contrast-agent 4.9.1 → 4.10.0

data/lib/contrast/extension/protect/kernel.rb

@@ -22,16 +22,6 @@ module Contrast
 
             context.reset_activity
           end
-
-          def instrument
-            @_instrument ||= begin
-              require 'cs__protect_kernel/cs__protect_kernel'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading kernel protect patch', e)
-            false
-          end
         end
       end
     end

data/lib/contrast/framework/grape/support.rb

@@ -0,0 +1,174 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/framework/base_support'
+require 'contrast/components/logger'
+
+module Contrast
+  module Framework
+    module Grape
+      # Used when Grape is present to define framework specific behaviour
+      class Support
+        extend Contrast::Framework::BaseSupport
+        class << self
+          include Contrast::Components::Logger::InstanceMethods
+          def detection_class
+            'Grape::API'
+          end
+
+          def version
+            ::Grape::VERSION
+          end
+
+          def application_name
+            app_class&.cs__name
+          end
+
+          def application_root
+            app_instance&.root
+          end
+
+          def server_type
+            'grape'
+          end
+
+          # Given an object, determine if it is a Grape controller.
+          # Which could include cases of ::Grape::API subclass or actual class
+          #
+          # @param app [Object] suspected Grape app.
+          # @return [Boolean]
+          def grape_controller? app
+            # Grape is loaded?
+            return false unless grape_defined?
+
+            # App is a subclass of or actually is ::Grape::API.
+            return false unless app.cs__respond_to?(:<=) && app <= ::Grape::API
+
+            true
+          end
+
+          # Find all classes that subclass ::Grape::API, Gather their routes
+          #
+          # @return [Array<Contrast::Api::Dtm::RouteCoverage>, Array]- founded routes as Dtms
+          def collect_routes
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless grape_defined?
+
+            # Each Grape controller has endpoints and each endpoints has routes
+            # and that's why we need to go through each one and create separate RouteCoverage object
+            routes = []
+            grape_controllers.each do |c|
+              c&.endpoints&.each do |endpoint|
+                endpoint&.routes&.map do |r|
+                  pattern = r.pattern.pattern
+                  temp = Contrast::Api::Dtm::RouteCoverage.from_grape_controller(c, r.request_method, pattern, r.path)
+                  routes << temp
+                end
+              end
+            end
+            routes
+          end
+
+          # Given the current request return a RouteCoverage dtm.
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @param controller [::Grape::API] optionally use this controller instead of global ::Grape::API.
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil] a Dtm describing the route
+          # matched to the request if a match was found.
+          def current_route request, controller = ::Grape::API, full_route = nil
+            return unless grape_controller?(controller)
+
+            method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
+
+            # Find final controller - actually we gotta match the route to the scanned application
+            # Initially Grape compiles all routes on startup, so we can use the url from the request
+            # and create the observed route
+            # Class < Grape::API, Grape::Router::Route
+            final_controller, route_pattern = _route_recurse(method, _cleaned_route(request), grape_controllers)
+            return unless final_controller
+
+            full_route ||= request.env[::Rack::PATH_INFO]
+
+            Contrast::Api::Dtm::RouteCoverage.from_grape_controller(final_controller, method, route_pattern, full_route)
+          end
+
+          # Search object space for grape controllers--any class that subclasses ::Grape::API.
+          #
+          # @return [Array<::Grape::API>] grape controllers
+          def grape_controllers
+            ObjectSpace.each_object(Class).select { |klass| klass < ::Grape::API }
+          end
+
+          # Grape Request inherits the same as the Sinatra, so we can easily call it as it's called in Sinatra
+          def retrieve_request env
+            ::Grape::Request.new(env)
+          end
+
+          private
+
+          # Determine if, at the time of our Framework Support determination, Grape has been defined.
+          #
+          # @return [Boolean]
+          def grape_defined?
+            @_grape_defined = !!(defined?(::Grape) && defined?(::Grape::API)) if @_grape_defined.nil?
+            @_grape_defined
+          end
+
+          # @param method [::Rack::REQUEST_METHOD] GET, POST, PUT, etc...
+          # @param route [String] the relative route passed from Rack.
+          # @param controllers [Array<::Grape::API>] All Grape controllers found
+          # @return [Array[::Grape::API]], nil] Either the controller that
+          # will handle the route along with the route pattern or nil if no match.
+          def _route_recurse method, route, controllers = grape_controllers
+            # return if there aren't any controllers
+            return unless controllers&.any?
+
+            # Here we can go through the all detected controllers
+            # and find the one that's routes include the current one
+            # Grape controller actually has endpoints and each endpoint
+            # has routes and that's why we need to do it that way
+            controller = controllers.pop
+            return _route_recurse method, route, controllers unless controller
+
+            contr_routes = controller.endpoints&.map(&:routes)&.flatten || []
+            route_pattern = contr_routes&.find do |r|
+              r.pattern.to_regexp.match(route) # ::Mustermann::Grape match
+            end
+            return controller, route_pattern unless route_pattern.nil?
+
+            _route_recurse method, route, controllers
+          end
+
+          # Get route and do some cleaning
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @return [String] the extracted and cleaned relative route.
+          def _cleaned_route request
+            route = request.env[::Rack::PATH_INFO]
+            return '/' if route.empty?
+
+            route.end_with?('/') ? route[0..-2] : route
+          end
+
+          def app_class
+            return unless grape_defined?
+
+            app_instance.cs__class
+          end
+
+          # Search the object space for the controller handling this request which will be
+          # the class inheriting from ::Grape::API with @app=nil
+          #
+          # @return [::Grape::API] the current controller as routed by Rack.
+          def app_instance
+            return unless grape_defined?
+
+            @_app_instance ||= begin
+              grape_layers = ObjectSpace.each_object(::Grape::API).to_a
+              grape_layers.find { |layer| layer.app.nil? }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/framework/manager.rb

