contrast-agent 4.8.0 → 4.11.0

data/lib/contrast/extension/assess/array.rb

@@ -3,7 +3,7 @@
 
 require 'contrast/agent/patching/policy/patch'
 require 'contrast/agent/patching/policy/patcher'
-require 'contrast/components/interface'
+require 'contrast/components/scope'
 
 module Contrast
   module Extension
@@ -11,10 +11,8 @@ module Contrast
       # This is our patch of the Array class required to handle propagation
       # Disclaimer: there may be a better way, but we're in a 'get it work' state.
       # Hopefully, we'll be in a 'get it right' state soon.
-      class ArrayPropagator
-        include Contrast::Components::Interface
-
-        access_component :scope
+      class ArrayPropagator # rubocop:disable Style/StaticClass
+        extend Contrast::Components::Scope::InstanceMethods
 
         ARRAY_JOIN_HASH = {
             'class_name' => 'Array',
@@ -61,16 +59,6 @@ module Contrast
               ret
             end
           end
-
-          def instrument_array_track
-            @_instrument_array_track ||= begin
-              require 'cs__assess_array/cs__assess_array'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading assess track patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/extension/assess/eval_trigger.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Extension
@@ -11,8 +11,7 @@ module Contrast
       # apply the trigger in a custom patch over one of the generic triggers in
       # TriggerMethod.
       class EvalTrigger
-        include Contrast::Components::Interface
-        access_component :logging
+        include Contrast::Components::Logger::InstanceMethods
 
         class << self
           def instance_eval_trigger_check obj, source, ret
@@ -35,26 +34,6 @@ module Contrast
                                                                               ret, source)
           end
 
-          def instrument_basic_object_track
-            @_instrument_basic_object_track ||= begin
-              require 'cs__assess_basic_object/cs__assess_basic_object'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading basic object track patch', e)
-            false
-          end
-
-          def instrument_module_track
-            @_instrument_module_track ||= begin
-              require 'cs__assess_module/cs__assess_module'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading module track patch', e)
-            false
-          end
-
           private
 
           def trigger_node clazz, method

data/lib/contrast/extension/assess/fiber.rb

@@ -2,7 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/propagation_node'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 # In order to instrument some difficult methods like String#gsub, as it
 # returns an enumerator, we need to instrument methods on Fiber.
@@ -16,9 +17,8 @@ module Contrast
       # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
       # Fiber Class or exposing our methods there.
       class FiberPropagator
-        include Contrast::Components::Interface
-
-        access_component :analysis, :logging, :scope
+        extend Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Scope::InstanceMethods
 
         # we use funchook to patch rb_fiber_new the initialize method is not exposed by Ruby core
         FIBER_NEW_NODE_HASH = {
@@ -53,7 +53,7 @@ module Contrast
 
         class << self
           def track_rb_fiber_yield fiber, _method, results
-            return unless ASSESS.enabled?
+            return unless ::Contrast::ASSESS.enabled?
 
             # results will be nil if StopIteration was raised,
             # otherwise an Array of the yielded arguments
@@ -72,7 +72,7 @@ module Contrast
           end
 
           def track_rb_fiber_new fiber, _enum, _enum_method, underlying, _underlying_method
-            return unless ASSESS.enabled?
+            return unless ::Contrast::ASSESS.enabled?
             return unless underlying.is_a?(String) && !underlying.empty?
 
             with_contrast_scope do
@@ -85,16 +85,6 @@ module Contrast
           rescue Exception => e # rubocop:disable Lint/RescueException
             logger.error('Unable to propagate during Fiber.new', e)
           end
-
-          def instrument_fiber_track
-            @_instrument_fiber_variables ||= begin
-              require 'cs__assess_fiber_track/cs__assess_fiber_track' if Funchook.available?
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading fiber track patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/extension/assess/hash.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Extension
@@ -10,8 +10,8 @@ module Contrast
       # methods which are too complex to fit into one of the standard
       # Contrast::Agent::Assess::Policy::Propagator molds.
       class HashPropagator
-        include Contrast::Components::Interface
-        access_component :logging
+        include Contrast::Components::Logger::InstanceMethods
+
         class << self
           def cs__duplicate_and_freeze object
             return object unless object.is_a?(String) && !object.cs__frozen?
@@ -25,16 +25,6 @@ module Contrast
             # result in a seg fault
             object
           end
-
-          def instrument_hash_track
-            @_instrument_hash_track ||= begin
-              require 'cs__assess_hash/cs__assess_hash'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading hash track patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/extension/assess/kernel.rb

