contrast-agent 4.9.1 → 4.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 27e411d1ab6398ca59e77859552c6956b0590dc94973512d0bd6e8e63ffa7f74
-  data.tar.gz: 79fee8e128ace994b8aa791d6e945edada8bd69ff099494272af60fba437937c
+  metadata.gz: ab65fd574ef84fbe339e4f4d4bf340623235a442ecc11d7ba28c6af3c6f04d4d
+  data.tar.gz: 0fa9cc44fe85713ee924101139e615d361de6d906c8f5ff4fdd345a930eee9d2
 SHA512:
-  metadata.gz: 6029048d3bc67b6c4f0e5408d37c2b9a8362bd5b8bf5d5e5858f93a26f499e4454896613dc71003e123cd1ca9473d558ec11cc9d7fbebe648b192d9040a44d8e
-  data.tar.gz: e1e697c39c4611f3fadccc82c189e700facd5f399214f96b6bc053bd702ccd05b10aa37a302231e39f82611b13ae40adbf45c2ca0e2ef7fb10eef790310a1836
+  metadata.gz: cb21ebcad0e772649d16a25d2f00cc057ee10df71638b7bd7cc6a4710a1ded28ce4dca749fa040ba2fb78e992727f4cc5d5f38e1187c363a8ea33a12333fc289
+  data.tar.gz: c3ad4c82a9e25ecb58c0ea906f1170cffdd6811952f9c1d71a6c75166358a37e0ebba40e55e9a7433156a51122b9ca1450bb5a4a2a87f9081a4a4268d9abfdb4

data/.rspec

@@ -3,4 +3,3 @@
 --format documentation
 --format RspecJunitFormatter
 --out ./test-results/results.xml
---color

data/.rspec_parallel

@@ -0,0 +1,6 @@
+--require spec_helper
+--order rand
+--format progress
+--format RspecJunitFormatter
+--out ./test-results/results.xml
+--format ParallelTests::RSpec::FailuresLogger --out tmp/failing_specs.log

data/ext/cs__contrast_patch/cs__contrast_patch.c

@@ -437,7 +437,6 @@ void Init_cs__contrast_patch(void) {
     rb_sym_contrast_apply_pre_patch = rb_intern("apply_pre_patch");
     rb_sym_cs_to_s = rb_intern("to_s");
     rb_sym_custom_patch = rb_intern("requires_custom_patch?");
-    rb_sym_in_request_context = rb_intern("in_request_context?");
     rb_sym_info_for = rb_intern("info_for");
     rb_sym_propagation_node = rb_intern("propagation_node");
     rb_sym_set_info_for = rb_intern("set_info_for");

data/ext/cs__contrast_patch/cs__contrast_patch.h

@@ -16,8 +16,6 @@ static VALUE rb_sym_contrast_apply_pre_patch;
 static VALUE rb_sym_custom_patch;
 static VALUE rb_sym_cs_to_s;
 
-static VALUE rb_sym_in_request_context;
-
 static VALUE rb_sym_enter_method_scope;
 static VALUE rb_sym_exit_method_scope;
 

data/lib/contrast/agent/assess/contrast_event.rb

@@ -28,7 +28,6 @@ module Contrast
       # @attr_reader args [Array<Contrast::Agent::Assess::ContrastObject>] the safe representation of the Arguments
       #   with which the method was invoked
       class ContrastEvent
-
         attr_reader :event_id, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args, :tags
 
         # We need this to track the parent id's of events to build up a flow chart of the finding

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -10,7 +10,6 @@ module Contrast
         # An extension of Hash that doesn't impact GC of the object being stored by storing its ID as a Key to lookup
         # and registering a finalizer on the object to remove its entry from the Hash immediately after it's GC'd.
         class Hash < Hash
-
           FROZEN_FINALIZED_IDS = Set.new
 
           def []= key, obj

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -20,7 +20,6 @@ module Contrast
           extend Contrast::Components::Logger::InstanceMethods
           extend Contrast::Components::Scope::InstanceMethods
 
-
           class << self
             def policy
               Contrast::Agent::Assess::Policy::Policy.instance

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -12,8 +12,6 @@ module Contrast
         # of a file vs data flow, such as the detection of Hardcoded Passwords
         # or Keys.
         module PolicyScanner
-
-
           class << self
             # Use the given trace_point, built from an :end event, to determine
             # where the loaded code lives and scan that code for policy

