contrast-agent 4.7.0 → 4.10.0

data/lib/contrast/extension/assess/string.rb

@@ -2,7 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/propagation_node'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Extension
@@ -11,10 +12,9 @@ module Contrast
       # methods which are too complex to fit into one of the standard
       # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
       # String Class or exposing our methods there.
-      class StringPropagator
-        include Contrast::Components::Interface
-
-        access_component :agent, :analysis, :logging, :scope
+      class StringPropagator # rubocop:disable Style/StaticClass
+        extend Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Scope::InstanceMethods
 
         NODE_HASH = {
             'class_name' => 'String',
@@ -31,7 +31,7 @@ module Contrast
 
         class << self
           def track_interpolation inputs, result
-            return unless AGENT.interpolation_enabled?
+            return unless ::Contrast::AGENT.interpolation_enabled?
             return if in_contrast_scope?
             return unless inputs.any? { |input| Contrast::Agent::Assess::Tracker.tracked?(input) }
 
@@ -52,31 +52,6 @@ module Contrast
           rescue StandardError => e
             logger.error('Unable to track interpolation', e)
           end
-
-          def instrument_string
-            @_instrument_string ||= begin
-              require 'cs__assess_string/cs__assess_string'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading hash track patch', e)
-            false
-          end
-
-          def instrument_string_interpolation
-            if @_instrument_string_interpolation.nil?
-              @_instrument_string_interpolation = begin
-                if AGENT.patch_interpolation? && Funchook.available?
-                  require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26'
-                end
-                true
-              rescue StandardError, LoadError => e
-                logger.error('Error loading interpolation patch', e)
-                false
-              end
-            end
-            @_instrument_string_interpolation
-          end
         end
       end
     end

data/lib/contrast/extension/extension.rb

@@ -0,0 +1,61 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Extension
+    # Our top level Assess namespace in the Core Extension section of our
+    # code. These patches are those that are invoked directly from a patched
+    # Class.
+    #
+    module Assess
+      # This is the main instrument helper giving the method of requiring C patches
+      #
+      module InstrumentHelper
+        class << self
+          include Contrast::Components::Logger::InstanceMethods
+
+          # Unites the different require methods into one, using only
+          # the provided path for the C patches
+          # parameters
+          # @param path[String] Path to the required patch
+          #
+          def instrument path
+            var_name, extracted_name = gen_name(path)
+            return if instance_variable_get(var_name) == true
+
+            instance_variable_set(var_name, assign_value(path))
+          rescue StandardError, LoadError => e
+            logger.error("Error loading #{ extracted_name&.nil? ? '' : extracted_name } patch", e)
+            false
+          end
+
+          # Some of the requires have some extra conditions for them to require
+          # the C patches, so this method is helping us move the logic by making some
+          # conditions
+          def assign_value path
+            case path
+            when /fiber/
+              require path if Funchook.available?
+            when /interpolation26/
+              require path if ::Contrast::AGENT.patch_interpolation? && Funchook.available?
+            else
+              require path
+            end
+            true
+          end
+
+          # Generate the needed instance variable name and return the extracted name
+          def gen_name path
+            extracted_name = path.split(%r{[\s_/]})&.uniq&.delete_if do |s|
+              s.empty? || s == 'cs' || s == 'assess' || s == 'track'
+            end
+            extracted_name = (extracted_name&.length || 0) > 1 ? extracted_name&.join('_') : extracted_name&.pop
+            ["@_instrument_#{ extracted_name }_track", extracted_name]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/extension/kernel.rb

@@ -41,15 +41,13 @@ module Kernel # :nodoc:
 
   def catch *args, &block
     # Save current scope level
-    scope_level =
-      Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
+    scope_level = ::Contrast::SCOPE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
 
     # Run original catch with block.
     retval = cs__catch(*args, &block)
 
     # Restore scope.
-    Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_set(:@contrast_scope,
-                                                                                                scope_level)
+    ::Contrast::SCOPE.scope_for_current_ec.instance_variable_set(:@contrast_scope, scope_level)
 
     retval
   end

data/lib/contrast/extension/protect/kernel.rb

@@ -1,8 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
-
 module Contrast
   module Extension
     module Protect
@@ -10,9 +8,6 @@ module Contrast
       # allowing us to track activity as it crosses spawned processes.
       module Kernel
         class << self
-          include Contrast::Components::Interface
-          access_component :contrast_service
-
           def build_wrapper
             lambda {
               proc_start
@@ -27,16 +22,6 @@ module Contrast
 
             context.reset_activity
           end
-
-          def instrument
-            @_instrument ||= begin
-              require 'cs__protect_kernel/cs__protect_kernel'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading kernel protect patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/framework/grape/support.rb

