RubyGems - contrast-agent - Versions diffs - 4.3.2 → 4.7.0 - Mend

contrast-agent 4.3.2 → 4.7.0

Files changed (317) hide show

checksums.yaml +4 -4
data/.gitmodules +1 -1
data/.simplecov +1 -1
data/Gemfile +1 -1
data/LICENSE.txt +1 -1
data/Rakefile +2 -3
data/exe/contrast_service +1 -1
data/ext/build_funchook.rb +4 -4
data/ext/cs__assess_active_record_named/cs__active_record_named.c +1 -1
data/ext/cs__assess_active_record_named/extconf.rb +1 -1
data/ext/cs__assess_array/cs__assess_array.c +1 -1
data/ext/cs__assess_array/extconf.rb +1 -1
data/ext/cs__assess_basic_object/cs__assess_basic_object.c +1 -1
data/ext/cs__assess_basic_object/extconf.rb +1 -1
data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +1 -1
data/ext/cs__assess_fiber_track/extconf.rb +1 -1
data/ext/cs__assess_hash/cs__assess_hash.c +4 -2
data/ext/cs__assess_hash/extconf.rb +1 -1
data/ext/cs__assess_kernel/cs__assess_kernel.c +1 -1
data/ext/cs__assess_kernel/extconf.rb +1 -1
data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +1 -1
data/ext/cs__assess_marshal_module/extconf.rb +1 -1
data/ext/cs__assess_module/cs__assess_module.c +1 -1
data/ext/cs__assess_module/extconf.rb +1 -1
data/ext/cs__assess_regexp/cs__assess_regexp.c +1 -1
data/ext/cs__assess_regexp/extconf.rb +1 -1
data/ext/cs__assess_string/cs__assess_string.c +1 -1
data/ext/cs__assess_string/extconf.rb +1 -1
data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +1 -1
data/ext/cs__assess_string_interpolation26/extconf.rb +1 -1
data/ext/cs__assess_yield_track/cs__assess_yield_track.c +1 -1
data/ext/cs__assess_yield_track/extconf.rb +1 -1
data/ext/cs__common/cs__common.c +5 -5
data/ext/cs__common/cs__common.h +4 -4
data/ext/cs__common/extconf.rb +1 -1
data/ext/cs__contrast_patch/cs__contrast_patch.c +22 -25
data/ext/cs__contrast_patch/extconf.rb +1 -1
data/ext/cs__protect_kernel/cs__protect_kernel.c +1 -1
data/ext/cs__protect_kernel/extconf.rb +1 -1
data/ext/extconf_common.rb +2 -6
data/lib/contrast-agent.rb +1 -1
data/lib/contrast.rb +20 -1
data/lib/contrast/agent.rb +6 -4
data/lib/contrast/agent/assess.rb +2 -11
data/lib/contrast/agent/assess/contrast_event.rb +54 -71
data/lib/contrast/agent/assess/contrast_object.rb +7 -4
data/lib/contrast/agent/assess/events/event_factory.rb +3 -2
data/lib/contrast/agent/assess/events/source_event.rb +7 -2
data/lib/contrast/agent/assess/finalizers/freeze.rb +1 -1
data/lib/contrast/agent/assess/finalizers/hash.rb +33 -34
data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb +34 -16
data/lib/contrast/agent/assess/policy/patcher.rb +11 -18
data/lib/contrast/agent/assess/policy/policy.rb +1 -1
data/lib/contrast/agent/assess/policy/policy_node.rb +26 -34
data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
data/lib/contrast/agent/assess/policy/preshift.rb +4 -2
data/lib/contrast/agent/assess/policy/propagation_method.rb +32 -30
data/lib/contrast/agent/assess/policy/propagation_node.rb +20 -9
data/lib/contrast/agent/assess/policy/propagator.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/append.rb +29 -14
data/lib/contrast/agent/assess/policy/propagator/base.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/center.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/custom.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/database_write.rb +22 -17
data/lib/contrast/agent/assess/policy/propagator/insert.rb +4 -2
data/lib/contrast/agent/assess/policy/propagator/keep.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/match_data.rb +3 -2
data/lib/contrast/agent/assess/policy/propagator/next.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/prepend.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/remove.rb +23 -19
data/lib/contrast/agent/assess/policy/propagator/replace.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/reverse.rb +1 -1
data/lib/contrast/agent/assess/policy/propagator/select.rb +3 -13
data/lib/contrast/agent/assess/policy/propagator/splat.rb +24 -14
data/lib/contrast/agent/assess/policy/propagator/split.rb +18 -15
data/lib/contrast/agent/assess/policy/propagator/substitution.rb +32 -22
data/lib/contrast/agent/assess/policy/propagator/trim.rb +64 -45
data/lib/contrast/agent/assess/policy/rewriter_patch.rb +7 -4
data/lib/contrast/agent/assess/policy/source_method.rb +92 -81
data/lib/contrast/agent/assess/policy/source_node.rb +1 -1
data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb +8 -6
data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb +2 -4
data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb +7 -3
