrast
+        # This method is invoked once, along with the rest of our catchup code to report libraries and their associated
+        # files that have already been loaded pre-contrast.
         def catchup
           return unless enabled?
 
           loaded_specs.each do |_name, spec|
-            # Get a digest of the Gem file itself
+            # Get a digest of the Gem file itself.
             next unless (digest = Contrast::Utils::Sha256Builder.instance.build_from_spec(spec))
 
-            @gemdigest_cache.use_cache(digest) do |existing_files|
-              loaded_files_from_gem = $LOADED_FEATURES.select { |f| f.start_with?(spec.full_gem_path) }
-              loaded_files_from_gem.each do |file_path|
-                logger.trace('Recording loaded file for inventory analysis', line: file_path)
-                existing_files << adjust_path_for_reporting(file_path, spec)
-              end
+            loaded_files_from_gem = $LOADED_FEATURES.select { |f| f.start_with?(spec.full_gem_path) }
+
+            new_files = loaded_files_from_gem.each_with_object(Set.new) do |file_path, set|
+              set << adjust_path_for_reporting(file_path, spec)
+              logger.trace('Recording loaded file for inventory analysis', line: file_path)
             end
+
+            # Even if new_files is empty, still need to add digest key for library discovery.
+            @lock.synchronize { @gemdigest_cache[digest].merge(new_files) }
           end
         end
 
-        # This method is invoked once per TracePoint :end - to map a specific
-        # file being required to the gem it belongs to
+        # This method is invoked once per TracePoint :end - to map a specific file being required to the gem to which
+        # it belongs.
         #
-        # @param path [String] the result of TracePoint#path from the :end
-        #   event in which the Module was defined
+        # @param path [String] the result of TracePoint#path from the :end event in which the Module was defined.
         def associate_file path
           return unless enabled?
 
@@ -64,21 +66,31 @@ module Contrast
             return
           end
           report_path = adjust_path_for_reporting(path, spec)
-          @gemdigest_cache.get(digest) << report_path
+          @lock.synchronize { @gemdigest_cache[digest] << report_path }
         rescue StandardError => e
           logger.error('Unable to inventory file path', e, path: path)
         end
 
-        # Populate the library_usages filed of the Activity message using the
-        # data stored in the @gemdigest_cache
+        # Populate the library_usages field of the Activity message using the data stored in the @gemdigest_cache.
         #
-        # @param activity [Contrast::Api::Dtm::Activity] the message to which
-        #   to append the usage data
+        # @param activity [Contrast::Api::Dtm::Activity] the message to which to append the usage data
         def generate_library_usage activity
           return unless enabled?
-          return if @gemdigest_cache.empty?
+          return unless activity
+
+          # Copy gemdigest_cache and clear it in sync.
+          gem_spec_digest_to_files = @lock.synchronize do
+            copy = @gemdigest_cache.dup
+            @gemdigest_cache.clear
+            copy
+          end
 
-          @gemdigest_cache.generate_usage_data(activity)
+          gem_spec_digest_to_files.each_pair do |digest, files|
+            usage = Contrast::Api::Dtm::LibraryUsageUpdate.build(digest, files)
+            activity.library_usages[usage.hash_code] = usage
+          end
+        rescue StandardError => e
+          logger.error('Unable to generate library usage.', e)
         end
 
         private

data/lib/contrast/agent/inventory/policy/datastores.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/interface'

data/lib/contrast/agent/inventory/policy/policy.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/inventory/policy/trigger_node'

data/lib/contrast/agent/inventory/policy/trigger_node.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/patching/policy/trigger_node'

data/lib/contrast/agent/middleware.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'ipaddr'
@@ -16,18 +16,17 @@ require 'contrast/utils/timer'
 
 module Contrast
   module Agent
-    # This class allows the Agent to plug into the Rack middleware stack. When the
-    # application is first started, we initialize ourselves as a rack middleware
-    # inside of #initialize. Afterwards, we process each http request and response
-    # as it goes through the middleware stack inside of #call.
+    # This class allows the Agent to plug into the Rack middleware stack. When the application is first started, we
+    # initialize ourselves as a rack middleware inside of #initialize. Afterwards, we process each http request and
+    # response as it goes through the middleware stack inside of #call.
     class Middleware
       include Contrast::Components::Interface
       access_component :agent, :config, :logging, :scope, :settings
 
       attr_reader :app
 
-      # Allows the Agent to function as a middleware. We perform all our one-time whole-app routines in here
-      # since we're only going to be initialized a single time. Our initialization order is:
+      # Allows the Agent to function as a middleware. We perform all our one-time whole-app routines in here since
+      # we're only going to be initialized a single time. Our initialization order is:
       # - capture the application
       # - setup the Agent
       # - startup the Agent
@@ -38,52 +37,27 @@ module Contrast
         @app = app  # THIS MUST BE FIRST AND ALWAYS SET!
         setup_agent # THIS MUST BE SECOND AND ALWAYS CALLED!
         unless AGENT.enabled?
-          logger.error(
-              'The Agent was unable to initialize before the application middleware was initialized. Disabling permanently.')
+          logger.error('The Agent was unable to initialize before the application middleware was initialized. '\
+                       'Disabling permanently.')
           AGENT.disable! # ensure the agent is disabled (probably redundant)
           return
         end
         agent_startup_routine
       end
 
