contrast-agent 4.9.1 → 4.10.0

data/lib/contrast/agent/inventory/dependency_usage_analysis.rb

@@ -76,11 +76,12 @@ module Contrast
           return unless enabled?
           return unless activity
 
-          # Copy gemdigest_cache and clear it in sync.
+          # Disconnect gemdigest_cache and replace it with an empty one; synch so new libs cannot be added between the
+          # assignment and the replace
           gem_spec_digest_to_files = @lock.synchronize do
-            copy = @gemdigest_cache.dup
-            @gemdigest_cache.clear
-            copy
+            hold = @gemdigest_cache
+            @gemdigest_cache = Hash.new { |hash, key| hash[key] = Set.new }
+            hold
           end
 
           gem_spec_digest_to_files.each_pair do |digest, files|

data/lib/contrast/agent/inventory/policy/datastores.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
-require 'contrast/utils/inventory_util'
+require 'contrast/agent/inventory/database_config'
 
 module Contrast
   module Agent
@@ -42,7 +42,7 @@ module Contrast
               context.activity.query_count += 1
               return unless context.activity.query_count == 1
 
-              Contrast::Utils::InventoryUtil.append_db_config(context.activity)
+              Contrast::Agent::Inventory::DatabaseConfig.append_db_config(context.activity)
             end
           end
         end

data/lib/contrast/agent/middleware.rb

@@ -60,6 +60,7 @@ module Contrast
         handle_first_request
         call_with_agent(env)
       end
+      ::Contrast::Components::Logger.add_trace_log_timing_for(::Contrast::Agent::Middleware, :call)
 
       private
 

data/lib/contrast/agent/patching/policy/after_load_patch.rb

@@ -59,7 +59,10 @@ module Contrast
           end
 
           def instrument!
+            return if instrumenting_module == :'Contrast::Framework::Rails::Rewrite' && RAILS_VER >= '2.6.0'
+
             require instrumentation_file_path
+
             if instrumenting_module
               mod = Module.cs__const_get(instrumenting_module)
               with_contrast_scope { mod.instrument } if mod

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -4,6 +4,7 @@
 require 'contrast/agent/patching/policy/after_load_patch'
 require 'contrast/components/logger'
 require 'contrast/framework/manager'
+require 'contrast/extension/extension'
 
 module Contrast
   module Agent
@@ -29,18 +30,23 @@ module Contrast
           # extensions.
           def apply_direct_patches!
             @_apply_direct_patches ||= begin
-              Contrast::Extension::Assess::ArrayPropagator.instrument_array_track
-              Contrast::Extension::Assess::EvalTrigger.instrument_basic_object_track
-              Contrast::Extension::Assess::EvalTrigger.instrument_module_track
-              Contrast::Extension::Assess::FiberPropagator.instrument_fiber_track
-              Contrast::Extension::Assess::HashPropagator.instrument_hash_track
-              Contrast::Extension::Assess::KernelPropagator.instrument_kernel_track
-              Contrast::Extension::Assess::MarshalPropagator.instrument_marshal_load
-              Contrast::Extension::Assess::RegexpPropagator.instrument_regexp_track
-              Contrast::Extension::Assess::StringPropagator.instrument_string
-              Contrast::Extension::Assess::StringPropagator.instrument_string_interpolation
-
-              Contrast::Extension::Protect::Kernel.instrument
+              paths = %w[
+                array
+                basic_object
+                module
+                fiber_track
+                hash
+                kernel
+                marshal_module
+                regexp
+                string
+                string_interpolation26
+              ].cs__freeze
+              paths.each do |p|
+                path_part = "cs__assess_#{ p }"
+                Contrast::Extension::Assess::InstrumentHelper.instrument "#{ path_part }/#{ path_part }"
+              end
+              Contrast::Extension::Assess::InstrumentHelper.instrument 'cs__protect_kernel/cs__protect_kernel'
               true
             end
           end

data/lib/contrast/agent/patching/policy/module_policy.rb

@@ -12,11 +12,9 @@ module Contrast
         # rather than new.
         class ModulePolicy
           class << self
-            # Given the name of a module, create a :ModulePolicy for it using
-            # the Policy of each supported feature
+            # Given the name of a module, create a :ModulePolicy for it using the Policy of each supported feature.
             #
-            # @param module_name [String] the name of the module to which the
-            #   policy applies
+            # @param module_name [String] the name of the module to which the policy applies.
             # @return [Contrast::Agent::Patching::Policy::ModulePolicy]
             def create_module_policy module_name
               module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.new

data/lib/contrast/agent/patching/policy/patch.rb

@@ -290,6 +290,11 @@ module Contrast
               # we've already patched this class, don't do it again
               return true if methods.include?(cs_method_name)
 