@@ -1,8 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
 require 'contrast/extension/assess/exec_trigger'
+require 'contrast/components/logger'
 
 module Contrast
   module Extension
@@ -13,11 +13,10 @@ module Contrast
       # Kernel Module or exposing our methods there.
       module KernelPropagator
         class << self
-          include Contrast::Components::Interface
+          extend Contrast::Components::Logger::InstanceMethods
+          include Contrast::Components::Logger::InstanceMethods
           include Contrast::Extension::Assess::ExecTrigger
 
-          access_component :logging
-
           # We're 'tracking' sprintf now, meaning if anything is tracked on the way
           # in, the entire result will be tracked out. We're going to take this
           # approach for now b/c it's fast and easy. I don't super love it, and by
@@ -67,16 +66,6 @@ module Contrast
             logger.error('Unable to track dataflow through sprintf', e)
           end
 
-          def instrument_kernel_track
-            @_instrument_fiber_variables ||= begin
-              require 'cs__assess_kernel/cs__assess_kernel'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading kernel track patch', e)
-            false
-          end
-
           private
 
           def handle_sprintf_value value, result, parent_events

data/lib/contrast/extension/assess/marshal.rb

@@ -1,7 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Extension
@@ -11,11 +12,12 @@ module Contrast
       # Hopefully, we'll be in a 'get it right' state soon.
       # This module is used for our Marshal.load patches
       class MarshalPropagator
-        include Contrast::Components::Interface
-
-        access_component :logging, :scope
+        extend Contrast::Components::Scope::InstanceMethods
 
         class << self
+          extend Contrast::Components::Logger::InstanceMethods
+          include Contrast::Components::Logger::InstanceMethods
+
           def cs__load_protect arg
             return if in_contrast_scope?
 
@@ -44,16 +46,6 @@ module Contrast
             end
           end
 
-          def instrument_marshal_load
-            @_instrument_marshal_load ||= begin
-              require 'cs__assess_marshal_module/cs__assess_marshal_module'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading marshal load patch', e)
-            false
-          end
-
           def trigger_node clazz, method
             triggers = Contrast::Agent::Assess::Policy::Policy.instance.triggers
             return unless triggers

data/lib/contrast/extension/assess/regexp.rb

@@ -2,7 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/propagation_node'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Extension
@@ -12,9 +13,8 @@ module Contrast
       # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
       # Regexp Class or exposing our methods there.
       class RegexpPropagator
-        include Contrast::Components::Interface
-
-        access_component :analysis, :logging, :scope
+        extend Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Scope::InstanceMethods
 
         REGEXP_EQUAL_SQUIGGLE_HASH = {
             'id' => 'regexp_100',
@@ -34,7 +34,7 @@ module Contrast
 
         class << self
           def track_equal_squiggle info_hash
-            return unless ASSESS.enabled?
+            return unless ::Contrast::ASSESS.enabled?
 
             # Because we have a special case for this propagation,
             # it falls out of regular scoping. As such, any patch to the `=~` method
@@ -58,16 +58,6 @@ module Contrast
           rescue Exception => e # rubocop:disable Lint/RescueException
             logger.error('Unable to propagate during Regexp#=~', e)
           end
-
-          def instrument_regexp_track
-            @_instrument_regexp_track ||= begin
-              require 'cs__assess_regexp/cs__assess_regexp'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading regexp track patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/extension/assess/string.rb

@@ -2,7 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/propagation_node'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Extension
@@ -11,10 +12,9 @@ module Contrast
       # methods which are too complex to fit into one of the standard
       # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
       # String Class or exposing our methods there.
-      class StringPropagator
-        include Contrast::Components::Interface
-
-        access_component :agent, :analysis, :logging, :scope
+      class StringPropagator # rubocop:disable Style/StaticClass
+        extend Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Scope::InstanceMethods
 
         NODE_HASH = {
             'class_name' => 'String',
@@ -31,7 +31,7 @@ module Contrast
 
         class << self
           def track_interpolation inputs, result
-            return unless AGENT.interpolation_enabled?
+            return unless ::Contrast::AGENT.interpolation_enabled?
             return if in_contrast_scope?
             return unless inputs.any? { |input| Contrast::Agent::Assess::Tracker.tracked?(input) }
 