@@ -2,9 +2,11 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/extension/module'
 require 'contrast/framework/platform_version'
 require 'contrast/framework/rack/support'
 require 'contrast/framework/rails/support'
+require 'contrast/framework/grape/support'
 require 'contrast/framework/sinatra/support'
 require 'contrast/utils/class_util'
 
@@ -19,7 +21,7 @@ module Contrast
       # do not exist
       SUPPORTED_FRAMEWORKS = [
         Contrast::Framework::Rails::Support, Contrast::Framework::Sinatra::Support,
-        Contrast::Framework::Rack::Support
+        Contrast::Framework::Grape::Support, Contrast::Framework::Rack::Support
       ].cs__freeze
 
       def initialize
@@ -77,15 +79,24 @@ module Contrast
         found || ::Rack::Directory.new('').root
       end
 
-      # If we have 0 or n > 1 frameworks, we need to use the default rack request
+      # Build a request from the provided env, based on the framework(s) we're currently supporting.
       #
       # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values
       # of this particular Request
       # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
+        # If we're mounted on Rails, use Rails.
+        if @_frameworks.include?(Contrast::Framework::Rails::Support)
+          return Contrast::Framework::Rails::Support.retrieve_request(env)
+        end
+
+        # If we know the framework, use it.
         return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
 
+        # Fall back on a regular Rack::Request
         ::Rack::Request.new(env)
+      rescue StandardError => e
+        logger.warn('Unable to retrieve_request', e)
       end
 
       # @param env [Hash] the various variables stored by this and other Middlewares to know the state
@@ -109,6 +120,34 @@ module Contrast
         @_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.reject(&:nil?).first
       end
 
+      # Sometimes the framework we want to instrument is loaded after our agent code. To catch that case, we'll detect
+      # if the loaded_module is the marker class for any of our supported frameworks. If it is, and we don't already
+      # have support enabled, we'll enable it now. We'll also need to catch up on any other startup actions that we've
+      # missed. Most likely, this is only necessary for those applications which have applications mounted on them.
+      #
+      # @param mod [Module] the module or class that was just loaded
+      def register_late_framework mod
+        return unless mod
+
+        module_name = mod.cs__name
+        # Otherwise, check if the provided module_name requires us to register a new support
+        SUPPORTED_FRAMEWORKS.each do |framework|
+          next if @_frameworks.include?(framework)
+          next unless module_name == framework.detection_class
+
+          @_frameworks << framework
+          # Report the registered routes of that framework now that we know we need to find them
+          app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.build
+          Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg)
+          logger.info('Framework detected after initialization. Enabling support.',
+                      framework: framework.detection_class,
+                      frameworks: @_frameworks)
+          break
+        end
+      rescue StandardError => e
+        logger.warn('Unable to register a late framework', e, module: mod.cs__name)
+      end
+
       private
 
       def enable_framework_support? klass
@@ -124,10 +163,7 @@ module Contrast
       # @param method_name [Symbol] the method to call on each FrameworkSupport class
       # @return [Array]
       def data_for_all_frameworks method_name
-        data = @_frameworks.flat_map do |framework|
-          framework.send(method_name)
-        end
-        data.compact
+        @_frameworks.flat_map { |framework| framework.send(method_name) }.compact
       end
 
