contrast-agent 4.6.0 → 4.7.0

data/lib/contrast/extension/assess/marshal.rb

@@ -31,12 +31,8 @@ module Contrast
               # source might not be all the args passed in, but it is the one we care
               # about. we could pass in all the args in the last param here if it
               # becomes an issue in rendering on TS
-              Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-                  trigger_node('Marshal', :load),
-                  source,
-                  self,
-                  ret,
-                  *args)
+              Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node('Marshal', :load), source,
+                                                                           self, ret, *args)
               return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
               properties.copy_from(source, ret)

data/lib/contrast/extension/assess/regexp.rb

@@ -53,12 +53,7 @@ module Contrast
               return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
               properties.splat_from(string, target)
-              properties.build_event(
-                  REGEXP_EQUAL_SQUIGGLE_NODE,
-                  target,
-                  self,
-                  result,
-                  [string])
+              properties.build_event(REGEXP_EQUAL_SQUIGGLE_NODE, target, self, result, [string])
             end
           rescue Exception => e # rubocop:disable Lint/RescueException
             logger.error('Unable to propagate during Regexp#=~', e)

data/lib/contrast/extension/assess/string.rb

@@ -66,7 +66,9 @@ module Contrast
           def instrument_string_interpolation
             if @_instrument_string_interpolation.nil?
               @_instrument_string_interpolation = begin
-                require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26' if AGENT.patch_interpolation? && Funchook.available?
+                if AGENT.patch_interpolation? && Funchook.available?
+                  require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26'
+                end
                 true
               rescue StandardError, LoadError => e
                 logger.error('Error loading interpolation patch', e)

data/lib/contrast/extension/kernel.rb

@@ -41,13 +41,15 @@ module Kernel # :nodoc:
 
   def catch *args, &block
     # Save current scope level
-    scope_level = Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
+    scope_level =
+      Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
 
     # Run original catch with block.
     retval = cs__catch(*args, &block)
 
     # Restore scope.
-    Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_set(:@contrast_scope, scope_level)
+    Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_set(:@contrast_scope,
+                                                                                                scope_level)
 
     retval
   end

data/lib/contrast/framework/manager.rb

@@ -19,8 +19,7 @@ module Contrast
       # Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
       # do not exist
       SUPPORTED_FRAMEWORKS = [
-        Contrast::Framework::Rails::Support,
-        Contrast::Framework::Sinatra::Support,
+        Contrast::Framework::Rails::Support, Contrast::Framework::Sinatra::Support,
         Contrast::Framework::Rack::Support
       ].cs__freeze
 

data/lib/contrast/framework/rack/patch/session_cookie.rb

@@ -61,16 +61,9 @@ module Contrast
             end
 
             def apply_secure_session options
-              return unless vulnerable_setting?(
-                  :secure,
-                  true,
-                  options,
-                  safe_default: false)
-
-              cs__report_finding(
-                  CS__SECURE_RULE_NAME,
-                  options,
-                  caller_locations(10, 9)[0])
+              return unless vulnerable_setting?(:secure, true, options, safe_default: false)
+
+              cs__report_finding(CS__SECURE_RULE_NAME, options, caller_locations(10, 9)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to secure session', e)
@@ -86,10 +79,7 @@ module Contrast
                                                 safe_default: false,
                                                 comparison_type: :greater_than)
 
-              cs__report_finding(
-                  CS__SESSION_TIMEOUT_NAME,
-                  options,
-                  caller_locations(10, 9)[0])
+              cs__report_finding(CS__SESSION_TIMEOUT_NAME, options, caller_locations(10, 9)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to set session timeout', e)
@@ -101,10 +91,7 @@ module Contrast
             def apply_httponly options
               return unless vulnerable_setting?(:httponly, true, options)
 
