contrast-agent 4.6.0 → 4.9.1

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
 require 'contrast/utils/object_share'
 
 module Contrast
@@ -13,8 +12,7 @@ module Contrast
         # of a file vs data flow, such as the detection of Hardcoded Passwords
         # or Keys.
         module PolicyScanner
-          include Contrast::Components::Interface
-          access_component :analysis
+
 
           class << self
             # Use the given trace_point, built from an :end event, to determine
@@ -24,8 +22,8 @@ module Contrast
             # @param trace_point [TracePoint] the TracePoint generated by an
             #   :end event at the end of a Module definition.
             def scan trace_point
-              return unless ASSESS.enabled?
-              return unless ASSESS.require_scan?
+              return unless ::Contrast::ASSESS.enabled?
+              return unless ::Contrast::ASSESS.require_scan?
 
               provider_values = policy.providers.values
               return if provider_values.all?(&:disabled?)

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -9,8 +9,8 @@ module Contrast
       # In order to properly shift tags to account for the changes this method
       # caused, we'll need to store the state before the change occurred.
       class PreShift
-        include Contrast::Components::Interface
-        access_component :analysis, :logging
+        include Contrast::Components::Logger::InstanceMethods
+
 
         UNDUPLICABLE_MODULES = [
           Enumerator # dup'ing results in 'can't copy execution context'
@@ -37,7 +37,7 @@ module Contrast
           #   being called or nil if one is not required.
           def build_preshift propagation_node, object, args
             return unless propagation_node
-            return unless ASSESS.enabled?
+            return unless ::Contrast::ASSESS.enabled?
 
             initializing = propagation_node.method_name == :initialize
             return if unsafe_io_object?(object, initializing)
@@ -91,7 +91,9 @@ module Contrast
 
               Contrast::Agent::Assess::Tracker.copy(original_arg, preshift_arg)
             end
-            preshift.arg_lengths = preshift.args.map { |preshift_arg| Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0 }
+            preshift.arg_lengths = preshift.args.map do |preshift_arg|
+              Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -4,7 +4,7 @@
 require 'set'
 
 require 'contrast/agent/assess/policy/propagator'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
 
@@ -17,8 +17,8 @@ module Contrast
         # general, these methods work on the String class or a holder of
         # Strings
         module PropagationMethod
-          include Contrast::Components::Interface
-          access_component :analysis, :logging
+          extend Contrast::Components::Logger::InstanceMethods
+
 
           APPEND_ACTION = 'APPEND'
           CENTER_ACTION = 'CENTER'
@@ -140,13 +140,7 @@ module Contrast
               !!target
             end
 
-            ZERO_LENGTH_ACTIONS = [
-              DB_WRITE_ACTION,
-              CUSTOM_ACTION,
-              KEEP_ACTION,
-              REPLACE_ACTION,
-              SPLAT_ACTION
-            ].cs__freeze
+            ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
             # If the action required needs a length and the target does not have
             # one, the length is not valid
             def valid_length? target, action
@@ -245,7 +239,7 @@ module Contrast
 
             def handle_enumerable_propagation propagation_node, preshift, target, object, ret, args, block
               target.each do |value|
-                next if target == value # Some Enumerable#each are overridden to return self the first time which leads to infinite propagation
+                next if target == value
 
                 apply_propagator(propagation_node, preshift, value, object, ret, args, block)
               end
@@ -283,9 +277,7 @@ module Contrast
 
               properties.add_properties(propagation_node.properties)
               properties.build_event(propagation_node, target, object, ret, args)
-              logger.trace('Propagation detected',
-                           node_id: propagation_node.id,
-                           target_id: target.__id__)
+              logger.trace('Propagation detected', node_id: propagation_node.id, target_id: target.__id__)
               restore_frozen_state ? ret : nil
             end
 