@@ -0,0 +1,174 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/framework/base_support'
+require 'contrast/components/logger'
+
+module Contrast
+  module Framework
+    module Grape
+      # Used when Grape is present to define framework specific behaviour
+      class Support
+        extend Contrast::Framework::BaseSupport
+        class << self
+          include Contrast::Components::Logger::InstanceMethods
+          def detection_class
+            'Grape::API'
+          end
+
+          def version
+            ::Grape::VERSION
+          end
+
+          def application_name
+            app_class&.cs__name
+          end
+
+          def application_root
+            app_instance&.root
+          end
+
+          def server_type
+            'grape'
+          end
+
+          # Given an object, determine if it is a Grape controller.
+          # Which could include cases of ::Grape::API subclass or actual class
+          #
+          # @param app [Object] suspected Grape app.
+          # @return [Boolean]
+          def grape_controller? app
+            # Grape is loaded?
+            return false unless grape_defined?
+
+            # App is a subclass of or actually is ::Grape::API.
+            return false unless app.cs__respond_to?(:<=) && app <= ::Grape::API
+
+            true
+          end
+
+          # Find all classes that subclass ::Grape::API, Gather their routes
+          #
+          # @return [Array<Contrast::Api::Dtm::RouteCoverage>, Array]- founded routes as Dtms
+          def collect_routes
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless grape_defined?
+
+            # Each Grape controller has endpoints and each endpoints has routes
+            # and that's why we need to go through each one and create separate RouteCoverage object
+            routes = []
+            grape_controllers.each do |c|
+              c&.endpoints&.each do |endpoint|
+                endpoint&.routes&.map do |r|
+                  pattern = r.pattern.pattern
+                  temp = Contrast::Api::Dtm::RouteCoverage.from_grape_controller(c, r.request_method, pattern, r.path)
+                  routes << temp
+                end
+              end
+            end
+            routes
+          end
+
+          # Given the current request return a RouteCoverage dtm.
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @param controller [::Grape::API] optionally use this controller instead of global ::Grape::API.
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil] a Dtm describing the route
+          # matched to the request if a match was found.
+          def current_route request, controller = ::Grape::API, full_route = nil
+            return unless grape_controller?(controller)
+
+            method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
+
+            # Find final controller - actually we gotta match the route to the scanned application
+            # Initially Grape compiles all routes on startup, so we can use the url from the request
+            # and create the observed route
+            # Class < Grape::API, Grape::Router::Route
+            final_controller, route_pattern = _route_recurse(method, _cleaned_route(request), grape_controllers)
+            return unless final_controller
+
+            full_route ||= request.env[::Rack::PATH_INFO]
+
+            Contrast::Api::Dtm::RouteCoverage.from_grape_controller(final_controller, method, route_pattern, full_route)
+          end
+
+          # Search object space for grape controllers--any class that subclasses ::Grape::API.
+          #
+          # @return [Array<::Grape::API>] grape controllers
+          def grape_controllers
+            ObjectSpace.each_object(Class).select { |klass| klass < ::Grape::API }
+          end
+
+          # Grape Request inherits the same as the Sinatra, so we can easily call it as it's called in Sinatra
+          def retrieve_request env
+            ::Grape::Request.new(env)
+          end
+
+          private
+
+          # Determine if, at the time of our Framework Support determination, Grape has been defined.
+          #
+          # @return [Boolean]
+          def grape_defined?
+            @_grape_defined = !!(defined?(::Grape) && defined?(::Grape::API)) if @_grape_defined.nil?
+            @_grape_defined
+          end
+
+          # @param method [::Rack::REQUEST_METHOD] GET, POST, PUT, etc...
+          # @param route [String] the relative route passed from Rack.
+          # @param controllers [Array<::Grape::API>] All Grape controllers found
+          # @return [Array[::Grape::API]], nil] Either the controller that
+          # will handle the route along with the route pattern or nil if no match.
+          def _route_recurse method, route, controllers = grape_controllers
+            # return if there aren't any controllers
+            return unless controllers&.any?
+
+            # Here we can go through the all detected controllers
+            # and find the one that's routes include the current one
+            # Grape controller actually has endpoints and each endpoint
+            # has routes and that's why we need to do it that way
+            controller = controllers.pop
+            return _route_recurse method, route, controllers unless controller
+
+            contr_routes = controller.endpoints&.map(&:routes)&.flatten || []
+            route_pattern = contr_routes&.find do |r|
+              r.pattern.to_regexp.match(route) # ::Mustermann::Grape match
+            end
+            return controller, route_pattern unless route_pattern.nil?
+
+            _route_recurse method, route, controllers
+          end
+
+          # Get route and do some cleaning
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @return [String] the extracted and cleaned relative route.
+          def _cleaned_route request
+            route = request.env[::Rack::PATH_INFO]
+            return '/' if route.empty?
+
+            route.end_with?('/') ? route[0..-2] : route
+          end
+
+          def app_class
+            return unless grape_defined?
+
+            app_instance.cs__class
+          end
+
+          # Search the object space for the controller handling this request which will be
+          # the class inheriting from ::Grape::API with @app=nil
+          #
+          # @return [::Grape::API] the current controller as routed by Rack.
+          def app_instance
+            return unless grape_defined?
+
+            @_app_instance ||= begin
+              grape_layers = ObjectSpace.each_object(::Grape::API).to_a
+              grape_layers.find { |layer| layer.app.nil? }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/framework/manager.rb

