contrast-agent 4.7.0 → 4.10.0

data/lib/contrast/agent/patching/policy/after_load_patch.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/scope'
 require 'contrast/extension/module'
 require 'contrast/utils/class_util'
 
@@ -11,8 +11,8 @@ module Contrast
       module Policy
         # Used to handle tracking patches that need to apply special instrumentation when a module is loaded
         class AfterLoadPatch
-          include Contrast::Components::Interface
-          access_component :scope
+          include Contrast::Components::Scope::InstanceMethods
+
           attr_reader :applied, :module_name, :instrumentation_file_path, :method_to_instrument, :instrumenting_module
 
           def initialize module_name, instrumentation_file_path, method_to_instrument: nil, instrumenting_module: nil
@@ -59,7 +59,10 @@ module Contrast
           end
 
           def instrument!
+            return if instrumenting_module == :'Contrast::Framework::Rails::Rewrite' && RAILS_VER >= '2.6.0'
+
             require instrumentation_file_path
+
             if instrumenting_module
               mod = Module.cs__const_get(instrumenting_module)
               with_contrast_scope { mod.instrument } if mod

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -2,8 +2,9 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/patching/policy/after_load_patch'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/framework/manager'
+require 'contrast/extension/extension'
 
 module Contrast
   module Agent
@@ -12,8 +13,7 @@ module Contrast
         # Some modules diverge from our generic instrumentation and require custom instrumentation
         # after they've been loaded
         module AfterLoadPatcher
-          include Contrast::Components::Interface
-          access_component :agent, :logging
+          include Contrast::Components::Logger::InstanceMethods
 
           # After initialization run a catchup check to instrument any already loaded modules we care about
           def catchup_after_load_patches
@@ -30,18 +30,23 @@ module Contrast
           # extensions.
           def apply_direct_patches!
             @_apply_direct_patches ||= begin
-              Contrast::Extension::Assess::ArrayPropagator.instrument_array_track
-              Contrast::Extension::Assess::EvalTrigger.instrument_basic_object_track
-              Contrast::Extension::Assess::EvalTrigger.instrument_module_track
-              Contrast::Extension::Assess::FiberPropagator.instrument_fiber_track
-              Contrast::Extension::Assess::HashPropagator.instrument_hash_track
-              Contrast::Extension::Assess::KernelPropagator.instrument_kernel_track
-              Contrast::Extension::Assess::MarshalPropagator.instrument_marshal_load
-              Contrast::Extension::Assess::RegexpPropagator.instrument_regexp_track
-              Contrast::Extension::Assess::StringPropagator.instrument_string
-              Contrast::Extension::Assess::StringPropagator.instrument_string_interpolation
-
-              Contrast::Extension::Protect::Kernel.instrument
+              paths = %w[
+                array
+                basic_object
+                module
+                fiber_track
+                hash
+                kernel
+                marshal_module
+                regexp
+                string
+                string_interpolation26
+              ].cs__freeze
+              paths.each do |p|
+                path_part = "cs__assess_#{ p }"
+                Contrast::Extension::Assess::InstrumentHelper.instrument "#{ path_part }/#{ path_part }"
+              end
+              Contrast::Extension::Assess::InstrumentHelper.instrument 'cs__protect_kernel/cs__protect_kernel'
               true
             end
           end
@@ -49,7 +54,7 @@ module Contrast
           def apply_load_patches!
             after_load_patches.each do |after_load_patch|
               next unless after_load_patch.target_defined?
-              next if AGENT.skip_instrumentation?(after_load_patch.module_name)
+              next if ::Contrast::AGENT.skip_instrumentation?(after_load_patch.module_name)
 
               logger.trace('Catching up on already loaded afterload patch - applying instrumentation',
                            module: after_load_patch.module_name)

data/lib/contrast/agent/patching/policy/module_policy.rb

@@ -12,11 +12,9 @@ module Contrast
         # rather than new.
         class ModulePolicy
           class << self
-            # Given the name of a module, create a :ModulePolicy for it using
-            # the Policy of each supported feature
+            # Given the name of a module, create a :ModulePolicy for it using the Policy of each supported feature.
             #
-            # @param module_name [String] the name of the module to which the
-            #   policy applies
+            # @param module_name [String] the name of the module to which the policy applies.
             # @return [Contrast::Agent::Patching::Policy::ModulePolicy]
             def create_module_policy module_name
               module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.new