data/lib/contrast/agent/assess/policy/trigger/xpath.rb +7 -8
data/lib/contrast/agent/assess/policy/trigger_method.rb +109 -76
data/lib/contrast/agent/assess/policy/trigger_node.rb +33 -11
data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb +60 -0
data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +3 -5
data/lib/contrast/agent/assess/policy/trigger_validation/trigger_validation.rb +7 -5
data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb +4 -13
data/lib/contrast/agent/assess/properties.rb +1 -3
data/lib/contrast/agent/assess/property/evented.rb +9 -6
data/lib/contrast/agent/assess/property/tagged.rb +38 -20
data/lib/contrast/agent/assess/property/updated.rb +1 -1
data/lib/contrast/agent/assess/rule/provider.rb +1 -1
data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb +12 -6
data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb +5 -2
data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +4 -6
data/lib/contrast/agent/assess/tag.rb +1 -1
data/lib/contrast/agent/assess/tracker.rb +2 -2
data/lib/contrast/agent/at_exit_hook.rb +1 -1
data/lib/contrast/agent/class_reopener.rb +4 -2
data/lib/contrast/agent/deadzone/policy/deadzone_node.rb +1 -1
data/lib/contrast/agent/deadzone/policy/policy.rb +7 -3
data/lib/contrast/agent/disable_reaction.rb +2 -4
data/lib/contrast/agent/exclusion_matcher.rb +6 -12
data/lib/contrast/agent/inventory.rb +1 -2
data/lib/contrast/agent/inventory/dependencies.rb +3 -1
data/lib/contrast/agent/inventory/dependency_analysis.rb +1 -1
data/lib/contrast/agent/inventory/dependency_usage_analysis.rb +35 -23
data/lib/contrast/agent/inventory/policy/datastores.rb +1 -1
data/lib/contrast/agent/inventory/policy/policy.rb +1 -1
data/lib/contrast/agent/inventory/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/middleware.rb +111 -110
data/lib/contrast/agent/module_data.rb +4 -4
data/lib/contrast/agent/patching/policy/after_load_patch.rb +1 -1
data/lib/contrast/agent/patching/policy/after_load_patcher.rb +9 -4
data/lib/contrast/agent/patching/policy/method_policy.rb +7 -3
data/lib/contrast/agent/patching/policy/module_policy.rb +15 -8
data/lib/contrast/agent/patching/policy/patch.rb +23 -29
data/lib/contrast/agent/patching/policy/patch_status.rb +8 -9
data/lib/contrast/agent/patching/policy/patcher.rb +72 -64
data/lib/contrast/agent/patching/policy/policy.rb +14 -21
data/lib/contrast/agent/patching/policy/policy_node.rb +15 -5
data/lib/contrast/agent/patching/policy/trigger_node.rb +26 -10
data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb +3 -4
data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb +2 -2
data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb +6 -10
data/lib/contrast/agent/protect/policy/policy.rb +1 -1
data/lib/contrast/agent/protect/policy/rule_applicator.rb +6 -6
data/lib/contrast/agent/protect/policy/trigger_node.rb +1 -1
data/lib/contrast/agent/protect/rule.rb +1 -1
data/lib/contrast/agent/protect/rule/base.rb +19 -33
data/lib/contrast/agent/protect/rule/base_service.rb +10 -6
data/lib/contrast/agent/protect/rule/cmd_injection.rb +15 -19
data/lib/contrast/agent/protect/rule/default_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/deserialization.rb +7 -14
data/lib/contrast/agent/protect/rule/http_method_tampering.rb +4 -15
data/lib/contrast/agent/protect/rule/no_sqli.rb +7 -3
data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb +2 -4
data/lib/contrast/agent/protect/rule/path_traversal.rb +6 -6
data/lib/contrast/agent/protect/rule/sqli.rb +19 -13
data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb +2 -2
data/lib/contrast/agent/protect/rule/sqli/sqlite_sql_scanner.rb +1 -1
data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -2
data/lib/contrast/agent/protect/rule/xss.rb +2 -2
data/lib/contrast/agent/protect/rule/xxe.rb +6 -13
data/lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb +2 -3
data/lib/contrast/agent/railtie.rb +1 -1
data/lib/contrast/agent/reaction_processor.rb +12 -11
data/lib/contrast/agent/request.rb +25 -24
data/lib/contrast/agent/request_context.rb +25 -23
data/lib/contrast/agent/request_handler.rb +1 -1
data/lib/contrast/agent/response.rb +1 -1
data/lib/contrast/agent/rewriter.rb +6 -4
data/lib/contrast/agent/rule_set.rb +3 -3
data/lib/contrast/agent/scope.rb +1 -1
data/lib/contrast/agent/service_heartbeat.rb +3 -4
data/lib/contrast/agent/static_analysis.rb +1 -1
data/lib/contrast/agent/thread.rb +2 -2
data/lib/contrast/agent/thread_watcher.rb +21 -6
data/lib/contrast/agent/tracepoint_hook.rb +2 -2
data/lib/contrast/agent/version.rb +2 -2
