contrast-agent 4.6.0 → 4.7.0

data/lib/contrast/agent/module_data.rb

@@ -6,11 +6,11 @@ module Contrast
     # A simple wrapper around a Module and a call to its name, used to avoid
     # calling the Module#name method and generating extra Strings
     class ModuleData
-      attr_reader :mod, :name
+      attr_reader :mod, :mod_name
 
-      def initialize mod, name = nil
+      def initialize mod, mod_name = nil
         @mod = mod
-        @name = name || mod.cs__name
+        @mod_name = mod_name || mod.cs__name
       end
     end
   end

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -51,14 +51,15 @@ module Contrast
               next unless after_load_patch.target_defined?
               next if AGENT.skip_instrumentation?(after_load_patch.module_name)
 
-              logger.trace(
-                  'Catching up on already loaded afterload patch - applying instrumentation',
-                  module: after_load_patch.module_name)
+              logger.trace('Catching up on already loaded afterload patch - applying instrumentation',
+                           module: after_load_patch.module_name)
               after_load_patch.instrument!
             rescue NameError => e
-              logger.error('Method undefined in afterload patch', e, module: after_load_patch.module_name, method: after_load_patch.method_to_instrument)
+              logger.error('Method undefined in afterload patch', e, module: after_load_patch.module_name,
+                                                                     method: after_load_patch.method_to_instrument)
             rescue StandardError => e
-              logger.error('Afterload patch failed to apply', e, module: after_load_patch.module_name, method: after_load_patch.method_to_instrument)
+              logger.error('Afterload patch failed to apply', e, module: after_load_patch.module_name,
+                                                                 method: after_load_patch.method_to_instrument)
             end
             after_load_patches.delete_if(&:applied?)
           end

data/lib/contrast/agent/patching/policy/method_policy.rb

@@ -49,7 +49,10 @@ module Contrast
           private
 
           def nodes
-            @_nodes ||= [source_node, propagation_node, trigger_node, inventory_node, protect_node, deadzone_node].compact
+            @_nodes ||= [
+              source_node, propagation_node, trigger_node, inventory_node, protect_node,
+              deadzone_node
+            ].compact
           end
 
           def method_scopes
@@ -76,7 +79,8 @@ module Contrast
               protect_node =     find_method_node(module_policy.protect_nodes, method_name, instance_method)
               inventory_node =   find_method_node(module_policy.inventory_nodes, method_name, instance_method)
               deadzone_node =    find_method_node(module_policy.deadzone_nodes, method_name, instance_method)
-              method_visibility = find_visibility(source_node, propagation_node, trigger_node, protect_node, inventory_node, deadzone_node)
+              method_visibility = find_visibility(source_node, propagation_node, trigger_node, protect_node,
+                                                  inventory_node, deadzone_node)
               MethodPolicy.new(method_name: method_name,
                                method_visibility: method_visibility,
                                instance_method: instance_method,

data/lib/contrast/agent/patching/policy/module_policy.rb

@@ -20,12 +20,18 @@ module Contrast
             # @return [Contrast::Agent::Patching::Policy::ModulePolicy]
             def create_module_policy module_name
               module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.new
-              module_policy.source_nodes =      nodes_for_module(Contrast::Agent::Assess::Policy::Policy.instance.sources, module_name)
-              module_policy.propagator_nodes =  nodes_for_module(Contrast::Agent::Assess::Policy::Policy.instance.propagators, module_name)
-              module_policy.trigger_nodes =     nodes_for_module(Contrast::Agent::Assess::Policy::Policy.instance.triggers, module_name)
-              module_policy.protect_nodes =     nodes_for_module(Contrast::Agent::Protect::Policy::Policy.instance.triggers, module_name)
-              module_policy.inventory_nodes =   nodes_for_module(Contrast::Agent::Inventory::Policy::Policy.instance.triggers, module_name)
-              module_policy.deadzone_nodes =    nodes_for_module(Contrast::Agent::Deadzone::Policy::Policy.instance.deadzones, module_name)
+              module_policy.source_nodes =      nodes_for_module(
+                  Contrast::Agent::Assess::Policy::Policy.instance.sources, module_name)
+              module_policy.propagator_nodes =  nodes_for_module(
+                  Contrast::Agent::Assess::Policy::Policy.instance.propagators, module_name)
+              module_policy.trigger_nodes =     nodes_for_module(
+                  Contrast::Agent::Assess::Policy::Policy.instance.triggers, module_name)
+              module_policy.protect_nodes =     nodes_for_module(
+                  Contrast::Agent::Protect::Policy::Policy.instance.triggers, module_name)
+              module_policy.inventory_nodes =   nodes_for_module(
+                  Contrast::Agent::Inventory::Policy::Policy.instance.triggers, module_name)
+              module_policy.deadzone_nodes =    nodes_for_module(
+                  Contrast::Agent::Deadzone::Policy::Policy.instance.deadzones, module_name)
               module_policy
             end
 
