contrast-agent 4.9.1 → 4.10.0

data/lib/contrast/components/scope.rb

@@ -7,12 +7,9 @@ require 'contrast/agent/scope'
 
 # This is the Scope component.
 #
-# It tracks /Contrast/ scope.  That is, "are we currently doing assess
-# or protect stuff within a patched method?" -- this is how we avoid doing
-# Contrast stuff on Contrast code.
-#
-# Separately from this component, there is also require scope, which is an
-# optimization on how we implement patching to `require`.
+# It tracks /Contrast/ scope.  That is, "are we currently doing assess or protect stuff within a patched method?" --
+# this is how we avoid doing Contrast stuff on Contrast code or creating infinite loops -- or "are we in some other
+# execution context for which we need to special case?".
 module Contrast
   module Components
     module Scope # :nodoc:
@@ -25,10 +22,8 @@ module Contrast
           EXECUTION_CONTEXT[Fiber.current] = Contrast::Agent::Scope.new
         end
 
-        # This returns the scope governing the current execution context.
-        # Use this sparingly, preferring the instance & class methods to
-        # access and query scope, rather than interacting with the scope
-        # object directly.
+        # This returns the scope governing the current execution context. Use this sparingly, preferring the instance
+        # & class methods to access and query scope, rather than interacting with the scope object directly.
         def scope_for_current_ec
           MONITOR.synchronize do
             return EXECUTION_CONTEXT[Fiber.current] ||= Contrast::Agent::Scope.new
@@ -37,9 +32,7 @@ module Contrast
       end
 
       module InstanceMethods # :nodoc:
-        # For each instance method on a scope, define a forwarder
-        # to the scope on the current execution context's scope.
-
+        # For each instance method on a scope, define a forwarder to the scope on the current execution context's scope.
         def scope_for_current_ec
           MONITOR.synchronize do
             return EXECUTION_CONTEXT[Fiber.current] ||= Contrast::Agent::Scope.new
@@ -118,24 +111,12 @@ module Contrast
         ensure
           scope_for_current_ec.exit_split_scope!
         end
-
-        # TODO: RUBY-572
-        #
-        # Current behavior is to no-op if we're not "in a request context".
-        # Our C functions were previously checking to see if we had a scope, because
-        # scope was tacked on to a request context -- so "we have a scope, therefore,
-        # we have a request context."  We've decoupled scopes from request contexts,
-        # so now it checks "do we have a request context."
-        # RUBY-290 should remove all of that, including this method.
-        def in_request_context?
-          !!Contrast::Agent::REQUEST_TRACKER.current
-        end
       end
 
       def self.sweep_dead_ecs
-        # TODO: RUBY-571, #sweep_dead_ecs compensates for a lack of weak tables
-        # 'ec' for execution context.  in this case, it's a Fiber.
-        # Threads rely on Fibers, so two birds, one stone.
+        # TODO: RUBY-534, #sweep_dead_ecs compensates for a lack of weak tables. when we can use WeakRef, we should
+        #   investigate removing this call and instead use the WeakRef for the Execution Context's Keys or using our
+        #   Finalizers Hash for Fibers
         MONITOR.synchronize do
           EXECUTION_CONTEXT.delete_if do |ec, _scope|
             !ec.alive?

data/lib/contrast/config/base_configuration.rb

@@ -12,7 +12,7 @@ module Contrast
     class BaseConfiguration
       extend Forwardable
 
-      BOOLEANS = [true, false].cs__freeze
+      STRING_BOOLEANS = %w[false true].cs__freeze
 
       attr_reader :map
 
@@ -73,8 +73,18 @@ module Contrast
                           spec_value.new(user_provided_value)
                         elsif spec_value.is_a?(Contrast::Config::DefaultValue) && user_provided_value == EMPTY_VALUE
                           spec_value.value
-                        elsif BOOLEANS.include?(user_provided_value)
-                          user_provided_value.to_s
+                        elsif user_provided_value.cs__is_a?(String)
+                          value = user_provided_value.downcase
+                          # converts string values to 'true' => true or 'false' => false
+                          case value
+                          when STRING_BOOLEANS[1]
+                            true
+                          when STRING_BOOLEANS[0]
+                            false
+                          else
+                            # returns non boolean string values
+                            user_provided_value
+                          end
                         else
                           user_provided_value
                         end
@@ -95,9 +105,7 @@ module Contrast
 
       def define_setter str_key
         define_singleton_method "#{ str_key }=".to_sym do |new_value|
-          boolean_value = new_value == true
-          boolean_value ||= new_value == false
-          @map[str_key] = boolean_value ? new_value.to_s : new_value
+          @map[str_key] = new_value
         end
       end
     end

data/lib/contrast/configuration.rb

@@ -48,9 +48,7 @@ module Contrast
     # in an infinite loop on the to_sym method used later.
     def method_missing symbol, *args
       with_contrast_scope do
-        root.public_send(symbol, *args)
-      rescue NoMethodError => _e
-        super
+        root.public_send(symbol, *args) if root.cs__respond_to?(symbol)
       end
     end
 