data/lib/contrast/agent/worker_thread.rb +1 -1
data/lib/contrast/api.rb +1 -1
data/lib/contrast/api/communication.rb +1 -1
data/lib/contrast/api/communication/connection_status.rb +1 -1
data/lib/contrast/api/communication/messaging_queue.rb +19 -22
data/lib/contrast/api/communication/response_processor.rb +13 -8
data/lib/contrast/api/communication/service_lifecycle.rb +5 -3
data/lib/contrast/api/communication/socket.rb +1 -1
data/lib/contrast/api/communication/socket_client.rb +30 -35
data/lib/contrast/api/communication/speedracer.rb +6 -10
data/lib/contrast/api/communication/tcp_socket.rb +1 -1
data/lib/contrast/api/communication/unix_socket.rb +1 -1
data/lib/contrast/api/decorators.rb +3 -1
data/lib/contrast/api/decorators/address.rb +1 -1
data/lib/contrast/api/decorators/agent_startup.rb +58 -0
data/lib/contrast/api/decorators/application_settings.rb +1 -1
data/lib/contrast/api/decorators/application_startup.rb +57 -0
data/lib/contrast/api/decorators/application_update.rb +1 -1
data/lib/contrast/api/decorators/http_request.rb +1 -1
data/lib/contrast/api/decorators/input_analysis.rb +1 -1
data/lib/contrast/api/decorators/instrumentation_mode.rb +37 -0
data/lib/contrast/api/decorators/library.rb +9 -7
data/lib/contrast/api/decorators/library_usage_update.rb +1 -1
data/lib/contrast/api/decorators/message.rb +4 -4
data/lib/contrast/api/decorators/rasp_rule_sample.rb +1 -1
data/lib/contrast/api/decorators/route_coverage.rb +16 -6
data/lib/contrast/api/decorators/server_features.rb +1 -1
data/lib/contrast/api/decorators/trace_event.rb +46 -16
data/lib/contrast/api/decorators/trace_event_object.rb +2 -4
data/lib/contrast/api/decorators/trace_event_signature.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range.rb +1 -1
data/lib/contrast/api/decorators/trace_taint_range_tags.rb +2 -7
data/lib/contrast/api/decorators/user_input.rb +1 -1
data/lib/contrast/components/agent.rb +16 -15
data/lib/contrast/components/app_context.rb +11 -29
data/lib/contrast/components/assess.rb +6 -11
data/lib/contrast/components/config.rb +3 -2
data/lib/contrast/components/contrast_service.rb +8 -9
data/lib/contrast/components/heap_dump.rb +1 -1
data/lib/contrast/components/interface.rb +4 -3
data/lib/contrast/components/inventory.rb +1 -1
data/lib/contrast/components/logger.rb +1 -1
data/lib/contrast/components/protect.rb +11 -14
data/lib/contrast/components/sampling.rb +55 -7
data/lib/contrast/components/scope.rb +2 -1
data/lib/contrast/components/settings.rb +29 -99
data/lib/contrast/config.rb +1 -1
data/lib/contrast/config/agent_configuration.rb +1 -1
data/lib/contrast/config/application_configuration.rb +1 -1
data/lib/contrast/config/assess_configuration.rb +1 -1
data/lib/contrast/config/assess_rules_configuration.rb +2 -4
data/lib/contrast/config/base_configuration.rb +5 -6
data/lib/contrast/config/default_value.rb +1 -1
data/lib/contrast/config/exception_configuration.rb +2 -6
data/lib/contrast/config/heap_dump_configuration.rb +13 -7
data/lib/contrast/config/inventory_configuration.rb +1 -1
data/lib/contrast/config/logger_configuration.rb +2 -6
data/lib/contrast/config/protect_configuration.rb +1 -1
data/lib/contrast/config/protect_rule_configuration.rb +23 -1
data/lib/contrast/config/protect_rules_configuration.rb +1 -1
data/lib/contrast/config/root_configuration.rb +1 -1
data/lib/contrast/config/ruby_configuration.rb +1 -1
data/lib/contrast/config/sampling_configuration.rb +1 -1
data/lib/contrast/config/server_configuration.rb +1 -1
data/lib/contrast/config/service_configuration.rb +1 -1
data/lib/contrast/configuration.rb +4 -15
data/lib/contrast/delegators/input_analysis.rb +12 -0
data/lib/contrast/extension/assess.rb +1 -1
data/lib/contrast/extension/assess/array.rb +2 -7
data/lib/contrast/extension/assess/erb.rb +2 -8
data/lib/contrast/extension/assess/eval_trigger.rb +3 -11
data/lib/contrast/extension/assess/exec_trigger.rb +4 -14
data/lib/contrast/extension/assess/fiber.rb +3 -13
data/lib/contrast/extension/assess/hash.rb +1 -1
data/lib/contrast/extension/assess/kernel.rb +3 -10
data/lib/contrast/extension/assess/marshal.rb +3 -11
data/lib/contrast/extension/assess/regexp.rb +2 -7
data/lib/contrast/extension/assess/string.rb +4 -2
data/lib/contrast/extension/delegator.rb +1 -1
data/lib/contrast/extension/inventory.rb +1 -1
data/lib/contrast/extension/kernel.rb +5 -3
data/lib/contrast/extension/module.rb +1 -1
data/lib/contrast/extension/protect.rb +1 -1
data/lib/contrast/extension/protect/kernel.rb +1 -1
data/lib/contrast/extension/protect/psych.rb +1 -1
