contrast-agent 4.6.0 → 4.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f9748bb3a9e7e6ce4722edc88dbb3bd8d3a59b11dd691f47ac29b3ee9e6a00ba
-  data.tar.gz: d5b5ff651f2914bff6da5cbd2fdcdc28a2dd1a2ea8ad4eced6c416cbab72b632
+  metadata.gz: 8b3d1ce6b9794d3923d2054d9a20bd31989fd0c6b4df2883f81ad3e740c04de5
+  data.tar.gz: 894505c04e850858f83e2207c52cc944f738ce19183051d9530cfdaf09f72ab7
 SHA512:
-  metadata.gz: 6e03ec0934d333e79f957515dfdc851861d395e9c768d09ffdfbf56b6e818d27361cffb2f010985f6da2182b1a4b070ef2291b86ccd9280fb117c4125611ae8f
-  data.tar.gz: bb60224de8c19b547f311aca8d78a2b99593e329696ab6acbaf59336316109be5e9419d02e6e4cd06d0714627c0942fea6d1c0872a6c69faff531838e1dbc359
+  metadata.gz: 4df81e8b3d03efcdc952e9fce5330b34c6af6a965701ec7bbe02cf3dbd5b8a3c98d8d0745da91d7b0a43be6b03ac763ffb6e9eafb9f2b857bd2a76d325d10ad2
+  data.tar.gz: 0015e74007146cf741e6b7f6274460a948a147df54109de959856f0ff883262260685f74eff8767e6ae845847eaf3d8a17dfbd54061d5b9f561952a8c6b90fef

data/.gitmodules

@@ -1,6 +1,6 @@
 [submodule "agent-service-api"]
 	path = agent-service-api
-	url = git@bitbucket.org:contrastsecurity/agent-service-api
+	url = git@github.com:Contrast-Security-Inc/agent-service-api.git
 [submodule "funchook"]
 	path = funchook
 	url = https://github.com/kubo/funchook.git

data/Rakefile

@@ -23,8 +23,7 @@ task :contrast_pb_compile do
   # do some stuff before compile
 
   # Invoke the protobuf compile task with your sensible defaults
-  ::Rake::Task['protobuf:compile'].invoke('lib',
-                                          './agent-service-api/protobuf ./agent-service-api/protobuf/dtm.proto',
+  ::Rake::Task['protobuf:compile'].invoke('lib', './agent-service-api/protobuf ./agent-service-api/protobuf/dtm.proto',
                                           'lib/contrast/api',
                                           nil)
 

data/ext/build_funchook.rb

@@ -10,7 +10,8 @@ unless find_header('funchook.h', ext_path)
   COMMANDS = ['./autogen.sh', './configure', 'make clean', 'make'].freeze
   bundler_install_target_paths = []
 
-  possible_gem_paths = Gem.path # .path and .paths diverge in their return type - .path returns strings, .paths returns PathSupports
+  # .path and .paths diverge in their return type - .path returns strings, .paths returns PathSupports
+  possible_gem_paths = Gem.path
   possible_gem_paths.each do |base_path|
     contrast_gem_dir_search = File.join(base_path, 'extensions', '**', '*', 'contrast-agent-*')
     extension_paths = Dir[contrast_gem_dir_search]
@@ -31,8 +32,7 @@ unless find_header('funchook.h', ext_path)
   end
 
   SOURCE_PATHS = [
-    File.join('include', 'funchook.h'),
-    File.join('src', 'libfunchook.dylib'),
+    File.join('include', 'funchook.h'), File.join('src', 'libfunchook.dylib'),
     File.join('src', 'libfunchook.so')
   ].freeze
 

data/ext/extconf_common.rb

@@ -4,12 +4,8 @@
 require 'mkmf'
 require_relative '../lib/contrast/agent/version'
 
