contrast-agent 4.7.0 → 4.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8b3d1ce6b9794d3923d2054d9a20bd31989fd0c6b4df2883f81ad3e740c04de5
-  data.tar.gz: 894505c04e850858f83e2207c52cc944f738ce19183051d9530cfdaf09f72ab7
+  metadata.gz: ab65fd574ef84fbe339e4f4d4bf340623235a442ecc11d7ba28c6af3c6f04d4d
+  data.tar.gz: 0fa9cc44fe85713ee924101139e615d361de6d906c8f5ff4fdd345a930eee9d2
 SHA512:
-  metadata.gz: 4df81e8b3d03efcdc952e9fce5330b34c6af6a965701ec7bbe02cf3dbd5b8a3c98d8d0745da91d7b0a43be6b03ac763ffb6e9eafb9f2b857bd2a76d325d10ad2
-  data.tar.gz: 0015e74007146cf741e6b7f6274460a948a147df54109de959856f0ff883262260685f74eff8767e6ae845847eaf3d8a17dfbd54061d5b9f561952a8c6b90fef
+  metadata.gz: cb21ebcad0e772649d16a25d2f00cc057ee10df71638b7bd7cc6a4710a1ded28ce4dca749fa040ba2fb78e992727f4cc5d5f38e1187c363a8ea33a12333fc289
+  data.tar.gz: c3ad4c82a9e25ecb58c0ea906f1170cffdd6811952f9c1d71a6c75166358a37e0ebba40e55e9a7433156a51122b9ca1450bb5a4a2a87f9081a4a4268d9abfdb4

data/.gitignore

@@ -1,8 +1,8 @@
 /.bundle/
 /.yardoc
 /_yardoc/
-/Gemfile.lock
 /coverage/
+/Gemfile.lock
 /data/*
 /doc/
 /log/
@@ -18,6 +18,11 @@
 /ext/**/*.so
 /ext/**/*.bundle
 
+bin
+ruby-spec
+mspec
+service_executables
+
 # Funchook artifacts
 /ext/**/funchook.h
 /ext/**/libfunchook.dylib

data/.rspec

@@ -3,4 +3,3 @@
 --format documentation
 --format RspecJunitFormatter
 --out ./test-results/results.xml
---color

data/.rspec_parallel

@@ -0,0 +1,6 @@
+--require spec_helper
+--order rand
+--format progress
+--format RspecJunitFormatter
+--out ./test-results/results.xml
+--format ParallelTests::RSpec::FailuresLogger --out tmp/failing_specs.log

data/.simplecov

@@ -4,4 +4,5 @@
 SimpleCov.minimum_coverage line: 94.75
 SimpleCov.start do
   add_filter '/spec/'
+  enable_coverage :branch
 end

data/ext/cs__contrast_patch/cs__contrast_patch.c

@@ -437,7 +437,6 @@ void Init_cs__contrast_patch(void) {
     rb_sym_contrast_apply_pre_patch = rb_intern("apply_pre_patch");
     rb_sym_cs_to_s = rb_intern("to_s");
     rb_sym_custom_patch = rb_intern("requires_custom_patch?");
-    rb_sym_in_request_context = rb_intern("in_request_context?");
     rb_sym_info_for = rb_intern("info_for");
     rb_sym_propagation_node = rb_intern("propagation_node");
     rb_sym_set_info_for = rb_intern("set_info_for");

data/ext/cs__contrast_patch/cs__contrast_patch.h

@@ -16,8 +16,6 @@ static VALUE rb_sym_contrast_apply_pre_patch;
 static VALUE rb_sym_custom_patch;
 static VALUE rb_sym_cs_to_s;
 
-static VALUE rb_sym_in_request_context;
-
 static VALUE rb_sym_enter_method_scope;
 static VALUE rb_sym_exit_method_scope;
 

data/lib/contrast/agent/assess/contrast_event.rb

@@ -8,7 +8,6 @@ require 'contrast/utils/object_share'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/timer'
-require 'contrast/components/interface'
 require 'contrast/agent/assess/contrast_object'
 
 module Contrast
@@ -29,9 +28,6 @@ module Contrast
       # @attr_reader args [Array<Contrast::Agent::Assess::ContrastObject>] the safe representation of the Arguments
       #   with which the method was invoked
       class ContrastEvent
-        include Contrast::Components::Interface
-        access_component :analysis
-
         attr_reader :event_id, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args, :tags
 
         # We need this to track the parent id's of events to build up a flow chart of the finding
@@ -164,7 +160,7 @@ module Contrast
         def capture_stacktrace!
           # If we're configured to not capture the stacktrace, usually for performance reasons, then don't and return an
           # empty array instead
-          unless ASSESS.capture_stacktrace?(policy_node)
+          unless ::Contrast::ASSESS.capture_stacktrace?(policy_node)
             @stack_trace = Contrast::Utils::ObjectShare::EMPTY_ARRAY
             return
           end

