contrast-agent 4.6.0 → 4.7.0

data/lib/contrast/api/decorators/trace_event_object.rb

@@ -52,9 +52,7 @@ module Contrast
             tmp = []
             tmp << obj_string[0, UNTRUNCATED_PORTION_LENGTH]
             tmp << ELLIPSIS
-            tmp << obj_string[
-                obj_string.length - UNTRUNCATED_PORTION_LENGTH,
-                UNTRUNCATED_PORTION_LENGTH]
+            tmp << obj_string[obj_string.length - UNTRUNCATED_PORTION_LENGTH, UNTRUNCATED_PORTION_LENGTH]
             tmp.join
           end
         end

data/lib/contrast/api/decorators/trace_taint_range_tags.rb

@@ -97,12 +97,7 @@ module Contrast
           DATABASE_WRITE
         ].cs__freeze
 
-        VALID_SOURCE_TAGS = %w[
-          NO_NEWLINES
-          UNTRUSTED
-          CROSS_SITE
-          LIMITED_CHARS
-        ].cs__freeze
+        VALID_SOURCE_TAGS = %w[NO_NEWLINES UNTRUSTED CROSS_SITE LIMITED_CHARS].cs__freeze
       end
     end
   end

data/lib/contrast/components/agent.rb

@@ -69,8 +69,10 @@ module Contrast
         def exception_control
           @_exception_control ||= {
               enable: true?(CONFIG.root.agent.ruby.exceptions.capture),
-              status: CONFIG.root.agent.ruby.exceptions.override_status || 403,
-              message: CONFIG.root.agent.ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
+              status:
+                CONFIG.root.agent.ruby.exceptions.override_status || 403,
+              message:
+                CONFIG.root.agent.ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
           }
         end
 
@@ -80,8 +82,9 @@ module Contrast
           loaded_module_name.start_with?(*CONFIG.root.agent.ruby.uninstrument_namespace)
         end
 
+        # Insert ourselves into the application, keeping our middleware at the outermost layer of the onion
         def insert_middleware app
-          app.middleware.insert_before 0, Contrast::Agent::Middleware # Keep our middleware at the outermost layer of the onion
+          app.middleware.insert_before 0, Contrast::Agent::Middleware
         end
 
         def enable_tracepoint
@@ -94,7 +97,9 @@ module Contrast
         # Ruby exposed the C method for interpolation in version 2.6.0, meaning
         # we can attempt to patch using Funchook for that version and later.
         def interpolation_patch_possible?
-          @_interpolation_patch_possible = Gem::Version.new(RUBY_VERSION) >= INTERPOLATION_HOOKABLE_VERSION if @_interpolation_patch_possible.nil?
+          if @_interpolation_patch_possible.nil?
+            @_interpolation_patch_possible = Gem::Version.new(RUBY_VERSION) >= INTERPOLATION_HOOKABLE_VERSION
+          end
           @_interpolation_patch_possible
         end
 

data/lib/contrast/components/app_context.rb

@@ -37,9 +37,9 @@ module Contrast
           end
         end
 
-        def name
-          @_name ||= begin
-            tmp = CONFIG.root.application.name
+        def app_name
+          @_app_name ||= begin
+            tmp = CONFIG.root.application.name # rubocop:disable Security/Module/Name
             tmp = Contrast::Agent.framework_manager.app_name unless Contrast::Utils::StringUtils.present?(tmp)
             tmp = File.basename(Dir.pwd) unless Contrast::Utils::StringUtils.present?(tmp)
             Contrast::Utils::StringUtils.truncate(tmp, DEFAULT_APP_NAME)
@@ -59,7 +59,7 @@ module Contrast
 
         def server_name
           @_server_name ||= begin
-            tmp = CONFIG.root.server.name
+            tmp = CONFIG.root.server.name # rubocop:disable Security/Module/Name
             tmp = Socket.gethostname unless Contrast::Utils::StringUtils.present?(tmp)
             tmp = Contrast::Utils::StringUtils.force_utf8(tmp)
             Contrast::Utils::StringUtils.truncate(tmp, DEFAULT_SERVER_NAME)
@@ -88,7 +88,7 @@ module Contrast
                       server_name: msg.server_name,
                       server_path: msg.server_path,
                       server_type: msg.server_type,
-                      application_name: name,
+                      application_name: app_name,
                       application_path: path,
                       application_language: Contrast::Utils::ObjectShare::RUBY)
 
