contrast-agent 4.5.0 → 4.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 34510a6c078720ccde6e95d4c0ee3a59eb6fa7db96da03ad7d047a3e926979ad
-  data.tar.gz: c9bceacdf3de12ef0554e066d8275084d4ff199cdff143077f32f08fc5415b31
+  metadata.gz: f9748bb3a9e7e6ce4722edc88dbb3bd8d3a59b11dd691f47ac29b3ee9e6a00ba
+  data.tar.gz: d5b5ff651f2914bff6da5cbd2fdcdc28a2dd1a2ea8ad4eced6c416cbab72b632
 SHA512:
-  metadata.gz: d5a507dcf5c610fbd2dd05b711ea9b1a553bbca720b769fc54f034d2d323184f23fb39ff793edf2d5074b568a4b557f817779f07d7937b966ab19d1acd3bdfb5
-  data.tar.gz: c00857ade1593231404e02583d9726e29e474a49b984f46a57d9a103591259757c94677cb01075de92c63e096eee0d9dd68c2f7f9703ebf0b9d09ea267c282e4
+  metadata.gz: 6e03ec0934d333e79f957515dfdc851861d395e9c768d09ffdfbf56b6e818d27361cffb2f010985f6da2182b1a4b070ef2291b86ccd9280fb117c4125611ae8f
+  data.tar.gz: bb60224de8c19b547f311aca8d78a2b99593e329696ab6acbaf59336316109be5e9419d02e6e4cd06d0714627c0942fea6d1c0872a6c69faff531838e1dbc359

data/lib/contrast/agent.rb

@@ -27,8 +27,6 @@ require 'contrast/utils/string_utils'
 require 'contrast/utils/io_util'
 require 'contrast/utils/os'
 
-require 'contrast/common_agent_configuration'
-
 require 'contrast/utils/hash_digest'
 require 'contrast/utils/invalid_configuration_util'
 

data/lib/contrast/agent/assess/policy/propagator/remove.rb

@@ -6,28 +6,35 @@ module Contrast
     module Assess
       module Policy
         module Propagator
-          # Propagation that results in all the tags of the source being
-          # applied to the totality of the target and then those sections
-          # which have been removed from the target are removed from the
-          # tags. The target's preexisting tags are also updated by this
-          # removal.
+          # Propagation that results in all the tags of the source being applied to the totality of the target and then
+          # those sections which have been removed from the target are removed from the tags. The target's preexisting
+          # tags are also updated by this removal.
           class Remove < Contrast::Agent::Assess::Policy::Propagator::Base
             class << self
-              # For the source, append its tags to the target.
-              # Once the tag is applied, remove the section that was removed by the delete.
-              # Unlike additive propagation, this currently only supports one source
+              # For the source, append its tags to the target. Once the tag is applied, remove the section that was
+              # removed by the delete. Unlike additive propagation, this currently only supports one source.
               def propagate propagation_node, preshift, target
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source = find_source(propagation_node.sources[0], preshift)
                 properties.copy_from(source, target, 0, propagation_node.untags)
-                source_chars = source.is_a?(String) ? source.chars : source.string.chars
-                handle_removal(source_chars, target)
+                handle_removal(propagation_node, source, target)
               end
 
-              def handle_removal source_chars, target
+              def handle_removal propagation_node, source, target
+                return unless source
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
+                source_string = source.is_a?(String) ? source : source.to_s
+
+                # If the lengths are the same, we should just copy the tags because nothing was removed, but a new
+                # instance could have been created. copy_from will handle the case where the source is the target.
+                if source_string.length == target.length
+                  properties.copy_from(source, target, 0, propagation_node.untags)
+                  return
+                end
+
+                source_chars = source_string.chars
                 source_idx = 0
 
                 target_chars = target.chars
@@ -36,10 +43,8 @@ module Contrast
                 remove_ranges = []
                 start = nil
 
-                # loop over the target, the result of the delete
-                # every range of characters that it differs from the source
-                # represents a section that was deleted. these sections
-                # need to have their tags updated
+                # loop over the target, the result of the delete every range of characters that it differs from the
+                # source represents a section that was deleted. these sections need to have their tags updated
                 target_len = target_chars.length
                 while target_idx < target_len
                   target_char = target_chars[target_idx]
@@ -56,9 +61,8 @@ module Contrast
                   source_idx += 1
                 end
 
-                # once we're done looping over the target, anything left
-                # over is extra from the source that was deleted. tags
-                # applying to it need to be removed.
+                # once we're done looping over the target, anything left over is extra from the source that was
+                # deleted. tags applying to it need to be removed.
                 remove_ranges << (source_idx...source_chars.length) if source_idx != source_chars.length
 
