contrast-agent 4.8.0 → 4.11.0

data/lib/contrast/utils/tag_util.rb

@@ -7,8 +7,10 @@ module Contrast
     class TagUtil
       class << self
         # Determine if the given array of tags is covered by the other
-        # remaining_ranges: the tags left that haven't been covered by those given
-        # ranges: the tags that are covering the first
+        #
+        # @param remaining_ranges [Array<Contrast::Agent::Assess::Tag>] the tags left that haven't been covered by
+        #   those given
+        # @param ranges Array<Contrast::Agent::Assess::Tag> the tags that are covering the first
         def covered? remaining_ranges, ranges
           return true unless remaining_ranges&.any?
 
@@ -74,14 +76,14 @@ module Contrast
 
         # Given a collection of tags, merge any tags that are continuous
         #
-        # If tags is a hash, it should be in the format label => [tags]
-        # The array of tags will each be merged
+        # If tags is a hash, it should be in the format label => [tags]. The array of tags will each be merged
+        # If tags is an array in the format [tags], the array will be merged
         #
-        # If tags is an array in the format [tags], the array will be
-        # merged
+        # The original object is returned, although setters should not be necessary since tags is a collection in
+        # either case
         #
-        # The original object is returned, although setters should not be
-        # necessary since tags is a collection in either case
+        # @param tags [Hash{String => Array<Contrast::Agent::Assess::Tag>}, Array<Contrast::Agent::Assess::Tag>]
+        # @return [Hash{String => Array<Contrast::Agent::Assess::Tag>}, Array<Contrast::Agent::Assess::Tag>]
         def merge_tags tags
           if tags.is_a?(Hash)
             tags.each_value { |value| smallerize(value) }
@@ -90,6 +92,12 @@ module Contrast
           end
         end
 
+        # Merge the given set of tags such that any overlap combines. For any tag which extends beyond the size of the
+        # target_object, the end will be updated to the target_object's length.
+        #
+        # @param target_object [Object] the thing to which the tags apply
+        # @param tags [Hash{String => Array<Contrast::Agent::Assess::Tag>}, Array<Contrast::Agent::Assess::Tag>]
+        # @return [Hash{String => Array<Contrast::Agent::Assess::Tag>}, Array<Contrast::Agent::Assess::Tag>]
         def size_aware_merge target_object, tags
           max_size = target_object.to_s.length
           tags = merge_tags(tags)
@@ -100,14 +108,12 @@ module Contrast
 
         private
 
-        # Add one new element to the given array
+        # Add one new element to the given array. The addition is done such that the new entry is inserted so that the
+        # range they cover is in order. Any overlapping ranges are merged before returning.
         #
-        # The addition is done such that the new entry(ies)
-        # are inserted so that the range they cover is in order
-        # Any overlapping ranges are merged before returning
-        #
-        # arr: the array to which the element is added
-        # new_element: the element to be added to the array
+        # @param arr [Array<Contrast::Agent::Assess::Tag>]
+        # @param new_element []Contrast::Agent::Assess::Tag]
+        # @return [Array<Contrast::Agent::Assess::Tag>]
         def single_ordered_merge arr, new_element
           idx = 0
           arr.each do |existing|
@@ -122,10 +128,11 @@ module Contrast
           arr.insert(idx, new_element)
         end
 
-        # Given an arry of tags, merge any that overlap
-        # The tag that was higher up is removed from the
-        # list of tags.
-        # ranges like [0-3][3-6]-6-9] that should become [0-9]
+        # Given an arry of tags, merge any that overlap. The tag that was higher up is removed from the list of tags.
+        # ranges like [0-3][3-6]-6-9] become [0-9]
+        #
+        # @param tags [Array<Contrast::Agent::Assess::Tag>]
+        # @return [Array<Contrast::Agent::Assess::Tag>]
         def smallerize tags
           smallered = []
           curr = nil

data/lib/contrast.rb

@@ -4,10 +4,6 @@
 # Used to prevent deprecation warnings from flooding stdout
 ENV['PB_IGNORE_DEPRECATIONS'] = 'true'
 
-# Top-level namespace for Contrast Security agent
-module Contrast
-end
-
 # Some developers override various methods on Object, which can often involve
 # changing expected method parity/behavior which in turn prevents us from being
 # able to reliably use affected methods.
@@ -38,22 +34,36 @@ if RUBY_VERSION >= '3.0.0'
   end
 end
 