@@ -108,7 +108,7 @@ module Contrast
         end
 
         def client_id
-          @_client_id ||= [name, pgid].join('-')
+          @_client_id ||= [app_name, pgid].join('-')
         end
 
         def instrument_middleware_stack?

data/lib/contrast/components/config.rb

@@ -56,7 +56,8 @@ module Contrast
 
         private
 
-        SESSION_VARIABLES = "Invalid configuration. Setting both application.session_id and application.session_metadata is not allowed.\n"
+        SESSION_VARIABLES = 'Invalid configuration. '\
+                            "Setting both application.session_id and application.session_metadata is not allowed.\n"
         def validate log: false
           # The config has information about how to construct the logger.
           # If the config is invalid, and you want to know about it, then

data/lib/contrast/components/contrast_service.rb

@@ -25,14 +25,13 @@ module Contrast
         def use_bundled_service?
           # Validates the config to decide if it's suitable for starting
           # the bundled service
-          @_use_bundled_service ||= begin
-            # Requirement says "must be true" but that
-            # should be "must not be false" -- oops.
-            !false?(CONFIG.root.agent.start_bundled_service) &&
-                # Either a valid host or a valid socket
-                # Path validity is the service's problem
-                (LOCALHOST.match?(host) || !!socket_path)
-          end
+
+          # Requirement says "must be true" but that
+          # should be "must not be false" -- oops.
+          @_use_bundled_service ||= !false?(CONFIG.root.agent.start_bundled_service) &&
+              # Either a valid host or a valid socket
+              # Path validity is the service's problem
+              (LOCALHOST.match?(host) || !!socket_path)
         end
 
         def host

data/lib/contrast/components/interface.rb

@@ -134,7 +134,7 @@ module Contrast
           if (mods = component_map[sym]) # rubocop:disable Style/GuardClause
             # We may support multiple components via one access request.
             mods.each do |m|
-              name = Contrast::Components.component_const_name(m.name)
+              name = Contrast::Components.component_const_name(m.cs__name)
               cs__const_set(name, m::COMPONENT_INTERFACE) if m.cs__const_defined?(:COMPONENT_INTERFACE)
               include m::InstanceMethods               if m.cs__const_defined?(:InstanceMethods, false)
               extend  m::ClassMethods                  if m.cs__const_defined?(:ClassMethods, false)
@@ -181,7 +181,8 @@ require 'contrast/components/agent'
 Contrast::Components::ComponentReceiverClassInterface::COMPONENT_MAP[:agent] = [Contrast::Components::Agent]
 
 require 'contrast/components/contrast_service'
-Contrast::Components::ComponentReceiverClassInterface::COMPONENT_MAP[:contrast_service] = [Contrast::Components::ContrastService]
+Contrast::Components::ComponentReceiverClassInterface::COMPONENT_MAP[:contrast_service] =
+  [Contrast::Components::ContrastService]
 
 require 'contrast/components/app_context'
 Contrast::Components::ComponentReceiverClassInterface::COMPONENT_MAP[:app_context] = [Contrast::Components::AppContext]

data/lib/contrast/components/sampling.rb

@@ -65,7 +65,10 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Integer] the resolution of the config_settings, settings, and default value
         def request_frequency config_settings, settings
-          [config_settings&.request_frequency, settings&.request_frequency, DEFAULT_SAMPLING_REQUEST_FREQUENCY].map(&:to_i).find(&:positive?)
+          [
+            config_settings&.request_frequency, settings&.request_frequency,
+            DEFAULT_SAMPLING_REQUEST_FREQUENCY
+          ].map(&:to_i).find(&:positive?)
         end
 
         # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
@@ -73,7 +76,10 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Integer] the resolution of the config_settings, settings, and default value
         def response_frequency config_settings, settings
-          [config_settings&.response_frequency, settings&.response_frequency, DEFAULT_SAMPLING_RESPONSE_FREQUENCY].map(&:to_i).find(&:positive?)
+          [
+            config_settings&.response_frequency, settings&.response_frequency,
+            DEFAULT_SAMPLING_RESPONSE_FREQUENCY
+          ].map(&:to_i).find(&:positive?)
         end
 
         # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by

data/lib/contrast/components/settings.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/api/settings.pb'
+
 module Contrast
   module Components
     # This component encapsulates the statefulness of settings.
@@ -8,8 +10,8 @@ module Contrast
     # directives (likely provided by TeamServer) about product operation.
     # 'Settings' is not a generic term for 'configurable stuff'.
     module Settings
-      APPLICATION_STATE_BASE = Struct.new(:modes_by_id, :exclusion_matchers).new(
-          Hash.new { Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION }, [])
+      APPLICATION_STATE_BASE = Struct.new(:modes_by_id, :exclusion_matchers).
+          new(Hash.new(Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION), [])
       PROTECT_STATE_BASE = Struct.new(:enabled, :rules).new(false, {})
       ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules).new(false, nil, []) do
         def sampling_settings= new_val

data/lib/contrast/config/assess_rules_configuration.rb

@@ -6,9 +6,7 @@ module Contrast
     # Common Configuration settings. Those in this section pertain to the
     # disabled assess rule functionality of the Agent.
     class AssessRulesConfiguration < BaseConfiguration
-      KEYS = {
-          disabled_rules: EMPTY_VALUE
-      }.cs__freeze
+      KEYS = { disabled_rules: EMPTY_VALUE }.cs__freeze
 
       def initialize hsh
         super(hsh, KEYS)

data/lib/contrast/config/base_configuration.rb

@@ -17,10 +17,7 @@ module Contrast
       attr_reader :map
 
       alias_method :to_hash, :map
-      def_delegators :@map, :empty?, :key?,
-                     :delete,
-                     :fetch, :[], :[]=,
-                     :each, :each_pair, :each_key, :each_value
+      def_delegators :@map, :empty?, :key?, :delete, :fetch, :[], :[]=, :each, :each_pair, :each_key, :each_value
 
       EMPTY_VALUE = :EMPTY_VALUE
 
@@ -35,7 +32,9 @@ module Contrast
           current_level = current_level.send(segment) if current_level.cs__respond_to?(segment)
         end
         last_entry = dot_path_array[-1]
-        current_level.send("#{ last_entry }=", value) if current_level.nil? == false && current_level.cs__respond_to?(last_entry)
+        if current_level.nil? == false && current_level.cs__respond_to?(last_entry)
+          current_level.send("#{ last_entry }=", value)
+        end
         nil
       end
 

data/lib/contrast/config/exception_configuration.rb

@@ -7,11 +7,7 @@ module Contrast
     # exception handling in Ruby, allowing for the override of Response Code
     # and Message when Security Exceptions are raised.
     class ExceptionConfiguration < BaseConfiguration
-      KEYS = {
-          capture: EMPTY_VALUE,
-          override_status: EMPTY_VALUE,
-          override_message: EMPTY_VALUE
-      }.cs__freeze
+      KEYS = { capture: EMPTY_VALUE, override_status: EMPTY_VALUE, override_message: EMPTY_VALUE }.cs__freeze
 
       def initialize hsh
         super(hsh, KEYS)