data/lib/contrast/extension/thread.rb +1 -1
data/lib/contrast/framework/base_support.rb +1 -1
data/lib/contrast/framework/manager.rb +14 -17
data/lib/contrast/framework/platform_version.rb +1 -1
data/lib/contrast/framework/rack/patch/session_cookie.rb +6 -19
data/lib/contrast/framework/rack/patch/support.rb +7 -5
data/lib/contrast/framework/rack/support.rb +1 -1
data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb +1 -1
data/lib/contrast/framework/rails/patch/assess_configuration.rb +8 -3
data/lib/contrast/framework/rails/patch/rails_application_configuration.rb +4 -4
data/lib/contrast/framework/rails/patch/support.rb +5 -3
data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb +5 -2
data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_named.rb +3 -1
data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb +3 -1
data/lib/contrast/framework/rails/support.rb +45 -46
data/lib/contrast/framework/sinatra/support.rb +103 -42
data/lib/contrast/funchook/funchook.rb +2 -6
data/lib/contrast/logger/application.rb +13 -10
data/lib/contrast/logger/format.rb +3 -6
data/lib/contrast/logger/log.rb +36 -19
data/lib/contrast/logger/request.rb +2 -3
data/lib/contrast/logger/time.rb +1 -1
data/lib/contrast/security_exception.rb +2 -2
data/lib/contrast/tasks/config.rb +1 -1
data/lib/contrast/tasks/service.rb +6 -2
data/lib/contrast/utils/assess/sampling_util.rb +1 -1
data/lib/contrast/utils/assess/tracking_util.rb +2 -3
data/lib/contrast/utils/class_util.rb +18 -12
data/lib/contrast/utils/duck_utils.rb +1 -1
data/lib/contrast/utils/env_configuration_item.rb +1 -1
data/lib/contrast/utils/hash_digest.rb +16 -24
data/lib/contrast/utils/heap_dump_util.rb +104 -88
data/lib/contrast/utils/invalid_configuration_util.rb +22 -13
data/lib/contrast/utils/inventory_util.rb +1 -1
data/lib/contrast/utils/io_util.rb +2 -2
data/lib/contrast/utils/job_servers_running.rb +10 -5
data/lib/contrast/utils/object_share.rb +1 -1
data/lib/contrast/utils/os.rb +3 -2
data/lib/contrast/utils/preflight_util.rb +1 -1
data/lib/contrast/utils/resource_loader.rb +1 -1
data/lib/contrast/utils/ruby_ast_rewriter.rb +3 -2
data/lib/contrast/utils/sha256_builder.rb +1 -1
data/lib/contrast/utils/stack_trace_utils.rb +1 -1
data/lib/contrast/utils/string_utils.rb +1 -1
data/lib/contrast/utils/tag_util.rb +1 -1
data/lib/contrast/utils/thread_tracker.rb +1 -1
data/lib/contrast/utils/timer.rb +1 -1
data/resources/assess/policy.json +8 -11
data/resources/deadzone/policy.json +7 -17
data/ruby-agent.gemspec +66 -27
data/service_executables/VERSION +1 -1
data/service_executables/linux/contrast-service +0 -0
data/service_executables/mac/contrast-service +0 -0
data/sonar-project.properties +9 -0
metadata +154 -156
data/lib/contrast/agent/assess/rule.rb +0 -18
data/lib/contrast/agent/assess/rule/base.rb +0 -52
data/lib/contrast/agent/assess/rule/redos.rb +0 -67
data/lib/contrast/agent/inventory/gemfile_digest_cache.rb +0 -38
data/lib/contrast/common_agent_configuration.rb +0 -87
data/lib/contrast/framework/sinatra/patch/base.rb +0 -83
data/lib/contrast/framework/sinatra/patch/support.rb +0 -27
data/lib/contrast/utils/prevent_serialization.rb +0 -52

data/lib/contrast/agent/module_data.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -6,11 +6,11 @@ module Contrast
     # A simple wrapper around a Module and a call to its name, used to avoid
     # calling the Module#name method and generating extra Strings
     class ModuleData
-      attr_reader :mod, :name
+      attr_reader :mod, :mod_name
-      def initialize mod, name = nil
+      def initialize mod, mod_name = nil
         @mod = mod
-        @name = name || mod.cs__name
+        @mod_name = mod_name || mod.cs__name
       end
     end
   end

data/lib/contrast/agent/patching/policy/after_load_patch.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/interface'

data/lib/contrast/agent/patching/policy/after_load_patcher.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/after_load_patch'
@@ -51,10 +51,15 @@ module Contrast
               next unless after_load_patch.target_defined?
               next if AGENT.skip_instrumentation?(after_load_patch.module_name)
-              logger.trace(
-                  'Catching up on already loaded afterload patch - applying instrumentation',
-                  module: after_load_patch.module_name)
+              logger.trace('Catching up on already loaded afterload patch - applying instrumentation',
+                           module: after_load_patch.module_name)
               after_load_patch.instrument!