                 # handle deleting the removed ranges

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -8,49 +8,30 @@ module Contrast
         module Propagator
           # This class is specifically for String#tr(_s) propagation
           #
-          # Disclaimer: there may be a better way, but we're
-          # in a 'get it work' state. hopefully, we'll be in
-          # a 'get it right' state soon.
+          # Disclaimer: there may be a better way, but we're in a 'get it work' state. hopefully, we'll be in a 'get it
+          # right' state soon.
           module Trim
             class << self
-              def tr_tagger patcher, preshift, ret, _block
+
+              # @param policy_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+              #   propagation event.
+              # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+              #   the invocation of the patched method.
+              # @param ret [nil, String] the target to which to propagate.
+              # @return [nil, String] ret
+              def tr_tagger policy_node, preshift, ret, _block
                 return ret unless ret && !ret.empty?
                 return ret unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
-                source = preshift.object
-                args = preshift.args
-                properties.copy_from(source, ret)
-                replace_string = args[1]
-                source_chars = source.chars
-                # if the replace string is empty, then there's a bunch of deletes. this
-                # functions the same as the Removal propagation.
-                if replace_string == Contrast::Utils::ObjectShare::EMPTY_STRING
-                  Contrast::Agent::Assess::Policy::Propagator::Remove.handle_removal(source_chars, ret)
-                else
-                  remove_ranges = []
-                  ret_chars = ret.chars
-                  start = nil
-                  source_chars.each_with_index do |char, idx|
-                    if ret_chars[idx] == char
-                      next unless start
-
-                      remove_ranges << (start...idx)
-                      start = nil
-                    else
-                      start ||= idx
-                    end
-                  end
-                  # account for the last char being different
-                  remove_ranges << (start...source_chars.length) if start
-                  properties.delete_tags_at_ranges(remove_ranges, false)
-                end
+                properties.copy_from(preshift.object, ret)
+                handle_tr(policy_node, preshift, ret, properties)
 
                 properties.build_event(
-                    patcher,
+                    policy_node,
                     ret,
-                    source,
+                    preshift.object,
                     ret,
-                    args,
+                    preshift.args,
                     1)
                 ret
               end
@@ -70,6 +51,56 @@ module Contrast
                     args)
                 ret
               end
+
+              private
+
+              # @param policy_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+              #   propagation event.
+              # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+              #   the invocation of the patched method.
+              # @param ret [String] the target to which to propagate.
+              # @param properties [Contrast::Agent::Assess::Properties] the properties of the ret
+              def handle_tr policy_node, preshift, ret, properties
+                source = preshift.object
+                replace_string = preshift.args[1]
+
+                # if the replace string is empty, then there's a bunch of deletes. this functions the same as the
+                # Removal propagation.
+                if replace_string == Contrast::Utils::ObjectShare::EMPTY_STRING
+                  Contrast::Agent::Assess::Policy::Propagator::Remove.handle_removal(policy_node, source, ret)
+                  return
+                end
+
+                # Otherwise, we need to target each insertion point. Based on the spec for #tr & #tr_s, the find is
+                # treated as a regex range, excepting the `\` character, which we'll need to escape. This converts to
+                # that form, wrapping the input in `[]`.
+                find_string = preshift.args[0]
+                find_string += '\\' if find_string.end_with?('\\')
+                find_regexp = Regexp.new("[#{ find_string }]")
+
+                # Find the first instance to be replaced. If there isn't one, than nothing changed here.
+                idx = source.index(find_regexp)
+                return unless idx
+
+                # Iterate over each change and record where it happened. B/c this is a one to one replace, the index of
+                # the replacement is always one; however, there may be adjacent replacements which become a single
+                # range.
+                start = idx
+                stop = idx + 1
+                remove_ranges = []
+                while (idx = source.index(find_regexp, idx + 1))
+                  # If the previous range ends at this index, we can expand that range to include this index.
+                  # Otherwise, we need to record the held range and start a new one.
+                  if stop != idx
+                    remove_ranges << (start...stop)
+                    start = idx
+                  end
+                  stop = idx + 1
+                end
+                # Be sure to capture the last range in the holder.
+                remove_ranges << (start...stop)
+                properties.delete_tags_at_ranges(remove_ranges, false)
+              end
             end
           end
         end

data/lib/contrast/agent/deadzone/policy/policy.rb

@@ -8,8 +8,8 @@ module Contrast
   module Agent
     module Deadzone
       module Policy
-        # This is just a holder for our policy. Takes the policy JSON and
-        # converts it into hashes that we can access nicely
+        # This is just a holder for our policy. Takes the policy JSON and converts it into hashes that we can access
+        # nicely.
         class Policy < Contrast::Agent::Patching::Policy::Policy
           def self.policy_folder
             'deadzone'
@@ -35,6 +35,10 @@ module Contrast
             end
           end
 
+          def module_names
+            @_module_names ||= Set.new(deadzones.map(&:class_name))
+          end
+
           def add_node node, _node_type = :deadzones
             unless node
               logger.error('Node was nil when adding node to policy')

data/lib/contrast/agent/inventory/dependency_usage_analysis.rb

@@ -24,8 +24,8 @@ module Contrast
           @lock.synchronize { @gemdigest_cache = Hash.new { |hash, key| hash[key] = Set.new } }
         end
 
-        # This method is invoked once, along with the rest of our catchup code to report libraries and their
-        # associated files that have already been loaded pre-contrast.
+        # This method is invoked once, along with the rest of our catchup code to report libraries and their associated
+        # files that have already been loaded pre-contrast.
         def catchup
           return unless enabled?
 