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -10,13 +10,10 @@ module Contrast
         # An extension of Hash that doesn't impact GC of the object being stored by storing its ID as a Key to lookup
         # and registering a finalizer on the object to remove its entry from the Hash immediately after it's GC'd.
         class Hash < Hash
-          include Contrast::Components::Interface
-          access_component :agent, :analysis
-
           FROZEN_FINALIZED_IDS = Set.new
 
           def []= key, obj
-            return unless AGENT.enabled? && ASSESS.enabled?
+            return unless ::Contrast::AGENT.enabled? && ::Contrast::ASSESS.enabled?
 
             # We can't finalize frozen things, so only act on those that went through .pre_freeze
             if key.cs__frozen?
@@ -79,7 +76,7 @@ module Contrast
           #
           # @param key [Object] the Object on which we need to pre-define finalizers
           def pre_freeze key
-            return unless AGENT.enabled? && ASSESS.enabled?
+            return unless ::Contrast::AGENT.enabled? && ::Contrast::ASSESS.enabled?
             return if key.cs__frozen?
             return if FROZEN_FINALIZED_IDS.include?(key.__id__)
 

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -5,7 +5,8 @@ require 'contrast/agent/assess/policy/policy'
 require 'contrast/agent/patching/policy/patcher'
 require 'contrast/agent/patching/policy/method_policy'
 require 'contrast/agent/patching/policy/module_policy'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
@@ -16,8 +17,8 @@ module Contrast
         # provides a map for which methods our renamed functions need to call
         # and how.
         module Patcher
-          include Contrast::Components::Interface
-          access_component :logging, :analysis, :agent, :scope
+          extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Components::Scope::InstanceMethods
 
           class << self
             def policy
@@ -34,7 +35,7 @@ module Contrast
             # called. This hook is provided so that patches to those methods can
             # pass us execution flow once a new method has been made available.
             def patch_assess_on_eval mod
-              return unless ASSESS.enabled?
+              return unless ::Contrast::ASSESS.enabled?
               return if in_contrast_scope?
 
               patcher.patch_specific_module(mod)

data/lib/contrast/agent/assess/policy/policy.rb

@@ -26,7 +26,7 @@ module Contrast
           # Indicates is this feature has been disabled by the configuration,
           # read at startup, and therefore can never be enabled.
           def disabled_globally?
-            ASSESS.forcibly_disabled?
+            ::Contrast::ASSESS.forcibly_disabled?
           end
 
           def node_type

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
 require 'contrast/utils/object_share'
 
 module Contrast
@@ -13,9 +12,6 @@ module Contrast
         # of a file vs data flow, such as the detection of Hardcoded Passwords
         # or Keys.
         module PolicyScanner
-          include Contrast::Components::Interface
-          access_component :analysis
-
           class << self
             # Use the given trace_point, built from an :end event, to determine
             # where the loaded code lives and scan that code for policy
@@ -24,8 +20,8 @@ module Contrast
             # @param trace_point [TracePoint] the TracePoint generated by an
             #   :end event at the end of a Module definition.
             def scan trace_point
-              return unless ASSESS.enabled?
-              return unless ASSESS.require_scan?
+              return unless ::Contrast::ASSESS.enabled?
+              return unless ::Contrast::ASSESS.require_scan?
 
               provider_values = policy.providers.values
               return if provider_values.all?(&:disabled?)

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -9,8 +9,8 @@ module Contrast
       # In order to properly shift tags to account for the changes this method
       # caused, we'll need to store the state before the change occurred.
       class PreShift
-        include Contrast::Components::Interface
-        access_component :analysis, :logging
+        include Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Logger::InstanceMethods
 
         UNDUPLICABLE_MODULES = [
           Enumerator # dup'ing results in 'can't copy execution context'
@@ -37,7 +37,7 @@ module Contrast
           #   being called or nil if one is not required.
           def build_preshift propagation_node, object, args
             return unless propagation_node
-            return unless ASSESS.enabled?
+            return unless ::Contrast::ASSESS.enabled?
 
             initializing = propagation_node.method_name == :initialize
             return if unsafe_io_object?(object, initializing)
@@ -84,12 +84,15 @@ module Contrast
 
           def append_arg_details preshift, args
             preshift.args = args.dup
-            preshift.args.each_with_index do |preshift_arg, index|
-              original_arg = args[index]
-              next if preshift_arg.__id__ == original_arg.__id__
+            idx = 0
+            while idx < preshift.args.size
+              original_arg = args[idx]
+              p_arg = preshift.args[idx]
+              idx += 1
+              next if p_arg.__id__ == original_arg.__id__
               next unless Contrast::Agent::Assess::Tracker.tracked?(original_arg)
 
