contrast-agent 4.6.0 → 4.9.1

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -12,7 +12,6 @@ module Contrast
           # right' state soon.
           module Trim
             class << self
-
               # @param policy_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
               #   propagation event.
               # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
@@ -26,13 +25,7 @@ module Contrast
                 properties.copy_from(preshift.object, ret)
                 handle_tr(policy_node, preshift, ret, properties)
 
-                properties.build_event(
-                    policy_node,
-                    ret,
-                    preshift.object,
-                    ret,
-                    preshift.args,
-                    1)
+                properties.build_event(policy_node, ret, preshift.object, ret, preshift.args, 1)
                 ret
               end
 
@@ -43,12 +36,7 @@ module Contrast
                 source = preshift.object
                 args = preshift.args
                 properties.splat_from(source, ret)
-                properties.build_event(
-                    patcher,
-                    ret,
-                    source,
-                    ret,
-                    args)
+                properties.build_event(patcher, ret, source, ret, args)
                 ret
               end
 
@@ -72,7 +60,7 @@ module Contrast
                 end
 
                 # Otherwise, we need to target each insertion point. Based on the spec for #tr & #tr_s, the find is
-                # treated as a regex range, excepting the `\` character, which we'll need to escape. This converts to
+                # treated as a regexp range, excepting the `\` character, which we'll need to escape. This converts to
                 # that form, wrapping the input in `[]`.
                 find_string = preshift.args[0]
                 find_string += '\\' if find_string.end_with?('\\')

data/lib/contrast/agent/assess/policy/rewriter_patch.rb

@@ -1,10 +1,12 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+
 require 'contrast/agent/patching/policy/patch_status'
 require 'contrast/agent/module_data'
 require 'contrast/agent/rewriter'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 
 module Contrast
@@ -18,8 +20,8 @@ module Contrast
         # @deprecated Changes to this class are discouraged as this approach is
         #   being phased out with support for those language versions.
         module RewriterPatch
-          include Contrast::Components::Interface
-          access_component :agent, :analysis, :logging
+          extend Contrast::Components::Logger::InstanceMethods
+
 
           class << self
             def rewrite_interpolations
@@ -41,7 +43,9 @@ module Contrast
               module_name = mod.cs__name
               return unless module_name
 
-              if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START, Contrast::Utils::ObjectShare::ANONYMOUS_CLASS_MARKER)
+              if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START,
+                                         Contrast::Utils::ObjectShare::ANONYMOUS_CLASS_MARKER)
+
                 status.no_rewrite!
                 return
 
@@ -64,21 +68,20 @@ module Contrast
             # To get around this, we have those methods tell us the class
             # isn't ready
             def mid_defining? mod
-              mod.instance_variable_defined?(:@cs__defining_class) &&
-                  mod.instance_variable_get(:@cs__defining_class)
+              mod.instance_variable_defined?(:@cs__defining_class) && mod.instance_variable_get(:@cs__defining_class)
             end
 
             def agent_should_rewrite?
-              return false unless ASSESS.enabled?
-              return false unless AGENT.rewrite_interpolation?
-              return false unless AGENT.interpolation_enabled?
+              return false unless ::Contrast::ASSESS.enabled?
+              return false unless ::Contrast::AGENT.rewrite_interpolation?
+              return false unless ::Contrast::AGENT.interpolation_enabled?
 
               true
             end
 
             def should_rewrite? mod
               return false unless agent_should_rewrite?
-              return false if AGENT.skip_instrumentation? mod.cs__name
+              return false if ::Contrast::AGENT.skip_instrumentation? mod.cs__name
               return false if mod.cs__frozen?
               return false if mod.singleton_class?
               return false if mid_defining?(mod)

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -3,7 +3,7 @@
 
 require 'set'
 require 'contrast/agent/assess/policy/source_validation/source_validation'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
 
@@ -15,8 +15,8 @@ module Contrast
         # actions we should take in order to mark data as User Input and treat it as untrusted, starting the dataflows
         # used in Assess vulnerability detection.
         module SourceMethod
-          include Contrast::Components::Interface
-          access_component :analysis, :logging
+          extend Contrast::Components::Logger::InstanceMethods
+
 