@@ -45,8 +45,8 @@ module Contrast
           end
         end
 
-        # This method is invoked once per TracePoint :end - to map a specific file being required to the gem
-        # it belongs to.
+        # This method is invoked once per TracePoint :end - to map a specific file being required to the gem to which
+        # it belongs.
         #
         # @param path [String] the result of TracePoint#path from the :end event in which the Module was defined.
         def associate_file path
@@ -71,7 +71,7 @@ module Contrast
           logger.error('Unable to inventory file path', e, path: path)
         end
 
-        # Populate the library_usages field of the Activity message using the data stored in the @gemdigest_cache
+        # Populate the library_usages field of the Activity message using the data stored in the @gemdigest_cache.
         #
         # @param activity [Contrast::Api::Dtm::Activity] the message to which to append the usage data
         def generate_library_usage activity
@@ -79,7 +79,7 @@ module Contrast
           return unless activity
 
           # Copy gemdigest_cache and clear it in sync.
-          gem_spec_digest_to_files = @lock.synchronize do 
+          gem_spec_digest_to_files = @lock.synchronize do
             copy = @gemdigest_cache.dup
             @gemdigest_cache.clear
             copy

data/lib/contrast/agent/middleware.rb

@@ -16,18 +16,17 @@ require 'contrast/utils/timer'
 
 module Contrast
   module Agent
-    # This class allows the Agent to plug into the Rack middleware stack. When the
-    # application is first started, we initialize ourselves as a rack middleware
-    # inside of #initialize. Afterwards, we process each http request and response
-    # as it goes through the middleware stack inside of #call.
+    # This class allows the Agent to plug into the Rack middleware stack. When the application is first started, we
+    # initialize ourselves as a rack middleware inside of #initialize. Afterwards, we process each http request and
+    # response as it goes through the middleware stack inside of #call.
     class Middleware
       include Contrast::Components::Interface
       access_component :agent, :config, :logging, :scope, :settings
 
       attr_reader :app
 
-      # Allows the Agent to function as a middleware. We perform all our one-time whole-app routines in here
-      # since we're only going to be initialized a single time. Our initialization order is:
+      # Allows the Agent to function as a middleware. We perform all our one-time whole-app routines in here since
+      # we're only going to be initialized a single time. Our initialization order is:
       # - capture the application
       # - setup the Agent
       # - startup the Agent
@@ -47,14 +46,13 @@ module Contrast
         agent_startup_routine
       end
 
-      # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready
-      # to do some processing on a per request basis. If not, we just pass the request along to the
-      # next middleware in the stack.
+      # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready to do some
+      # processing on a per request basis. If not, we just pass the request along to the next middleware in the stack.
       #
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
-      #   and values of this Request
-      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back
-      #   to the user up the Rack framework.
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this Request
+      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back to the user up
+      #   the Rack framework.
       def call env
         return app.call(env) unless AGENT.enabled?
 
@@ -100,43 +98,22 @@ module Contrast
         Contrast::Agent::AtExitHook.exit_hook
       end
 
-      # Some things have to wait until first request to happen, either because
-      # resolution is not complete or because the framework will preload
-      # classes, which confuses some of our instrumentation.
+      # Some things have to wait until first request to happen, either because resolution is not complete or because
+      # the framework will preload classes, which confuses some of our instrumentation.
       def handle_first_request
         @_handle_first_request ||= begin
           Contrast::Agent::StaticAnalysis.catchup
-          force_patching
           true
         end
       end
 