@@ -296,10 +288,9 @@ module Contrast
             # @return [Contrast::Agent::Assess::Policy::Propagator, nil]
             def find_propagation_class propagation_node
               unless (propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil))
-                logger.warn(
-                    'Unknown propagation action received. Unable to propagate.',
-                    node_id: propagation_node.id,
-                    action: propagation_node.action)
+                logger.warn('Unknown propagation action received. Unable to propagate.',
+                            node_id: propagation_node.id,
+                            action: propagation_node.action)
               end
               propagation_class
             end
@@ -311,7 +302,7 @@ module Contrast
             #   propagation event.
             # @return [Boolean]
             def can_handle_frozen? propagation_node
-              ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+              ::Contrast::ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -62,11 +62,19 @@ module Contrast
             raise(ArgumentError, "Propagator #{ id } did not have a proper action. Unable to create.") unless action
 
             if @action == 'CUSTOM'
-              raise(ArgumentError, "Propagator #{ id } did not have a proper patch_class. Unable to create.") unless patch_class
-              raise(ArgumentError, "Propagator #{ id } did not have a proper patch_method. Unable to create.") unless patch_method.is_a?(Symbol)
+              unless patch_class
+                raise(ArgumentError, "Propagator #{ id } did not have a proper patch_class. Unable to create.")
+              end
+              unless patch_method.is_a?(Symbol)
+                raise(ArgumentError, "Propagator #{ id } did not have a proper patch_method. Unable to create.")
+              end
             else
-              raise(ArgumentError, "Propagator #{ id } did not have a proper target. Unable to create.") unless targets&.any?
-              raise(ArgumentError, "Propagator #{ id } did not have a proper source. Unable to create.") unless sources&.any?
+              unless targets&.any?
+                raise(ArgumentError, "Propagator #{ id } did not have a proper target. Unable to create.")
+              end
+              unless sources&.any?
+                raise(ArgumentError, "Propagator #{ id } did not have a proper source. Unable to create.")
+              end
             end
             validate_untags
           end
@@ -76,9 +84,12 @@ module Contrast
 
             untags.each do |tag|
               unless Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag)
-                raise(ArgumentError, "#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
+                raise(ArgumentError,
+                      "#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
+              end
+              if tags&.include?(tag)
+                raise(ArgumentError, "#{ node_type } #{ id } had the same tag and untag, #{ tag }.")
               end
-              raise(ArgumentError, "#{ node_type } #{ id } had the same tag and untag, #{ tag }.") if tags&.include?(tag)
             end
           end
 
@@ -86,8 +97,8 @@ module Contrast
             if @_needs_object.nil?
               @_needs_object = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
                   action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
-                  sources.any? { |source| source == Contrast::Utils::ObjectShare::OBJECT_KEY } ||
-                  targets.any? { |target| target == Contrast::Utils::ObjectShare::OBJECT_KEY }
+                  sources.any?(Contrast::Utils::ObjectShare::OBJECT_KEY) ||
+                  targets.any?(Contrast::Utils::ObjectShare::OBJECT_KEY)
             end
             @_needs_object
           end

data/lib/contrast/agent/assess/policy/propagator.rb

@@ -21,6 +21,7 @@ module Contrast
           require 'contrast/agent/assess/policy/propagator/match_data'
           require 'contrast/agent/assess/policy/propagator/next'
           require 'contrast/agent/assess/policy/propagator/prepend'
+          require 'contrast/agent/assess/policy/propagator/rack_protection'
           require 'contrast/agent/assess/policy/propagator/remove'
           require 'contrast/agent/assess/policy/propagator/replace'
           require 'contrast/agent/assess/policy/propagator/reverse'

data/lib/contrast/agent/assess/policy/propagator/center.rb

@@ -31,7 +31,8 @@ module Contrast
                 return unless sources[1]
 
                 original_end_index = original_start_index + source1.length - 1
-                handle_incoming_tags(target, propagation_node, sources[1], preshift, original_start_index, original_end_index)
+                handle_incoming_tags(target, propagation_node, sources[1], preshift, original_start_index,
+                                     original_end_index)
               end
 
               private

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -1,8 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
-
 module Contrast
   module Agent
     module Assess
@@ -13,8 +11,7 @@ module Contrast
           # results in new source nodes to track which columns in the database
           # have been tainted.
           class DatabaseWrite < Contrast::Agent::Assess::Policy::Propagator::Base
-            include Contrast::Components::Interface
-            access_component :analysis
+
 
             class << self
               def propagate propagation_node, preshift, target
@@ -22,7 +19,7 @@ module Contrast
                 class_name = class_type.cs__name
                 tainted_columns = {}
 