-      # Startup the Agent as part of the initialization process:
-      # - start the service sending thread, responsible for sending and
-      #   processing messages
-      # - start the heartbeat thread, which triggers service startup
-      # - start instrumenting libraries and do a 'catchup' patch for everything
-      #   we didn't see get loaded
-      # - enable TracePoint, which handles all class loads and required
-      #   instrumentation going forward
-      def agent_startup_routine
-        logger.debug_with_time('middleware: starting service') do
-          Contrast::Agent.thread_watcher.ensure_running?
-        end
-
-        logger.debug_with_time('middleware: instrument shared libraries and patch') do
-          Contrast::Agent::Patching::Policy::Patcher.patch
-        end
-
-        AGENT.enable_tracepoint
-        Contrast::Agent::AtExitHook.exit_hook
-      end
-
-      # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready
-      # to do some processing on a per request basis. If not, we just pass the request along to the
-      # next middleware in the stack.
+      # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready to do some
+      # processing on a per request basis. If not, we just pass the request along to the next middleware in the stack.
       #
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
-      #   and values of this Request
-      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back
-      #   to the user up the Rack framework.
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this Request
+      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back to the user up
+      #   the Rack framework.
       def call env
-        Contrast::Utils::HeapDumpUtil.run
+        return app.call(env) unless AGENT.enabled?
 
-        if AGENT.enabled?
-          handle_first_request
-          call_with_agent(env)
-        else
-          app.call(env)
-        end
+        Contrast::Agent.heapdump_util.start_thread!
+        handle_first_request
+        call_with_agent(env)
       end
 
       private
@@ -103,73 +77,56 @@ module Contrast
         end
       end
 
-      # Some things have to wait until first request to happen, either because
-      # resolution is not complete or because the framework will preload
-      # classes, which confuses some of our instrumentation.
+      # Startup the Agent as part of the initialization process:
+      # - start the service sending thread, responsible for sending and processing messages
+      # - start the heartbeat thread, which triggers service startup
+      # - start instrumenting libraries and do a 'catchup' patch for everything we didn't see get loaded
+      # - enable TracePoint, which handles all class loads and required instrumentation going forward
+      def agent_startup_routine
+        logger.debug_with_time('middleware: starting service') do
+          Contrast::Agent.thread_watcher.ensure_running?
+        end
+
+        logger.debug_with_time('middleware: instrument shared libraries and patch') do
+          Contrast::Agent::Patching::Policy::Patcher.patch
+        end
+
+        logger.debug_with_time('middleware: enabling tracepoint') do
+          AGENT.enable_tracepoint
+        end
+        Contrast::Agent::AtExitHook.exit_hook
+      end
+
+      # Some things have to wait until first request to happen, either because resolution is not complete or because
+      # the framework will preload classes, which confuses some of our instrumentation.
       def handle_first_request
         @_handle_first_request ||= begin
           Contrast::Agent::StaticAnalysis.catchup
-          force_patching
           true
         end
       end
 
-      # TODO: RUBY-1090 remove this method and those it calls.
-      #
-      # These modules are auto-loaded by Rails, meaning they are defined at
-      # startup, but that they don't actually exist. We account for this in
-      # most cases by using the ClassUtil.truly_defined? method, but it appears
-      # to fail for these Modules. In the short term, we can forcing a re-patch
-      # so that their dead zones apply.
-      def force_patching
-        force_patch(ActionDispatch::FileHandler) if defined?(ActionDispatch::FileHandler)
-        force_patch(ActionDispatch::Http::MimeNegotiation) if defined?(ActionDispatch::Http::MimeNegotiation)
-        force_patch(ActionView::Template) if defined?(ActionView::Template)
-      end
-
-      def force_patch mod
-        data = Contrast::Agent::ModuleData.new(mod)
-        Contrast::Agent::Patching::Policy::Patcher.send(:patch_into_module, data, true)
-      end
-
-      # This is where we process each request we intercept as a middleware. We make the request context
-      # available globally so that it can be accessed from anywhere. A RequestHandler object is made
-      # for each request, which handles prefilter and postfilter operations.
+      # This is where we process each request we intercept as a middleware. We make the request context available
+      # globally so that it can be accessed from anywhere. A RequestHandler object is made for each request, which
+      # handles prefilter and postfilter operations.
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this Request
+      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back to the user
+      #   up the Rack framework.
       def call_with_agent env
         Contrast::Agent.thread_watcher.ensure_running?
-        return unless AGENT.enabled?
-
         framework_request = Contrast::Agent.framework_manager.retrieve_request(env)
         context = Contrast::Agent::RequestContext.new(framework_request)
         response = nil
 