-# component interface for class creation
-# config gets built as a consequence of this require
-require 'contrast/components/interface'
+require 'contrast/components/agent'
+require 'contrast/components/app_context'
+require 'contrast/components/assess'
+require 'contrast/components/config'
+require 'contrast/components/contrast_service'
+require 'contrast/components/inventory'
+require 'contrast/components/logger'
+require 'contrast/components/protect'
+require 'contrast/components/sampling'
+require 'contrast/components/scope'
+require 'contrast/components/settings'
+
+module Contrast
+  SCOPE = Contrast::Components::Scope::Interface.new
+  CONFIG = Contrast::Components::Config::Interface.new
+  SETTINGS = Contrast::Components::Settings::Interface.new
+  ASSESS = Contrast::Components::Assess::Interface.new
+  PROTECT = Contrast::Components::Protect::Interface.new
+  INVENTORY = Contrast::Components::Inventory::Interface.new
+  LOGGER = Contrast::Components::Logger::Interface.new
+  AGENT = Contrast::Components::Agent::Interface.new
+  CONTRAST_SERVICE = Contrast::Components::ContrastService::Interface.new
+  APP_CONTEXT = Contrast::Components::AppContext::Interface.new
+end
 
 # This needs to be required very early, after component interfaces, and before instrumentation attempts
 require 'contrast/funchook/funchook'
 
-# shared configuration support
-require 'contrast/config'
-require 'contrast/configuration'
-
 require 'contrast/agent/version'
 
-# errors and exceptions
-require 'contrast/security_exception'
-
 # shared utils
 require 'contrast/utils/timer'
 require 'contrast/utils/preflight_util'

data/resources/assess/policy.json

@@ -34,6 +34,23 @@
       "type": "BODY",
       "tags":["NO_NEWLINES", "CROSS_SITE"]
     }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "body",
+      "source": "P0",
+      "target": "R",
+      "type": "BODY",
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
+    },  {
+      "class_name":"ActionDispatch::Cookies::CookieJar",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "[]",
+      "target": "R",
+      "type": "COOKIE",
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
+    },  {
       "class_name":"Rack::Request::Helpers",
       "instance_method": true,
       "method_visibility": "public",
@@ -129,10 +146,45 @@
       "target":"R",
       "type":"PARAMETER",
       "tags":["CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Env",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"[]",
+      "source": "P0",
+      "target":"R",
+      "type":"HEADER",
+      "tags":["CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Request",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"headers",
+      "source": "P0",
+      "target":"R",
+      "type":"HEADER",
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Request",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body",
+      "target":"R",
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Validations::Base",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"validate!",
+      "source": "P0",
+      "target":"R",
+      "type":"PARAMETER",
+      "tags":["CROSS_SITE"]
     }
   ],
   "propagators":[
-    {
+     {
       "class_name":"String",
       "instance_method": true,
       "method_visibility": "public",
@@ -140,7 +192,7 @@
       "source":"O",
       "target":"R",
       "action":"KEEP"
-    },     {
+    }, {
       "class_name": "String",
       "instance_method": true,
       "method_visibility": "public",
@@ -722,6 +774,24 @@
       "patch_method": "select_tagger",
       "source": "O",
       "target": "R"
+    },{
+      "class_name":"CGI::Util",
+      "method_name":"unescape",
+      "instance_method": true,
+      "method_visibility": "public",
+      "source":"P0",
+      "target":"R",
+      "action":"SPLAT",
+      "tags":[],
+      "untags":[]
+    }, {
+      "class_name":"StringIO",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "read",
+      "source": "O",
+      "target": "R",
+      "action": "SPLAT"
     }, {
       "class_name":"CGI::Util",
       "method_name":"escapeHTML",
@@ -742,6 +812,16 @@
       "action":"SPLAT",
       "tags":["HTML_ENCODED"],
       "untags":["HTML_DECODED"]
+    }, {
+      "class_name":"Rack::Utils",
+      "method_name":"escape_html",
+      "instance_method": false,
+      "method_visibility": "public",
+      "source":"P0",
+      "target":"R",
+      "action":"SPLAT",
+      "tags":["HTML_ENCODED"],
+      "untags":["HTML_DECODED"]
     }, {
       "class_name":"CGI::Util",
       "method_name":"h",
@@ -1287,6 +1367,18 @@
           "instance_method": true,
           "method_visibility": "public",
           "source":"P0"
+        }, {
+          "class_name":"Rack::Response",
+          "method_name":"body=",
+          "instance_method": true,
+          "method_visibility": "public",
+          "source":"P0"
+        }, {
+          "class_name":"Rack::Response",
+          "method_name":"write",
+          "instance_method": true,
+          "method_visibility": "public",
+          "source":"P0"
         }, {
           "class_name":"Sinatra::Helpers",
           "method_name":"body",
@@ -1347,12 +1439,108 @@
           "method_visibility": "public",
           "method_name":"async_exec",
           "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation::Calculations",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"calculate",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::FinderMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"exists?",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::FinderMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"find_by",
+          "source":"P0"
         }, {
           "class_name":"ActiveRecord::Querying",
           "instance_method": false,
           "method_visibility": "public",
           "method_name":"select",
           "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"from",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"group",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"having",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"joins",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"lock",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"select",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"reselect",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"where",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"rewhere",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods::WhereChain",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"not",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"delete_by",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"destroy_by",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"update_all",
+          "source":"P0"
         }
       ]
     }, {
@@ -1685,6 +1873,13 @@
           "method_visibility": "public",
           "method_name": "redirect_to",
           "source": "P0"
+        },
+        {
+          "class_name": "Grape::DSL::InsideRoute",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name": "redirect",
+          "source": "P0"
         }
       ]
     }, {