-                known_tainted = ASSESS.tainted_columns[class_name]
+                known_tainted = ::Contrast::ASSESS.tainted_columns[class_name]
                 propagation_node.sources.each do |source|
                   handle_write(propagation_node, source, preshift, target, known_tainted, tainted_columns)
                 end
@@ -31,7 +28,7 @@ module Contrast
                 if known_tainted
                   known_tainted.concat(tainted_columns.keys)
                 else
-                  ASSESS.tainted_columns[class_name] = tainted_columns.keys
+                  ::Contrast::ASSESS.tainted_columns[class_name] = tainted_columns.keys
                 end
 
                 Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources class_type, tainted_columns

data/lib/contrast/agent/assess/policy/propagator/insert.rb

@@ -33,7 +33,9 @@ module Contrast
                 # point on which all tags need to be adjusted
                 # If the insertion point is the end of the string, preshift length is returned
                 # https://stackoverflow.com/questions/31714522/find-the-first-differing-character-between-two-strings-in-ruby
-                insert_point = (0...preshift_target.length).find { |i| preshift_target[i] != target[i] } || preshift_target.length
+                insert_point = (0...preshift_target.length).find do |i|
+                  preshift_target[i] != target[i]
+                end || preshift_target.length
                 # Depending what's inserted, we might be wrong. For instance, inserting 'foo'
                 # into 'asdfasdf' could result in 'asdfoofasdf'. we'd be off by one b/c of the 'f'
                 insert_point = target.rindex(source, insert_point)

data/lib/contrast/agent/assess/policy/propagator/match_data.rb

@@ -76,7 +76,8 @@ module Contrast
                 applicable_tags.each do |tag_name, tag_ranges|
                   return_properties.set_tags(tag_name, tag_ranges)
                 end
-                return_properties.build_event(propagation_node, return_value, preshift.object, return_value, preshift.args)
+                return_properties.build_event(propagation_node, return_value, preshift.object, return_value,
+                                              preshift.args)
               end
             end
           end

data/lib/contrast/agent/assess/policy/propagator/rack_protection.rb

@@ -0,0 +1,73 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Rack::Protection offers several protections against vulnerabilities. Of these, some apply to dataflow and
+          # need to be accounted for in order to properly tag data. Others apply to configurations and may be used to
+          # suppress configuration vulnerabilities in the future.
+          class RackProtection < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # Our custom instrumentation for the Rack::Protection::EscapedParams#escape_string method
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+              #   propagation event.
+              # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+              #   the invocation of the patched method.
+              # @param ret [nil, String] the target to which to propagate.
+              # @return [nil, String] ret
+              def escaped_params propagation_node, preshift, ret, _block
+                Contrast::Agent::Assess::Policy::Propagator::Splat.propagate(propagation_node, preshift, ret)
+                apply_escaper_tags(preshift.object, ret)
+                ret
+              end
+
+              private
+
+              # Rack::Protection::EscapedParams can be configured such that it only applies certain escape. We need
+              # to account for the configuration of the individual escapes when applying tags.
+              #
+              # @param escaper [Rack::Protection::EscapedParams] the instance of Rack::Protection::EscapedParams
+              #   applying the escape_string
+              # @param ret [String] the result of the escape
+              def apply_escaper_tags escaper, ret
+                # I don't know how this could not be an instance of Rack::Protection::EscapedParams, but I don't want
+                # to chance it.
+                return unless escaper.cs__is_a?(Rack::Protection::EscapedParams)
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties(ret))
+
+                tags = []
+                untags = []
+                if escaper.instance_variable_get(:@html)
+                  tags << 'HTML_ENCODED'
+                  untags << 'HTML_DECODED'
+                end
+
+                if escaper.instance_variable_get(:@javascript)
+                  tags << 'JAVASCRIPT_ENCODED'
+                  untags << 'JAVASCRIPT_DECODED'
+                end
+
+                if escaper.instance_variable_get(:@url)
+                  tags << 'URL_ENCODED'
+                  untags << 'URL_DECODED'
+                end
+
+                length = Contrast::Utils::StringUtils.ret_length(ret)
+                tags.each do |tag|
+                  properties.add_tag(tag, 0...length)
+                end
+
+                untags.each do |tag|
+                  properties.delete_tags(tag)
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator/select.rb

