contrast-agent 4.8.0 → 4.11.0

data/lib/contrast/agent/request.rb

@@ -7,7 +7,8 @@ require 'timeout'
 require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/hash_digest'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
@@ -16,8 +17,8 @@ module Contrast
     # data in a format that the Agent expects, caching those transformations in
     # order to avoid repeatedly creating Strings & thrashing GC.
     class Request
-      include Contrast::Components::Interface
-      access_component :agent, :logging, :scope
+      include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Components::Scope::InstanceMethods
 
       extend Forwardable
 
@@ -91,10 +92,12 @@ module Contrast
                 defined?(Rack::Multipart::UploadedFile) &&
                 body.is_a?(Rack::Multipart::UploadedFile)
 
-            logger.trace("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
+            logger.trace('not parsing uploaded file body',
+                         file_name: body.original_filename,
+                         content_type: body.content_type)
             @_body = nil
           else
-            logger.trace("parsing body from request :: #{ body.cs__class.cs__name }")
+            logger.trace('parsing body from request', body_type: body.cs__class.cs__name)
             @_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
           end
 
@@ -182,8 +185,11 @@ module Contrast
           res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
           res
         when Enumerable
-          res = val.each_with_index.each_with_object({}) do |(v, i), hash|
-            hash.merge! normalize_params(v, prefix: "#{ prefix }[#{ i }]")
+          idx = 0
+          res = {}
+          while idx < val.length
+            res.merge! normalize_params(val[idx], prefix: "#{ prefix }[#{ idx }]")
+            idx += 1
           end
           res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
           res

data/lib/contrast/agent/request_context.rb

@@ -4,15 +4,14 @@
 require 'contrast/utils/timer'
 require 'contrast/agent/request'
 require 'contrast/agent/response'
-require 'contrast/utils/inventory_util'
-require 'contrast/components/interface'
-require 'contrast/delegators/input_analysis'
+require 'contrast/agent/inventory/database_config'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
-    # This class acts to encapsulate information about the currently executed
-    # request, making it available to the Agent for the duration of the request
-    # in a standardized and normalized format which the Agent understands.
+    # This class acts to encapsulate information about the currently executed request, making it available to the Agent
+    # for the duration of the request in a standardized and normalized format which the Agent understands.
     #
     # @attr_reader timer [Contrast::Utils::Timer] when the context was created
     # @attr_reader logging_hash [Hash] context used to log the request
@@ -26,8 +25,8 @@ module Contrast
     # @attr_reader route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
     # @attr_reader observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage, of this request
     class RequestContext
-      include Contrast::Components::Interface
-      access_component :agent, :analysis, :logging, :scope
+      include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Components::Scope::InstanceMethods
 
       EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
 
@@ -63,11 +62,11 @@ module Contrast
 
           @sample = true
 
-          if ASSESS.enabled?
+          if ::Contrast::ASSESS.enabled?
             @sample_request, @sample_response = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
           end
 
-          @sample_response &&= ASSESS.scan_response?
+          @sample_response &&= ::Contrast::ASSESS.scan_response?
 
           append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
         end
@@ -85,9 +84,11 @@ module Contrast
         @sample_response
       end
 
-      # Convert the discovered route for this request to appropriate forms and
-      # disseminate it to those locations where it is necessary for our route
-      # coverage and finding vulnerability discovery features to function.
+      # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
+      # where it is necessary for our route coverage and finding vulnerability discovery features to function.
+      #
+      # @param route [Contrast::Api::Dtm::RouteCoverage, nil] the route of the current request, as determined from the
+      #   framework
       def append_route_coverage route
         return unless route
 