-      # TODO: RUBY-1090 remove this method and those it calls.
-      #
-      # These modules are auto-loaded by Rails, meaning they are defined at
-      # startup, but that they don't actually exist. We account for this in
-      # most cases by using the ClassUtil.truly_defined? method, but it appears
-      # to fail for these Modules. In the short term, we can forcing a re-patch
-      # so that their dead zones apply.
-      def force_patching
-        force_patch(ActionDispatch::FileHandler) if defined?(ActionDispatch::FileHandler)
-        force_patch(ActionDispatch::Http::MimeNegotiation) if defined?(ActionDispatch::Http::MimeNegotiation)
-        force_patch(ActionDispatch::Journey::Router) if defined?(ActionDispatch::Journey::Router)
-        force_patch(ActionView::Template) if defined?(ActionView::Template)
-      end
-
-      def force_patch mod
-        data = Contrast::Agent::ModuleData.new(mod)
-        Contrast::Agent::Patching::Policy::Patcher.send(:patch_into_module, data, true)
-      end
-
-      # This is where we process each request we intercept as a middleware. We make the request context
-      # available globally so that it can be accessed from anywhere. A RequestHandler object is made
-      # for each request, which handles prefilter and postfilter operations.
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
-      #   and values of this Request
-      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back
-      #   to the user up the Rack framework.
+      # This is where we process each request we intercept as a middleware. We make the request context available
+      # globally so that it can be accessed from anywhere. A RequestHandler object is made for each request, which
+      # handles prefilter and postfilter operations.
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this Request
+      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back to the user
+      #   up the Rack framework.
       def call_with_agent env
         Contrast::Agent.thread_watcher.ensure_running?
         framework_request = Contrast::Agent.framework_manager.retrieve_request(env)
@@ -211,8 +188,8 @@ module Contrast
       end
 
       SECURITY_EXCEPTION_MARKER = 'Contrast::SecurityException'
-      # We're only going to suppress SecurityExceptions indicating a blocked attack.
-      # And, only if the config.agent.ruby.exceptions.capture? is set
+      # We're only going to suppress SecurityExceptions indicating a blocked attack. And, only if the
+      # config.agent.ruby.exceptions.capture? is set
       def handle_exception exception
         if security_exception?(exception)
           exception_control = AGENT.exception_control
@@ -234,18 +211,15 @@ module Contrast
             exception.message&.include?(SECURITY_EXCEPTION_MARKER)
       end
 
-      # As we deprecate support to prepare to remove dead code, we need to
-      # inform our users still relying on the now deprecated and soon to be
-      # removed functionality. This method handles doing that by leveraging the
-      # standard Kernel#warn approach
+      # As we deprecate support to prepare to remove dead code, we need to inform our users still relying on the now
+      # deprecated and soon to be removed functionality. This method handles doing that by leveraging the standard
+      # Kernel#warn approach
       def inform_deprecations
-        # Ruby 2.5 is currently in security maintenance, meaning int is only
-        # receiving updates for security issues. It will move to eol on 31
-        # March 2021. As such, we can remove support for it in Q2. We'll begin
-        # the deprecation warnings now so that customers have time to reach out
-        # if they'll be impacted.
-        # TODO: RUBY-715 remove this part of the method, leaving it empty if
-        #   there are no other deprecations, when we drop 2.5 support.
+        # Ruby 2.5 is currently in security maintenance, meaning int is only receiving updates for security issues. It
+        # will move to eol on 31 March 2021. As such, we can remove support for it in Q3. We'll begin the deprecation
+        # warnings now so that customers have time to reach out if they'll be impacted.
+        # TODO: RUBY-715 remove this part of the method, leaving it empty if there are no other deprecations, when we
+        #   drop 2.5 support.
         return unless RUBY_VERSION < '2.6.0'
 
         Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.5 will be removed in April 2021. '\

data/lib/contrast/agent/patching/policy/patch.rb

@@ -362,24 +362,21 @@ module Contrast
 
               case impl
               when :alias_instance, :alias_singleton
+                # Core to patching. Ignore define method usage cop.
+                # rubocop:disable Performance/Kernel/DefineMethod
                 unless target_module.instance_methods(false).include? underlying_method_name
                   # alias_method may be private
                   target_module.send(:alias_method, underlying_method_name, method_name)
-                  # TODO: RUBY-1052
-                  # rubocop:disable Performance/Kernel/DefineMethod
                   target_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                  # rubocop:enable Performance/Kernel/DefineMethod
                 end
                 target_module.send(visibility, method_name) # e.g., module.private(:my_method)
               when :prepend
                 prepending_module = Module.new
-                # TODO: RUBY-1052
-                # rubocop:disable Performance/Kernel/DefineMethod
                 prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                # rubocop:enable Performance/Kernel/DefineMethod
                 prepending_module.send(visibility, method_name)
                 # This prepends to the singleton class (it patches a class method)
                 target_module.prepend prepending_module
+                # rubocop:enable Performance/Kernel/DefineMethod
               end
               # Ougai::Logger.create_item_with_2args calls Hash#[]=, so we
               # can't invoke this logging method or we'll seg fault as we'd
@@ -393,7 +390,7 @@ module Contrast
               #       method: method_name,
               #       visibility: visibility)
               # end
-              underlying_method_name.to_sym
+              underlying_method_name
             end
 
             # @return [Boolean]

data/lib/contrast/agent/patching/policy/policy.rb

@@ -13,8 +13,9 @@ module Contrast
   module Agent
     module Patching
       module Policy
-        # This is just a holder for our policy. Takes the policy JSON and
-        # converts it into hashes that we can access nicely
+        # This is just a holder for our policy. Takes the policy JSON and converts it into hashes that we can access
+        # nicely.
+        #
         # @abstract
         class Policy
           include Singleton
@@ -25,8 +26,8 @@ module Contrast
             raise(NoMethodError, 'specify policy_folder for patching')
           end
 