@@ -1,26 +1,27 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/logger'
+require 'contrast/extension/module'
 require 'contrast/framework/platform_version'
 require 'contrast/framework/rack/support'
 require 'contrast/framework/rails/support'
+require 'contrast/framework/grape/support'
 require 'contrast/framework/sinatra/support'
-require 'contrast/components/interface'
 require 'contrast/utils/class_util'
 
 module Contrast
   module Framework
     # Allows access to framework specific information
     class Manager
-      include Contrast::Components::Interface
-      access_component :analysis, :logging
+      include Contrast::Components::Logger::InstanceMethods
 
       # Order here does matter as the first framework listed will be the first one we pull information from
       # Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
       # do not exist
       SUPPORTED_FRAMEWORKS = [
         Contrast::Framework::Rails::Support, Contrast::Framework::Sinatra::Support,
-        Contrast::Framework::Rack::Support
+        Contrast::Framework::Grape::Support, Contrast::Framework::Rack::Support
       ].cs__freeze
 
       def initialize
@@ -78,15 +79,24 @@ module Contrast
         found || ::Rack::Directory.new('').root
       end
 
-      # If we have 0 or n > 1 frameworks, we need to use the default rack request
+      # Build a request from the provided env, based on the framework(s) we're currently supporting.
       #
       # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values
       # of this particular Request
       # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
+        # If we're mounted on Rails, use Rails.
+        if @_frameworks.include?(Contrast::Framework::Rails::Support)
+          return Contrast::Framework::Rails::Support.retrieve_request(env)
+        end
+
+        # If we know the framework, use it.
         return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
 
+        # Fall back on a regular Rack::Request
         ::Rack::Request.new(env)
+      rescue StandardError => e
+        logger.warn('Unable to retrieve_request', e)
       end
 
       # @param env [Hash] the various variables stored by this and other Middlewares to know the state
@@ -110,6 +120,34 @@ module Contrast
         @_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.reject(&:nil?).first
       end
 
+      # Sometimes the framework we want to instrument is loaded after our agent code. To catch that case, we'll detect
+      # if the loaded_module is the marker class for any of our supported frameworks. If it is, and we don't already
+      # have support enabled, we'll enable it now. We'll also need to catch up on any other startup actions that we've
+      # missed. Most likely, this is only necessary for those applications which have applications mounted on them.
+      #
+      # @param mod [Module] the module or class that was just loaded
+      def register_late_framework mod
+        return unless mod
+
+        module_name = mod.cs__name
+        # Otherwise, check if the provided module_name requires us to register a new support
+        SUPPORTED_FRAMEWORKS.each do |framework|
+          next if @_frameworks.include?(framework)
+          next unless module_name == framework.detection_class
+
+          @_frameworks << framework
+          # Report the registered routes of that framework now that we know we need to find them
+          app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.build
+          Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg)
+          logger.info('Framework detected after initialization. Enabling support.',
+                      framework: framework.detection_class,
+                      frameworks: @_frameworks)
+          break
+        end
+      rescue StandardError => e
+        logger.warn('Unable to register a late framework', e, module: mod.cs__name)
+      end
+
       private
 
       def enable_framework_support? klass
@@ -125,10 +163,7 @@ module Contrast
       # @param method_name [Symbol] the method to call on each FrameworkSupport class
       # @return [Array]
       def data_for_all_frameworks method_name
-        data = @_frameworks.flat_map do |framework|
-          framework.send(method_name)
-        end
-        data.compact
+        @_frameworks.flat_map { |framework| framework.send(method_name) }.compact
       end
 
       # This returns a single object from the first framework to successfully respond