@@ -42,7 +48,8 @@ module Contrast
             end
           end
 
-          attr_accessor :source_nodes, :propagator_nodes, :trigger_nodes, :inventory_nodes, :protect_nodes, :deadzone_nodes
+          attr_accessor :source_nodes, :propagator_nodes, :trigger_nodes, :inventory_nodes, :protect_nodes,
+                        :deadzone_nodes
 
           def empty?
             return false if source_nodes.any?

data/lib/contrast/agent/patching/policy/patch.rb

@@ -130,11 +130,7 @@ module Contrast
               return unless AGENT.enabled?
               return unless PROTECT.enabled?
 
-              apply_trigger_only(method_policy&.protect_node,
-                                 method,
-                                 exception,
-                                 object,
-                                 args)
+              apply_trigger_only(method_policy&.protect_node, method, exception, object, args)
             end
 
             # Apply the Inventory patch which applies to the given method.
@@ -151,11 +147,7 @@ module Contrast
             def apply_inventory method_policy, method, exception, object, args
               return unless INVENTORY.enabled?
 
-              apply_trigger_only(method_policy&.inventory_node,
-                                 method,
-                                 exception,
-                                 object,
-                                 args)
+              apply_trigger_only(method_policy&.inventory_node, method, exception, object, args)
             end
 
             # Apply the Assess patches which apply to the given method.
@@ -181,12 +173,15 @@ module Contrast
               return ret if current_context && !current_context.analyze_request?
 
               trigger_node = method_policy.trigger_node
-              Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args) if trigger_node
+              if trigger_node
+                Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args)
+              end
               if method_policy.source_node
                 # If we were given a frozen return, and it was the target of a
                 # source, and we have frozen sources enabled, we'll need to
                 # replace the return. Note, this is not the default case.
-                source_ret = Contrast::Agent::Assess::Policy::SourceMethod.source_patchers(method_policy, object, ret, args)
+                source_ret = Contrast::Agent::Assess::Policy::SourceMethod.source_patchers(method_policy, object, ret,
+                                                                                           args)
               end
               if method_policy.propagation_node
                 propagated_ret = Contrast::Agent::Assess::Policy::PropagationMethod.apply_propagation(
@@ -277,9 +272,9 @@ module Contrast
             # <method_start>_unbound_<method_name>
             def build_unbound_method_name patcher_method
               (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
-                  'unbound' +
-                  Contrast::Utils::ObjectShare::UNDERSCORE +
-                  patcher_method.to_s).to_sym
+                'unbound' +
+                Contrast::Utils::ObjectShare::UNDERSCORE +
+                patcher_method.to_s).to_sym
             end
 
             # @param mod [Module] the module in which the patch should be
@@ -339,7 +334,7 @@ module Contrast
             # @return [Symbol] new alias for the underlying method (presumably, so the patched method can call it)
             def register_c_patch target_module_name, unbound_method, impl = :alias_instance
               # These could be set as AfterLoadPatches.
-              method_name = unbound_method.name.to_sym
+              method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
               underlying_method_name = build_unbound_method_name(method_name).to_sym
 
               target_module = Module.cs__const_get(target_module_name)

data/lib/contrast/agent/patching/policy/patch_status.rb

@@ -68,7 +68,10 @@ module Contrast
             def set_info_for mod, method, method_policy, is_instance_method, cs_method
               mod.instance_variable_set(method_info_key, {}) unless mod.instance_variable_defined?(method_info_key)
               holder = mod.instance_variable_get(method_info_key)
-              holder[method_name_key(method, is_instance_method)] = [method_policy, cs_method] unless holder.key?(method)
+              # if we already have this information, then we don't need to set it as we'll update the info on access
+              return if holder.key?(method)
+
+              holder[method_name_key(method, is_instance_method)] = [method_policy, cs_method]
             end
 
             private
@@ -153,9 +156,7 @@ module Contrast
           end
 
           def patched?
-            @patch_status == :PATCHED ||
-                @patch_status == :NONE ||
-                @patch_status == :FAILED
+            @patch_status == :PATCHED || @patch_status == :NONE || @patch_status == :FAILED
           end
 
           def rewriting!
@@ -179,9 +180,7 @@ module Contrast
           end
 
           def rewritten?
-            @rewrite_status == :REWRITTEN ||
-                @rewrite_status == :NO_REWRITE ||
-                @rewrite_status == :FAILED_REWRITE
+            @rewrite_status == :REWRITTEN || @rewrite_status == :NO_REWRITE || @rewrite_status == :FAILED_REWRITE
           end
         end
       end