-              cs__report_finding(
-                  CS__HTTPONLY_NAME,
-                  options,
-                  caller_locations(10, 9)[0])
+              cs__report_finding(CS__HTTPONLY_NAME, options, caller_locations(10, 9)[0])
             rescue StandardError => e
               begin
                 logger.error('Unable to track call to httponly', e)

data/lib/contrast/framework/rack/patch/support.rb

@@ -12,10 +12,12 @@ module Contrast
         module Support
           # (See BaseSupport#after_load_patches)
           def after_load_patches
-            Set.new([Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                'Rack::Session::Cookie',
-                'contrast/framework/rack/patch/session_cookie',
-                instrumenting_module: 'Contrast::Framework::Rack::Patch::SessionCookie')])
+            Set.new([
+                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                          'Rack::Session::Cookie',
+                          'contrast/framework/rack/patch/session_cookie',
+                          instrumenting_module: 'Contrast::Framework::Rack::Patch::SessionCookie')
+                    ])
           end
         end
       end

data/lib/contrast/framework/rails/patch/assess_configuration.rb

@@ -32,7 +32,11 @@ module Contrast
 
             private
 
-            def vulnerable_setting? setting_key, safe_settings_value, original_args, safe_default: true, comparison_type: nil
+            def vulnerable_setting?(setting_key,
+                                    safe_settings_value,
+                                    original_args,
+                                    safe_default: true,
+                                    comparison_type: nil)
               # In most cases, Rails is pretty nice and the default value is safe
               return !safe_default unless original_args && original_args.length > 1
 
@@ -49,7 +53,8 @@ module Contrast
 
             def apply_session_timeout *args
               return if ASSESS.rule_disabled? CS__SESSION_TIMEOUT_NAME
-              return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args, comparison_type: :greater_than, safe_default: false)
+              return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args,
+                                                comparison_type: :greater_than, safe_default: false)
 
               rails_session_settings = args[1]
               cs__report_finding(CS__SESSION_TIMEOUT_NAME, rails_session_settings, caller_locations(3, 2)[0])

data/lib/contrast/framework/rails/patch/support.rb

@@ -44,11 +44,13 @@ module Contrast
                           'ActionController::Railties::Helper::ClassMethods',
                           'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
                           method_to_instrument: :inherited,
-                          instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
+                          instrumenting_module:
+                            'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
                       Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
                           'ActiveRecord::AttributeMethods::Read::ClassMethods',
                           'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
-                          instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
+                          instrumenting_module:
+                            'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
                       Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
                           'ActiveRecord::Scoping::Named::ClassMethods',
                           'contrast/framework/rails/rewrite/active_record_named',

data/lib/contrast/framework/rails/rewrite/action_controller_railties_helper_inherited.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+
 module Contrast
   module Framework
     module Rails
@@ -19,7 +21,8 @@ module Contrast
                 alias_method :cs__patched_helper_inherited, :inherited
                 def inherited klass # rubocop:disable Lint/MissingSuper
                   klass&.instance_variable_set(:@cs__defining_class, true)
-                  cs__patched_helper_inherited(klass) # This calls the original inherited, which should handle super as needed.
+                  # This calls the original inherited, which should handle super as needed.
+                  cs__patched_helper_inherited(klass)
                 ensure
                   klass&.instance_variable_set(:@cs__defining_class, false)
                 end

data/lib/contrast/framework/rails/rewrite/active_record_attribute_methods_read.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+
 module Contrast
   module Framework
     module Rails

data/lib/contrast/framework/rails/rewrite/active_record_named.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+
 require 'contrast/components/interface'
 
 module Contrast

data/lib/contrast/framework/rails/rewrite/active_record_time_zone_inherited.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+
 module Contrast
   module Framework
     module Rails

data/lib/contrast/framework/rails/support.rb

@@ -27,8 +27,8 @@ module Contrast
 
           def application_name
             app_class = ::Rails.application.cs__class
-            # Rails version 6.0.0 deprecated Rails::Application#parent_name, in Rails 6.1.0 that method will be removed entirely
-            # and instead we need to use parent_module_name
+            # Rails version 6.0.0 deprecated Rails::Application#parent_name, in Rails 6.1.0 that method will be removed
+            # entirely and instead we need to use parent_module_name
             return app_class.parent_module_name if Gem::Version.new(::Rails.version) >= RAILS_MODULE_NAME_VERSION
 
             app_class.parent_name

data/lib/contrast/framework/sinatra/support.rb

@@ -114,7 +114,9 @@ module Contrast
             return controller, route_pattern if route_pattern
 
             # Check routes defined in superclass if present.
-            return _route_recurse(controller.superclass, method, route) if controller.superclass&.instance_variable_get(:@routes)
+            return unless controller.superclass&.instance_variable_get(:@routes)
+
+            _route_recurse(controller.superclass, method, route)
           end
 
