contrast-agent 4.6.0 → 4.7.0

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -186,13 +186,7 @@ module Contrast
 
                 properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 args = preshift.args
-                properties.build_event(
-                    patcher,
-                    ret,
-                    preshift.object,
-                    ret,
-                    args,
-                    2)
+                properties.build_event(patcher, ret, preshift.object, ret, args, 2)
                 properties.event.instance_variable_set(:@_parent_events, parent_events)
               end
             end

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -12,7 +12,6 @@ module Contrast
           # right' state soon.
           module Trim
             class << self
-
               # @param policy_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
               #   propagation event.
               # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
@@ -26,13 +25,7 @@ module Contrast
                 properties.copy_from(preshift.object, ret)
                 handle_tr(policy_node, preshift, ret, properties)
 
-                properties.build_event(
-                    policy_node,
-                    ret,
-                    preshift.object,
-                    ret,
-                    preshift.args,
-                    1)
+                properties.build_event(policy_node, ret, preshift.object, ret, preshift.args, 1)
                 ret
               end
 
@@ -43,12 +36,7 @@ module Contrast
                 source = preshift.object
                 args = preshift.args
                 properties.splat_from(source, ret)
-                properties.build_event(
-                    patcher,
-                    ret,
-                    source,
-                    ret,
-                    args)
+                properties.build_event(patcher, ret, source, ret, args)
                 ret
               end
 
@@ -72,7 +60,7 @@ module Contrast
                 end
 
                 # Otherwise, we need to target each insertion point. Based on the spec for #tr & #tr_s, the find is
-                # treated as a regex range, excepting the `\` character, which we'll need to escape. This converts to
+                # treated as a regexp range, excepting the `\` character, which we'll need to escape. This converts to
                 # that form, wrapping the input in `[]`.
                 find_string = preshift.args[0]
                 find_string += '\\' if find_string.end_with?('\\')

data/lib/contrast/agent/assess/policy/rewriter_patch.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+
 require 'contrast/agent/patching/policy/patch_status'
 require 'contrast/agent/module_data'
 require 'contrast/agent/rewriter'
@@ -41,7 +43,9 @@ module Contrast
               module_name = mod.cs__name
               return unless module_name
 
-              if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START, Contrast::Utils::ObjectShare::ANONYMOUS_CLASS_MARKER)
+              if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START,
+                                         Contrast::Utils::ObjectShare::ANONYMOUS_CLASS_MARKER)
+
                 status.no_rewrite!
                 return
 
@@ -64,8 +68,7 @@ module Contrast
             # To get around this, we have those methods tell us the class
             # isn't ready
             def mid_defining? mod
-              mod.instance_variable_defined?(:@cs__defining_class) &&
-                  mod.instance_variable_get(:@cs__defining_class)
+              mod.instance_variable_defined?(:@cs__defining_class) && mod.instance_variable_get(:@cs__defining_class)
             end
 
             def agent_should_rewrite?

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -56,7 +56,8 @@ module Contrast
                 # double check that we were able to finalize the replaced return
                 return unless Contrast::Agent::Assess::Tracker.trackable?(target)
               end
-              apply_source(Contrast::Agent::REQUEST_TRACKER.current, source_node, target, object, ret, source_node.type, nil, *args)
+              apply_source(Contrast::Agent::REQUEST_TRACKER.current, source_node, target, object, ret,
+                           source_node.type, nil, *args)
               restore_frozen_state ? ret : nil
             end
 
@@ -88,7 +89,9 @@ module Contrast
                 # While we don't taint arrays themselves, we may taint the things they hold. Let's pass their keys and
                 # values back to ourselves and try again
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
-                target.each { |value| apply_source(context, source_node, value, object, ret, source_type, source_name, *args) }
+                target.each do |value|
+                  apply_source(context, source_node, value, object, ret, source_type, source_name, *args)
+                end
               end
             rescue StandardError => e
               logger.warn('Unable to apply source', e, node_id: source_node.id)
@@ -169,10 +172,7 @@ module Contrast
                 length = Contrast::Utils::StringUtils.ret_length(target)
                 properties.add_tag(tag, 0...length)
                 properties.add_properties(source_node.properties)
-                logger.trace('Source detected',
-                             node_id: source_node.id,
-                             target_id: target.__id__,
-                             tag: tag)
+                logger.trace('Source detected', node_id: source_node.id, target_id: target.__id__, tag: tag)
               end
               # make a representation of this method that TeamServer can render
               properties.build_event(source_node, target, object, ret, args, source_type, source_name)