-          # Indicates is this feature has been disabled by the configuration,
-          # read at startup, and therefore can never be enabled.
+          # Indicates is this feature has been disabled by the configuration, read at startup, and therefore can never
+          # be enabled.
           def disabled_globally?
             raise(NoMethodError, 'specify disabled_globally? conditions for patching')
           end
@@ -58,17 +59,15 @@ module Contrast
             from_hash_string(json)
           end
 
-          # Our policy for patching rules is a 'dope ass' JSON file. Rather than
-          # hard code in a bunch of things to monkey patch, we let the JSON file
-          # define the conditions in which modifications are applied.
-          # This let's us be flexible and extensible.
+          # Our policy for patching rules is a 'dope ass' JSON file. Rather than hard code in a bunch of things to
+          # monkey patch, we let the JSON file define the conditions in which modifications are applied. This let's us
+          # be flexible and extensible.
           def from_hash_string string
-            # The default behavior of the agent is to load the policy on startup,
-            # as at this point we do not know in which mode we'll be run.
+            # The default behavior of the agent is to load the policy on startup, as at this point we do not know in
+            # which mode we'll be run.
             #
-            # If the configuration file explicitly disables a feature, we know
-            # that we will not ever be able to enable it, so in that case, we
-            # can skip policy loading.
+            # If the configuration file explicitly disables a feature, we know that we will not ever be able to enable
+            # it, so in that case, we can skip policy loading.
             return if disabled_globally?
 
             policy_data = JSON.parse(string)
@@ -110,13 +109,7 @@ module Contrast
           end
 
           def module_names
-            @_module_names ||= begin
-              m = Set.new
-              sources.each { |source| m << source.class_name }
-              propagators.each { |propagator| m << propagator.class_name }
-              triggers.each { |trigger| m << trigger.class_name }
-              m
-            end
+            @_module_names ||= Set.new([sources, propagators, triggers].flatten.map!(&:class_name))
           end
 
           def find_triggers_by_rule rule_id

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '4.5.0'
+    VERSION = '4.6.0'
   end
 end

data/lib/contrast/api/communication/response_processor.rb

@@ -70,12 +70,12 @@ module Contrast
 
           logger.trace_with_time('Rebuilding rule modes') do
             SETTINGS.build_protect_rules if PROTECT.enabled?
-            SETTINGS.build_assess_rules  if ASSESS.enabled?
             AGENT.reset_ruleset
 
             logger.info('Current rule settings:')
+
             PROTECT.rules.each { |k, v| logger.info('Protect Rule mode set', rule: k, mode: v.mode) }
-            ASSESS.rules.each { |k, v| logger.info('Assess Rule mode set', rule: k, mode: v.enabled?) }
+            logger.info('Disabled Assess Rules', rules: ASSESS.disabled_rules)
           end
         end
       end

data/lib/contrast/components/agent.rb

@@ -36,7 +36,7 @@ module Contrast
         end
 
         def ruleset
-          @_ruleset ||= Contrast::Agent::RuleSet.new(retrieve_ruleset&.values)
+          @_ruleset ||= Contrast::Agent::RuleSet.new(retrieve_protect_ruleset&.values)
         end
 
         def reset_ruleset
@@ -98,16 +98,10 @@ module Contrast
           @_interpolation_patch_possible
         end
 
-        def retrieve_ruleset
-          return {} unless enabled?
+        def retrieve_protect_ruleset
+          return {} unless enabled? && PROTECT.enabled?
 
-          if ASSESS.enabled? && PROTECT.enabled?
-            ASSESS.rules.merge(PROTECT.rules)
-          elsif ASSESS.enabled?
-            ASSESS.rules
-          else
-            PROTECT.rules
-          end
+          PROTECT.rules
         end
       end
 

data/lib/contrast/components/assess.rb

@@ -19,7 +19,7 @@ module Contrast
           return false if forcibly_disabled?
           return true  if forcibly_enabled?
 
-          SETTINGS.assess_enabled?
+          SETTINGS.assess_state.enabled == true
         end
 
         def tainted_columns
@@ -58,10 +58,9 @@ module Contrast
         # node types (SourceNode, PolicyNode, TriggerNode, PropagationNode)
         #
         # @param policy_node [Contrast::Agent::Assess::Policy::PolicyNode] The node in question.
-        # @param return [Boolean] to capture or not to capture, that is the question.
+        # @return [Boolean] to capture or not to capture, that is the question.
         def capture_stacktrace? policy_node
           return true if capture_stacktrace_value == :ALL
-
           return false if capture_stacktrace_value == :NONE
 