           PARAMETER_TYPE     = 'PARAMETER'
           PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
@@ -42,7 +42,7 @@ module Contrast
               target = determine_target(source_node, object, ret, args)
               restore_frozen_state = false
               if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
-                return unless ASSESS.track_frozen_sources?
+                return unless ::Contrast::ASSESS.track_frozen_sources?
                 return unless source_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
 
                 dup = safe_dup(ret)
@@ -56,7 +56,8 @@ module Contrast
                 # double check that we were able to finalize the replaced return
                 return unless Contrast::Agent::Assess::Tracker.trackable?(target)
               end
-              apply_source(Contrast::Agent::REQUEST_TRACKER.current, source_node, target, object, ret, source_node.type, nil, *args)
+              apply_source(Contrast::Agent::REQUEST_TRACKER.current, source_node, target, object, ret,
+                           source_node.type, nil, *args)
               restore_frozen_state ? ret : nil
             end
 
@@ -88,7 +89,9 @@ module Contrast
                 # While we don't taint arrays themselves, we may taint the things they hold. Let's pass their keys and
                 # values back to ourselves and try again
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
-                target.each { |value| apply_source(context, source_node, value, object, ret, source_type, source_name, *args) }
+                target.each do |value|
+                  apply_source(context, source_node, value, object, ret, source_type, source_name, *args)
+                end
               end
             rescue StandardError => e
               logger.warn('Unable to apply source', e, node_id: source_node.id)
@@ -128,7 +131,7 @@ module Contrast
             # @param hash [Hash] the hash to which the key belongs.
             # @return [Boolean] whether replace the key in the hash or not.
             def replace_hash_key? key, hash
-              ASSESS.track_frozen_sources? &&
+              ::Contrast::ASSESS.track_frozen_sources? &&
                   !hash.cs__frozen? &&
                   key.is_a?(String) &&
                   !Contrast::Agent::Assess::Tracker.trackable?(key)
@@ -169,10 +172,7 @@ module Contrast
                 length = Contrast::Utils::StringUtils.ret_length(target)
                 properties.add_tag(tag, 0...length)
                 properties.add_properties(source_node.properties)
-                logger.trace('Source detected',
-                             node_id: source_node.id,
-                             target_id: target.__id__,
-                             tag: tag)
+                logger.trace('Source detected', node_id: source_node.id, target_id: target.__id__, tag: tag)
               end
               # make a representation of this method that TeamServer can render
               properties.build_event(source_node, target, object, ret, args, source_type, source_name)
@@ -215,7 +215,7 @@ module Contrast
             # @return [boolean] if the invocation of this method should be analyzed
             def analyze? method_policy, object, ret, args
               return false unless method_policy&.source_node
-              return false unless ASSESS.enabled?
+              return false unless ::Contrast::ASSESS.enabled?
               return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
 
               !safe_invocation?(method_policy.source_node, object, ret, args)

data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb

@@ -11,9 +11,7 @@ module Contrast
         # certain tags in a given context. This provides a single place from
         # which those validations can be called.
         module SourceValidation
-          VALIDATORS = [
-            Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator
-          ].cs__freeze
+          VALIDATORS = [Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator].cs__freeze
 
           # Determines if the conditions in which this source was called are
           # valid and should result in the application of a tag

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -44,7 +44,11 @@ module Contrast
                 end
 
                 if Contrast::Agent::Assess::Tracker.tracked?(ret)
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, ret, erb_template_prerender, ret, interpolated_inputs)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node,
+                                                                               ret,
+                                                                               erb_template_prerender,
+                                                                               ret,
+                                                                               interpolated_inputs)
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
 
 module Contrast
   module Agent
@@ -16,8 +15,6 @@ module Contrast
           # these objects to see if we were tracking on any of them and report
           # a finding if so.
           class Xpath
-            include Contrast::Components::Interface
-
             class << self
               def xpath_expression_trigger trigger_node, _source, object, ret, *args
                 return ret unless args

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -3,7 +3,7 @@
 
 require 'contrast/agent/assess/events/event_factory'
 require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
 
@@ -17,8 +17,7 @@ module Contrast
         # order to determine if the call was done safely. In those cases where
         # it was not, a Finding report is issued to the Service
         module TriggerMethod
-          include Contrast::Components::Interface
-          access_component :analysis, :logging
+          extend Contrast::Components::Logger::InstanceMethods
 