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -10,7 +10,7 @@ module Contrast
       # caused, we'll need to store the state before the change occurred.
       class PreShift
         include Contrast::Components::Logger::InstanceMethods
-
+        extend Contrast::Components::Logger::InstanceMethods
 
         UNDUPLICABLE_MODULES = [
           Enumerator # dup'ing results in 'can't copy execution context'
@@ -84,12 +84,15 @@ module Contrast
 
           def append_arg_details preshift, args
             preshift.args = args.dup
-            preshift.args.each_with_index do |preshift_arg, index|
-              original_arg = args[index]
-              next if preshift_arg.__id__ == original_arg.__id__
+            idx = 0
+            while idx < preshift.args.size
+              original_arg = args[idx]
+              p_arg = preshift.args[idx]
+              idx += 1
+              next if p_arg.__id__ == original_arg.__id__
               next unless Contrast::Agent::Assess::Tracker.tracked?(original_arg)
 
-              Contrast::Agent::Assess::Tracker.copy(original_arg, preshift_arg)
+              Contrast::Agent::Assess::Tracker.copy(original_arg, p_arg)
             end
             preshift.arg_lengths = preshift.args.map do |preshift_arg|
               Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -12,14 +12,11 @@ module Contrast
   module Agent
     module Assess
       module Policy
-        # This class is responsible for the continuation of traces. A
-        # Propagator is any method that transforms an untrusted value. In
-        # general, these methods work on the String class or a holder of
-        # Strings
+        # This class is responsible for the continuation of traces. A Propagator is any method that transforms an
+        # untrusted value. In general, these methods work on the String class or a holder of Strings.
         module PropagationMethod
           extend Contrast::Components::Logger::InstanceMethods
 
-
           APPEND_ACTION = 'APPEND'
           CENTER_ACTION = 'CENTER'
           INSERT_ACTION = 'INSERT'
@@ -48,19 +45,16 @@ module Contrast
               end
             end
 
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   the policy that governs the patches to this method
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture
-            #   of the state of the code just prior to the invocation of the
-            #   patched method.
+            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that governs the
+            #   patches to this method
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             # @param block [Block] the Block passed to the original method
-            # @return [Object, nil] the tracked Return or nil if no changes
-            #   were made; will replace the return of the original function if
-            #   not nil
+            # @return [Object, nil] the tracked Return or nil if no changes were made; will replace the return of the
+            #   original function if not nil
             def apply_propagation method_policy, preshift, object, ret, args, block
               return unless method_policy.propagation_node
               return unless preshift
@@ -86,26 +80,21 @@ module Contrast
                 SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
             }.cs__freeze
 
-            # I lied above. We had to figure out what the target of the
-            # propagation was. Now that we know, we'll actually do things to
-            # it. Note that the return of this method will replace the original
-            # return of the patched function unless it is nil, so be sure
-            # you're returning what you intend.
+            # I lied above. We had to figure out what the target of the propagation was. Now that we know, we'll
+            # actually do things to it. Note that the return of this method will replace the original return of the
+            # patched function unless it is nil, so be sure you're returning what you intend.
             #
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
-            #   the node that governs this propagation event.
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture
-            #   of the state of the code just prior to the invocation of the
-            #   patched method.
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
             # @param target [Object] the Target to which to propagate.
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             # @param block [Block] the Block passed to the original method
-            # @return [Object, nil] the tracked Return or nil if no changes
-            #   were made; will replace the return of the original function if
-            #   not nil
+            # @return [Object, nil] the tracked Return or nil if no changes were made; will replace the return of the
+            #   original function if not nil
             def apply_propagator propagation_node, preshift, target, object, ret, args, block
               return unless propagation_possible?(propagation_node, target)
 
@@ -127,13 +116,16 @@ module Contrast
               nil
             end
 
-            # Custom actions tend to be the more complex of our propagations.
-            # Often, the method has to make decisions about the target based on
-            # the context with which the method was called. As such, defer
-            # determining if the target is valid to that method.
+            # Custom actions tend to be the more complex of our propagations. Often, the method has to make decisions
+            # about the target based on the context with which the method was called. As such, defer determining if the
+            # target is valid to that method.
+            #
+            # In all other cases, a target is valid for propagation if it is not nil
             #
-            # In all other cases, a target is valid for propagation if it is not
-            # nil
+            # @param target [Object] the thing to which to propagate
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @return [Boolean]
             def valid_target? target, propagation_node
               return true if propagation_node.action == CUSTOM_ACTION
 