           # Below here capture_stacktrace_value must be :SOME.
@@ -90,8 +89,9 @@ module Contrast
           CONFIG.root.assess&.tags
         end
 
-        def rules
-          SETTINGS.assess_rules
+        def disabled_rules
+          # TODO: RUBY-903
+          CONFIG.root.assess&.rules&.disabled_rules || SETTINGS.assess_state.disabled_assess_rules || []
         end
 
         private
@@ -100,11 +100,6 @@ module Contrast
           @_forcibly_enabled = true?(CONFIG.root.assess.enable) if @_forcibly_enabled.nil?
           @_forcibly_enabled
         end
-
-        def disabled_rules
-          # TODO: RUBY-903
-          CONFIG.root.assess&.rules&.disabled_rules || SETTINGS.disabled_assess_rules || []
-        end
       end
 
       COMPONENT_INTERFACE = Interface.new

data/lib/contrast/components/protect.rb

@@ -4,11 +4,8 @@
 module Contrast
   module Components
     module Protect
-      # A wrapper build around the Common Agent Configuration project to allow
-      # for access of the values contained in its
-      # parent_configuration_spec.yaml.
-      # Specifically, this allows for querying the state of the Protect
-      # product.
+      # A wrapper build around the Common Agent Configuration project to allow for access of the values contained in
+      # its parent_configuration_spec.yaml.  Specifically, this allows for querying the state of the Protect product.
       class Interface
         include Contrast::Components::ComponentBase
         include Contrast::Components::Interface
@@ -20,7 +17,7 @@ module Contrast
           return false if forcibly_disabled?
           return true  if forcibly_enabled?
 
-          SETTINGS.protect_enabled?
+          SETTINGS.protect_state.enabled == true
         end
 
         def rule_config
@@ -28,17 +25,17 @@ module Contrast
         end
 
         def rules
-          SETTINGS.protect_rules
+          SETTINGS.protect_state.rules
         end
 
         def rule_mode rule_id
           CONFIG.root.protect.rules[rule_id]&.applicable_mode ||
-              SETTINGS.modes_by_id[rule_id] ||
+              SETTINGS.application_state.modes_by_id[rule_id] ||
               Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
         end
 
         def rule name
-          SETTINGS.protect_rules[name]
+          SETTINGS.protect_state.rules[name]
         end
 
         def report_any_command_execution?
@@ -58,15 +55,13 @@ module Contrast
         end
 
         def forcibly_disabled?
-          @_forcibly_disabled = false?(CONFIG.root.protect.enable) if @_forcibly_disabled.nil?
-          @_forcibly_disabled
+          @_forcibly_disabled ||= false?(CONFIG.root.protect.enable)
         end
 
         private
 
         def forcibly_enabled?
-          @_forcibly_enabled = true?(CONFIG.root.protect.enable) if @_forcibly_enabled.nil?
-          @_forcibly_enabled
+          @_forcibly_enabled ||= true?(CONFIG.root.protect.enable)
         end
       end
 

data/lib/contrast/components/scope.rb

@@ -109,6 +109,7 @@ module Contrast
 
         def with_deserialization_scope
           scope_for_current_ec.enter_deserialization_scope!
+          yield
         ensure
           scope_for_current_ec.exit_deserialization_scope!
         end

data/lib/contrast/components/settings.rb

@@ -8,134 +8,61 @@ module Contrast
     # directives (likely provided by TeamServer) about product operation.
     # 'Settings' is not a generic term for 'configurable stuff'.
     module Settings
+      APPLICATION_STATE_BASE = Struct.new(:modes_by_id, :exclusion_matchers).new(
+          Hash.new { Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION }, [])
+      PROTECT_STATE_BASE = Struct.new(:enabled, :rules).new(false, {})
+      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules).new(false, nil, []) do
+        def sampling_settings= new_val
+          @sampling_settings = new_val
+          Contrast::Utils::Assess::SamplingUtil.instance.update
+        end
+      end
+
       # This is a class.
       class Interface
         include Contrast::Components::ComponentBase
         include Contrast::Components::Interface
         access_component :config
 