       # This returns a single object from the first framework to successfully respond

data/lib/contrast/framework/rack/support.rb

@@ -14,7 +14,7 @@ module Contrast
         extend Contrast::Framework::Rack::Patch::Support
         class << self
           def detection_class
-            'don\'t let me be detected'
+            'rack -- don\'t let me be detected'
           end
         end
       end

data/lib/contrast/framework/rails/patch/assess_configuration.rb

@@ -11,7 +11,6 @@ module Contrast
         module AssessConfiguration
           include Contrast::Components::Logger::InstanceMethods
 
-
           CS__SESSION_TIMEOUT_NAME = 'session-timeout'
           SAFE_SESSION_TIMEOUT = (30 * 60 * 1000)
           CS__SECURE_RULE_NAME = 'secure-flag-missing'

data/lib/contrast/framework/rails/patch/support.rb

@@ -29,12 +29,14 @@ module Contrast
                                 Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
                                     'ActionController::Live::Buffer',
                                     'contrast/framework/rails/patch/action_controller_live_buffer',
-                                    instrumenting_module: 'Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer'),
+                                    instrumenting_module:
+                                      'Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer'),
                                 Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
                                     'Rails::Application::Configuration',
                                     'contrast/framework/rails/patch/rails_application_configuration',
                                     method_to_instrument: :session_store,
-                                    instrumenting_module: 'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration')
+                                    instrumenting_module:
+                                      'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration')
                               ])
             if RUBY_VERSION < '2.6.0'
               patches.merge([
@@ -61,7 +63,8 @@ module Contrast
                                   'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
                                   'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
                                   method_to_instrument: :inherited,
-                                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
+                                  instrumenting_module:
+                                    'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
                             ])
             end
             patches

data/lib/contrast/framework/rails/railtie.rb

@@ -12,7 +12,7 @@ module Contrast
         include Contrast::Components::Logger::InstanceMethods
 
         initializer 'Contrast Ruby Agent Initializer' do |app|
-        log_rails = defined?(Rails) && defined?(Rails.logger)
+          log_rails = defined?(Rails) && defined?(Rails.logger)
 
           Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if log_rails
 

data/lib/contrast/framework/rails/rewrite/active_record_named.rb

@@ -18,6 +18,7 @@ module Contrast
         #   being phased out with support for those language versions.
         class ActiveRecordNamed
           include Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Components::Logger::InstanceMethods
 
           class << self
             def rewrite mod, method_name, body

data/lib/contrast/framework/rails/support.rb

@@ -13,6 +13,8 @@ module Contrast
       class Support
         extend Contrast::Framework::BaseSupport
         extend Contrast::Framework::Rails::Patch::Support
+        include Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Logger::InstanceMethods
 
         class << self
           RAILS_MODULE_NAME_VERSION = Gem::Version.new('6.0.0')
@@ -49,31 +51,36 @@ module Contrast
           # Find the current route, based on the provided Request wrapper
           #
           # @param request[Contrast::Agent::Request]
-          # @return [Contrast::Api::Dtm::RouteCoverage]
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil]
           def current_route request
             return unless ::Rails.cs__respond_to?(:application)
 