@@ -141,8 +133,11 @@ module Contrast
             end
 
             ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
-            # If the action required needs a length and the target does not have
-            # one, the length is not valid
+            # If the action required needs a length and the target does not have one, the length is not valid
+            #
+            # @param target [Object] the thing to which to propagate
+            # @param action [String] the name of the action taken during this propagation
+            # @return [Boolean]
             def valid_length? target, action
               return true if ZERO_LENGTH_ACTIONS.include?(action)
 
@@ -153,9 +148,15 @@ module Contrast
               end
             end
 
-            # Before we do any work, we should check if we even need to.
-            # If the source of this patcher is not tracked, there's no need to do
-            # anything. A copy of nothing is still nothing.
+            # Before we do any work, we should check if we even need to. If the source and target of this patcher are
+            # not tracked, there's no need to do anything. A copy of nothing is still nothing.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the thing to which to propagate
+            # @return [Boolean]
             def can_propagate? propagation_node, preshift, target
               return false unless appropriate_target?(propagation_node, target)
               return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
@@ -165,22 +166,21 @@ module Contrast
                 case source
                 when Contrast::Utils::ObjectShare::OBJECT_KEY
                   return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
-                else # has to be P, there's no ret source type (yet? ever?)
+                else
+                  # has to be P, there's no ret source type (yet? ever?)
                   return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
                 end
               end
               false
             end
 
-            # We cannot propagate to frozen things that have not been updated
-            # to work with our property tracking, unless they're duplicable and
-            # the return.
-            # We probably shouldn't propagate to frozen things at all, as
-            # they're supposed to be immutable, but third parties do jenky
-            # things, so allow it as long as it is safe to do.
+            # We cannot propagate to frozen things that have not been updated to work with our property tracking,
+            # unless they're duplicable and the return. We probably shouldn't propagate to frozen things at all, as
+            # they're supposed to be immutable, but third parties do jenky things, so allow it as long as it is safe to
+            # do.
             #
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
-            #   the node that governs this propagation event.
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
             # @param target [Object] the Target to which to propagate.
             # @return [Boolean] if the target can be propagated to
             def appropriate_target? propagation_node, target
@@ -191,6 +191,9 @@ module Contrast
             end
 
             # If this patcher has tags, apply them to the entire target
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param target [Object] the Target to which to propagate.
             def apply_tags propagation_node, target
               return unless propagation_node.tags
               return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
@@ -202,6 +205,10 @@ module Contrast
             end
 
             # If this patcher has tags, remove them from the entire target
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param target [Object] the Target to which to propagate.
             def apply_untags propagation_node, target
               return unless propagation_node.untags
               return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
@@ -214,6 +221,10 @@ module Contrast
             private
 
             # This is checked right before actual propagation
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param target [Object] the Target to which to propagate.
+            # @return [Boolean]
             def propagation_possible? propagation_node, target
               return false unless propagation_node && valid_target?(target, propagation_node)
               return false unless valid_length?(target, propagation_node.action)
@@ -224,12 +235,24 @@ module Contrast
             # Safely duplicate the target, or return nil
             #
             # @param target [Object] the thing to check for duplication
+            # @return [Object, nil]
             def safe_dup target
               target.dup
             rescue StandardError => _e
               nil
             end
 
+            # Iterate over each key and value in a hash to allow for propagation to each.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the Target to which to propagate.
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @param block [Block] the Block passed to the original method
             def handle_hash_propagation propagation_node, preshift, target, object, ret, args, block
               target.each_pair do |key, value|
                 apply_propagator(propagation_node, preshift, key, object, ret, args, block)
@@ -237,6 +260,17 @@ module Contrast
               end
             end
 
+            # Iterate over each value in an enumerable to allow for propagation to each.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the Target to which to propagate.
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @param block [Block] the Block passed to the original method
             def handle_enumerable_propagation propagation_node, preshift, target, object, ret, args, block
               target.each do |value|
                 next if target == value
@@ -245,6 +279,17 @@ module Contrast
               end
             end
 