-def name
-  $TO_MAKE
-end
-
 def make!
-  create_makefile "#{ name }/#{ name }"
+  create_makefile "#{ $TO_MAKE }/#{ $TO_MAKE }"
 end
 
 def ext_path

data/lib/contrast/agent/assess.rb

@@ -10,7 +10,7 @@ module Contrast
     module Assess
       require 'contrast/agent/assess/tracker'
       require 'contrast/agent/module_data'
-      require 'contrast/agent/rewriter'
+      require 'contrast/agent/rewriter' if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
       require 'contrast/agent/assess/policy/preshift'
 
       # Dynamic Sources

data/lib/contrast/agent/assess/contrast_object.rb

@@ -34,14 +34,14 @@ module Contrast
         def initialize object
           if object
             @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
-            @object_type = object.cs__class.name
+            @object_type = object.cs__class.cs__name
             # TODO: RUBY-1084 determine if we need to copy these tags to
             #   restore immutability. For instance, if these tags were on a
             #   String that was then #reverse!'d, would our tags be wrong?
             @tags = Contrast::Agent::Assess::Tracker.properties(object)&.tags
           else
             @object = Contrast::Utils::ObjectShare::NIL_STRING
-            @object_type = nil.cs__class.name
+            @object_type = nil.cs__class.cs__name
           end
         end
 

data/lib/contrast/agent/assess/events/event_factory.rb

@@ -13,7 +13,8 @@ module Contrast
           def self.build policy_node, tagged, object, ret, args, source_type = nil, source_name = nil
             case policy_node
             when Contrast::Agent::Assess::Policy::SourceNode
-              Contrast::Agent::Assess::Events::SourceEvent.new(policy_node, tagged, object, ret, args, source_type, source_name)
+              Contrast::Agent::Assess::Events::SourceEvent.new(policy_node, tagged, object, ret, args, source_type,
+                                                               source_name)
             when Contrast::Agent::Assess::Policy::PolicyNode
               Contrast::Agent::Assess::ContrastEvent.new(policy_node, tagged, object, ret, args)
             end

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -37,7 +37,8 @@ module Contrast
                 # Move on if we already know about this Dynamic Source
                 next if Contrast::Agent::Assess::Policy::Policy.instance.find_source_node(class_name, method_name, true)
 
-                dynamic_source_node = create_source_node(class_name, method_name, Set.new(properties.tag_keys), current_request)
+                dynamic_source_node = create_source_node(class_name, method_name, Set.new(properties.tag_keys),
+                                                         current_request)
                 Contrast::Agent::Assess::Policy::Policy.instance.add_node(dynamic_source_node, :dynamic_source)
                 method_policy = build_source_policy(method_name, dynamic_source_node)
                 Contrast::Agent::Patching::Policy::Patcher.patch_method(klass, instance_methods, method_policy)
@@ -130,8 +131,10 @@ module Contrast
             def append_properties! dynamic_source, request, source_node, field
               dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.properties[READ_COLUMN] = Contrast::Utils::StringUtils.force_utf8(field)
-              dynamic_source.properties[WRITE_QUERY_TIME] = Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
-              dynamic_source.properties[WRITE_QUERY_URL] = Contrast::Utils::StringUtils.force_utf8(request&.normalized_uri)
+              dynamic_source.properties[WRITE_QUERY_TIME] =
+                Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
+              dynamic_source.properties[WRITE_QUERY_URL] =
+                Contrast::Utils::StringUtils.force_utf8(request&.normalized_uri)
             end
 
             def append_events! dynamic_source, event

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -39,19 +39,13 @@ module Contrast
 
               patcher.patch_specific_module(mod)
             rescue StandardError => e
-              logger.warn(
-                  'Unable to patch assess during eval',
-                  e,
-                  module: mod.cs__name)
+              logger.warn('Unable to patch assess during eval', e, module: mod.cs__name)
             end
 
             # Exposed so that methods can be dynamically patched on creation at
             # runtime, like those generated by
             # ActiveRecord::AttributeMethods::Read::ClassMethods#define_method_attribute
-            CLASS_TYPES = [
-              Contrast::Utils::ObjectShare::CLASS,
-              Contrast::Utils::ObjectShare::MODULE
-            ].cs__freeze
+            CLASS_TYPES = [Contrast::Utils::ObjectShare::CLASS, Contrast::Utils::ObjectShare::MODULE].cs__freeze
             def patch_assess_method mod, method_name
               # Module.define_method is called a lot in Class and Module. We
               # currently do not expect these define_methods to result in methods
@@ -62,7 +56,8 @@ module Contrast
               return if CLASS_TYPES.include?(class_name)
               return unless ASSESS.enabled?
 