data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb

@@ -11,9 +11,7 @@ module Contrast
         # certain tags in a given context. This provides a single place from
         # which those validations can be called.
         module SourceValidation
-          VALIDATORS = [
-            Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator
-          ].cs__freeze
+          VALIDATORS = [Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator].cs__freeze
 
           # Determines if the conditions in which this source was called are
           # valid and should result in the application of a tag

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -44,7 +44,11 @@ module Contrast
                 end
 
                 if Contrast::Agent::Assess::Tracker.tracked?(ret)
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, ret, erb_template_prerender, ret, interpolated_inputs)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node,
+                                                                               ret,
+                                                                               erb_template_prerender,
+                                                                               ret,
+                                                                               interpolated_inputs)
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -42,18 +42,10 @@ module Contrast
               if trigger_node.sources&.any?
                 trigger_node.sources.each do |marker|
                   source = determine_source(marker, object, ret, args)
-                  apply_trigger(trigger_node,
-                                source,
-                                object,
-                                ret,
-                                *args)
+                  apply_trigger(trigger_node, source, object, ret, *args)
                 end
               else
-                apply_trigger(trigger_node,
-                              nil,
-                              object,
-                              ret,
-                              *args)
+                apply_trigger(trigger_node, nil, object, ret, *args)
               end
             end
 
@@ -87,10 +79,8 @@ module Contrast
               append_route(finding, request)
               append_hash(finding, source, request)
               finding.version = determine_compliance_version(finding)
-              logger.trace('Finding created',
-                           node_id: trigger_node.id,
-                           source_id: source.__id__,
-                           rule: trigger_node.rule_id)
+              logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
+                                              rule: trigger_node.rule_id)
               report_finding(finding, request)
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
@@ -285,7 +275,8 @@ module Contrast
 
             def append_events finding, trigger_node, source, object, ret, args
               append_from_source(finding, source)
-              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
+              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret,
+                                                                                    args).to_dtm_event
             end
 
             def append_from_source finding, source

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -104,7 +104,8 @@ module Contrast
 
             properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
+            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties,
+                                                     required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

@@ -35,9 +35,10 @@ module Contrast
               # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/redos.md
               def regexp_vulnerable? regexp
                 # A pattern is considered vulnerable if it has 2 or more levels of nested multi-matching.
-                # A level is defined as any set of opening and closing control characters immediately followed by a multi match control character.
-                # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS,
-                # or MULTI_MATCH_CHARS that is not immediately preceded by an escaping \ character.
+                # A level is defined as any set of opening and closing control characters immediately followed by a
+                #   multi match control character.
+                # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS, or MULTI_MATCH_CHARS that
+                #   is not immediately preceded by an escaping \ character.
                 # OPENING_CHARS are ( and [ CLOSING_CHARS are ) and ] MULTI_MATCH_CHARS are +, *, and ?
 
                 # Nota bene about Regexp#to_s:  it doesn't necessarily give you the original Regexp back

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -10,8 +10,7 @@ module Contrast
           # before serializing that finding as a DTM to report to the service.
           module SSRFValidator
             RULE_NAME = 'ssrf'
-            URL_PATTERN =
-              %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze
+            URL_PATTERN = %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze # rubocop:disable Layout/LineLength
             # The Net::HTTP class validates host format on instantiation. Since
             # our triggers for that class are on the instance, they already
             # have this validation done for them. We do not need to apply the

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb

@@ -11,14 +11,7 @@ module Contrast
           # the service.
           module XSSValidator
             RULE_NAME = 'reflected-xss'
-            SAFE_CONTENT_TYPES = %w[
-              /csv
-              /javascript
-              /json
-              /pdf
-              /x-javascript
-              /x-json
-            ].cs__freeze
+            SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze
 