           # Get route and do some cleanup matching that of Sinatra::Base#process_route.

data/lib/contrast/funchook/funchook.rb

@@ -12,11 +12,7 @@ module Funchook
   ACCEPTABLE_FILES = %w[libfunchook.dylib libfunchook.so].cs__freeze
 
   # Top level agent directories that should have the funchook libraries
-  SEARCH_DIRS = [
-    File.join('ext'),
-    File.join('shared_libraries'),
-    File.join('funchook', 'src')
-  ].cs__freeze
+  SEARCH_DIRS = [File.join('ext'), File.join('shared_libraries'), File.join('funchook', 'src')].cs__freeze
 
   AGENT_ROOT = File.join(__dir__, '..', '..', '..')
 

data/lib/contrast/logger/application.rb

@@ -16,10 +16,8 @@ module Contrast
       def application_environment
         return unless info?
 
-        info('Process environment information',
-             p_id: Process.pid,
-             pp_id: Process.ppid,
-             agent_version: Contrast::Agent::VERSION)
+        info('Process environment information', p_id: Process.pid, pp_id: Process.ppid,
+                                                agent_version: Contrast::Agent::VERSION)
         ENV.each do |env_key, env_value|
           env_key = env_key.to_s
           next unless ENV_KEYS.include?(env_key) ||
@@ -35,7 +33,9 @@ module Contrast
 
         loggable = CONFIG.loggable
         info('Current configuration', configuration: loggable)
-        env_keys = ENV.keys.select { |env_key| env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) }
+        env_keys = ENV.keys.select do |env_key|
+          env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
+        end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }
         env_translations = env_items.each_with_object({}) do |conversion, hash|
           hash[conversion.key] = conversion.dot_path_array.join('.')
@@ -52,7 +52,10 @@ module Contrast
       end
 
       FRAMEWORKS = %w[rails sinatra grape].cs__freeze
-      WEB_SERVERS = %w[agoo falcon hoof iodine mongrel mongrel2 passenger puma rack skinny thin trinidad unicorn webrick yarn].cs__freeze
+      WEB_SERVERS = %w[
+        agoo falcon hoof iodine mongrel mongrel2 passenger puma rack skinny thin trinidad unicorn
+        webrick yarn
+      ].cs__freeze
       LIBRARIES = %w[excon json mongo moped mysql nokogiri oga ox pg psych sqlite3 typhoeus yaml].cs__freeze
       def log_specific_libraries
         FRAMEWORKS.each(&cs__method(:log_gem_data))
@@ -67,6 +70,7 @@ module Contrast
 
         Gem.loaded_specs.each_pair do |_name, gem_spec|
           debug('Gem loaded',
+                # rubocop:disable Security/Module/Name -- gems builtin.
                 gem_name: gem_spec.name,
                 gem_version: gem_spec.version.to_s)
         end
@@ -76,9 +80,8 @@ module Contrast
         gem_spec = Gem.loaded_specs[gem_name]
         return unless gem_spec
 
-        info('Gem loaded',
-             gem_name: gem_spec.name,
-             gem_version: gem_spec.version.to_s)
+        info('Gem loaded', gem_name: gem_spec.name, gem_version: gem_spec.version.to_s)
+        # rubocop:enable Security/Module/Name
       end
     end
   end

data/lib/contrast/logger/format.rb

@@ -43,9 +43,7 @@ module Contrast
       def thread_hash
         hash = LOG_TRACKER.get(:logging_hash)
         unless hash
-          hash = {
-              thread_id: Thread.current.object_id
-          }
+          hash = { thread_id: Thread.current.object_id }
           LOG_TRACKER.set(:logging_hash, hash)
         end
         hash
@@ -53,8 +51,7 @@ module Contrast
 
       NO_REQUEST_HASH = { request_id: -1 }.cs__freeze
       def request_hash
-        @request_tracker_defined ||= defined?(Contrast::Agent) &&
-            defined?(Contrast::Agent::REQUEST_TRACKER)
+        @request_tracker_defined ||= defined?(Contrast::Agent) && defined?(Contrast::Agent::REQUEST_TRACKER)
         return NO_REQUEST_HASH unless @request_tracker_defined
 