-              source_nodes = Contrast::Agent::Patching::Policy::ModulePolicy.nodes_for_module(policy.sources, class_name)
+              source_nodes = Contrast::Agent::Patching::Policy::ModulePolicy.nodes_for_module(policy.sources,
+                                                                                              class_name)
               return if source_nodes.empty?
 
               method_array = []
@@ -70,17 +65,15 @@ module Contrast
               source_nodes.each do |source_node|
                 next unless source_node.method_name.to_s == method_name
 
-                method_policy = Contrast::Agent::Patching::Policy::MethodPolicy.new(source_node: source_node,
-                                                                                    method_name: source_node.method_name,
-                                                                                    method_visibility: source_node.method_visibility,
-                                                                                    instance_method: true)
+                method_policy =
+                  Contrast::Agent::Patching::Policy::MethodPolicy.new(source_node: source_node,
+                                                                      method_name: source_node.method_name,
+                                                                      method_visibility: source_node.method_visibility,
+                                                                      instance_method: true)
                 patcher.patch_method(mod, method_array, method_policy)
               end
             rescue StandardError => e
-              logger.warn(
-                  'Unable to patch assess during define_method_attribute',
-                  e,
-                  module: mod.cs__name)
+              logger.warn('Unable to patch assess during define_method_attribute', e, module: mod.cs__name)
             end
           end
         end

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -35,16 +35,6 @@ module Contrast
             :TYPE_METHOD
           end
 
-          def target
-            @_target ||= begin
-              if targets&.any?
-                targets[0]
-              elsif sources&.any?
-                sources[0]
-              end
-            end
-          end
-
           def target_string= value
             @target_string = value
             @targets = convert_policy_markers(value)
@@ -85,8 +75,7 @@ module Contrast
               next if Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
                   Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
 
-              raise(ArgumentError,
-                    "#{ node_class } #{ id } had an invalid tag. #{ tag } is not a known value.")
+              raise(ArgumentError, "#{ node_class } #{ id } had an invalid tag. #{ tag } is not a known value.")
             end
           end
 
@@ -100,27 +89,26 @@ module Contrast
           # Trigger (trigger nodes) don't have targets (they are the target)
           # Everything else (propagation nodes) are Source2Target
           def build_action
-            @event_action ||= begin
-              case node_class
-              when Contrast::Agent::Assess::Policy::SourceNode::SOURCE
-                :CREATION
-              when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER
-                :TRIGGER
-              else
-                if source_string.nil?
-                  :CREATION
-                elsif target_string.nil?
-                  :TRIGGER
-                else
-                  # TeamServer can't handle the multi-source or multi-target
-                  # values. Give it some help by changing them to 'A'
-                  source = source_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : source_string
-                  target = target_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : target_string
-                  str = source[0] + TO_MARKER + target[0]
-                  str.to_sym
-                end
-              end
-            end
+            @event_action ||= case node_class
+                              when Contrast::Agent::Assess::Policy::SourceNode::SOURCE
+                                :CREATION
+                              when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER
+                                :TRIGGER
+                              else
+                                if source_string.nil?
+                                  :CREATION
+                                elsif target_string.nil?
+                                  :TRIGGER
+                                else
+                                  # TeamServer can't handle the multi-source or multi-target values. Give it some help
+                                  # by changing them to 'A'
+                                  source = all_type?(source_string) ? ALL_TYPE : source_string
+                                  target = all_type?(target_string) ? ALL_TYPE : target_string
+                                  str = source[0] + TO_MARKER + target[0]
+                                  str.to_sym
+                                end
+                              end
+
             @event_action
           end
 
@@ -158,6 +146,10 @@ module Contrast
             end
             converted
           end
+
+          def all_type? marker
+            marker.include?(Contrast::Utils::ObjectShare::COMMA)
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -91,7 +91,9 @@ module Contrast
 