             # A finding is valid for XSS if the response type is not one of
             # those assumed to be safe

data/lib/contrast/agent/assess/property/evented.rb

@@ -14,7 +14,7 @@ module Contrast
         # @attr_reader event [Contrast::Agent::Assess::ContrastEvent] the
         #   latest event to track
         module Evented
-          attr_accessor :event
+          attr_reader :event
 
           # Create a new event and add it to the event set.
           #
@@ -31,7 +31,8 @@ module Contrast
           #   the key used to accessed if from a map or nil if a type like
           #   BODY
           def build_event policy_node, tagged, object, ret, args, source_type = nil, source_name = nil
-            @event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
+            @event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args,
+                                                                         source_type, source_name)
             report_sources(tagged, event)
           end
 
@@ -46,10 +47,12 @@ module Contrast
             return unless tagged && !tagged.to_s.empty?
             return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
             return unless event.source_type
+            return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
+
+            if current_request.observed_route.sources.any? do |source|
+                 source.type == event.forced_source_type && source.name == event.forced_source_name
+               end
 
-            current_request = Contrast::Agent::REQUEST_TRACKER.current
-            return unless current_request
-            if current_request.observed_route.sources.any? { |source| source.type == event.forced_source_type && source.name == event.forced_source_name }
               return
             end
 

data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb

@@ -55,9 +55,12 @@ module Contrast
               value_node.children.each do |child|
                 next unless child
 
-                return false unless child.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
-                    child.type == :LIT &&
-                    child.children[0]&.cs__is_a?(Integer)
+                unless child.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                      child.type == :LIT &&
+                      child.children[0]&.cs__is_a?(Integer)
+
+                  return false
+                end
               end
 
               true
@@ -84,8 +87,11 @@ module Contrast
               return false unless children.length >= 2
 
               potential_string_node = children[0]
-              return false unless potential_string_node.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
-                  potential_string_node.type == :STR
+              unless potential_string_node.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                    potential_string_node.type == :STR
+
+                return false
+              end
 
               children[1] == :bytes
             end

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb

@@ -29,7 +29,10 @@ module Contrast
             # These are markers whose presence indicates that a field is more
             # likely to be a descriptor or requirement than an actual password.
             # We should ignore fields that contain them.
-            NON_PASSWORD_PARTIAL_NAMES = %w[DATE FORGOT FORM ENCODE PATTERN PREFIX PROP SUFFIX URL BASE FILE URI].cs__freeze
+            NON_PASSWORD_PARTIAL_NAMES = %w[
+              DATE FORGOT FORM ENCODE PATTERN PREFIX PROP SUFFIX URL BASE FILE
+              URI
+            ].cs__freeze
 
             # If the constant looks like a password and it doesn't look like a
             # password descriptor, it passes for this rule

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -26,10 +26,7 @@ module Contrast
             end
 
             # TODO: RUBY-1014 - remove `#analyze`
-            COMMON_CONSTANTS = %i[
-              CONTRAST_ASSESS_POLICY_STATUS
-              VERSION
-            ].cs__freeze
+            COMMON_CONSTANTS = %i[CONTRAST_ASSESS_POLICY_STATUS VERSION].cs__freeze
             def analyze clazz
               return if disabled?
 
@@ -171,7 +168,8 @@ module Contrast
 
               finding.properties[SOURCE_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(class_name)
               finding.properties[CONSTANT_NAME_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(constant_string)
-              finding.properties[CODE_SOURCE_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(constant_string + redacted_marker)
+              finding.properties[CODE_SOURCE_KEY] =
+                Contrast::Utils::StringUtils.protobuf_safe_string(constant_string + redacted_marker)
 
               hash = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.protobuf_safe_string(hash)

data/lib/contrast/agent/class_reopener.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+
 require 'ripper'
 require 'contrast/extension/module'
 require 'contrast/components/interface'
@@ -48,7 +50,7 @@ module Contrast
                   :public_instance_methods, :protected_instance_methods, :private_instance_methods, :locations
 