+              # that method is within Contrast definition so it should be skipped
+              method = mod.instance_method(method_policy.method_name) if method_policy.instance_method
+              method = mod.singleton_method(method_policy.method_name) unless method_policy.instance_method
+              return true if method.owner <= Contrast
+
               begin
                 contrast_define_method(mod, method_policy, cs_method_name)
               rescue NameError => e

data/lib/contrast/agent/patching/policy/patch_status.rb

@@ -15,13 +15,9 @@ module Contrast
             # @param mod [Module] the Module for which the status is asked
             # @return [Contrast::Agent::Patching::Policy::PatchStatus]
             def get_status mod
-              if mod.cs__const_defined?(status_key, false)
-                mod.cs__const_get(status_key, false)
-              else
-                s = new
-                mod.cs__const_set(status_key, s)
-                s
-              end
+              return mod.cs__const_get(status_key) if mod.cs__const_defined?(status_key, false)
+
+              mod.cs__const_set(status_key, new)
             end
 
             # Allows our C patches to look up the :MethodPolicy for a given

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -54,7 +54,8 @@ module Contrast
             def patch
               catchup_after_load_patches
               catchup_loaded_methods
-              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+              # TODO: RUBY-714 remove guard w/ EOL of 2.5
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations if RUBY_VERSION < '2.6.0'
             end
 
             # Hook to only monkeypatch Contrast. This will not trigger any
@@ -86,7 +87,7 @@ module Contrast
 
                 load_patches_for_module(mod_name)
 
-                return unless all_module_names.any?(mod_name)
+                return if all_module_names.none?(mod_name)
 
                 module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
                 patch_into_module(module_data)
@@ -176,12 +177,13 @@ module Contrast
             # @param redo_patch [Boolean] a trigger to force patching regardless of the state of the
             #   Contrast::Agent::Patching::Policy::PatchStatus status on the Module
             def patch_into_module module_data, redo_patch = false
-              status = status_type.get_status(module_data.mod)
+              status = Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod)
               return if (status&.patched? || status&.patching?) && !redo_patch
 
               # Begin patching our sources into the given module. Any patcher that has the name of the module will be
               # evaluated for patching. Find all the patchers that apply to this class, sorted by type.
               module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.create_module_policy(module_data.mod_name)
+
               # If there's nothing to match, then set that status and exit
               if module_policy.empty?
                 status.no_patch!
@@ -191,8 +193,8 @@ module Contrast
               status.patching!
               num_applied_patches = patch_into_instance_methods(module_data, module_policy)
               num_applied_patches += patch_into_singleton_methods(module_data, module_policy)
-              if adjust_for_prepend(module_data) || module_policy.num_expected_patches == num_applied_patches
 
+              if adjust_for_prepend(module_data) || module_policy.num_expected_patches == num_applied_patches
                 status.patched!
               else
                 status.partial_patch!
@@ -258,8 +260,7 @@ module Contrast
               patch_into_methods(mod, methods, module_policy, false)
             end
 
-            # We've found the patchers that apply to this class (or module). Now we'll
-            # filter on the given method.
+            # We've found the patchers that apply to this class (or module). Now we'll filter on the given method.
             #
             # @param mod [Module] The module from which to retrieve instance methods.
             # @param methods [Array<Symbol>] The names of all the methods in in this module
@@ -276,8 +277,7 @@ module Contrast
                                                                                                     is_instance_method)
                 next if method_policy.empty?
 
-                patched = patch_method(mod, methods, method_policy)
-                count += 1 if patched
+                count += 1 if patch_method(mod, methods, method_policy)
               end
               count
             end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -14,7 +14,7 @@ module Contrast
         # infilter methods of the rule should be invoked.
         module AppliesNoSqliRule
           extend Contrast::Agent::Protect::Policy::RuleApplicator
-
+          DATABASE_NOSQL = 'MongoDB'
           class << self
             def invoke method, _exception, properties, _object, args
               return unless valid_input?(args)

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/protect/rule/sql_sample_builder'
 
 module Contrast
   module Agent
@@ -9,6 +10,12 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect NoSQL Injection rule.
         class NoSqli < Contrast::Agent::Protect::Rule::BaseService
+          # Generate a sample for the No-SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          include SqlSampleBuilder::NoSqliSample
+          # Defining build_attack_with_match method
+          include SqlSampleBuilder::AttackBuilder
+
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
 
@@ -31,40 +38,6 @@ module Contrast
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
 