+            rescue NameError => e
+              logger.error('Method undefined in afterload patch', e, module: after_load_patch.module_name,
+                                                                     method: after_load_patch.method_to_instrument)
+            rescue StandardError => e
+              logger.error('Afterload patch failed to apply', e, module: after_load_patch.module_name,
+                                                                 method: after_load_patch.method_to_instrument)
             end
             after_load_patches.delete_if(&:applied?)
           end

data/lib/contrast/agent/patching/policy/method_policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -49,7 +49,10 @@ module Contrast
           private
           def nodes
-            @_nodes ||= [source_node, propagation_node, trigger_node, inventory_node, protect_node, deadzone_node].compact
+            @_nodes ||= [
+              source_node, propagation_node, trigger_node, inventory_node, protect_node,
+              deadzone_node
+            ].compact
           end
           def method_scopes
@@ -76,7 +79,8 @@ module Contrast
               protect_node =     find_method_node(module_policy.protect_nodes, method_name, instance_method)
               inventory_node =   find_method_node(module_policy.inventory_nodes, method_name, instance_method)
               deadzone_node =    find_method_node(module_policy.deadzone_nodes, method_name, instance_method)
-              method_visibility = find_visibility(source_node, propagation_node, trigger_node, protect_node, inventory_node, deadzone_node)
+              method_visibility = find_visibility(source_node, propagation_node, trigger_node, protect_node,
+                                                  inventory_node, deadzone_node)
               MethodPolicy.new(method_name: method_name,
                                method_visibility: method_visibility,
                                instance_method: instance_method,

data/lib/contrast/agent/patching/policy/module_policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/method_policy'
@@ -20,12 +20,18 @@ module Contrast
             # @return [Contrast::Agent::Patching::Policy::ModulePolicy]
             def create_module_policy module_name
               module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.new
-              module_policy.source_nodes =      nodes_for_module(Contrast::Agent::Assess::Policy::Policy.instance.sources, module_name)
-              module_policy.propagator_nodes =  nodes_for_module(Contrast::Agent::Assess::Policy::Policy.instance.propagators, module_name)
-              module_policy.trigger_nodes =     nodes_for_module(Contrast::Agent::Assess::Policy::Policy.instance.triggers, module_name)
-              module_policy.protect_nodes =     nodes_for_module(Contrast::Agent::Protect::Policy::Policy.instance.triggers, module_name)
-              module_policy.inventory_nodes =   nodes_for_module(Contrast::Agent::Inventory::Policy::Policy.instance.triggers, module_name)
-              module_policy.deadzone_nodes =    nodes_for_module(Contrast::Agent::Deadzone::Policy::Policy.instance.deadzones, module_name)
+              module_policy.source_nodes =      nodes_for_module(
+                  Contrast::Agent::Assess::Policy::Policy.instance.sources, module_name)
+              module_policy.propagator_nodes =  nodes_for_module(
+                  Contrast::Agent::Assess::Policy::Policy.instance.propagators, module_name)
+              module_policy.trigger_nodes =     nodes_for_module(
+                  Contrast::Agent::Assess::Policy::Policy.instance.triggers, module_name)
+              module_policy.protect_nodes =     nodes_for_module(
+                  Contrast::Agent::Protect::Policy::Policy.instance.triggers, module_name)
+              module_policy.inventory_nodes =   nodes_for_module(
+                  Contrast::Agent::Inventory::Policy::Policy.instance.triggers, module_name)
+              module_policy.deadzone_nodes =    nodes_for_module(
+                  Contrast::Agent::Deadzone::Policy::Policy.instance.deadzones, module_name)
               module_policy
             end
@@ -42,7 +48,8 @@ module Contrast
             end
           end
-          attr_accessor :source_nodes, :propagator_nodes, :trigger_nodes, :inventory_nodes, :protect_nodes, :deadzone_nodes
+          attr_accessor :source_nodes, :propagator_nodes, :trigger_nodes, :inventory_nodes, :protect_nodes,
+                        :deadzone_nodes
           def empty?
             return false if source_nodes.any?

data/lib/contrast/agent/patching/policy/patch.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'monitor'
@@ -130,11 +130,7 @@ module Contrast
               return unless AGENT.enabled?
               return unless PROTECT.enabled?
-              apply_trigger_only(method_policy&.protect_node,
-                                 method,
-                                 exception,
-                                 object,
-                                 args)
+              apply_trigger_only(method_policy&.protect_node, method, exception, object, args)
             end
             # Apply the Inventory patch which applies to the given method.
@@ -151,11 +147,7 @@ module Contrast
             def apply_inventory method_policy, method, exception, object, args
               return unless INVENTORY.enabled?
-              apply_trigger_only(method_policy&.inventory_node,
-                                 method,
-                                 exception,
-                                 object,
-                                 args)
+              apply_trigger_only(method_policy&.inventory_node, method, exception, object, args)
             end
             # Apply the Assess patches which apply to the given method.
@@ -178,15 +170,18 @@ module Contrast
               return ret unless method_policy && ASSESS.enabled?
               current_context = Contrast::Agent::REQUEST_TRACKER.current
-              return ret unless current_context.analyze_request?