@@ -101,8 +99,7 @@ module Contrast
       {}
     end
 
-    # We're updating properties loaded from the configuration
-    # files to match the new agreed upon standard configuration
+    # We're updating properties loaded from the configuration files to match the new agreed upon standard configuration
     # names, so that one file works for all agents
     def update_prop_keys config
       CONVERSION.each_pair do |old_method, new_method|
@@ -120,16 +117,7 @@ module Contrast
         # We changed the seconds values into ms values. Multiply them accordingly
         old_value = old_value.to_i * 1000 if new_method.end_with?(MILLISECOND_MARKER)
         new_value = config
-        end_idx = new_keys.length - 1
-        new_keys.each_with_index do |new_key, index|
-          if index == end_idx
-            new_value[new_key] = old_value if new_value[new_key].nil?
-          else
-            new_value = {} if new_value.nil?
-            new_value[new_key] = {} if new_value[new_key].nil?
-            new_value = new_value[new_key]
-          end
-        end
+        replace_props(new_keys, new_value, old_value)
       end
 
       config
@@ -237,5 +225,21 @@ module Contrast
         convert
       end
     end
+
+    def replace_props new_keys, new_value, old_value
+      idx = 0
+      end_idx = new_keys.length - 1
+      while idx < new_keys.length
+        new_key = new_keys[idx]
+        if idx == end_idx
+          new_value[new_key] = old_value if new_value[new_key].nil?
+        else
+          new_value = {} if new_value.nil?
+          new_value[new_key] = {} if new_value[new_key].nil?
+          new_value = new_value[new_key]
+        end
+        idx += 1
+      end
+    end
   end
 end

data/lib/contrast/extension/assess/array.rb

@@ -11,7 +11,7 @@ module Contrast
       # This is our patch of the Array class required to handle propagation
       # Disclaimer: there may be a better way, but we're in a 'get it work' state.
       # Hopefully, we'll be in a 'get it right' state soon.
-      class ArrayPropagator
+      class ArrayPropagator # rubocop:disable Style/StaticClass
         extend Contrast::Components::Scope::InstanceMethods
 
         ARRAY_JOIN_HASH = {
@@ -59,16 +59,6 @@ module Contrast
               ret
             end
           end
-
-          def instrument_array_track
-            @_instrument_array_track ||= begin
-              require 'cs__assess_array/cs__assess_array'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading assess track patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/extension/assess/eval_trigger.rb

@@ -34,26 +34,6 @@ module Contrast
                                                                               ret, source)
           end
 
-          def instrument_basic_object_track
-            @_instrument_basic_object_track ||= begin
-              require 'cs__assess_basic_object/cs__assess_basic_object'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading basic object track patch', e)
-            false
-          end
-
-          def instrument_module_track
-            @_instrument_module_track ||= begin
-              require 'cs__assess_module/cs__assess_module'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading module track patch', e)
-            false
-          end
-
           private
 
           def trigger_node clazz, method

data/lib/contrast/extension/assess/fiber.rb

@@ -20,7 +20,6 @@ module Contrast
         extend Contrast::Components::Logger::InstanceMethods
         extend Contrast::Components::Scope::InstanceMethods
 
-
         # we use funchook to patch rb_fiber_new the initialize method is not exposed by Ruby core
         FIBER_NEW_NODE_HASH = {
             'class_name' => 'Fiber',
@@ -86,16 +85,6 @@ module Contrast
           rescue Exception => e # rubocop:disable Lint/RescueException
             logger.error('Unable to propagate during Fiber.new', e)
           end
-
-          def instrument_fiber_track
-            @_instrument_fiber_variables ||= begin
-              require 'cs__assess_fiber_track/cs__assess_fiber_track' if Funchook.available?
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading fiber track patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/extension/assess/hash.rb

@@ -25,16 +25,6 @@ module Contrast
             # result in a seg fault
             object
           end
-
-          def instrument_hash_track
-            @_instrument_hash_track ||= begin
-              require 'cs__assess_hash/cs__assess_hash'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading hash track patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/extension/assess/kernel.rb

@@ -14,6 +14,7 @@ module Contrast
       module KernelPropagator
         class << self
           extend Contrast::Components::Logger::InstanceMethods
+          include Contrast::Components::Logger::InstanceMethods
           include Contrast::Extension::Assess::ExecTrigger
 
           # We're 'tracking' sprintf now, meaning if anything is tracked on the way
@@ -65,16 +66,6 @@ module Contrast
             logger.error('Unable to track dataflow through sprintf', e)
           end
 
-          def instrument_kernel_track
-            @_instrument_fiber_variables ||= begin
-              require 'cs__assess_kernel/cs__assess_kernel'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading kernel track patch', e)
-            false
-          end
-
           private
 
           def handle_sprintf_value value, result, parent_events

data/lib/contrast/extension/assess/marshal.rb

@@ -12,10 +12,12 @@ module Contrast
       # Hopefully, we'll be in a 'get it right' state soon.
       # This module is used for our Marshal.load patches
       class MarshalPropagator
-        extend Contrast::Components::Logger::InstanceMethods
         extend Contrast::Components::Scope::InstanceMethods
 
         class << self
+          extend Contrast::Components::Logger::InstanceMethods
+          include Contrast::Components::Logger::InstanceMethods
+
           def cs__load_protect arg
             return if in_contrast_scope?
 