@@ -108,8 +109,8 @@ module Contrast
       # Collect the results for the given rule with the given action
       #
       # @param rule [String] the id of the rule to which the results apply
-      # @param response_type [Symbol] the result of the response, matching a
-      #   value of Contrast::Api::Dtm::AttackResult::ResponseType
+      # @param response_type [Symbol] the result of the response, matching a value of
+      #   Contrast::Api::Dtm::AttackResult::ResponseType
       # @return [Array<Contrast::Api::Dtm::AttackResult>]
       def results_for rule, response_type = nil
         if response_type.nil?
@@ -120,8 +121,8 @@ module Contrast
       end
 
       def service_extract_request
-        return false unless AGENT.enabled?
-        return false unless PROTECT.enabled?
+        return false unless ::Contrast::AGENT.enabled?
+        return false unless ::Contrast::PROTECT.enabled?
         return false if @do_not_track
 
         service_response = Contrast::Agent.messaging_queue.send_event_immediately(@activity.http_request)
@@ -130,8 +131,10 @@ module Contrast
         handle_protect_state(service_response)
         ia = service_response.input_analysis
         if ia
-          logger.trace("Analysis from Contrast Service: evaluations=#{ ia.results.length }")
-          logger.trace('Results', input_analysis: ia.inspect)
+          if logger.trace?
+            logger.trace('Analysis from Contrast Service', evaluations: ia.results.length)
+            logger.trace('Results', input_analysis: ia.inspect)
+          end
           @speedracer_input_analysis = ia
           speedracer_input_analysis.request = request
         else
@@ -145,10 +148,9 @@ module Contrast
         false
       end
 
-      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations
-      # when the protect state indicates a security exception should be thrown. This method
-      # ensures that the attack reports are generated. Normally these should be generated on
-      # Speedracer for any attacks detected during prefilter.
+      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
+      # indicates a security exception should be thrown. This method ensures that the attack reports are generated.
+      # Normally these should be generated on Speedracer for any attacks detected during prefilter.
       #
       # @param agent_settings [Contrast::Api::Settings::AgentSettings]
       def handle_protect_state agent_settings
@@ -165,9 +167,8 @@ module Contrast
         raise Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior'))
       end
 
-      # append anything we've learned to the request seen message
-      # this is the sum-total of all inventory information that has
-      # been accumulated since the last request
+      # append anything we've learned to the request seen message this is the sum-total of all inventory information
+      # that has been accumulated since the last request
       def extract_after rack_response
         @response = Contrast::Agent::Response.new(rack_response)
         activity.http_response = @response.dtm if @sample_response
@@ -185,14 +186,13 @@ module Contrast
 
       def reset_activity
         @activity = Contrast::Api::Dtm::Activity.new(http_request: request.dtm)
-        @server_activity = Contrast::Api::Dtm::ServerActivity.new # it doesn't look like this is ever actually used?
+        @server_activity = Contrast::Api::Dtm::ServerActivity.new
         @observed_route = Contrast::Api::Dtm::ObservedRoute.new
       end
 
       private
 
-      # Generate attack results directly from any evaluations on the
-      # agent settings object.
+      # Generate attack results directly from any evaluations on the agent settings object.
       #
       # @param agent_settings [Contrast::Api::Settings::AgentSettings]
       def build_attack_results agent_settings
@@ -201,15 +201,17 @@ module Contrast
         attack_results_by_rule = {}
         agent_settings.input_analysis.results.each do |ia_result|
           rule_id = ia_result.rule_id
-          rule = PROTECT.rule(rule_id)
+          rule = ::Contrast::PROTECT.rule(rule_id)
           next unless rule
 
-          logger.debug('Building attack result from Contrast Service input analysis result', result: ia_result.inspect)
+          if logger.debug?
+            logger.debug('Building attack result from Contrast Service input analysis result',
+                         result: ia_result.inspect)
+          end
 
           attack_result = if rule.mode == :BLOCK
-                            # special case for rules (like reflected xss)
-                            # that used to have an infilter / block
-                            # mode but now are just block at perimeter
+                            # special case for rules (like reflected xss) that used to have an infilter / block mode
+                            # but now are just block at perimeter
                             rule.build_attack_with_match(self, ia_result, attack_results_by_rule[rule_id],
                                                          ia_result.value)
                           else