+            # ActionDispatch::Journey::Path::Pattern::MatchData, Hash, ActionDispatch::Journey::Route, Array<String>
             match, _params, route, path = get_full_route(request.rack_request)
+            unless route
+              logger.warn('Unable to determine the current route of this request')
+              return
+            end
 
             original_url = request.rack_request.path_info
-
+            mounted_app = route&.app&.app
             # Route is either the final rails route, or a router that points to a Sinatra controller.
-            if Contrast::Framework::Sinatra::Support.sinatra_controller?(route.app.app)
-              # Create a request copied from current request, but with the base path removed from path_info.
-              new_req = ::ActionDispatch::Request.new(request.env)
-              new_req.path_info = new_req.path_info.gsub((path << match).join, '')
-
-              return Contrast::Framework::Sinatra::Support.current_route(new_req, route.app.app, original_url)
+            if mounted_app && Contrast::Framework::Sinatra::Support.sinatra_controller?(mounted_app)
+              return mounted_sinatra_route(request, match, path, route, original_url)
+            end
+            if mounted_app && Contrast::Framework::Grape::Support.grape_controller?(mounted_app)
+              return mounted_grape_route(request, match, path, route, original_url)
             end
 
             Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route, original_url)
-          rescue StandardError => _e
+          rescue StandardError => e
+            logger.warn('Unable to determine the current route of this request', e)
             nil
           end
 
           # Copy a request for modification.
           #
-          # @param [::ActionDispatch::Request] original env.
+          # @param env [::ActionDispatch::Request] original env.
           # @return [::ActionDispatch::Request] a copy of original env with rails env merged.
           def retrieve_request env
             rails_env = ::Rails.application.env_config.merge(env)
@@ -91,18 +98,21 @@ module Contrast
 
           # Determine if route is a Rails engine route.
           #
-          # @param [Object] app or route that points to a ::Rails::Engine
+          # @param route [Object] app or route that points to a ::Rails::Engine
           # @return [bool] whether the router is an engine or not.
           def engine_route? route
+            return false unless route&.app&.app
+
             route.app.is_a?(::ActionDispatch::Routing::Mapper::Constraints) && route.app.app < ::Rails::Engine
           end
 
           # Recursively get final route traversing engines as required.
           #
           # @param request [::Rack::Request] the rack request as will be handed to rails controller.
-          # @param top_router [::ActionDispatch::Journer::Router] the current router relative to the previous.
+          # @param top_router [::ActionDispatch::Journey::Router] the current router relative to the previous.
           # @param path [Array<String>] the chunks of path that have been seen.
-          # @return [Array<array>] the final set of rails route classes.
+          # @return [Array<Object>] the final set of rails route classes.
+          #   ActionDispatch::Journey::Path::Pattern::MatchData, Hash, ActionDispatch::Journey::Route, Array<String>
           def get_full_route request, top_router = ::Rails.application.routes.router, path = []
             return if (route_matches = top_router.send(:find_routes, request)).empty?
 
@@ -132,6 +142,43 @@ module Contrast
             end
             route_list
           end
+
+          # @param request[Contrast::Agent::Request]
+          # @param match [ActionDispatch::Journey::Path::Pattern::MatchData]
+          # @param path [Array<String>] the path of this request, built out from each nested
+          #   ActionDispatch::Journey::Path::Pattern::MatchData
+          # @param route [::ActionDispatch::Journey::Route]
+          # @param original_url [String] the full url of this request, including the mount
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil]
+          def mounted_sinatra_route request, match, path, route, original_url
+            new_req = unmounted_route(request, match, path)
+            Contrast::Framework::Sinatra::Support.current_route(new_req, route.app.app, original_url)
+          end
+
+          # @param request[Contrast::Agent::Request]
+          # @param match [ActionDispatch::Journey::Path::Pattern::MatchData]
+          # @param path [Array<String>] the path of this request, built out from each nested
+          #   ActionDispatch::Journey::Path::Pattern::MatchData
+          # @param route [::ActionDispatch::Journey::Route]
+          # @param original_url [String] the full url of this request, including the mount
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil]
+          def mounted_grape_route request, match, path, route, original_url
+            new_req = unmounted_route(request, match, path)
+            Contrast::Framework::Grape::Support.current_route(new_req, route.app.app, original_url)
+          end
+
+          # Create a request copied from current request, but with the base path removed from path_info, as that's
+          # the mount.
+          #
+          # @param request[Contrast::Agent::Request]
+          # @param match []
+          # @param path [String] the path of this request
+          # @return [::ActionDispatch::Request]
+          def unmounted_route request, match, path
+            new_req = ::ActionDispatch::Request.new(request.env)
+            new_req.path_info = new_req.path_info.gsub((path << match).join, '')
+            new_req
+          end
         end
       end
     end