data/lib/contrast/config/heap_dump_configuration.rb

@@ -7,12 +7,18 @@ module Contrast
     # Heap Dump collection functionality of the Agent.
     class HeapDumpConfiguration < BaseConfiguration
       KEYS = {
-          enable: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::FALSE), # should dumps be taken
-          path: Contrast::Config::DefaultValue.new('contrast_heap_dumps'),                 # dir to which dumps should be saved
-          delay_ms: Contrast::Config::DefaultValue.new(10_000),                            # time, in ms, after initialization to delay before taking dump
-          window_ms: Contrast::Config::DefaultValue.new(10_000),                           # ms between each dump
-          count: Contrast::Config::DefaultValue.new(5),                                    # number of dumps to take
-          clean: Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::FALSE)   # remove temporary objects
+          enable:                                                                   # should dumps be taken
+            Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::FALSE),
+          path:                                                                     # dir to which dumps should be
+            Contrast::Config::DefaultValue.new('contrast_heap_dumps'), #   saved
+          delay_ms:                                                                 # time, in ms, after initialization
+            Contrast::Config::DefaultValue.new(10_000), #   to delay before taking dump
+          window_ms:                                                                # ms between each dump
+            Contrast::Config::DefaultValue.new(10_000), #
+          count:                                                                    # number of dumps to take
+            Contrast::Config::DefaultValue.new(5), #
+          clean:                                                                    # remove temporary objects or not
+            Contrast::Config::DefaultValue.new(Contrast::Utils::ObjectShare::FALSE)  #
       }.cs__freeze
 
       def initialize hsh

data/lib/contrast/config/logger_configuration.rb

@@ -6,11 +6,7 @@ module Contrast
     # Common Configuration settings. Those in this section pertain to the
     # logging in the Agent.
     class LoggerConfiguration < BaseConfiguration
-      KEYS = {
-          path: EMPTY_VALUE,
-          level: EMPTY_VALUE,
-          progname: EMPTY_VALUE
-      }.cs__freeze
+      KEYS = { path: EMPTY_VALUE, level: EMPTY_VALUE, progname: EMPTY_VALUE }.cs__freeze
 
       def initialize hsh
         super(hsh, KEYS)

data/lib/contrast/configuration.rb

@@ -25,16 +25,8 @@ module Contrast
 
     DEFAULT_YAML_PATH  = 'contrast_security.yaml'
     MILLISECOND_MARKER = '_ms'
-    CONVERSION = {
-        'agent.service.enable' => 'agent.start_bundled_service'
-    }.cs__freeze
-    CONFIG_BASE_PATHS = [
-      '',
-      'config/',
-      '/etc/contrast/ruby/',
-      '/etc/contrast/',
-      '/etc/'
-    ].cs__freeze
+    CONVERSION = { 'agent.service.enable' => 'agent.start_bundled_service' }.cs__freeze
+    CONFIG_BASE_PATHS = ['', 'config/', '/etc/contrast/ruby/', '/etc/contrast/', '/etc/'].cs__freeze
 
     def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH
       @default_name = default_name
@@ -189,10 +181,7 @@ module Contrast
     # When we fail to parse a configuration because it is misformatted, log an
     # appropriate message based on the Agent Onboarding specification
     def log_yaml_parse_error path, exception
-      hash = {
-          path: path,
-          pwd: Dir.pwd
-      }
+      hash = { path: path, pwd: Dir.pwd }
       if exception.is_a?(Psych::SyntaxError)
         hash[:context] = exception.context
         hash[:column] = exception.column

data/lib/contrast/extension/assess/array.rb

@@ -56,12 +56,7 @@ module Contrast
               return ret unless Contrast::Agent::Assess::Tracker.tracked?(ret)
 
               properties.cleanup_tags
-              properties.build_event(
-                  ARRAY_JOIN_NODE,
-                  ret,
-                  ary,
-                  ret,
-                  [separator])
+              properties.build_event(ARRAY_JOIN_NODE, ret, ary, ret, [separator])
               properties.event.instance_variable_set(:@_parent_events, parent_events)
               ret
             end