@@ -21,22 +21,12 @@ module Contrast
                 # Additionally, an empty string is returned when the starting index for
                 # a character range is at the end of the string. Let's just skip that
                 # and only track a string that has length
-                unless ret &&
-                      !ret.empty? &&
-                      Contrast::Agent::Assess::Tracker.tracked?(source)
-
-                  return
-                end
+                return unless ret && !ret.empty? && Contrast::Agent::Assess::Tracker.tracked?(source)
 
                 return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
-                properties.build_event(
-                    patcher,
-                    ret,
-                    source,
-                    ret,
-                    args)
+                properties.build_event(patcher, ret, source, ret, args)
 
                 range = determine_select_range(source, args)
                 return unless range

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -2,7 +2,9 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/preshift'
-require 'contrast/components/interface'
+require 'contrast/components/agent'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 require 'contrast/utils/thread_tracker'
 
 module Contrast
@@ -13,9 +15,9 @@ module Contrast
           # This class is specifically for String#split & String#grapheme_clusters propagation
           # it propagates tag ranges from a string to elements within an untracked array
           class Split < Contrast::Agent::Assess::Policy::Propagator::Base
-            include Contrast::Components::Interface
-
-            access_component :agent, :logging, :scope
+            extend Contrast::Components::Scope::InstanceMethods
+            extend Contrast::Components::Logger::InstanceMethods
+            #cs__const_set('AGENT', Contrast::AGENT)
 
             SPLIT_TRACKER = Contrast::Utils::ThreadTracker.new
 
@@ -29,11 +31,10 @@ module Contrast
               #   patched method.
               # @param target [Array, String] the target to which to propagate.
               # @return [nil] so as not to risk changing the result of the propagation.
-
               def propagate propagation_node, preshift, target
-                logger.trace('Propagation detected',
-                             node_id: propagation_node.id,
-                             target_id: target.__id__)
+                return unless target.is_a?(Array) # apply_post_patch is called, but split with block returns a string.
+
+                logger.trace('Propagation detected', node_id: propagation_node.id, target_id: target.__id__)
 
                 source = find_source(propagation_node.sources[0], preshift)
                 return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
@@ -110,7 +111,7 @@ module Contrast
               # Load patch.
               def instrument_string_split
                 @_instrument_string_split ||= begin
-                  require 'cs__assess_yield_track/cs__assess_yield_track' if AGENT.patch_yield? && Funchook.available?
+                  require 'cs__assess_yield_track/cs__assess_yield_track' if ::Contrast::AGENT.patch_yield? && Funchook.available?
                   true
                 rescue StandardError => e
                   logger.error('Error loading split rb_yield patch', e)
@@ -162,10 +163,8 @@ module Contrast
               #
               # @return [Contrast::Agent::Assess::Policy::PropagationNode] String#split node
               def split_node
-                @_split_node ||= begin
-                  Contrast::Agent::Assess::Policy::Policy.instance.propagators.find do |node|
-                    node.class_name == 'String' && node.method_name == :split && node.instance_method?
-                  end
+                @_split_node ||= Contrast::Agent::Assess::Policy::Policy.instance.propagators.find do |node|
+                  node.class_name == 'String' && node.method_name == :split && node.instance_method?
                 end
               end
             end

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/utils/duck_utils'
 
 module Contrast
@@ -15,8 +15,7 @@ module Contrast
           # in a 'get it work' state. hopefully, we'll be in
           # a 'get it right' state soon.
           class Substitution
-            include Contrast::Components::Interface
-            access_component :logging
+            include Contrast::Components::Logger::InstanceMethods
 
             CAPTURE_GROUP_REGEXP = /\\[[:digit:]]/.cs__freeze
             CAPTURE_NAME_REGEXP = /\\k<[[:alpha:]]/.cs__freeze
@@ -186,13 +185,7 @@ module Contrast
 
                 properties = Contrast::Agent::Assess::Tracker.properties(ret)
                 args = preshift.args
-                properties.build_event(
-                    patcher,
-                    ret,
-                    preshift.object,
-                    ret,
-                    args,
-                    2)
+                properties.build_event(patcher, ret, preshift.object, ret, args, 2)
                 properties.event.instance_variable_set(:@_parent_events, parent_events)
               end
             end