-              Contrast::Agent::Assess::Tracker.copy(original_arg, preshift_arg)
+              Contrast::Agent::Assess::Tracker.copy(original_arg, p_arg)
             end
             preshift.arg_lengths = preshift.args.map do |preshift_arg|
               Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -4,7 +4,7 @@
 require 'set'
 
 require 'contrast/agent/assess/policy/propagator'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
 
@@ -12,13 +12,10 @@ module Contrast
   module Agent
     module Assess
       module Policy
-        # This class is responsible for the continuation of traces. A
-        # Propagator is any method that transforms an untrusted value. In
-        # general, these methods work on the String class or a holder of
-        # Strings
+        # This class is responsible for the continuation of traces. A Propagator is any method that transforms an
+        # untrusted value. In general, these methods work on the String class or a holder of Strings.
         module PropagationMethod
-          include Contrast::Components::Interface
-          access_component :analysis, :logging
+          extend Contrast::Components::Logger::InstanceMethods
 
           APPEND_ACTION = 'APPEND'
           CENTER_ACTION = 'CENTER'
@@ -48,19 +45,16 @@ module Contrast
               end
             end
 
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   the policy that governs the patches to this method
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture
-            #   of the state of the code just prior to the invocation of the
-            #   patched method.
+            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that governs the
+            #   patches to this method
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             # @param block [Block] the Block passed to the original method
-            # @return [Object, nil] the tracked Return or nil if no changes
-            #   were made; will replace the return of the original function if
-            #   not nil
+            # @return [Object, nil] the tracked Return or nil if no changes were made; will replace the return of the
+            #   original function if not nil
             def apply_propagation method_policy, preshift, object, ret, args, block
               return unless method_policy.propagation_node
               return unless preshift
@@ -86,26 +80,21 @@ module Contrast
                 SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
             }.cs__freeze
 
-            # I lied above. We had to figure out what the target of the
-            # propagation was. Now that we know, we'll actually do things to
-            # it. Note that the return of this method will replace the original
-            # return of the patched function unless it is nil, so be sure
-            # you're returning what you intend.
+            # I lied above. We had to figure out what the target of the propagation was. Now that we know, we'll
+            # actually do things to it. Note that the return of this method will replace the original return of the
+            # patched function unless it is nil, so be sure you're returning what you intend.
             #
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
-            #   the node that governs this propagation event.
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture
-            #   of the state of the code just prior to the invocation of the
-            #   patched method.
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
             # @param target [Object] the Target to which to propagate.
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             # @param block [Block] the Block passed to the original method
-            # @return [Object, nil] the tracked Return or nil if no changes
-            #   were made; will replace the return of the original function if
-            #   not nil
+            # @return [Object, nil] the tracked Return or nil if no changes were made; will replace the return of the
+            #   original function if not nil
             def apply_propagator propagation_node, preshift, target, object, ret, args, block
               return unless propagation_possible?(propagation_node, target)
 
@@ -127,13 +116,16 @@ module Contrast
               nil
             end
 
-            # Custom actions tend to be the more complex of our propagations.
-            # Often, the method has to make decisions about the target based on
-            # the context with which the method was called. As such, defer
-            # determining if the target is valid to that method.
+            # Custom actions tend to be the more complex of our propagations. Often, the method has to make decisions
+            # about the target based on the context with which the method was called. As such, defer determining if the
+            # target is valid to that method.
+            #
+            # In all other cases, a target is valid for propagation if it is not nil
             #
-            # In all other cases, a target is valid for propagation if it is not
-            # nil
+            # @param target [Object] the thing to which to propagate
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @return [Boolean]
             def valid_target? target, propagation_node
               return true if propagation_node.action == CUSTOM_ACTION
 
@@ -141,8 +133,11 @@ module Contrast
             end
 
             ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
-            # If the action required needs a length and the target does not have
-            # one, the length is not valid
+            # If the action required needs a length and the target does not have one, the length is not valid
+            #
+            # @param target [Object] the thing to which to propagate
+            # @param action [String] the name of the action taken during this propagation
+            # @return [Boolean]
             def valid_length? target, action
               return true if ZERO_LENGTH_ACTIONS.include?(action)
 