data/resources/deadzone/policy.json

@@ -1,6 +1,16 @@
 {
   "deadzones":[
     {
+      "class_name":"Rspec::Core::BacktraceFormatter",
+      "instance_method":true,
+      "method_visibility": "private",
+      "method_name":"matches?"
+    },{
+      "class_name":"Rspec::Core::Example",
+      "instance_method":true,
+      "method_visibility": "private",
+      "method_name":"finish"
+    },{
       "class_name":"Rack::Request::Helpers",
       "instance_method":true,
       "method_visibility": "public",

data/ruby-agent.gemspec

@@ -24,6 +24,7 @@ def self.add_dev_dependencies spec
   add_debuggers(spec)
   add_linters(spec) # if RUBY_VERSION >= '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
   add_specs(spec)
+  add_custom_dependencies(spec)
 end
 
 # Dependencies used to build the agent during development.
@@ -33,14 +34,21 @@ def self.add_builders spec
   spec.add_development_dependency 'rake-compiler', '~> 0'
 end
 
+# Dependencies that are required during testing in actual application
+def self.add_custom_dependencies spec
+  spec.add_development_dependency 'zlib'
+end
+
 # Dependencies used for local debugging during development.
 def self.add_debuggers spec
   spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'pry-byebug', '>= 3.9'
   spec.add_development_dependency 'ruby-debug-ide'
 end
 
 # Dependencies used for framework testing.
 def self.add_frameworks spec
+  spec.add_development_dependency 'grape', '~> 1.5', '>= 1.5.2'
   spec.add_development_dependency 'rack-protection', '>= 2'
   spec.add_development_dependency 'rails', '6.0.3.5'
   spec.add_development_dependency 'sinatra', '>= 2'
@@ -51,6 +59,7 @@ def self.add_linters spec
   spec.add_development_dependency 'debride', '1.8.2'
   spec.add_development_dependency 'fasterer', '0.9.0'
   spec.add_development_dependency 'flay', '2.12.1'
+  # spec.add_development_dependency 'steep', '0.44.1' # TODO: RUBY-714 uncomment w/ EOL of 2.5
   add_rubocop(spec)
 end
 
@@ -65,15 +74,16 @@ def self.add_specs spec
   spec.add_development_dependency 'factory_bot'
   spec.add_development_dependency 'fake_ftp'
   spec.add_development_dependency 'openssl'
+  spec.add_development_dependency 'parallel_tests'
   spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'rspec-benchmark'
   spec.add_development_dependency 'rspec_junit_formatter', '0.3.0'
   spec.add_development_dependency 'rspec-rails', '5.0'
   spec.add_development_dependency 'tzinfo-data' # Alpine rspec-rails requirement.
+  spec.add_development_dependency 'warning'
 end
 
 def self.add_coverage spec
-  spec.add_development_dependency 'codecov', '0.5.2'
   spec.add_development_dependency 'simplecov', '0.21.2'
 end
 
@@ -90,8 +100,8 @@ end
 def self.add_tested_gems spec
   spec.add_development_dependency 'async'
   spec.add_development_dependency 'execjs'
-  spec.add_development_dependency 'sqlite3'
   spec.add_development_dependency 'rhino'
+  spec.add_development_dependency 'sqlite3'
   spec.add_development_dependency 'tilt'
   spec.add_development_dependency 'xpath'
 end
@@ -114,7 +124,7 @@ def self.add_files spec
     # Directories used for testing:
     f.match(%r{^(spec|test)/}) ||
         # Directories used in pipelines
-        f.match(%r{^(\.github|bin|internal_resources|vendor)/}) ||
+        f.match(%r{^(\.github|bin|internal_resources|sig|vendor)/}) ||
         # Configuration and other files that don't belong to one directory
         f.match(/(Dockerfile)/)  ||
         f.match(/(.*\.csv)/)     ||

data/service_executables/VERSION

@@ -1 +1 @@
-2.20.2
+2.21.2