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -13,7 +13,8 @@ require 'contrast/utils/class_util'
 # assess
 require 'contrast/agent/assess/policy/policy'
 require 'contrast/agent/assess/policy/policy_scanner'
-require 'contrast/agent/assess/policy/rewriter_patch'
+# TODO: RUBY-714 remove guard w/ EOL of 2.5
+require 'contrast/agent/assess/policy/rewriter_patch' if RUBY_VERSION < '2.6.0'
 require 'contrast/agent/assess/policy/source_method'
 require 'contrast/agent/assess/policy/trigger_method'
 
@@ -53,7 +54,7 @@ module Contrast
             def patch
               catchup_after_load_patches
               catchup_loaded_methods
-              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
             end
 
             # Hook to only monkeypatch Contrast. This will not trigger any
@@ -85,7 +86,7 @@ module Contrast
 
                 load_patches_for_module(mod_name)
 
-                return unless all_module_names.any? { |name| name == mod_name }
+                return unless all_module_names.any?(mod_name)
 
                 module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
                 patch_into_module(module_data)
@@ -143,7 +144,8 @@ module Contrast
             # @return [Array<String>] the names of all the Modules for which
             #   there patches in our policies
             def all_module_names
-              @_all_module_names ||= POLICIES.each_with_object(Set.new) { |policy, set| set.merge(policy.instance.module_names) }
+              @_all_module_names ||=
+                POLICIES.each_with_object(Set.new) { |policy, set| set.merge(policy.instance.module_names) }
             end
 
             # Hook to only monkeypatch Contrast. This will not trigger any
@@ -179,7 +181,7 @@ module Contrast
 
               # Begin patching our sources into the given module. Any patcher that has the name of the module will be
               # evaluated for patching. Find all the patchers that apply to this class, sorted by type.
-              module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.create_module_policy(module_data.name)
+              module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.create_module_policy(module_data.mod_name)
               # If there's nothing to match, then set that status and exit
               if module_policy.empty?
                 status.no_patch!
@@ -189,8 +191,7 @@ module Contrast
               status.patching!
               num_applied_patches = patch_into_instance_methods(module_data, module_policy)
               num_applied_patches += patch_into_singleton_methods(module_data, module_policy)
-              if adjust_for_prepend(module_data) ||
-                    module_policy.num_expected_patches == num_applied_patches
+              if adjust_for_prepend(module_data) || module_policy.num_expected_patches == num_applied_patches
 
                 status.patched!
               else
@@ -198,12 +199,12 @@ module Contrast
               end
             rescue StandardError => e
               status&.failed_patch!
-              logger.warn('Patching failed', e, module: module_data.name)
+              logger.warn('Patching failed', e, module: module_data.mod_name)
             ensure
               logger.trace('Patching complete',
-                           module: module_data.name,
-                           result: Contrast::Agent::Patching::Policy::PatchStatus.get_status(
-                               module_data.mod).patch_status)
+                           module: module_data.mod_name,
+                           result:
+                             Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod).patch_status)
             end
 
             # Get all of the instance methods on the given module, excluding
@@ -270,7 +271,9 @@ module Contrast
             def patch_into_methods mod, methods, module_policy, is_instance_method
               count = 0
               methods.each do |method|
-                method_policy = Contrast::Agent::Patching::Policy::MethodPolicy.build_method_policy(method, module_policy, is_instance_method)
+                method_policy = Contrast::Agent::Patching::Policy::MethodPolicy.build_method_policy(method,
+                                                                                                    module_policy,
+                                                                                                    is_instance_method)
                 next if method_policy.empty?
 
                 patched = patch_method(mod, methods, method_policy)

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -44,10 +44,20 @@ module Contrast
           # later on. Really, if they don't have these things, they couldn't have
           # done their jobs anyway.
           def validate
-            raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.") unless class_name
-            raise(ArgumentError, "#{ node_class } #{ id } did not have a proper method name. Unable to create.") unless method_name
-            raise(ArgumentError, "#{ node_class } #{ id } has a non symbol @method_name value. Unable to create.") unless method_name.is_a?(Symbol)
-            raise(ArgumentError, "#{ node_class } #{ id } has a non symbol @method_visibility value. Unable to create.") unless method_visibility.is_a?(Symbol)
+            unless class_name
+              raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")
+            end
+            unless method_name
+              raise(ArgumentError, "#{ node_class } #{ id } did not have a proper method name. Unable to create.")
+            end
+            unless method_name.is_a?(Symbol)
+              raise(ArgumentError, "#{ node_class } #{ id } has a non symbol @method_name value. Unable to create.")
+            end
+
+            unless method_visibility.is_a?(Symbol)
+              raise(ArgumentError,
+                    "#{ node_class } #{ id } has a non symbol @method_visibility value. Unable to create.")
+            end
             unless method_scope.nil? || Contrast::Agent::Scope.valid_scope?(method_scope)
               raise(ArgumentError, "#{ node_class } #{ id } requires an undefined scope. Unable to create.")
             end