           # The level of TeamServer compliance our traces meet when in the
           # abnormal condition of being dataflow rules without routes
@@ -42,18 +41,10 @@ module Contrast
               if trigger_node.sources&.any?
                 trigger_node.sources.each do |marker|
                   source = determine_source(marker, object, ret, args)
-                  apply_trigger(trigger_node,
-                                source,
-                                object,
-                                ret,
-                                *args)
+                  apply_trigger(trigger_node, source, object, ret, *args)
                 end
               else
-                apply_trigger(trigger_node,
-                              nil,
-                              object,
-                              ret,
-                              *args)
+                apply_trigger(trigger_node, nil, object, ret, *args)
               end
             end
 
@@ -87,10 +78,8 @@ module Contrast
               append_route(finding, request)
               append_hash(finding, source, request)
               finding.version = determine_compliance_version(finding)
-              logger.trace('Finding created',
-                           node_id: trigger_node.id,
-                           source_id: source.__id__,
-                           rule: trigger_node.rule_id)
+              logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
+                                              rule: trigger_node.rule_id)
               report_finding(finding, request)
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
@@ -285,7 +274,8 @@ module Contrast
 
             def append_events finding, trigger_node, source, object, ret, args
               append_from_source(finding, source)
-              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
+              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret,
+                                                                                    args).to_dtm_event
             end
 
             def append_from_source finding, source

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -68,7 +68,7 @@ module Contrast
           end
 
           def rule_disabled?
-            ASSESS.rule_disabled?(rule_id)
+            ::Contrast::ASSESS.rule_disabled?(rule_id)
           end
 
           # Indicate if this is a dataflow based trigger, meaning it has a proper
@@ -104,7 +104,8 @@ module Contrast
 
             properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties, required_tags)
+            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties,
+                                                     required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

@@ -35,9 +35,10 @@ module Contrast
               # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/redos.md
               def regexp_vulnerable? regexp
                 # A pattern is considered vulnerable if it has 2 or more levels of nested multi-matching.
-                # A level is defined as any set of opening and closing control characters immediately followed by a multi match control character.
-                # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS,
-                # or MULTI_MATCH_CHARS that is not immediately preceded by an escaping \ character.
+                # A level is defined as any set of opening and closing control characters immediately followed by a
+                #   multi match control character.
+                # A control character is defined as one of the OPENING_CHARS, CLOSING_CHARS, or MULTI_MATCH_CHARS that
+                #   is not immediately preceded by an escaping \ character.
                 # OPENING_CHARS are ( and [ CLOSING_CHARS are ) and ] MULTI_MATCH_CHARS are +, *, and ?
 
                 # Nota bene about Regexp#to_s:  it doesn't necessarily give you the original Regexp back

data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb

@@ -10,8 +10,7 @@ module Contrast
           # before serializing that finding as a DTM to report to the service.
           module SSRFValidator
             RULE_NAME = 'ssrf'
-            URL_PATTERN =
-              %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze
+            URL_PATTERN = %r{(?<protocol>http|https|ftp|sftp|telnet|gopher|rtsp|rtsps|ssh|svn)://(?<host>[^/?]+)(?<path>/?[^?]*)(?<query_string>\?.*)?}i.cs__freeze # rubocop:disable Layout/LineLength
             # The Net::HTTP class validates host format on instantiation. Since
             # our triggers for that class are on the instance, they already
             # have this validation done for them. We do not need to apply the

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb

@@ -11,14 +11,7 @@ module Contrast
           # the service.
           module XSSValidator
             RULE_NAME = 'reflected-xss'
-            SAFE_CONTENT_TYPES = %w[
-              /csv
-              /javascript
-              /json
-              /pdf
-              /x-javascript
-              /x-json
-            ].cs__freeze
+            SAFE_CONTENT_TYPES = %w[/csv /javascript /json /pdf /x-javascript /x-json].cs__freeze
 
             # A finding is valid for XSS if the response type is not one of
             # those assumed to be safe

data/lib/contrast/agent/assess/property/evented.rb

@@ -14,7 +14,7 @@ module Contrast
         # @attr_reader event [Contrast::Agent::Assess::ContrastEvent] the
         #   latest event to track
         module Evented
-          attr_accessor :event
+          attr_reader :event
 