@@ -153,9 +148,15 @@ module Contrast
               end
             end
 
-            # Before we do any work, we should check if we even need to.
-            # If the source of this patcher is not tracked, there's no need to do
-            # anything. A copy of nothing is still nothing.
+            # Before we do any work, we should check if we even need to. If the source and target of this patcher are
+            # not tracked, there's no need to do anything. A copy of nothing is still nothing.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the thing to which to propagate
+            # @return [Boolean]
             def can_propagate? propagation_node, preshift, target
               return false unless appropriate_target?(propagation_node, target)
               return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
@@ -165,22 +166,21 @@ module Contrast
                 case source
                 when Contrast::Utils::ObjectShare::OBJECT_KEY
                   return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
-                else # has to be P, there's no ret source type (yet? ever?)
+                else
+                  # has to be P, there's no ret source type (yet? ever?)
                   return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
                 end
               end
               false
             end
 
-            # We cannot propagate to frozen things that have not been updated
-            # to work with our property tracking, unless they're duplicable and
-            # the return.
-            # We probably shouldn't propagate to frozen things at all, as
-            # they're supposed to be immutable, but third parties do jenky
-            # things, so allow it as long as it is safe to do.
+            # We cannot propagate to frozen things that have not been updated to work with our property tracking,
+            # unless they're duplicable and the return. We probably shouldn't propagate to frozen things at all, as
+            # they're supposed to be immutable, but third parties do jenky things, so allow it as long as it is safe to
+            # do.
             #
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
-            #   the node that governs this propagation event.
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
             # @param target [Object] the Target to which to propagate.
             # @return [Boolean] if the target can be propagated to
             def appropriate_target? propagation_node, target
@@ -191,6 +191,9 @@ module Contrast
             end
 
             # If this patcher has tags, apply them to the entire target
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param target [Object] the Target to which to propagate.
             def apply_tags propagation_node, target
               return unless propagation_node.tags
               return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
@@ -202,6 +205,10 @@ module Contrast
             end
 
             # If this patcher has tags, remove them from the entire target
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param target [Object] the Target to which to propagate.
             def apply_untags propagation_node, target
               return unless propagation_node.untags
               return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
@@ -214,6 +221,10 @@ module Contrast
             private
 
             # This is checked right before actual propagation
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param target [Object] the Target to which to propagate.
+            # @return [Boolean]
             def propagation_possible? propagation_node, target
               return false unless propagation_node && valid_target?(target, propagation_node)
               return false unless valid_length?(target, propagation_node.action)
@@ -224,12 +235,24 @@ module Contrast
             # Safely duplicate the target, or return nil
             #
             # @param target [Object] the thing to check for duplication
+            # @return [Object, nil]
             def safe_dup target
               target.dup
             rescue StandardError => _e
               nil
             end
 
+            # Iterate over each key and value in a hash to allow for propagation to each.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the Target to which to propagate.
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @param block [Block] the Block passed to the original method
             def handle_hash_propagation propagation_node, preshift, target, object, ret, args, block
               target.each_pair do |key, value|
                 apply_propagator(propagation_node, preshift, key, object, ret, args, block)
@@ -237,6 +260,17 @@ module Contrast
               end
             end
 
+            # Iterate over each value in an enumerable to allow for propagation to each.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the Target to which to propagate.
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @param block [Block] the Block passed to the original method
             def handle_enumerable_propagation propagation_node, preshift, target, object, ret, args, block
               target.each do |value|
                 next if target == value
@@ -245,6 +279,17 @@ module Contrast
               end
             end
 
+            # Move the properties from the source(s) to the target of the propagation.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the Target to which to propagate.
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @param _block [Block] the Block passed to the original method
             def handle_cs_properties_propagation propagation_node, preshift, target, object, ret, args, _block
               return if propagation_node.action == NOOP_ACTION
               return unless can_propagate?(propagation_node, preshift, target)
@@ -266,12 +311,9 @@ module Contrast
               propagation_class.propagate(propagation_node, preshift, target)
               # Once we've propagated, attempt to tag the target if there is a tag(s) to be applied
               apply_tags(propagation_node, target)
-              # Even though we skipped propagating tags from the source if they
-              # were included in untags, the target may have already had some on
-              # it. Let's go ahead and remove them.
-              # In this order, untags takes precedent over tags; but we control
-              # both and there should never be a propagator that has a tag in
-              # its untag.
+              # Even though we skipped propagating tags from the source if they were included in untags, the target may
+              # have already had some on it. Let's go ahead and remove them. In this order, untags takes precedent over
+              # tags; but we control both and there should never be a propagator that has a tag in its untag.
               apply_untags(propagation_node, target)
               return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
@@ -302,7 +344,8 @@ module Contrast
             #   propagation event.
             # @return [Boolean]
             def can_handle_frozen? propagation_node
-              ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+              ::Contrast::ASSESS.track_frozen_sources? &&
+                  propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
             end
           end
         end