@@ -52,31 +52,6 @@ module Contrast
           rescue StandardError => e
             logger.error('Unable to track interpolation', e)
           end
-
-          def instrument_string
-            @_instrument_string ||= begin
-              require 'cs__assess_string/cs__assess_string'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading hash track patch', e)
-            false
-          end
-
-          def instrument_string_interpolation
-            if @_instrument_string_interpolation.nil?
-              @_instrument_string_interpolation = begin
-                if AGENT.patch_interpolation? && Funchook.available?
-                  require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26'
-                end
-                true
-              rescue StandardError, LoadError => e
-                logger.error('Error loading interpolation patch', e)
-                false
-              end
-            end
-            @_instrument_string_interpolation
-          end
         end
       end
     end

data/lib/contrast/extension/extension.rb

@@ -0,0 +1,61 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Extension
+    # Our top level Assess namespace in the Core Extension section of our
+    # code. These patches are those that are invoked directly from a patched
+    # Class.
+    #
+    module Assess
+      # This is the main instrument helper giving the method of requiring C patches
+      #
+      module InstrumentHelper
+        class << self
+          include Contrast::Components::Logger::InstanceMethods
+
+          # Unites the different require methods into one, using only
+          # the provided path for the C patches
+          # parameters
+          # @param path[String] Path to the required patch
+          #
+          def instrument path
+            var_name, extracted_name = gen_name(path)
+            return if instance_variable_get(var_name) == true
+
+            instance_variable_set(var_name, assign_value(path))
+          rescue StandardError, LoadError => e
+            logger.error("Error loading #{ extracted_name&.nil? ? '' : extracted_name } patch", e)
+            false
+          end
+
+          # Some of the requires have some extra conditions for them to require
+          # the C patches, so this method is helping us move the logic by making some
+          # conditions
+          def assign_value path
+            case path
+            when /fiber/
+              require path if Funchook.available?
+            when /interpolation26/
+              require path if ::Contrast::AGENT.patch_interpolation? && Funchook.available?
+            else
+              require path
+            end
+            true
+          end
+
+          # Generate the needed instance variable name and return the extracted name
+          def gen_name path
+            extracted_name = path.split(%r{[\s_/]})&.uniq&.delete_if do |s|
+              s.empty? || s == 'cs' || s == 'assess' || s == 'track'
+            end
+            extracted_name = (extracted_name&.length || 0) > 1 ? extracted_name&.join('_') : extracted_name&.pop
+            ["@_instrument_#{ extracted_name }_track", extracted_name]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/extension/kernel.rb

@@ -41,15 +41,13 @@ module Kernel # :nodoc:
 
   def catch *args, &block
     # Save current scope level
-    scope_level =
-      Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
+    scope_level = ::Contrast::SCOPE.scope_for_current_ec.instance_variable_get(:@contrast_scope)
 
     # Run original catch with block.
     retval = cs__catch(*args, &block)
 
     # Restore scope.
-    Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.instance_variable_set(:@contrast_scope,
-                                                                                                scope_level)
+    ::Contrast::SCOPE.scope_for_current_ec.instance_variable_set(:@contrast_scope, scope_level)
 
     retval
   end

data/lib/contrast/extension/protect/kernel.rb

@@ -1,8 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
-
 module Contrast
   module Extension
     module Protect
@@ -10,9 +8,6 @@ module Contrast
       # allowing us to track activity as it crosses spawned processes.
       module Kernel
         class << self
-          include Contrast::Components::Interface
-          access_component :contrast_service
-
           def build_wrapper
             lambda {
               proc_start
@@ -27,16 +22,6 @@ module Contrast
 
             context.reset_activity
           end
-
-          def instrument
-            @_instrument ||= begin
-              require 'cs__protect_kernel/cs__protect_kernel'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading kernel protect patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/framework/grape/support.rb