data/lib/contrast/agent/patching/policy/patch.rb

@@ -2,7 +2,8 @@
 # frozen_string_literal: true
 
 require 'monitor'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 require 'contrast/agent'
 require 'contrast/logger/log'
@@ -35,9 +36,8 @@ module Contrast
             include Contrast::Agent::Assess::Policy::SourceMethod
             include Contrast::Agent::Assess::Policy::PropagationMethod
             include Contrast::Agent::Assess::Policy::TriggerMethod
-
-            include Contrast::Components::Interface
-            access_component :agent, :analysis, :logging, :scope
+            include Contrast::Components::Logger::InstanceMethods
+            include Contrast::Components::Scope::InstanceMethods
 
             POLICIES = [
               Contrast::Agent::Assess::Policy::Policy,
@@ -127,8 +127,8 @@ module Contrast
             # @param args [Array<Object>] The arguments passed to the method
             #   being invoked.
             def apply_protect method_policy, method, exception, object, args
-              return unless AGENT.enabled?
-              return unless PROTECT.enabled?
+              return unless ::Contrast::AGENT.enabled?
+              return unless ::Contrast::PROTECT.enabled?
 
               apply_trigger_only(method_policy&.protect_node, method, exception, object, args)
             end
@@ -145,7 +145,7 @@ module Contrast
             # @param args [Array<Object>] The arguments passed to the method
             #   being invoked.
             def apply_inventory method_policy, method, exception, object, args
-              return unless INVENTORY.enabled?
+              return unless ::Contrast::INVENTORY.enabled?
 
               apply_trigger_only(method_policy&.inventory_node, method, exception, object, args)
             end
@@ -167,7 +167,7 @@ module Contrast
             def apply_assess method_policy, preshift, object, ret, args, block
               source_ret = nil
               propagated_ret = nil
-              return ret unless method_policy && ASSESS.enabled?
+              return ret unless method_policy && ::Contrast::ASSESS.enabled?
 
               current_context = Contrast::Agent::REQUEST_TRACKER.current
               return ret if current_context && !current_context.analyze_request?
@@ -290,6 +290,11 @@ module Contrast
               # we've already patched this class, don't do it again
               return true if methods.include?(cs_method_name)
 
+              # that method is within Contrast definition so it should be skipped
+              method = mod.instance_method(method_policy.method_name) if method_policy.instance_method
+              method = mod.singleton_method(method_policy.method_name) unless method_policy.instance_method
+              return true if method.owner <= Contrast
+
               begin
                 contrast_define_method(mod, method_policy, cs_method_name)
               rescue NameError => e

data/lib/contrast/agent/patching/policy/patch_status.rb

@@ -15,13 +15,9 @@ module Contrast
             # @param mod [Module] the Module for which the status is asked
             # @return [Contrast::Agent::Patching::Policy::PatchStatus]
             def get_status mod
-              if mod.cs__const_defined?(status_key, false)
-                mod.cs__const_get(status_key, false)
-              else
-                s = new
-                mod.cs__const_set(status_key, s)
-                s
-              end
+              return mod.cs__const_get(status_key) if mod.cs__const_defined?(status_key, false)
+
+              mod.cs__const_set(status_key, new)
             end
 
             # Allows our C patches to look up the :MethodPolicy for a given

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -7,7 +7,8 @@ require 'monitor'
 require 'contrast/agent/patching/policy/patch_status'
 require 'contrast/agent/patching/policy/method_policy'
 require 'contrast/agent/patching/policy/module_policy'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 require 'contrast/utils/class_util'
 
 # assess
@@ -43,9 +44,8 @@ module Contrast
         # and how.
         module Patcher
           extend Contrast::Agent::Patching::Policy::AfterLoadPatcher
-
-          include Contrast::Components::Interface
-          access_component :agent, :analysis, :logging, :scope
+          extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Components::Scope::InstanceMethods
 
           class << self
             # Hook to install the Contrast changes needed to allow for the
@@ -54,7 +54,8 @@ module Contrast
             def patch
               catchup_after_load_patches
               catchup_loaded_methods
-              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+              # TODO: RUBY-714 remove guard w/ EOL of 2.5
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations if RUBY_VERSION < '2.6.0'
             end
 