data/lib/contrast/agent/request_handler.rb

@@ -1,20 +1,22 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/logger'
+require 'contrast/components/scope'
+
 module Contrast
   module Agent
     # This class is instantiated when we receive a request and the agent is enabled to process
     # that request. It holds the ruleset that we perform filtering operations on (currently
     # prefilter and postfilter).
     class RequestHandler
-      include Contrast::Components::Interface
-      access_component :agent, :logging, :scope
+      include Contrast::Components::Logger::InstanceMethods
 
       attr_reader :ruleset, :context
 
       def initialize context
         @context = context
-        @ruleset = AGENT.ruleset
+        @ruleset = ::Contrast::AGENT.ruleset
       end
 
       def send_activity_messages

data/lib/contrast/agent/response.rb

@@ -7,7 +7,7 @@ require 'timeout'
 require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/hash_digest'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -16,8 +16,7 @@ module Contrast
     # data in a format that the Agent expects, caching those transformations in
     # order to avoid repeatedly creating Strings & thrashing GC.
     class Response
-      include Contrast::Components::Interface
-      access_component :logging
+      include Contrast::Components::Logger::InstanceMethods
 
       extend Forwardable
 

data/lib/contrast/agent/rewriter.rb

@@ -7,7 +7,8 @@ return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
 
 require 'contrast/agent/class_reopener'
 require 'contrast/agent/patching/policy/patch_status'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 require 'contrast/utils/ruby_ast_rewriter'
 
 module Contrast
@@ -19,8 +20,8 @@ module Contrast
     # @deprecated Changes to this class are discouraged as this approach is
     #   being phased out with support for those language versions.
     class Rewriter
-      include Contrast::Components::Interface
-      access_component :logging, :scope
+      extend Contrast::Components::Logger::InstanceMethods
+      extend Contrast::Components::Scope::InstanceMethods
 
       SELF_DEFINITION = 'def self.'
       DEFINITION = 'def '

data/lib/contrast/agent/rule_set.rb

@@ -1,13 +1,14 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/logger'
+
 module Contrast
   module Agent
     # This class is responsible for holding our ruleset and performing filtering operations on all
     # rules when asked by the middleware.
     class RuleSet < Set
-      include Contrast::Components::Interface
-      access_component :analysis, :logging
+      include Contrast::Components::Logger::InstanceMethods
 
       # The filtering that needs to happen before the application gets access to the request object.
       # The main action here is snapshotting the request as provided to the application from the
@@ -16,7 +17,7 @@ module Contrast
       def prefilter
         context = Contrast::Agent::REQUEST_TRACKER.current
         # TODO: RUBY-801 We shouldn't be responsible for knowing what modes are enabled
-        return unless context&.analyze_request? || PROTECT.enabled?
+        return unless context&.analyze_request? || ::Contrast::PROTECT.enabled?
 
         logger.trace_with_time('Running prefilter...') do
           map { |rule| rule.prefilter(context) }
@@ -33,7 +34,7 @@ module Contrast
       def postfilter
         context = Contrast::Agent::REQUEST_TRACKER.current
         # TODO: RUBY-801 We shouldn't be responsible for knowing what modes are enabled
-        return unless context&.analyze_response? || PROTECT.enabled?
+        return unless context&.analyze_response? || ::Contrast::PROTECT.enabled?
 
         logger.trace_with_time('Running postfilter...') do
           map { |rule| rule.postfilter(context) }