@@ -0,0 +1,174 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/framework/base_support'
+require 'contrast/components/logger'
+
+module Contrast
+  module Framework
+    module Grape
+      # Used when Grape is present to define framework specific behaviour
+      class Support
+        extend Contrast::Framework::BaseSupport
+        class << self
+          include Contrast::Components::Logger::InstanceMethods
+          def detection_class
+            'Grape::API'
+          end
+
+          def version
+            ::Grape::VERSION
+          end
+
+          def application_name
+            app_class&.cs__name
+          end
+
+          def application_root
+            app_instance&.root
+          end
+
+          def server_type
+            'grape'
+          end
+
+          # Given an object, determine if it is a Grape controller.
+          # Which could include cases of ::Grape::API subclass or actual class
+          #
+          # @param app [Object] suspected Grape app.
+          # @return [Boolean]
+          def grape_controller? app
+            # Grape is loaded?
+            return false unless grape_defined?
+
+            # App is a subclass of or actually is ::Grape::API.
+            return false unless app.cs__respond_to?(:<=) && app <= ::Grape::API
+
+            true
+          end
+
+          # Find all classes that subclass ::Grape::API, Gather their routes
+          #
+          # @return [Array<Contrast::Api::Dtm::RouteCoverage>, Array]- founded routes as Dtms
+          def collect_routes
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless grape_defined?
+
+            # Each Grape controller has endpoints and each endpoints has routes
+            # and that's why we need to go through each one and create separate RouteCoverage object
+            routes = []
+            grape_controllers.each do |c|
+              c&.endpoints&.each do |endpoint|
+                endpoint&.routes&.map do |r|
+                  pattern = r.pattern.pattern
+                  temp = Contrast::Api::Dtm::RouteCoverage.from_grape_controller(c, r.request_method, pattern, r.path)
+                  routes << temp
+                end
+              end
+            end
+            routes
+          end
+
+          # Given the current request return a RouteCoverage dtm.
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @param controller [::Grape::API] optionally use this controller instead of global ::Grape::API.
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil] a Dtm describing the route
+          # matched to the request if a match was found.
+          def current_route request, controller = ::Grape::API, full_route = nil
+            return unless grape_controller?(controller)
+
+            method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
+
+            # Find final controller - actually we gotta match the route to the scanned application
+            # Initially Grape compiles all routes on startup, so we can use the url from the request
+            # and create the observed route
+            # Class < Grape::API, Grape::Router::Route
+            final_controller, route_pattern = _route_recurse(method, _cleaned_route(request), grape_controllers)
+            return unless final_controller
+
+            full_route ||= request.env[::Rack::PATH_INFO]
+
+            Contrast::Api::Dtm::RouteCoverage.from_grape_controller(final_controller, method, route_pattern, full_route)
+          end
+
+          # Search object space for grape controllers--any class that subclasses ::Grape::API.
+          #
+          # @return [Array<::Grape::API>] grape controllers
+          def grape_controllers
+            ObjectSpace.each_object(Class).select { |klass| klass < ::Grape::API }
+          end
+
+          # Grape Request inherits the same as the Sinatra, so we can easily call it as it's called in Sinatra
+          def retrieve_request env
+            ::Grape::Request.new(env)
+          end
+
+          private
+
+          # Determine if, at the time of our Framework Support determination, Grape has been defined.
+          #
+          # @return [Boolean]
+          def grape_defined?
+            @_grape_defined = !!(defined?(::Grape) && defined?(::Grape::API)) if @_grape_defined.nil?
+            @_grape_defined
+          end
+
+          # @param method [::Rack::REQUEST_METHOD] GET, POST, PUT, etc...
+          # @param route [String] the relative route passed from Rack.
+          # @param controllers [Array<::Grape::API>] All Grape controllers found
+          # @return [Array[::Grape::API]], nil] Either the controller that
+          # will handle the route along with the route pattern or nil if no match.
+          def _route_recurse method, route, controllers = grape_controllers
+            # return if there aren't any controllers
+            return unless controllers&.any?
+
+            # Here we can go through the all detected controllers
+            # and find the one that's routes include the current one
+            # Grape controller actually has endpoints and each endpoint
+            # has routes and that's why we need to do it that way
+            controller = controllers.pop
+            return _route_recurse method, route, controllers unless controller
+
+            contr_routes = controller.endpoints&.map(&:routes)&.flatten || []
+            route_pattern = contr_routes&.find do |r|
+              r.pattern.to_regexp.match(route) # ::Mustermann::Grape match
+            end
+            return controller, route_pattern unless route_pattern.nil?
+
+            _route_recurse method, route, controllers
+          end
+
+          # Get route and do some cleaning
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @return [String] the extracted and cleaned relative route.
+          def _cleaned_route request
+            route = request.env[::Rack::PATH_INFO]
+            return '/' if route.empty?
+
+            route.end_with?('/') ? route[0..-2] : route
+          end
+
+          def app_class
+            return unless grape_defined?
+
+            app_instance.cs__class
+          end
+
+          # Search the object space for the controller handling this request which will be
+          # the class inheriting from ::Grape::API with @app=nil
+          #
+          # @return [::Grape::API] the current controller as routed by Rack.
+          def app_instance
+            return unless grape_defined?
+
+            @_app_instance ||= begin
+              grape_layers = ObjectSpace.each_object(::Grape::API).to_a
+              grape_layers.find { |layer| layer.app.nil? }
+            end
+          end
+        end
+      end
+    end
+  end
+end