             # Hook to only monkeypatch Contrast. This will not trigger any
@@ -82,11 +83,11 @@ module Contrast
               with_contrast_scope do
                 mod_name = mod.cs__name
                 return unless Contrast::Utils::ClassUtil.truly_defined?(mod_name)
-                return if AGENT.skip_instrumentation?(mod_name)
+                return if ::Contrast::AGENT.skip_instrumentation?(mod_name)
 
                 load_patches_for_module(mod_name)
 
-                return unless all_module_names.any?(mod_name)
+                return if all_module_names.none?(mod_name)
 
                 module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
                 patch_into_module(module_data)
@@ -156,7 +157,7 @@ module Contrast
               logger.trace_with_time('Running patching') do
                 patched = []
                 all_module_names.each do |patchable_name|
-                  next if AGENT.skip_instrumentation?(patchable_name)
+                  next if ::Contrast::AGENT.skip_instrumentation?(patchable_name)
 
                   patchable_mod = patchable(patchable_name)
                   next unless patchable_mod
@@ -176,12 +177,13 @@ module Contrast
             # @param redo_patch [Boolean] a trigger to force patching regardless of the state of the
             #   Contrast::Agent::Patching::Policy::PatchStatus status on the Module
             def patch_into_module module_data, redo_patch = false
-              status = status_type.get_status(module_data.mod)
+              status = Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod)
               return if (status&.patched? || status&.patching?) && !redo_patch
 
               # Begin patching our sources into the given module. Any patcher that has the name of the module will be
               # evaluated for patching. Find all the patchers that apply to this class, sorted by type.
               module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.create_module_policy(module_data.mod_name)
+
               # If there's nothing to match, then set that status and exit
               if module_policy.empty?
                 status.no_patch!
@@ -191,8 +193,8 @@ module Contrast
               status.patching!
               num_applied_patches = patch_into_instance_methods(module_data, module_policy)
               num_applied_patches += patch_into_singleton_methods(module_data, module_policy)
-              if adjust_for_prepend(module_data) || module_policy.num_expected_patches == num_applied_patches
 
+              if adjust_for_prepend(module_data) || module_policy.num_expected_patches == num_applied_patches
                 status.patched!
               else
                 status.partial_patch!
@@ -258,8 +260,7 @@ module Contrast
               patch_into_methods(mod, methods, module_policy, false)
             end
 
-            # We've found the patchers that apply to this class (or module). Now we'll
-            # filter on the given method.
+            # We've found the patchers that apply to this class (or module). Now we'll filter on the given method.
             #
             # @param mod [Module] The module from which to retrieve instance methods.
             # @param methods [Array<Symbol>] The names of all the methods in in this module
@@ -276,8 +277,7 @@ module Contrast
                                                                                                     is_instance_method)
                 next if method_policy.empty?
 
-                patched = patch_method(mod, methods, method_policy)
-                count += 1 if patched
+                count += 1 if patch_method(mod, methods, method_policy)
               end
               count
             end

data/lib/contrast/agent/patching/policy/policy.rb

@@ -5,7 +5,7 @@ require 'json'
 require 'singleton'
 
 require 'contrast'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/agent/patching/policy/module_policy'
 require 'contrast/agent/patching/policy/method_policy'
 
@@ -19,7 +19,7 @@ module Contrast
         # @abstract
         class Policy
           include Singleton
-          include Contrast::Components::Interface
+          include Contrast::Components::Logger::InstanceMethods
 
           # Indicates the folder in `resources` where this policy lives.
           def self.policy_folder
@@ -36,8 +36,6 @@ module Contrast
             raise(NoMethodError, 'specify the concrete node type for this poilcy')
           end
 
-          access_component :analysis, :logging
-
           attr_reader :sources, :propagators, :triggers, :providers
 
           SOURCES_KEY =          'sources'

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
@@ -12,8 +12,7 @@ module Contrast
         #
         # @abstract
         class PolicyNode
-          include Contrast::Components::Interface
-          access_component :analysis, :scope
+          include Contrast::Components::Scope::InstanceMethods
 
           attr_accessor :class_name, :instance_method, :method_name, :method_visibility
           attr_reader :properties, :method_scope