           # Create a new event and add it to the event set.
           #
@@ -31,7 +31,8 @@ module Contrast
           #   the key used to accessed if from a map or nil if a type like
           #   BODY
           def build_event policy_node, tagged, object, ret, args, source_type = nil, source_name = nil
-            @event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args, source_type, source_name)
+            @event = Contrast::Agent::Assess::Events::EventFactory.build(policy_node, tagged, object, ret, args,
+                                                                         source_type, source_name)
             report_sources(tagged, event)
           end
 
@@ -46,10 +47,12 @@ module Contrast
             return unless tagged && !tagged.to_s.empty?
             return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
             return unless event.source_type
+            return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
+
+            if current_request.observed_route.sources.any? do |source|
+                 source.type == event.forced_source_type && source.name == event.forced_source_name
+               end
 
-            current_request = Contrast::Agent::REQUEST_TRACKER.current
-            return unless current_request
-            if current_request.observed_route.sources.any? { |source| source.type == event.forced_source_type && source.name == event.forced_source_name }
               return
             end
 

data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb

@@ -55,9 +55,12 @@ module Contrast
               value_node.children.each do |child|
                 next unless child
 
-                return false unless child.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
-                    child.type == :LIT &&
-                    child.children[0]&.cs__is_a?(Integer)
+                unless child.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                      child.type == :LIT &&
+                      child.children[0]&.cs__is_a?(Integer)
+
+                  return false
+                end
               end
 
               true
@@ -84,8 +87,11 @@ module Contrast
               return false unless children.length >= 2
 
               potential_string_node = children[0]
-              return false unless potential_string_node.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
-                  potential_string_node.type == :STR
+              unless potential_string_node.cs__is_a?(RubyVM::AbstractSyntaxTree::Node) &&
+                    potential_string_node.type == :STR
+
+                return false
+              end
 
               children[1] == :bytes
             end

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb

@@ -29,7 +29,10 @@ module Contrast
             # These are markers whose presence indicates that a field is more
             # likely to be a descriptor or requirement than an actual password.
             # We should ignore fields that contain them.
-            NON_PASSWORD_PARTIAL_NAMES = %w[DATE FORGOT FORM ENCODE PATTERN PREFIX PROP SUFFIX URL BASE FILE URI].cs__freeze
+            NON_PASSWORD_PARTIAL_NAMES = %w[
+              DATE FORGOT FORM ENCODE PATTERN PREFIX PROP SUFFIX URL BASE FILE
+              URI
+            ].cs__freeze
 
             # If the constant looks like a password and it doesn't look like a
             # password descriptor, it passes for this rule

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/trigger_method'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/extension/module'
 
 module Contrast
@@ -18,18 +18,15 @@ module Contrast
           #    given value set
           # 3) redacted_marker : the value to plug in for the obfuscated value
           module HardcodedValueRule
-            include Contrast::Components::Interface
-            access_component :analysis, :app_context, :logging
+            include Contrast::Components::Logger::InstanceMethods
+
 
             def disabled?
-              !ASSESS.enabled? || ASSESS.rule_disabled?(rule_id)
+              !::Contrast::ASSESS.enabled? || ::Contrast::ASSESS.rule_disabled?(rule_id)
             end
 
             # TODO: RUBY-1014 - remove `#analyze`
-            COMMON_CONSTANTS = %i[
-              CONTRAST_ASSESS_POLICY_STATUS
-              VERSION
-            ].cs__freeze
+            COMMON_CONSTANTS = %i[CONTRAST_ASSESS_POLICY_STATUS VERSION].cs__freeze
             def analyze clazz
               return if disabled?
 
@@ -171,7 +168,8 @@ module Contrast
 
               finding.properties[SOURCE_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(class_name)
               finding.properties[CONSTANT_NAME_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(constant_string)
-              finding.properties[CODE_SOURCE_KEY] = Contrast::Utils::StringUtils.protobuf_safe_string(constant_string + redacted_marker)
+              finding.properties[CODE_SOURCE_KEY] =
+                Contrast::Utils::StringUtils.protobuf_safe_string(constant_string + redacted_marker)
 
               hash = Contrast::Utils::HashDigest.generate_class_scanning_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.protobuf_safe_string(hash)