+              return ret if current_context && !current_context.analyze_request?
               trigger_node = method_policy.trigger_node
-              Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args) if trigger_node
+              if trigger_node
+                Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args)
+              end
               if method_policy.source_node
                 # If we were given a frozen return, and it was the target of a
                 # source, and we have frozen sources enabled, we'll need to
                 # replace the return. Note, this is not the default case.
-                source_ret = Contrast::Agent::Assess::Policy::SourceMethod.source_patchers(method_policy, object, ret, args)
+                source_ret = Contrast::Agent::Assess::Policy::SourceMethod.source_patchers(method_policy, object, ret,
+                                                                                           args)
               end
               if method_policy.propagation_node
                 propagated_ret = Contrast::Agent::Assess::Policy::PropagationMethod.apply_propagation(
@@ -277,9 +272,9 @@ module Contrast
             # <method_start>_unbound_<method_name>
             def build_unbound_method_name patcher_method
               (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
-                  'unbound' +
-                  Contrast::Utils::ObjectShare::UNDERSCORE +
-                  patcher_method.to_s).to_sym
+                'unbound' +
+                Contrast::Utils::ObjectShare::UNDERSCORE +
+                patcher_method.to_s).to_sym
             end
             # @param mod [Module] the module in which the patch should be
@@ -339,7 +334,7 @@ module Contrast
             # @return [Symbol] new alias for the underlying method (presumably, so the patched method can call it)
             def register_c_patch target_module_name, unbound_method, impl = :alias_instance
               # These could be set as AfterLoadPatches.
-              method_name = unbound_method.name.to_sym
+              method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
               underlying_method_name = build_unbound_method_name(method_name).to_sym
               target_module = Module.cs__const_get(target_module_name)
@@ -362,29 +357,27 @@ module Contrast
               case impl
               when :alias_instance, :alias_singleton
+                # Core to patching. Ignore define method usage cop.
+                # rubocop:disable Performance/Kernel/DefineMethod
                 unless target_module.instance_methods(false).include? underlying_method_name
                   # alias_method may be private
                   target_module.send(:alias_method, underlying_method_name, method_name)
-                  # TODO: RUBY-1052
-                  # rubocop:disable Performance/Kernel/DefineMethod
                   target_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                  # rubocop:enable Performance/Kernel/DefineMethod
                 end
                 target_module.send(visibility, method_name) # e.g., module.private(:my_method)
               when :prepend
                 prepending_module = Module.new
-                # TODO: RUBY-1052
-                # rubocop:disable Performance/Kernel/DefineMethod
                 prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                # rubocop:enable Performance/Kernel/DefineMethod
                 prepending_module.send(visibility, method_name)
                 # This prepends to the singleton class (it patches a class method)
                 target_module.prepend prepending_module
+                # rubocop:enable Performance/Kernel/DefineMethod
               end
               # Ougai::Logger.create_item_with_2args calls Hash#[]=, so we
               # can't invoke this logging method or we'll seg fault as we'd
               # change the method definition mid-call
-              # if method_name != :[]=
+              # if method_name != :[]= &&
+              #   Contrast::Agent::Logger.defined!
               #   logger.trace(
               #       'Registered C-defined patch',
               #       implementation: impl,
@@ -392,14 +385,15 @@ module Contrast
               #       method: method_name,
               #       visibility: visibility)
               # end
-              underlying_method_name.to_sym
+              underlying_method_name
             end
             # @return [Boolean]
             def skip_contrast_analysis?
               return true if in_contrast_scope?
-              return true unless defined?(Contrast::Agent::REQUEST_TRACKER)
-              return true unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
+              return false unless defined?(Contrast::Agent::REQUEST_TRACKER)
+              return false unless Contrast::Agent::REQUEST_TRACKER.current
+              return true unless Contrast::Agent::REQUEST_TRACKER.current.analyze_request?
               false
             end
@@ -411,7 +405,7 @@ module Contrast
             def skip_assess_analysis?
               return true if skip_contrast_analysis?
-              !ASSESS.enabled?
+              !ASSESS&.enabled?
             end
           end
         end

data/lib/contrast/agent/patching/policy/patch_status.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -13,7 +13,7 @@ module Contrast
             # one does not exist.
             #
             # @param mod [Module] the Module for which the status is asked
-            # @return [Contrast::Agent::Patching::Policy::PolicyStatus]
+            # @return [Contrast::Agent::Patching::Policy::PatchStatus]
             def get_status mod
               if mod.cs__const_defined?(status_key, false)
                 mod.cs__const_get(status_key, false)
@@ -68,7 +68,10 @@ module Contrast
             def set_info_for mod, method, method_policy, is_instance_method, cs_method
               mod.instance_variable_set(method_info_key, {}) unless mod.instance_variable_defined?(method_info_key)
               holder = mod.instance_variable_get(method_info_key)
-              holder[method_name_key(method, is_instance_method)] = [method_policy, cs_method] unless holder.key?(method)
+              # if we already have this information, then we don't need to set it as we'll update the info on access
+              return if holder.key?(method)
+              holder[method_name_key(method, is_instance_method)] = [method_policy, cs_method]
             end
             private
@@ -153,9 +156,7 @@ module Contrast
           end
           def patched?