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -14,7 +14,7 @@ module Contrast
         # infilter methods of the rule should be invoked.
         module AppliesNoSqliRule
           extend Contrast::Agent::Protect::Policy::RuleApplicator
-
+          DATABASE_NOSQL = 'MongoDB'
           class << self
             def invoke method, _exception, properties, _object, args
               return unless valid_input?(args)

data/lib/contrast/agent/protect/policy/policy.rb

@@ -24,7 +24,7 @@ module Contrast
           end
 
           def disabled_globally?
-            PROTECT.forcibly_disabled?
+            ::Contrast::PROTECT.forcibly_disabled?
           end
 
           def node_type

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -11,9 +11,7 @@ module Contrast
         # form of the Applicator, which will override specific implementations
         # in order to properly invoke its Rule.
         module RuleApplicator
-          include Contrast::Components::Interface
-
-          access_component :analysis, :logging
+          include Contrast::Components::Logger::InstanceMethods
 
           # Calls the actual invocation for this applicator, if required. Will
           # attempt to transform the data as required prior to invocation and
@@ -82,7 +80,7 @@ module Contrast
           #
           # @return [Contrast::Agent::Protect::Rule::Base]
           def rule
-            PROTECT.rule rule_name
+            ::Contrast::PROTECT.rule rule_name
           end
 
           # Should we skip analysis for this rule for this method invocation?

data/lib/contrast/agent/protect/rule/base.rb

@@ -1,7 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
@@ -12,9 +13,8 @@ module Contrast
         #
         # @abstract Subclass and override {#prefilter}, {#infilter}, {#find_attacker}, {#postfilter} to implement
         class Base
-          include Contrast::Components::Interface
-
-          access_component :agent, :analysis, :logging, :scope, :settings
+          include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Components::Scope::InstanceMethods
 
           UNKNOWN_USER_INPUT = Contrast::Api::Dtm::UserInput.new.tap do |user_input|
             user_input.input_type = :UNKNOWN
@@ -37,7 +37,7 @@ module Contrast
           attr_reader :mode
 
           def initialize
-            PROTECT.rules[rule_name] = self
+            ::Contrast::PROTECT.rules[rule_name] = self
             @mode = mode_from_settings
           end
 
@@ -48,11 +48,11 @@ module Contrast
 
           def enabled?
             # 1. it is not enabled because protect is not enabled
-            return false unless AGENT.enabled?
-            return false unless PROTECT.enabled?
+            return false unless ::Contrast::AGENT.enabled?
+            return false unless ::Contrast::PROTECT.enabled?
 
             # 2. it is not enabled because it is in the list of disabled protect rules
-            return false if PROTECT.rule_config&.disabled_rules&.include?(rule_name)
+            return false if ::Contrast::PROTECT.rule_config&.disabled_rules&.include?(rule_name)
 
             # 3. it is enabled so long as its mode is not NO_ACTION
             @mode != Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION
@@ -176,7 +176,7 @@ module Contrast
           protected
 
           def mode_from_settings
-            PROTECT.rule_mode(rule_name).tap do |mode|
+            ::Contrast::PROTECT.rule_mode(rule_name).tap do |mode|
               logger.trace('Retrieving rule mode', rule: rule_name, mode: mode)
             end
           end
@@ -191,7 +191,7 @@ module Contrast
           # @return [Boolean] if an exclusion was applicable to this request
           #   for this rule
           def protect_excluded_by_code?
-            exclusions = SETTINGS.code_exclusions
+            exclusions = ::Contrast::SETTINGS.code_exclusions
             return false unless exclusions
 
             for_rule = exclusions.select { |ex| ex.protection_rule?(rule_name) }

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -4,7 +4,7 @@
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/object_share'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -12,8 +12,7 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect Command Injection rule.
         class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
-          include Contrast::Components::Interface
-          access_component :app_context, :logging
+          include Contrast::Components::Logger::InstanceMethods
 
           NAME = 'cmd-injection'
           CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
@@ -28,7 +27,7 @@ module Contrast
             ia_results = gather_ia_results(context)
             return if ia_results.empty?
 
-            if APP_CONTEXT.in_new_process?
+            if ::Contrast::APP_CONTEXT.in_new_process?
               logger.trace('Running cmd-injection infilter within new process - creating new context')
               context = Contrast::Agent::RequestContext.new(context.request.rack_request)
               Contrast::Agent::REQUEST_TRACKER.update_current_context(context)
@@ -124,7 +123,7 @@ module Contrast
           # @return [Boolean] if the agent should report all command
           #   executions.
           def report_any_command_execution?
-            PROTECT.report_any_command_execution?
+            ::Contrast::PROTECT.report_any_command_execution?
           end
         end
       end