data/lib/contrast/agent/scope.rb

@@ -104,39 +104,51 @@ module Contrast
         exit_split_scope!
       end
 
-      # Dynamic versions of the above.
-      # These are equivalent, but they're slower and riskier.
-      # Prefer the static methods if you know what scope you need at the call site.
+      # Static methods to be used, the cases are defined by the usage from the above methods
+      # if more methods are added - please extend the case statements as they are no longed dynamic
       def in_scope? name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"in_#{ name }_scope?" }
-        send(call)
+        case name
+        when :contrast
+          in_contrast_scope?
+        when :deserialization
+          in_deserialization_scope?
+        when :split
+          in_split_scope?
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       def enter_scope! name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"enter_#{ name }_scope!" }
-        send(call)
+        case name
+        when :contrast
+          enter_contrast_scope!
+        when :deserialization
+          enter_deserialization_scope!
+        when :split
+          enter_split_scope!
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       def exit_scope! name
-        cs__class.ensure_valid_scope! name
-        call = with_contrast_scope { :"exit_#{ name }_scope!" }
-        send(call)
+        case name
+        when :contrast
+          exit_contrast_scope!
+        when :deserialization
+          exit_deserialization_scope!
+        when :split
+          exit_split_scope!
+        else
+          raise NoMethodError, "Scope '#{ name.inspect }' is not registered as a scope."
+        end
       end
 
       class << self
         def valid_scope? scope_sym
           Contrast::Agent::Scope::SCOPE_LIST.include? scope_sym
         end
-
-        def ensure_valid_scope! scope_sym
-          unless valid_scope? scope_sym # rubocop:disable Style/GuardClause
-            with_contrast_scope do
-              raise NoMethodError, "Scope '#{ scope_sym.inspect }' is not registered as a scope."
-            end
-          end
-        end
       end
     end
   end

data/lib/contrast/agent/service_heartbeat.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/agent/worker_thread'
 
 module Contrast
@@ -9,8 +9,7 @@ module Contrast
     # The ServiceHeartbeat functions to keep the Contrast Service alive and
     # ensure that it maintains this Agent's ApplicationContext.
     class ServiceHeartbeat < WorkerThread
-      include Contrast::Components::Interface
-      access_component :logging
+      include Contrast::Components::Logger::InstanceMethods
 
       # Spec recommends 30 seconds, we're going with 15.
       REFRESH_INTERVAL_SEC = 15

data/lib/contrast/agent/static_analysis.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
-require 'contrast/agent/inventory'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 require 'contrast/api/decorators/application_update'
 
 module Contrast
@@ -10,8 +10,9 @@ module Contrast
     # this module handles one time static analysis tasks
     class StaticAnalysis
       include Singleton
-      include Contrast::Components::Interface
-      access_component :logging, :analysis, :scope
+      include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Components::Scope::InstanceMethods
+
       class << self
         # After the first request is complete, we do a one-time manual catchup to review and
         # report the already-loaded gems.
@@ -23,11 +24,11 @@ module Contrast
         end
 
         def send_inventory_message
-          return unless INVENTORY.enabled?
+          return unless ::Contrast::INVENTORY.enabled?
 
           app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.build
 
-          Contrast::Utils::InventoryUtil.append_db_config(app_update_msg)
+          Contrast::Agent::Inventory::DatabaseConfig.append_db_config(app_update_msg)
           Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg)
         end
 

data/lib/contrast/agent/thread.rb

@@ -1,15 +1,13 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
     # Threads used by Contrast. Any long running thread should be created and managed by our ThreadWatcher class.
     class Thread < ::Thread
-      include Contrast::Components::Interface
-
-      access_component :scope
+      include Contrast::Components::Scope::InstanceMethods
 
       # Make our internal code run in Contrast scope.
       def initialize *args

data/lib/contrast/agent/thread_watcher.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/agent/service_heartbeat'
 require 'contrast/api/communication/messaging_queue'
 
@@ -13,8 +13,7 @@ module Contrast
     # @attr_reader heartbeat [Contrast::Agent::ServiceHeartbeat]
     # @attr_reader messaging_queue [Contrast::Api::Communication::MessagingQueue]
     class ThreadWatcher
-      include Contrast::Components::Interface
-      access_component :agent, :logging
+      include Contrast::Components::Logger::InstanceMethods
 
       attr_reader :heapdump_util, :heartbeat, :messaging_queue
 
@@ -26,7 +25,7 @@ module Contrast
       end
 
       def startup!
-        return unless AGENT.enabled?
+        return unless ::Contrast::AGENT.enabled?
 