-            @patch_status == :PATCHED ||
-                @patch_status == :NONE ||
-                @patch_status == :FAILED
+            @patch_status == :PATCHED || @patch_status == :NONE || @patch_status == :FAILED
           end
           def rewriting!
@@ -179,9 +180,7 @@ module Contrast
           end
           def rewritten?
-            @rewrite_status == :REWRITTEN ||
-                @rewrite_status == :NO_REWRITE ||
-                @rewrite_status == :FAILED_REWRITE
+            @rewrite_status == :REWRITTEN || @rewrite_status == :NO_REWRITE || @rewrite_status == :FAILED_REWRITE
           end
         end
       end

data/lib/contrast/agent/patching/policy/patcher.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'monitor'
@@ -13,7 +13,8 @@ require 'contrast/utils/class_util'
 # assess
 require 'contrast/agent/assess/policy/policy'
 require 'contrast/agent/assess/policy/policy_scanner'
-require 'contrast/agent/assess/policy/rewriter_patch'
+# TODO: RUBY-714 remove guard w/ EOL of 2.5
+require 'contrast/agent/assess/policy/rewriter_patch' if RUBY_VERSION < '2.6.0'
 require 'contrast/agent/assess/policy/source_method'
 require 'contrast/agent/assess/policy/trigger_method'
@@ -52,8 +53,8 @@ module Contrast
             # startup to catchup on everything we didn't see get loaded
             def patch
               catchup_after_load_patches
-              patch_methods
-              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations
+              catchup_loaded_methods
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
             end
             # Hook to only monkeypatch Contrast. This will not trigger any
@@ -62,10 +63,11 @@ module Contrast
             # where only a subset of the Assess changes are needed.
             PATCH_MONITOR = Monitor.new
-            def patch_methods
+            # Iterate over and patch those Modules and Methods which were loaded before the Agent was enabled.
+            def catchup_loaded_methods
               PATCH_MONITOR.synchronize do
                 t = Contrast::Agent::Thread.new do
-                  synchronized_patch_methods
+                  synchronized_catchup_loaded_methods
                 end
                 # aborting on exception makes exceptions propagate.
                 t.abort_on_exception = true
@@ -84,7 +86,7 @@ module Contrast
                 load_patches_for_module(mod_name)
-                return unless all_module_names.any? { |name| name == mod_name }
+                return unless all_module_names.any?(mod_name)
                 module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
                 patch_into_module(module_data)
@@ -100,7 +102,7 @@ module Contrast
             # @param mod [Module] the module in which the patch should be
             #   placed.
             # @param methods [Array(Symbol)] all the instance or singleton
-            #   methods in this clazz.
+            #   methods in this mod.
             # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
             #   the policy that applies to the given method_name.
             # @return [Boolean] if patched, either by this invocation or a
@@ -142,14 +144,15 @@ module Contrast
             # @return [Array<String>] the names of all the Modules for which
             #   there patches in our policies
             def all_module_names
-              @_all_module_names ||= POLICIES.each_with_object(Set.new) { |policy, set| set.merge(policy.instance.module_names) }
+              @_all_module_names ||=
+                POLICIES.each_with_object(Set.new) { |policy, set| set.merge(policy.instance.module_names) }
             end
             # Hook to only monkeypatch Contrast. This will not trigger any
             # other functions, like rewriting or scanning. This method should
             # only be invoked by the patch_methods method above in order to
             # ensure it is wrapped in a synchronize call
-            def synchronized_patch_methods
+            def synchronized_catchup_loaded_methods
               logger.trace_with_time('Running patching') do
                 patched = []
                 all_module_names.each do |patchable_name|
@@ -166,59 +169,42 @@ module Contrast
               end
             end
-            # Given the patchers that apply to this class that may apply, patch
-            # Contrast method calls into the methods for which we have rules.
+            # Given the patchers that apply to this class that may apply, patch Contrast method calls into the methods
+            # for which we have rules.
             #
-            # @param module_data [Contrast::Agent::ModuleData] the module, and
-            #   its name, that's being patched into
-            # @param redo_patch [Boolean] a trigger to force patching
-            #   regardless of the state of the
-            #   Contrast::Agent::Patching::Policy::PatchStatus status on the
-            #   Module
+            # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
+            # @param redo_patch [Boolean] a trigger to force patching regardless of the state of the
+            #   Contrast::Agent::Patching::Policy::PatchStatus status on the Module
             def patch_into_module module_data, redo_patch = false
               status = status_type.get_status(module_data.mod)
               return if (status&.patched? || status&.patching?) && !redo_patch
-              # Begin patching our sources into the given clazz (or module)
-              # Any patcher that has the name of the clazz will be evaluated for
-              # patching.
-              # Find all the patchers that apply to this class, sorted by type.