               Contrast::Agent::Assess::Tracker.copy(original_arg, preshift_arg)
             end
-            preshift.arg_lengths = preshift.args.map { |preshift_arg| Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0 }
+            preshift.arg_lengths = preshift.args.map do |preshift_arg|
+              Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -140,13 +140,7 @@ module Contrast
               !!target
             end
 
-            ZERO_LENGTH_ACTIONS = [
-              DB_WRITE_ACTION,
-              CUSTOM_ACTION,
-              KEEP_ACTION,
-              REPLACE_ACTION,
-              SPLAT_ACTION
-            ].cs__freeze
+            ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
             # If the action required needs a length and the target does not have
             # one, the length is not valid
             def valid_length? target, action
@@ -245,7 +239,7 @@ module Contrast
 
             def handle_enumerable_propagation propagation_node, preshift, target, object, ret, args, block
               target.each do |value|
-                next if target == value # Some Enumerable#each are overridden to return self the first time which leads to infinite propagation
+                next if target == value
 
                 apply_propagator(propagation_node, preshift, value, object, ret, args, block)
               end
@@ -283,9 +277,7 @@ module Contrast
 
               properties.add_properties(propagation_node.properties)
               properties.build_event(propagation_node, target, object, ret, args)
-              logger.trace('Propagation detected',
-                           node_id: propagation_node.id,
-                           target_id: target.__id__)
+              logger.trace('Propagation detected', node_id: propagation_node.id, target_id: target.__id__)
               restore_frozen_state ? ret : nil
             end
 
@@ -296,10 +288,9 @@ module Contrast
             # @return [Contrast::Agent::Assess::Policy::Propagator, nil]
             def find_propagation_class propagation_node
               unless (propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil))
-                logger.warn(
-                    'Unknown propagation action received. Unable to propagate.',
-                    node_id: propagation_node.id,
-                    action: propagation_node.action)
+                logger.warn('Unknown propagation action received. Unable to propagate.',
+                            node_id: propagation_node.id,
+                            action: propagation_node.action)
               end
               propagation_class
             end

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -62,11 +62,19 @@ module Contrast
             raise(ArgumentError, "Propagator #{ id } did not have a proper action. Unable to create.") unless action
 
             if @action == 'CUSTOM'
-              raise(ArgumentError, "Propagator #{ id } did not have a proper patch_class. Unable to create.") unless patch_class
-              raise(ArgumentError, "Propagator #{ id } did not have a proper patch_method. Unable to create.") unless patch_method.is_a?(Symbol)
+              unless patch_class
+                raise(ArgumentError, "Propagator #{ id } did not have a proper patch_class. Unable to create.")
+              end
+              unless patch_method.is_a?(Symbol)
+                raise(ArgumentError, "Propagator #{ id } did not have a proper patch_method. Unable to create.")
+              end
             else
-              raise(ArgumentError, "Propagator #{ id } did not have a proper target. Unable to create.") unless targets&.any?
-              raise(ArgumentError, "Propagator #{ id } did not have a proper source. Unable to create.") unless sources&.any?
+              unless targets&.any?
+                raise(ArgumentError, "Propagator #{ id } did not have a proper target. Unable to create.")
+              end
+              unless sources&.any?
+                raise(ArgumentError, "Propagator #{ id } did not have a proper source. Unable to create.")
+              end
             end
             validate_untags
           end
@@ -76,9 +84,12 @@ module Contrast
 
             untags.each do |tag|
               unless Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag)
-                raise(ArgumentError, "#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
+                raise(ArgumentError,
+                      "#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
+              end
+              if tags&.include?(tag)
+                raise(ArgumentError, "#{ node_type } #{ id } had the same tag and untag, #{ tag }.")
               end
-              raise(ArgumentError, "#{ node_type } #{ id } had the same tag and untag, #{ tag }.") if tags&.include?(tag)
             end
           end
 