-        # make the context available for the lifecycle of this request
+        # Make the context available for the lifecycle of this request.
         Contrast::Agent::REQUEST_TRACKER.lifespan(context) do
           logger.request_start
           request_handler = Contrast::Agent::RequestHandler.new(context)
 
-          # prefilter sequence
-          with_contrast_scope do
-            context.service_extract_request
-            request_handler.ruleset.prefilter
-          end
-
-          response = application_code(env) # pass request down the Rack chain with original env
-
-          # postfilter sequence
-          with_contrast_scope do
-            context.extract_after(response) # update context with final response information
-
-            if Contrast::Agent.framework_manager.streaming?(env)
-              context.reset_activity
-              request_handler.stream_safe_postfilter
-            else
-              request_handler.ruleset.postfilter
-              # return response stored in the context in case any postfilter rules updated the response data
-              response = context.response&.rack_response || response
-              request_handler.send_activity_messages
-            end
-          end
+          pre_call_with_agent(context, request_handler)
+          response = application_code(env)
+          post_call_with_agent(context, env, request_handler, response)
         ensure
           logger.request_end
         end
@@ -179,6 +136,47 @@ module Contrast
         handle_exception(e)
       end
 
+      # Handle the operations the Agent needs to accomplish prior to the Application code executing during this
+      # request.
+      #
+      # @param context [Contrast::Agent::RequestContext]
+      # @param request_handler [Contrast::Agent::RequestHandler]
+      def pre_call_with_agent context, request_handler
+        with_contrast_scope do
+          context.service_extract_request
+          request_handler.ruleset.prefilter
+        end
+      rescue StandardError => e
+        raise e if security_exception?(e)
+
+        logger.error('Unable to execute agent pre_call', e)
+      end
+
+      # Handle the operations the Agent needs to accomplish after the Application code executes during this request.
+      #
+      # @param context [Contrast::Agent::RequestContext]
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this Request
+      # @param request_handler [Contrast::Agent::RequestHandler]
+      # @param response [Array,Rack::Response]
+      def post_call_with_agent context, env, request_handler, response
+        with_contrast_scope do
+          context.extract_after(response) # update context with final response information
+
+          if Contrast::Agent.framework_manager.streaming?(env)
+            context.reset_activity
+            request_handler.stream_safe_postfilter
+          else
+            request_handler.ruleset.postfilter
+            request_handler.send_activity_messages
+          end
+        end
+      rescue StandardError => e
+        raise e if security_exception?(e)
+
+        logger.error('Unable to execute agent post_call', e)
+      end
+
       def application_code env
         logger.trace_with_time('application') do
           app.call(env)
@@ -189,12 +187,10 @@ module Contrast
       end
 
       SECURITY_EXCEPTION_MARKER = 'Contrast::SecurityException'
-      # We're only going to suppress SecurityExceptions indicating a blocked attack.
-      # And, only if the config.agent.ruby.exceptions.capture? is set
+      # We're only going to suppress SecurityExceptions indicating a blocked attack. And, only if the
+      # config.agent.ruby.exceptions.capture? is set
       def handle_exception exception
-        if exception.is_a?(Contrast::SecurityException) ||
-              exception.message&.include?(SECURITY_EXCEPTION_MARKER)
-
+        if security_exception?(exception)
           exception_control = AGENT.exception_control
           raise exception unless exception_control[:enable]
 
@@ -205,18 +201,23 @@ module Contrast
         end
       end
 
-      # As we deprecate support to prepare to remove dead code, we need to
-      # inform our users still relying on the now deprecated and soon to be
-      # removed functionality. This method handles doing that by leveraging the
-      # standard Kernel#warn approach
+      # Is the given exception one raised by our Protect code?
+      #
+      # @param exception [Exception]
+      # @return [Boolean]
+      def security_exception? exception
+        exception.is_a?(Contrast::SecurityException) || exception.message&.include?(SECURITY_EXCEPTION_MARKER)
+      end
+
+      # As we deprecate support to prepare to remove dead code, we need to inform our users still relying on the now
+      # deprecated and soon to be removed functionality. This method handles doing that by leveraging the standard
+      # Kernel#warn approach
       def inform_deprecations
-        # Ruby 2.5 is currently in security maintenance, meaning int is only
-        # receiving updates for security issues. It will move to eol on 31
-        # March 2021. As such, we can remove support for it in Q2. We'll begin
-        # the deprecation warnings now so that customers have time to reach out
-        # if they'll be impacted.
-        # TODO: RUBY-715 remove this part of the method, leaving it empty if
-        #   there are no other deprecations, when we drop 2.5 support.
+        # Ruby 2.5 is currently in security maintenance, meaning int is only receiving updates for security issues. It
+        # will move to eol on 31 March 2021. As such, we can remove support for it in Q3. We'll begin the deprecation
+        # warnings now so that customers have time to reach out if they'll be impacted.
+        # TODO: RUBY-715 remove this part of the method, leaving it empty if there are no other deprecations, when we
+        #   drop 2.5 support.
         return unless RUBY_VERSION < '2.6.0'
 
         Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.5 will be removed in April 2021. '\