       def initialize module_data
-        @class_module_path = module_data.name
+        @class_module_path = module_data.mod_name
         clazz = module_data.mod
         @is_class = clazz.is_a?(Class)
         @public_instance_methods = []

data/lib/contrast/agent/disable_reaction.rb

@@ -13,9 +13,7 @@ module Contrast
       access_component :agent, :logging
 
       def self.run _reaction, level
-        logger.with_level(
-            level,
-            'Contrast received instructions to disable itself - Disabling now')
+        logger.with_level(level, 'Contrast received instructions to disable itself - Disabling now')
         AGENT.disable!
       end
     end

data/lib/contrast/agent/exclusion_matcher.rb

@@ -47,7 +47,7 @@ module Contrast
         return if @wildcard_url
         return unless @exclusion.urls&.any?
 
-        @wildcard_url ||= @exclusion.urls.any? { |test| test == '/.*' }
+        @wildcard_url ||= @exclusion.urls.any?('/.*')
         return if @wildcard_url
 
         @urls = []
@@ -95,8 +95,8 @@ module Contrast
         @exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::CODE
       end
 
-      def name
-        @exclusion.name
+      def exc_name
+        @exclusion.name # rubocop:disable Security/Module/Name -- part of the API.
       end
 
       def match_all?
@@ -109,10 +109,7 @@ module Contrast
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def protection_rule? rule
-        protect? &&
-            (@exclusion.protection_rules.empty? ||
-                @exclusion.protection_rules.include?(rule)
-            )
+        protect? && (@exclusion.protection_rules.empty? || @exclusion.protection_rules.include?(rule))
       end
 
       # Determine if the given rule is excluded by this exclusion.
@@ -121,10 +118,7 @@ module Contrast
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def assess_rule? rule
-        assess? &&
-            (@exclusion.assessment_rules.empty? ||
-                @exclusion.assessment_rules.include?(rule)
-            )
+        assess? && (@exclusion.assessment_rules.empty? || @exclusion.assessment_rules.include?(rule))
       end
 
       def match_code? stack_trace

data/lib/contrast/agent/inventory/dependencies.rb

@@ -33,6 +33,7 @@ module Contrast
         # then contrast depends on it. If its array of dependents is 1, then contrast is the
         # only dependency in that list. Since only contrast depends on it, we should ignore it.
         def find_contrast_gems
+          # rubocop:disable Security/Module/Name -- here name is part of Ruby Gems.
           ignore = Set.new([CONTRAST_AGENT])
           contrast_specs = Gem::DependencyList.from_specs.specs.find do |dependency|
             dependency.name == CONTRAST_AGENT
@@ -43,6 +44,7 @@ module Contrast
             ignore.add(dependency.name) if contrast_dep_set.include?(dependency.name) && dependents.length == 1
           end
           ignore
+          # rubocop:enable Security/Module/Name
         end
       end
     end

data/lib/contrast/agent/middleware.rb

@@ -37,9 +37,8 @@ module Contrast
         @app = app  # THIS MUST BE FIRST AND ALWAYS SET!
         setup_agent # THIS MUST BE SECOND AND ALWAYS CALLED!
         unless AGENT.enabled?
-          logger.error(
-              'The Agent was unable to initialize before the application middleware was initialized. ' \
-              'Disabling permanently.')
+          logger.error('The Agent was unable to initialize before the application middleware was initialized. '\
+                       'Disabling permanently.')
           AGENT.disable! # ensure the agent is disabled (probably redundant)
           return
         end
@@ -207,8 +206,7 @@ module Contrast
       # @param exception [Exception]
       # @return [Boolean]
       def security_exception? exception
-        exception.is_a?(Contrast::SecurityException) ||
-            exception.message&.include?(SECURITY_EXCEPTION_MARKER)
+        exception.is_a?(Contrast::SecurityException) || exception.message&.include?(SECURITY_EXCEPTION_MARKER)
       end
 
       # As we deprecate support to prepare to remove dead code, we need to inform our users still relying on the now