data/lib/contrast/extension/assess/erb.rb

@@ -25,13 +25,7 @@ module ERBPropagator
         parent_event = Contrast::Agent::Assess::Tracker.properties(bound_variable_value)&.event
         parent_events << parent_event if parent_event
       end
-      properties.build_event(
-          patcher,
-          ret,
-          preshift.object,
-          ret,
-          preshift.args,
-          1)
+      properties.build_event(patcher, ret, preshift.object, ret, preshift.args, 1)
       properties.event.instance_variable_set(:@_parent_events, parent_events)
 
       ret

data/lib/contrast/extension/assess/eval_trigger.rb

@@ -31,12 +31,8 @@ module Contrast
             # source might not be all the args passed in, but it is the one we care
             # about. we could pass in all the args in the last param here if it
             # becomes an issue in rendering on TS
-            Contrast::Agent::Assess::Policy::TriggerMethod.apply_eval_trigger(
-                trigger_node(clazz, method),
-                source,
-                obj,
-                ret,
-                source)
+            Contrast::Agent::Assess::Policy::TriggerMethod.apply_eval_trigger(trigger_node(clazz, method), source, obj,
+                                                                              ret, source)
           end
 
           def instrument_basic_object_track

data/lib/contrast/extension/assess/exec_trigger.rb

@@ -18,20 +18,14 @@ module Contrast
           # source might not be all the args passed in, but it is the one we care
           # about. we could pass in all the args in the last param here if it
           # becomes an issue in rendering on TS
-          Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-              trigger_node,
-              source,
-              Kernel,
-              nil,
-              source)
+          Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, source, Kernel, nil, source)
         end
 
         private
 
         def trigger_node
-          @_trigger_node ||= begin
-            Contrast::Agent::Assess::Policy::Policy.instance.find_node('cmd-injection', 'Kernel', :exec, false)
-          end
+          @_trigger_node ||= Contrast::Agent::Assess::Policy::Policy.instance.find_node('cmd-injection', 'Kernel',
+                                                                                        :exec, false)
         end
       end
     end

data/lib/contrast/extension/assess/fiber.rb

@@ -64,12 +64,7 @@ module Contrast
                 next unless (result_properties = Contrast::Agent::Assess::Tracker.properties!(result))
 
                 result_properties.splat_from(fiber, result)
-                result_properties.build_event(
-                    FIBER_YIELD_NODE,
-                    result,
-                    fiber,
-                    result,
-                    [])
+                result_properties.build_event(FIBER_YIELD_NODE, result, fiber, result, [])
               end
             end
           rescue Exception => e # rubocop:disable Lint/RescueException
@@ -85,12 +80,7 @@ module Contrast
               return unless properties
 
               properties.splat_from(underlying, fiber)
-              properties.build_event(
-                  FIBER_NEW_NODE,
-                  fiber,
-                  underlying,
-                  fiber,
-                  [])
+              properties.build_event(FIBER_NEW_NODE, fiber, underlying, fiber, [])
             end
           rescue Exception => e # rubocop:disable Lint/RescueException
             logger.error('Unable to propagate during Fiber.new', e)

data/lib/contrast/extension/assess/kernel.rb

@@ -47,13 +47,7 @@ module Contrast
             parent_events = []
             track_sprintf(ret, format_string, args, parent_events)
 
-            properties.build_event(
-                patcher,
-                ret,
-                preshift.object,
-                ret,
-                preshift.args,
-                1)
+            properties.build_event(patcher, ret, preshift.object, ret, preshift.args, 1)
 
             properties.event.instance_variable_set(:@_parent_events, parent_events)
             ret
@@ -70,8 +64,7 @@ module Contrast
               handle_sprintf_array(args, result, parent_events)
             end
           rescue StandardError => e
-            logger.error(
-                'Unable to track dataflow through sprintf', e)
+            logger.error('Unable to track dataflow through sprintf', e)
           end
 
           def instrument_kernel_track