@@ -86,8 +97,8 @@ module Contrast
             if @_needs_object.nil?
               @_needs_object = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
                   action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
-                  sources.any? { |source| source == Contrast::Utils::ObjectShare::OBJECT_KEY } ||
-                  targets.any? { |target| target == Contrast::Utils::ObjectShare::OBJECT_KEY }
+                  sources.any?(Contrast::Utils::ObjectShare::OBJECT_KEY) ||
+                  targets.any?(Contrast::Utils::ObjectShare::OBJECT_KEY)
             end
             @_needs_object
           end

data/lib/contrast/agent/assess/policy/propagator/center.rb

@@ -31,7 +31,8 @@ module Contrast
                 return unless sources[1]
 
                 original_end_index = original_start_index + source1.length - 1
-                handle_incoming_tags(target, propagation_node, sources[1], preshift, original_start_index, original_end_index)
+                handle_incoming_tags(target, propagation_node, sources[1], preshift, original_start_index,
+                                     original_end_index)
               end
 
               private

data/lib/contrast/agent/assess/policy/propagator/insert.rb

@@ -33,7 +33,9 @@ module Contrast
                 # point on which all tags need to be adjusted
                 # If the insertion point is the end of the string, preshift length is returned
                 # https://stackoverflow.com/questions/31714522/find-the-first-differing-character-between-two-strings-in-ruby
-                insert_point = (0...preshift_target.length).find { |i| preshift_target[i] != target[i] } || preshift_target.length
+                insert_point = (0...preshift_target.length).find do |i|
+                  preshift_target[i] != target[i]
+                end || preshift_target.length
                 # Depending what's inserted, we might be wrong. For instance, inserting 'foo'
                 # into 'asdfasdf' could result in 'asdfoofasdf'. we'd be off by one b/c of the 'f'
                 insert_point = target.rindex(source, insert_point)

data/lib/contrast/agent/assess/policy/propagator/match_data.rb

@@ -76,7 +76,8 @@ module Contrast
                 applicable_tags.each do |tag_name, tag_ranges|
                   return_properties.set_tags(tag_name, tag_ranges)
                 end
-                return_properties.build_event(propagation_node, return_value, preshift.object, return_value, preshift.args)
+                return_properties.build_event(propagation_node, return_value, preshift.object, return_value,
+                                              preshift.args)
               end
             end
           end

data/lib/contrast/agent/assess/policy/propagator/select.rb

@@ -21,22 +21,12 @@ module Contrast
                 # Additionally, an empty string is returned when the starting index for
                 # a character range is at the end of the string. Let's just skip that
                 # and only track a string that has length
-                unless ret &&
-                      !ret.empty? &&
-                      Contrast::Agent::Assess::Tracker.tracked?(source)
-
-                  return
-                end
+                return unless ret && !ret.empty? && Contrast::Agent::Assess::Tracker.tracked?(source)
 
                 return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
-                properties.build_event(
-                    patcher,
-                    ret,
-                    source,
-                    ret,
-                    args)
+                properties.build_event(patcher, ret, source, ret, args)
 
                 range = determine_select_range(source, args)
                 return unless range

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -31,9 +31,7 @@ module Contrast
               # @return [nil] so as not to risk changing the result of the propagation.
 
               def propagate propagation_node, preshift, target
-                logger.trace('Propagation detected',
-                             node_id: propagation_node.id,
-                             target_id: target.__id__)
+                logger.trace('Propagation detected', node_id: propagation_node.id, target_id: target.__id__)
 
                 source = find_source(propagation_node.sources[0], preshift)
                 return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
@@ -162,10 +160,8 @@ module Contrast
               #
               # @return [Contrast::Agent::Assess::Policy::PropagationNode] String#split node
               def split_node
-                @_split_node ||= begin
-                  Contrast::Agent::Assess::Policy::Policy.instance.propagators.find do |node|
-                    node.class_name == 'String' && node.method_name == :split && node.instance_method?
-                  end
+                @_split_node ||= Contrast::Agent::Assess::Policy::Policy.instance.propagators.find do |node|
+                  node.class_name == 'String' && node.method_name == :split && node.instance_method?
                 end
               end
             end