-          def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
-                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
-
-              return result
-            end
-
-            attack_string = input_analysis_result.value
-            regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-            return unless query_string.match?(regexp)
-
-            scanner = select_scanner
-            ss = StringScanner.new(query_string)
-            length = attack_string.length
-            while ss.scan_until(regexp)
-              # the pos of StringScanner is at the end of the regexp (input string),
-              # we need the beginning
-              idx = ss.pos - attack_string.length
-              last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
-              next unless last_boundary && boundary
-
-              kwargs[:start_idx] = idx
-              kwargs[:end_idx] = idx + length
-              kwargs[:boundary_overrun_idx] = boundary
-              kwargs[:input_boundary_idx] = last_boundary
-
-              result ||= build_attack_result(context)
-              update_successful_attack_response(context, input_analysis_result, result, query_string)
-              append_sample(context, input_analysis_result, result, query_string, **kwargs)
-            end
-
-            result
-          end
-
           protected
 
           def find_attacker context, potential_attack_string, **kwargs
@@ -79,25 +52,6 @@ module Contrast
             end
             super(context, potential_attack_string, **kwargs)
           end
-
-          def build_sample context, input_analysis_result, candidate_string, **kwargs
-            input = input_analysis_result.value
-
-            sample = build_base_sample(context, input_analysis_result)
-            sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
-            sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-            sample.no_sqli.start_idx = sample.no_sqli.query.index(input).to_i
-            sample.no_sqli.boundary_overrun_idx = sample.no_sqli.start_idx + input.length
-            sample.no_sqli.input_boundary_idx = kwargs[:boundary].to_i
-            sample.no_sqli.input_boundary_idx = kwargs[:last_boundary].to_i
-            sample
-          end
-
-          private
-
-          def select_scanner
-            @_select_scanner ||= Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
-          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/sql_sample_builder.rb

@@ -0,0 +1,137 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/base'
+require 'contrast/agent/protect/rule/base_service'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        module SqlSampleBuilder
+          # Generate a sample for the SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          #
+          # @param context [Contrast::Agent::RequestContext] the context for the current request
+          # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+          #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+          # @candidate_string [String] the value of the input which may be an attack
+          # @kwargs [Hash] key - value pairs of context individual rules need to build out details
+          #   to send to the Service to tell the story of the attack
+          # @return [Contrast::Api::Dtm::RaspRuleSample] the sample from this attack
+          module SqliSample
+            def build_sample context, input_analysis_result, candidate_string, **kwargs
+              sqli_sample = build_base_sample(context, input_analysis_result)
+              sqli_sample.sqli = Contrast::Api::Dtm::SqlInjectionDetails.new
+              sqli_sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              sqli_sample.sqli.start_idx = kwargs[:start_idx]
+              sqli_sample.sqli.end_idx = kwargs[:end_idx]
+              sqli_sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              sqli_sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              sqli_sample
+            end
+          end
+
+          # Generate a sample for the No-SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          #
+          # @param context [Contrast::Agent::RequestContext] the context for the current request
+          # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+          #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+          # @candidate_string [String] the value of the input which may be an attack
+          # @kwargs [Hash] key - value pairs of context individual rules need to build out details
+          #   to send to the Service to tell the story of the attack
+          # @return [Contrast::Api::Dtm::RaspRuleSample] the sample from this attack
+          module NoSqliSample
+            def build_sample context, input_analysis_result, candidate_string, **kwargs
+              no_sqli_sample = build_base_sample(context, input_analysis_result)
+              no_sqli_sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
+              no_sqli_sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              no_sqli_sample.no_sqli.start_idx = kwargs[:start_idx].to_i
+              no_sqli_sample.no_sqli.end_idx = kwargs[:end_idx].to_i
+              no_sqli_sample.no_sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              no_sqli_sample.no_sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              no_sqli_sample
+            end
+          end
+
+          # This Module is how we apply the attack fo NoSQL and SQL Injection rule.
+          # It includes methods for building attack with match and database scanners
+          module AttackBuilder
+            # Set up an attack result and assigns Database scanner for the No-SQL and SQLI injection detection rules
+            #
+            # @param context [Contrast::Agent::RequestContext] the context for the current request
+            # @param input_analysis_result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule,
+            #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+            # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
+            #   in the case of multiple inputs being found to violate the protection criteria
+            # @query_string [string] he value of the input which may be an attack
+            # @kwargs [Hash] key - value pairs of context individual rules need to build out details to send
+            #   to the Service to tell the story of the attack
+            # @return [Contrast::Api::Dtm::AttackResult] the result from this attack
+            def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
+              if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                    mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+                return result
+              end
+
+              attack_string = input_analysis_result.value
+              regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
+
+              return unless query_string.match?(regexp)
+
+              database = kwargs[:database]
+              scanner = select_scanner(database)
+              ss = StringScanner.new(query_string)
+              length = attack_string.length
+              while ss.scan_until(regexp)
+                # the pos of StringScanner is at the end of the regexp (input string),
+                # we need the beginning
+                idx = ss.pos - attack_string.length
+                last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
+                next unless last_boundary && boundary
+
+                result ||= build_attack_result(context)
+
+                record_match(idx, length, boundary, last_boundary, kwargs)
+                append_match(context, input_analysis_result, result, query_string, **kwargs)
+              end
+
+              result
+            end
+
+            def select_scanner database
+              @scanners ||= {
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>
+                  Contrast::Agent::Protect::Rule::Sqli::MysqlSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_PG =>
+                  Contrast::Agent::Protect::Rule::Sqli::PostgresSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_SQLITE =>
+                  Contrast::Agent::Protect::Rule::Sqli::SqliteSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesNoSqliRule::DATABASE_NOSQL =>
+                  Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
+              }.cs__freeze
+
+              @default_scanner ||= Contrast::Agent::Protect::Rule::Sqli::DefaultSqlScanner.new
+              @scanners[database.to_s] || @default_scanner
+            end
+
+            def record_match idx, length, boundary, last_boundary, kwargs
+              kwargs[:start_idx] = idx
+              kwargs[:end_idx] = idx + length
+              kwargs[:boundary_overrun_idx] = boundary
+              kwargs[:input_boundary_idx] = last_boundary
+            end
+
+            def append_match context, input_analysis_result, result, query_string, **kwargs
+              input_analysis_result.attack_count = input_analysis_result.attack_count + 1
+              update_successful_attack_response(context, input_analysis_result, result, query_string)
+              append_sample(context, input_analysis_result, result, query_string, **kwargs)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/protect/policy/applies_sqli_rule'
+require 'contrast/agent/protect/rule/sql_sample_builder'
 