         Contrast::Agent::REQUEST_TRACKER&.current&.logging_hash || NO_REQUEST_HASH

data/lib/contrast/logger/log.rb

@@ -27,8 +27,7 @@ module Contrast
       STDOUT_STR       = 'STDOUT'
       STDERR_STR       = 'STDERR'
 
-      attr_reader :previous_path,
-                  :previous_level
+      attr_reader :previous_path, :previous_level
 
       def initialize
         update
@@ -124,7 +123,9 @@ module Contrast
         elsif write_permission?(DEFAULT_NAME)
           # Log once when the path is invalid. We'll change to this path, so no
           # need to log again.
-          puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead." if previous_path != DEFAULT_NAME
+          if previous_path != DEFAULT_NAME
+            puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead."
+          end
           DEFAULT_NAME
         else
           # Log once when the path is invalid. We'll change to this path, so no

data/lib/contrast/logger/request.rb

@@ -22,8 +22,7 @@ module Contrast
       def request_end
         context = Contrast::Agent::REQUEST_TRACKER.current
         elapsed_time = context ? (Contrast::Utils::Timer.now_ms - context.timer.start_ms) : -1
-        debug('Ending request analysis',
-              elapsed_time_ms: elapsed_time)
+        debug('Ending request analysis', elapsed_time_ms: elapsed_time)
       end
     end
   end

data/lib/contrast/security_exception.rb

@@ -8,7 +8,7 @@ module Contrast
   # to be handled by our customer's applications.
   class SecurityException < StandardError
     def initialize rule, message = nil
-      super(message || "Rule #{ rule.name } threw a security exception")
+      super(message || "Rule #{ rule.rule_name } threw a security exception")
     end
   end
 end

data/lib/contrast/tasks/service.rb

@@ -74,7 +74,11 @@ module Contrast
               sleep(0.05) while Contrast::Utils::OS.running?
             end
             watcher.join(1)
-            puts Contrast::Utils::OS.running? ? 'Contrast Service did not stop.' : 'Contrast Service stopped successfully.'
+            if Contrast::Utils::OS.running?
+              puts 'Contrast Service did not stop.'
+            else
+              puts 'Contrast Service stopped successfully.'
+            end
           else
             puts 'Contrast Service is not already running. No need to stop.'
           end

data/lib/contrast/utils/assess/tracking_util.rb

@@ -53,8 +53,7 @@ module Contrast
             idx += 1
             if Contrast::Utils::DuckUtils.iterable_hash?(obj)
               obj.each_pair do |k, v|
-                return true if _tracked?(k, idx)
-                return true if _tracked?(v, idx)
+                return true if _tracked?(k, idx) || _tracked?(v, idx)
               end
               false
             elsif Contrast::Utils::DuckUtils.iterable_enumerable?(obj)

data/lib/contrast/utils/class_util.rb

@@ -9,14 +9,6 @@ module Contrast
     # Utility methods for exploring the complete space of Objects
     class ClassUtil
       class << self
-        # Given a module, return all of its descendants
-        #
-        # @param mod [Module] the module whose descendants you want to find.
-        # @return [Array<Module>] those Modules that inherit from the given.
-        def descendants mod
-          ObjectSpace.each_object(mod).to_a
-        end
-
         # some classes have had things prepended to them, like Marshal in Rails
         # 5 and higher. Their ActiveSupport::MarshalWithAutoloading will break
         # our alias patching approach, as will any other prepend on something

data/lib/contrast/utils/hash_digest.rb

@@ -15,10 +15,7 @@ module Contrast
       include Digest::Instance
 
       CONTENT_LENGTH_HEADER = 'Content-Length'
-      CRYPTO_RULES = %w[
-        crypto-bad-ciphers
-        crypto-bad-mac
-      ].cs__freeze
+      CRYPTO_RULES = %w[crypto-bad-ciphers crypto-bad-mac].cs__freeze
       CONFIG_PATH_KEY = 'path'
       CONFIG_SESSION_ID_KEY = 'sessionId'
       CLASS_SOURCE_KEY = 'source'
@@ -111,7 +108,7 @@ module Contrast
         events.each do |event|
           event.event_sources.each do |source|
             update(source.type)
-            update(source.name)
+            update(source.name) # rubocop:disable Security/Module/Name -- API attribute.
           end
         end
       end