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -21,7 +21,8 @@ module Contrast
           JSON_OPTIONAL_PROPS = 'optional_properties'
           JSON_ON_EXCEPTION = 'on_exception'
 
-          attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties, :rule_id
+          attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties,
+                      :rule_id
 
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)
@@ -42,9 +43,10 @@ module Contrast
 
           def validate
             super
-            unless applicator.public_methods(false).any? { |method| method == applicator_method }
+            unless applicator.public_methods(false).any?(applicator_method)
               raise(ArgumentError,
-                    "#{ id } did not have a proper applicator method: #{ applicator } does not respond to #{ applicator_method }. Unable to create.")
+                    "#{ id } did not have a proper applicator method: "\
+                    "#{ applicator } does not respond to #{ applicator_method }. Unable to create.")
             end
             validate_properties
             validate_rule
@@ -52,20 +54,31 @@ module Contrast
 
           def validate_properties
             if (required_properties & optional_properties).any?
-              raise(ArgumentError, "#{ rule_id } had overlapping elements between required and optional properties. Unable to create.")
+              raise(ArgumentError,
+                    "#{ rule_id } had overlapping elements between required and optional properties. Unable to create.")
             end
             if (properties.keys - (required_properties | optional_properties)).any?
               raise(ArgumentError, "#{ id } had an unexpected property. Unable to create.")
             end
-            raise(ArgumentError, "#{ id } did not have a required property. Unable to create.") if (required_properties - properties.keys).any?
+
+            return unless (required_properties - properties.keys).any?
+
+            raise(ArgumentError, "#{ id } did not have a required property. Unable to create.")
           end
 
           def validate_rule
             raise(ArgumentError, 'Unknown rule did not have a proper name. Unable to create.') unless rule_id
             raise(ArgumentError, "#{ id } did not have a proper applicator. Unable to create.") unless applicator
-            raise(ArgumentError, "#{ id } did not have a proper applicator method. Unable to create.") unless applicator_method
-            raise(ArgumentError, "#{ id } did not have a proper set of required properties. Unable to create.") unless required_properties
-            raise(ArgumentError, "#{ id } did not have a proper set of optional properties. Unable to create.") unless optional_properties
+
+            unless applicator_method
+              raise(ArgumentError, "#{ id } did not have a proper applicator method. Unable to create.")
+            end
+            unless required_properties
+              raise(ArgumentError, "#{ id } did not have a proper set of required properties. Unable to create.")
+            end
+            return if optional_properties
+
+            raise(ArgumentError, "#{ id } did not have a proper set of optional properties. Unable to create.")
           end
 
           private

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -37,7 +37,7 @@ module Contrast
 
             protected
 
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::CmdInjection::NAME
             end
 

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb

@@ -71,7 +71,7 @@ module Contrast
 
             protected
 
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::Deserialization::NAME
             end
 

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -34,7 +34,7 @@ module Contrast
 
             protected
 
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::NoSqli::NAME
             end
 

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -42,15 +42,14 @@ module Contrast
 
             protected
 
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::PathTraversal::NAME
             end
 
             private
 
             def possible_write? input
-              input.cs__respond_to?(:to_s) &&
-                  input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
+              input.cs__respond_to?(:to_s) && input.to_s.include?(Contrast::Utils::ObjectShare::WRITE_FLAG)
             end
 
             READ = 'read'

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -34,7 +34,7 @@ module Contrast
 
             protected
 
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::Sqli::NAME
             end
 

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb

@@ -49,16 +49,15 @@ module Contrast
 
             protected
 
-            def name
+            def rule_name
               Contrast::Agent::Protect::Rule::Xxe::NAME
             end
 
             private
 
-            DATA_KEY = '@data'.to_sym
+            DATA_KEY = :@data
             def valid_data_input? object
-              object.instance_variable_defined?(DATA_KEY) &&
-                  object.instance_variable_get(DATA_KEY)
+              object.instance_variable_defined?(DATA_KEY) && object.instance_variable_get(DATA_KEY)
             end
 
             NOKOGIRI_MARKER = 'Nokogiri::'
@@ -115,11 +114,8 @@ module Contrast
               raise e
             rescue StandardError => e
               parser ||= Contrast::Utils::ObjectShare::UNKNOWN
-              logger.error(
-                  'Error applying xxe',
-                  e,
-                  module: potential_parser.cs__class.cs__name,
-                  method: method, parser: parser)
+              logger.error('Error applying xxe', e, module: potential_parser.cs__class.cs__name, method: method,
+                                                    parser: parser)
             end
           end
         end