         unless heartbeat.running?
           logger.debug('Attempting to start heartbeat thread')

data/lib/contrast/agent/tracepoint_hook.rb

@@ -1,15 +1,15 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
     # This module is used to apply instrumentation to classes as they are required
     module TracePointHook
-      include Contrast::Components::Interface
-
-      access_component :logging, :scope
+      extend Contrast::Components::Logger::InstanceMethods
+      extend Contrast::Components::Scope::InstanceMethods
 
       class << self
         def enable!
@@ -27,18 +27,31 @@ module Contrast
 
         private
 
+        # Use the TracePoint from the :end event, meaning the completion of a definition of a Class or Module (or
+        # really the completion of that piece of a definition, as determined by an `end` statement since there could be
+        # definitions across multiple files) to carry out actions required on definition. This typically involves
+        # patching and usage analysis
+        #
+        # @param tracepoint_event [TracePoint] the TracePoint from the :end
         def process tracepoint_event
           with_contrast_scope do
-            logger.trace('Received TracePoint end event', module: tracepoint_event.self.to_s)
-
+            # the Module or Class that was loaded during this event
             loaded_module = tracepoint_event.self
+            # the file being loaded that contained this definition
             path = tracepoint_event.path
             return if path&.include?('contrast')
 
+            logger.trace('Received TracePoint end event', module: loaded_module, path: path)
+
+            Contrast::Agent.framework_manager.register_late_framework(loaded_module)
             Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.associate_file(path) if path
             Contrast::Agent::Patching::Policy::Patcher.patch_specific_module(loaded_module)
-            Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module) if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+            if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolation(loaded_module)
+            end
             Contrast::Agent::Assess::Policy::PolicyScanner.scan(tracepoint_event)
+          rescue StandardError => e
+            logger.error('Unable to complete TracePoint analysis', e, module: loaded_module, path: path)
           end
         end
       end

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '4.8.0'
+    VERSION = '4.11.0'
   end
 end

data/lib/contrast/api/communication/messaging_queue.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/agent/worker_thread'
 
 module Contrast
@@ -9,29 +9,31 @@ module Contrast
     module Communication
       # Top level gateway to messaging with speedracer
       class MessagingQueue < Contrast::Agent::WorkerThread
-        include Contrast::Components::Interface
-        access_component :agent, :analysis, :logging, :settings
+        include Contrast::Components::Logger::InstanceMethods
 
-        attr_reader :queue, :speedracer
+        attr_reader :speedracer
 
         def initialize
-          @queue = Queue.new
           @speedracer = Contrast::Api::Communication::Speedracer.new
           super
         end
 
         # Use this to bypass the messaging queue and leave response processing to the caller
         def send_event_immediately event
-          if AGENT.disabled?
+          if ::Contrast::AGENT.disabled?
             logger.warn('Attempted to send event immediately with Agent disabled', caller: caller, event: event)
             return
           end
           speedracer.return_response(event)
         end
 
+        def queue
+          @_queue ||= Queue.new
+        end
+
         # Use this to add a message to the queue and process the response internally
         def send_event_eventually event
-          if AGENT.disabled?
+          if ::Contrast::AGENT.disabled?
             logger.warn('Attempted to queue event with Agent disabled', caller: caller, event: event)
             return
           end
@@ -43,7 +45,6 @@ module Contrast
           speedracer.ensure_startup!
           return if running?
 
-          @queue ||= Queue.new
           @_thread = Contrast::Agent::Thread.new do
             loop do
               event = queue.pop
@@ -59,13 +60,17 @@ module Contrast
           logger.debug('Started background sending thread.')
         end
 
+        def delete_queue!
+          @_queue&.clear
+          @_queue&.close
+          @_queue = nil
+        end
+
         def stop!
           return unless running?
 
           super
-          @queue&.clear
-          @queue&.close
-          @queue = nil
+          delete_queue!
         end
       end
     end