 module Contrast
   module Agent
@@ -10,6 +11,12 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect SQL Injection rule.
         class Sqli < Contrast::Agent::Protect::Rule::BaseService
+          # Generate a sample for the SQLI injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          include SqlSampleBuilder::SqliSample
+          # Defining build_attack_with_match method
+          include SqlSampleBuilder::AttackBuilder
+
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
 
@@ -31,76 +38,6 @@ module Contrast
 
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
-
-          def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            attack_string = input_analysis_result.value
-            regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-
-            return unless query_string.match?(regexp)
-
-            database = kwargs[:database]
-            scanner = select_scanner(database)
-
-            ss = StringScanner.new(query_string)
-            length = attack_string.length
-            while ss.scan_until(regexp)
-              # the pos of StringScanner is at the end of the regexp (input string),
-              # we need the beginning
-              idx = ss.pos - attack_string.length
-              last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
-              next unless last_boundary && boundary
-
-              result ||= build_attack_result(context)
-              record_match(idx, length, boundary, last_boundary, kwargs)
-              append_match(context, input_analysis_result, result, query_string, **kwargs)
-            end
-
-            result
-          end
-
-          protected
-
-          def build_sample context, input_analysis_result, candidate_string, **kwargs
-            input = input_analysis_result.value
-
-            sample = build_base_sample(context, input_analysis_result)
-            sample.sqli = Contrast::Api::Dtm::SqlInjectionDetails.new
-            sample.sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-            sample.sqli.start_idx = sample.sqli.query.index(input).to_i
-            sample.sqli.end_idx = sample.sqli.start_idx + input.length
-            sample.sqli.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
-            sample.sqli.input_boundary_idx = kwargs[:input_boundary_idx].to_i
-            sample
-          end
-
-          private
-
-          def record_match idx, length, boundary, last_boundary, kwargs
-            kwargs[:start_idx] = idx
-            kwargs[:end_idx] = idx + length
-            kwargs[:boundary_overrun_idx] = boundary
-            kwargs[:input_boundary_idx] = last_boundary
-          end
-
-          def append_match context, input_analysis_result, result, query_string, **kwargs
-            input_analysis_result.attack_count = input_analysis_result.attack_count + 1
-            update_successful_attack_response(context, input_analysis_result, result, query_string)
-            append_sample(context, input_analysis_result, result, query_string, **kwargs)
-          end
-
-          def select_scanner database
-            @sql_scanners ||= {
-                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>
-                    Contrast::Agent::Protect::Rule::Sqli::MysqlSqlScanner.new,
-                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_PG =>
-                    Contrast::Agent::Protect::Rule::Sqli::PostgresSqlScanner.new,
-                Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_SQLITE =>
-                    Contrast::Agent::Protect::Rule::Sqli::SqliteSqlScanner.new
-            }.cs__freeze
-
-            @default_sql_scanner ||= Contrast::Agent::Protect::Rule::Sqli::DefaultSqlScanner.new
-            @sql_scanners[database.to_s] || @default_sql_scanner
-          end
         end
       end
     end