@@ -44,16 +46,6 @@ module Contrast
             end
           end
 
-          def instrument_marshal_load
-            @_instrument_marshal_load ||= begin
-              require 'cs__assess_marshal_module/cs__assess_marshal_module'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading marshal load patch', e)
-            false
-          end
-
           def trigger_node clazz, method
             triggers = Contrast::Agent::Assess::Policy::Policy.instance.triggers
             return unless triggers

data/lib/contrast/extension/assess/regexp.rb

@@ -16,7 +16,6 @@ module Contrast
         extend Contrast::Components::Logger::InstanceMethods
         extend Contrast::Components::Scope::InstanceMethods
 
-
         REGEXP_EQUAL_SQUIGGLE_HASH = {
             'id' => 'regexp_100',
             'class_name' => 'Regexp',
@@ -59,16 +58,6 @@ module Contrast
           rescue Exception => e # rubocop:disable Lint/RescueException
             logger.error('Unable to propagate during Regexp#=~', e)
           end
-
-          def instrument_regexp_track
-            @_instrument_regexp_track ||= begin
-              require 'cs__assess_regexp/cs__assess_regexp'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading regexp track patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/extension/assess/string.rb

@@ -12,7 +12,7 @@ module Contrast
       # methods which are too complex to fit into one of the standard
       # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
       # String Class or exposing our methods there.
-      class StringPropagator
+      class StringPropagator # rubocop:disable Style/StaticClass
         extend Contrast::Components::Logger::InstanceMethods
         extend Contrast::Components::Scope::InstanceMethods
 
@@ -52,31 +52,6 @@ module Contrast
           rescue StandardError => e
             logger.error('Unable to track interpolation', e)
           end
-
-          def instrument_string
-            @_instrument_string ||= begin
-              require 'cs__assess_string/cs__assess_string'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading hash track patch', e)
-            false
-          end
-
-          def instrument_string_interpolation
-            if @_instrument_string_interpolation.nil?
-              @_instrument_string_interpolation = begin
-                if ::Contrast::AGENT.patch_interpolation? && Funchook.available?
-                  require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26'
-                end
-                true
-              rescue StandardError, LoadError => e
-                logger.error('Error loading interpolation patch', e)
-                false
-              end
-            end
-            @_instrument_string_interpolation
-          end
         end
       end
     end

data/lib/contrast/extension/extension.rb

@@ -0,0 +1,61 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Extension
+    # Our top level Assess namespace in the Core Extension section of our
+    # code. These patches are those that are invoked directly from a patched
+    # Class.
+    #
+    module Assess
+      # This is the main instrument helper giving the method of requiring C patches
+      #
+      module InstrumentHelper
+        class << self
+          include Contrast::Components::Logger::InstanceMethods
+
+          # Unites the different require methods into one, using only
+          # the provided path for the C patches
+          # parameters
+          # @param path[String] Path to the required patch
+          #
+          def instrument path
+            var_name, extracted_name = gen_name(path)
+            return if instance_variable_get(var_name) == true
+
+            instance_variable_set(var_name, assign_value(path))
+          rescue StandardError, LoadError => e
+            logger.error("Error loading #{ extracted_name&.nil? ? '' : extracted_name } patch", e)
+            false
+          end
+
+          # Some of the requires have some extra conditions for them to require
+          # the C patches, so this method is helping us move the logic by making some
+          # conditions
+          def assign_value path
+            case path
+            when /fiber/
+              require path if Funchook.available?
+            when /interpolation26/
+              require path if ::Contrast::AGENT.patch_interpolation? && Funchook.available?
+            else
+              require path
+            end
+            true
+          end
+
+          # Generate the needed instance variable name and return the extracted name
+          def gen_name path
+            extracted_name = path.split(%r{[\s_/]})&.uniq&.delete_if do |s|
+              s.empty? || s == 'cs' || s == 'assess' || s == 'track'
+            end
+            extracted_name = (extracted_name&.length || 0) > 1 ? extracted_name&.join('_') : extracted_name&.pop
+            ["@_instrument_#{ extracted_name }_track", extracted_name]
+          end
+        end
+      end
+    end
+  end
+end