-        attr_reader :assess_rules,
-                    :protect_rules
-
-        # Other stateful information that doesn't yet cleanly fit anywhere:
-
         # tainted_columns are database columns that receive unsanitized input.
-        # this statefulness
         attr_reader :tainted_columns # This can probably go into assess_state?
-
-        # These three 'state' variables represent atomic config/setting state,
-        # outside of things like rule defs.
-
-        def assess_state
-          @assess_state ||= { # rubocop:disable Naming/MemoizedInstanceVariableName
-              enabled: false,        # Boolean
-              sampling_features: nil # Contrast::Api::Settings::Sampling
-          }
-        end
-
-        def protect_state
-          @protect_state ||= { # rubocop:disable Naming/MemoizedInstanceVariableName
-              enabled: false
-          }
-        end
-
-        def application_state
-          @application_state ||= { # rubocop:disable Naming/MemoizedInstanceVariableName
-              modes_by_id: Hash.new(Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION),
-              exclusion_matchers: [],
-              disabled_assess_rules: []
-          }
-        end
-
-        # These are settings that we receive & store.
-        # Rules are settings too, but they're more involved.
-        # So, between this block and rules, that's setting state.
-        PROTECT_STATE_ATTRS       = %i[].cs__freeze
-        ASSESS_STATE_ATTRS        = %i[sampling_features].cs__freeze
-        APPLICATION_STATE_ATTRS   = %i[modes_by_id exclusion_matchers disabled_assess_rules].cs__freeze
-
-        # Meta-define an accessor for each state attribute.
-
-        PROTECT_STATE_ATTRS.each do |attr|
-          # TODO: RUBY-1052
-          define_method(attr) do # rubocop:disable Performance/Kernel/DefineMethod
-            protect_state[attr]
-          end
-        end
-
-        ASSESS_STATE_ATTRS.each do |attr|
-          # TODO: RUBY-1052
-          define_method(attr) do # rubocop:disable Performance/Kernel/DefineMethod
-            assess_state[attr]
-          end
-        end
-
-        APPLICATION_STATE_ATTRS.each do |attr|
-          # TODO: RUBY-1052
-          define_method(attr) do # rubocop:disable Performance/Kernel/DefineMethod
-            application_state[attr]
-          end
-        end
+        attr_reader :assess_state, :protect_state, :application_state
 
         def initialize
           reset_state
         end
 
-        def protect_enabled?
-          @_protect_enabled = !!protect_state[:enabled] if @_protect_enabled.nil?
-          @_protect_enabled
-        end
-
-        def assess_enabled?
-          @_assess_enabled = !!assess_state[:enabled] if @_assess_enabled.nil?
-          @_assess_enabled
-        end
-
         def code_exclusions
-          exclusion_matchers.select(&:code?)
+          @application_state.exclusion_matchers.select(&:code?)
         end
 
         # @param server_features [Contrast::Api::Settings::ServerFeatures]
         def update_from_server_features server_features
-          # protect
-
-          @_protect_enabled = nil
-          protect_state[:enabled] = server_features.protect_enabled?
-
-          # assess
-
-          @_assess_enabled = nil
-          assess_state[:enabled] = server_features.assess_enabled?
-          assess_state[:sampling_settings] = server_features.assess.sampling
-          Contrast::Utils::Assess::SamplingUtil.instance.update
+          @protect_state.enabled = server_features.protect_enabled?
+          @assess_state.enabled = server_features.assess_enabled?
+          @assess_state.sampling_settings = server_features.assess.sampling
         end
 
         # @param application_settings [Contrast::Api::Settings::ApplicationSettings]
         def update_from_application_settings application_settings
-          application_state.merge!(application_settings.application_state_translation)
+          new_vals = application_settings.application_state_translation
+          @application_state.modes_by_id = new_vals[:modes_by_id]
+          @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
+          @assess_state.disabled_assess_rules = new_vals[:disabled_assess_rules]
         end
 
         # Wipe state to zero.
         def reset_state
-          @assess_rules = {}
-          @protect_rules = {}
-
+          @protect_state = PROTECT_STATE_BASE.dup
+          @assess_state = ASSESS_STATE_BASE.dup
+          @application_state = APPLICATION_STATE_BASE.dup
           @tainted_columns = {}
-
-          @assess_state = nil
-          @protect_state = nil
-          @application_state = nil
-        end
-
-        def build_assess_rules
-          # TODO: RUBY-1120 actually build assess_rules.
-          @assess_rules = {}
         end
 
         def build_protect_rules
-          @protect_rules = {}
+          @protect_state.rules = {}
 
-          # rules
+          # Rules. They add themselves on initialize.
           Contrast::Agent::Protect::Rule::CmdInjection.new
           Contrast::Agent::Protect::Rule::Deserialization.new
           Contrast::Agent::Protect::Rule::HttpMethodTampering.new

data/lib/contrast/framework/manager.rb

@@ -107,11 +107,8 @@ module Contrast
       #
       # @param request [Contrast::Agent::Request] the current request.
       # @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
-      # TODO: RUBY-1075 add unit test.
       def get_route_dtm request
-        result = nil
-        @_frameworks.find { |framework_klass| result = framework_klass.current_route(request) }
-        result
+        @_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.reject(&:nil?).first
       end
 
       private

data/ruby-agent.gemspec

@@ -67,6 +67,8 @@ def self.add_specs spec
   spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'rspec-benchmark'
   spec.add_development_dependency 'rspec_junit_formatter', '0.3.0'
+  spec.add_development_dependency 'rspec-rails', '5.0'
+  spec.add_development_dependency 'tzinfo-data' # Alpine rspec-rails requirement.
 end
 