-              module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.create_module_policy(module_data.name)
-              clazz = module_data.mod
+              # Begin patching our sources into the given module. Any patcher that has the name of the module will be
+              # evaluated for patching. Find all the patchers that apply to this class, sorted by type.
+              module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.create_module_policy(module_data.mod_name)
+              # If there's nothing to match, then set that status and exit
+              if module_policy.empty?
+                status.no_patch!
+                return
+              end
               status.patching!
-              patched = false
-              counts = 0
-              # Monkey patch any methods in this class that have matching nodes in the policy
-              unless module_policy.empty?
-                instance_methods = all_instance_methods(clazz, true)
-                singleton_methods = clazz.singleton_methods(false)
-                counts += patch_into_methods(clazz, instance_methods, module_policy, true)
-                counts += patch_into_methods(clazz, singleton_methods, module_policy, false)
-                counts = module_policy.num_expected_patches if adjust_for_prepend(clazz)
-                patched = true
-              end
+              num_applied_patches = patch_into_instance_methods(module_data, module_policy)
+              num_applied_patches += patch_into_singleton_methods(module_data, module_policy)
+              if adjust_for_prepend(module_data) || module_policy.num_expected_patches == num_applied_patches
-              if patched
-                if module_policy.num_expected_patches == counts
-                  status.patched!
-                else
-                  status.partial_patch!
-                end
+                status.patched!
               else
-                status.no_patch!
+                status.partial_patch!
               end
             rescue StandardError => e
-              status ||= status_type.get_status(module_data.mod)
-              status.failed_patch!
-              logger.warn('Patching failed', e, module: module_data.name)
+              status&.failed_patch!
+              logger.warn('Patching failed', e, module: module_data.mod_name)
             ensure
               logger.trace('Patching complete',
-                           module: module_data.name,
-                           result: Contrast::Agent::Patching::Policy::PatchStatus.get_status(
-                               module_data.mod).patch_status)
+                           module: module_data.mod_name,
+                           result:
+                             Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod).patch_status)
             end
             # Get all of the instance methods on the given module, excluding
@@ -249,22 +235,45 @@ module Contrast
               instance_methods
             end
+            # Patch into the Instance Methods, including private, of the given Module that match the ModulePolicy
+            # provided.
+            #
+            # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
+            # @param module_policy [Contrast::Agent::Patching::Policy::ModulePolicy] All the patchers that apply to
+            #   this module, sorted by type.
+            def patch_into_instance_methods module_data, module_policy
+              mod = module_data.mod
+              methods = all_instance_methods(mod, true)
+              patch_into_methods(mod, methods, module_policy, true)
+            end
+            # Patch into the Singleton Methods of the given Module that match the ModulePolicy provided.
+            #
+            # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
+            # @param module_policy [Contrast::Agent::Patching::Policy::ModulePolicy] All the patchers that apply to
+            #   this module, sorted by type.
+            def patch_into_singleton_methods module_data, module_policy
+              mod = module_data.mod
+              methods = mod.singleton_methods(false)
+              patch_into_methods(mod, methods, module_policy, false)
+            end
             # We've found the patchers that apply to this class (or module). Now we'll
             # filter on the given method.
             #
-            # @param mod [Module] The module from which to retrieve instance
-            #   methods.
-            # @param methods [Array<Symbol>] The names of all the methods in
-            #   in this module
-            # @param module_policy [Contrast::Agent::Patching::Policy::ModulePolicy]
-            #   All the patchers that apply to this class, sorted by type.
-            # @param is_instance_method [Boolean] Indicates if these methods
-            #   are the instance or singleton methods for this module.
-            # @return [Integer] number of methods patched
+            # @param mod [Module] The module from which to retrieve instance methods.
+            # @param methods [Array<Symbol>] The names of all the methods in in this module
+            # @param module_policy [Contrast::Agent::Patching::Policy::ModulePolicy] All the patchers that apply to
+            #   this class, sorted by type.
+            # @param is_instance_method [Boolean] Indicates if these methods are the instance or singleton methods for
+            #   this module.
+            # @return [Integer] number of methods patched.
             def patch_into_methods mod, methods, module_policy, is_instance_method
               count = 0
               methods.each do |method|
-                method_policy = Contrast::Agent::Patching::Policy::MethodPolicy.build_method_policy(method, module_policy, is_instance_method)
+                method_policy = Contrast::Agent::Patching::Policy::MethodPolicy.build_method_policy(method,
+                                                                                                    module_policy,
+                                                                                                    is_instance_method)
                 next if method_policy.empty?
                 patched = patch_method(mod, methods, method_policy)
@@ -279,11 +288,10 @@ module Contrast
             # it has to be reapplied.
             # TODO: RUBY-620 should remove the need for this
             #
-            # @param mod[Module] the Module for which a prepend action needs to
-            #   be accounted
+            # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
             # @return [Boolean] if an adjustment was made or not
-            def adjust_for_prepend mod
-              return false unless mod.cs__name == 'CGI::Util'
+            def adjust_for_prepend module_data
+              return false unless module_data.mod.cs__name == 'CGI::Util'
               CGI.include(CGI::Util)
               CGI.extend(CGI::Util)