+            # Move the properties from the source(s) to the target of the propagation.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the Target to which to propagate.
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @param _block [Block] the Block passed to the original method
             def handle_cs_properties_propagation propagation_node, preshift, target, object, ret, args, _block
               return if propagation_node.action == NOOP_ACTION
               return unless can_propagate?(propagation_node, preshift, target)
@@ -266,12 +311,9 @@ module Contrast
               propagation_class.propagate(propagation_node, preshift, target)
               # Once we've propagated, attempt to tag the target if there is a tag(s) to be applied
               apply_tags(propagation_node, target)
-              # Even though we skipped propagating tags from the source if they
-              # were included in untags, the target may have already had some on
-              # it. Let's go ahead and remove them.
-              # In this order, untags takes precedent over tags; but we control
-              # both and there should never be a propagator that has a tag in
-              # its untag.
+              # Even though we skipped propagating tags from the source if they were included in untags, the target may
+              # have already had some on it. Let's go ahead and remove them. In this order, untags takes precedent over
+              # tags; but we control both and there should never be a propagator that has a tag in its untag.
               apply_untags(propagation_node, target)
               return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
@@ -302,7 +344,8 @@ module Contrast
             #   propagation event.
             # @return [Boolean]
             def can_handle_frozen? propagation_node
-              ::Contrast::ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+              ::Contrast::ASSESS.track_frozen_sources? &&
+                  propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -11,8 +11,6 @@ module Contrast
           # results in new source nodes to track which columns in the database
           # have been tainted.
           class DatabaseWrite < Contrast::Agent::Assess::Policy::Propagator::Base
-
-
             class << self
               def propagate propagation_node, preshift, target
                 class_type = preshift.object.cs__class

data/lib/contrast/agent/assess/policy/propagator/match_data.rb

@@ -14,16 +14,15 @@ module Contrast
               def square_bracket_tagger propagation_node, preshift, ret, _block
                 case ret
                 when Array
-                  ret.each_with_index do |return_value, index|
+                  idx = 0
+                  while idx < ret.size
+                    return_value = ret[idx]
+                    index = idx
+                    idx += 1
                     next unless return_value
 
-                    target_matchdata_index = if preshift.args[0].is_a?(Range)
-                                               arg_range = preshift.args[0]
-                                               arg_range.to_a.empty? ? index + 1 : arg_range.to_a[index]
-                                             else
-                                               preshift.args[index]
-                                             end
-                    square_bracket_single(target_matchdata_index, preshift, return_value, propagation_node)
+                    square_bracket_single(target_matchdata_index(preshift, index), preshift, return_value,
+                                          propagation_node)
                   end
                 when String
                   target_matchdata_index = preshift.args[0]
@@ -34,7 +33,11 @@ module Contrast
               end
 
               def captures_tagger propagation_node, preshift, ret, _block
-                ret.each_with_index do |return_value, index|
+                idx = 0
+                while idx < ret.size
+                  return_value = ret[idx]
+                  index = idx
+                  idx += 1
                   next unless return_value
 
                   targetted_index = index + 1
@@ -44,7 +47,11 @@ module Contrast
               end
 
               def to_a_tagger propagation_node, preshift, ret, _block
-                ret.each_with_index do |return_value, index|
+                idx = 0
+                while idx < ret.size
+                  return_value = ret[idx]
+                  index = idx
+                  idx += 1
                   next unless return_value
 
                   square_bracket_single(index, preshift, return_value, propagation_node)
@@ -53,7 +60,11 @@ module Contrast
               end
 
               def values_at_tagger propagation_node, preshift, ret, _block
-                ret.each_with_index do |return_value, return_index|
+                idx = 0
+                while idx < ret.size
+                  return_value = ret[idx]
+                  return_index = idx
+                  idx += 1
                   next unless return_value
 
                   original_group_arg_index = preshift.args[return_index]
@@ -64,6 +75,15 @@ module Contrast
 
               private
 
+              def target_matchdata_index preshift, index
+                if preshift.args[0].is_a?(Range)
+                  arg_range = preshift.args[0]
+                  arg_range.to_a.empty? ? index + 1 : arg_range.to_a[index]
+                else
+                  preshift.args[index]
+                end
+              end
+
               def square_bracket_single argument_index, preshift, return_value, propagation_node
                 original_start_index = preshift.object.begin(argument_index)
                 original_end_index = preshift.object.end(argument_index)