 def self.add_coverage spec
@@ -85,6 +87,7 @@ end
 
 # Dependencies not mocked out during RSpec that we test real code of, beyond just frameworks.
 def self.add_tested_gems spec
+  spec.add_development_dependency 'async'
   spec.add_development_dependency 'execjs'
   spec.add_development_dependency 'sqlite3'
   spec.add_development_dependency 'therubyracer'

data/service_executables/VERSION

@@ -1 +1 @@
-2.18.0
+2.19.0

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 4.5.0
+  version: 4.6.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-03-25 00:00:00.000000000 Z
+date: 2021-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -253,6 +253,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+- !ruby/object:Gem::Dependency
+  name: async
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: execjs
   requirement: !ruby/object:Gem::Requirement
@@ -435,6 +449,34 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.3.0
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: tzinfo-data
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: ougai
   requirement: !ruby/object:Gem::Requirement
@@ -499,20 +541,20 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_array/extconf.rb
 - ext/cs__assess_string_interpolation26/extconf.rb
+- ext/cs__assess_marshal_module/extconf.rb
 - ext/cs__assess_hash/extconf.rb
+- ext/cs__assess_yield_track/extconf.rb
+- ext/cs__assess_string/extconf.rb
 - ext/cs__protect_kernel/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
+- ext/cs__assess_regexp/extconf.rb
 - ext/cs__assess_fiber_track/extconf.rb
-- ext/cs__assess_array/extconf.rb
-- ext/cs__assess_active_record_named/extconf.rb
-- ext/cs__assess_string/extconf.rb
 - ext/cs__assess_kernel/extconf.rb
+- ext/cs__assess_active_record_named/extconf.rb
 - ext/cs__assess_module/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
-- ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__assess_yield_track/extconf.rb
-- ext/cs__assess_regexp/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"
@@ -868,7 +910,6 @@ files:
 - lib/contrast/api/decorators/user_input.rb
 - lib/contrast/api/dtm.pb.rb
 - lib/contrast/api/settings.pb.rb
-- lib/contrast/common_agent_configuration.rb
 - lib/contrast/components/agent.rb
 - lib/contrast/components/app_context.rb
 - lib/contrast/components/assess.rb
@@ -1007,7 +1048,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Contrast Security's agent for rack-based applications.

data/lib/contrast/common_agent_configuration.rb

@@ -1,87 +0,0 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
-# frozen_string_literal: true
-
-# rubocop:disable Style/MissingRespondToMissing
-module Contrast
-  # A wrapper build around the Common Agent Configuration project to allow for
-  # access of the values contained in its parent_configuration_spec.yaml
-  class CommonAgentConfiguration
-    # The CAC spec, deserialized to a hash.
-
-    SPEC       = 'spec'
-    NODES      = 'nodes'
-    PROPERTIES = 'properties'
-
-    def initialize hsh
-      @hsh = hsh[SPEC]
-    end
-
-    # Used to indicate those sections of the configuration which have
-    # references to other nodes or properties, allowing for the parsing of and
-    # access to the nested configuration structure.
-    module IsANode
-      def children
-        hsh[NODES]&.map { |raw_node| Node.new(raw_node) } || []
-      end
-
-      def properties
-        hsh[PROPERTIES].map { |raw_property| Property.new(raw_property) }
-      end
-
-      def lookup *path
-        # Path will be N args, representing a path of nodes.
-        path.reduce(self) do |node, next_arg|
-          # If we can travel to a node by that name, do that.
-          candidate_node = node.children.find { |n| n.name == next_arg }
-          next candidate_node if candidate_node
-
-          # If there's a property, dereference that.
-          candidate_property = node.properties.find { |n| n.name == next_arg }
-          next candidate_property if candidate_property
-
-          raise IndexError, "couldn't traverse path:\t#{ path.join(Contrast::Utils::ObjectShare::PERIOD) }"
-        end
-      end
-
-      def method_missing method, *args, &block
-        if args.any?
-          lookup(method.to_s).public_send(args, block)
-        else
-          lookup(method.to_s)
-        end
-      rescue IndexError
-        super(method, args, block)
-      end
-    end
-
-    # Used to indicate those sections of the configuration which are for a
-    # single property, allowing for the parsing of and access to the
-    # information describing the property.
-    module IsAProperty
-      attr_reader :hsh
-
-      def initialize hsh
-        @hsh = hsh
-      end
-
-      %w[name default description required_languages display].each do |field|
-        # TODO: RUBY-1052
-        define_method(field) { hsh[field].dup } # rubocop:disable Performance/Kernel/DefineMethod
-      end
-    end
-
-    include IsANode
-    include IsAProperty
-
-    # A Property in the Common Agent Configuration
-    class Property
-      include IsAProperty
-    end
-
-    # A Node in the Common Agent Configuration
-    class Node < Property
-      include IsANode
-    end
-  end
-end
-# rubocop:enable Style/MissingRespondToMissing