contrast-agent 4.9.1 → 4.10.0

data/lib/contrast/framework/sinatra/support.rb

@@ -106,7 +106,7 @@ module Contrast
           def _route_recurse controller, method, route
             return if controller.nil? || controller.cs__class == NilClass
 
-            route_patterns = controller.routes.fetch(method, []).map(&:first)
+            route_patterns = controller.routes.fetch(method) { [] }.map(&:first)
             route_pattern = route_patterns&.find do |matcher|
               matcher.params(route) # ::Mustermann::Sinatra match.
             end

data/lib/contrast/logger/log.rb

@@ -13,6 +13,75 @@ require 'contrast/logger/time'
 require 'contrast/components/config'
 
 module Contrast
+  # This module allows us to dynamically weave timing into our code, so that only when the time is actually needed do
+  # we pay the penalty for that timing block
+  module TraceTiming
+    def methods_to_time
+      @_methods_to_time ||= []
+    end
+
+    # Store info about methods for later patching.
+    METHOD_INFO = Struct.new(:clazz, :method_name, :custom_msg, :aliased)
+
+    # Add a method to the list of methods to be trace timed if logger set to TRACE. Enables trace timing after if
+    # logger set to TRACE.
+    #
+    # @params: clazz [Class] the class of the method to time.
+    # @params: method [Symbol] the method to time.
+    # @params: method [String] optional custom logging message.
+    def add_method_to_trace_timing clazz, method, msg = nil
+      methods_to_time.append(METHOD_INFO.new(clazz, method, msg, false))
+      enable_trace_timing if logger.level == ::Ougai::Logging::TRACE
+    end
+
+    # Add a method to the list of methods to be trace timed if logger set to TRACE. Enables trace timing after if
+    # logger set to TRACE.
+    #
+    # @params: method_spec [METHOD_INFO] specs about the method to be timed.
+    # @params: class_method [Boolean] whether this is or isn't a class/module method.
+    def trace_time_class_method meth_spec, class_method
+      untimed_func_symbol = "untimed_#{ meth_spec.method_name }".to_sym
+      send_to = class_method ? meth_spec.clazz.cs__singleton_class : meth_spec.clazz
+      meth_spec.clazz.class_eval do
+        include Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Logger::InstanceMethods
+
+        send_to.send(:alias_method, untimed_func_symbol, meth_spec.method_name)
+        meth_spec.aliased = true
+
+        log_message = "Elapsed time for #{ meth_spec.method_name }."
+        log_message = meth_spec.custom_message if meth_spec.custom_msg
+
+        send_to.send(:define_method, meth_spec.method_name) do |*args, **kwargs, &block| # rubocop:disable Performance/Kernel/DefineMethod
+          start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+          rv = if kwargs.empty?
+                 send(untimed_func_symbol, *args, &block)
+               else
+                 send(untimed_func_symbol, *args, **kwargs, &block)
+               end
+          delta = Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
+          logger.trace(log_message, elapsed: delta * 1000)
+          rv
+        end
+      end
+    end
+
+    # Enable trace timing of methods specified in @_methods_to_time via aliasing.
+    def enable_trace_timing
+      methods_to_time.each do |meth_spec|
+        next if meth_spec.aliased
+
+        is_class_method = meth_spec.clazz.singleton_methods(false).include?(meth_spec.method_name)
+        trace_time_class_method meth_spec, is_class_method
+      end
+    end
+  end
+end
+
+module Contrast
+  # Used as a wrapper around our logging. The module option specifically adds in a new method for error that raises the
+  # logged exception, used in testing so that we can see if anything unexpected happens without it being swallowed
+  # while still providing safe options for customers.
   module Logger
     # For development set following env var to raise logged exceptions instead of just logging.
     if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
@@ -20,22 +89,22 @@ module Contrast
         alias_method :cs__error, :error
         alias_method :cs__warn, :warn
 
-        def error msg, exc, **kwargs
-          cs__error(msg, exc, **kwargs)
-          raise exc if exc && exc.cs__class < Exception
-        end
-
-        def warn msg, exc, **kwargs
-          cs__warn(msg, exc, **kwargs)
-          raise exc if exc && exc.cs__class < Exception
+        def error *args, **kwargs
+          if kwargs.empty?
+            cs__error(*args)
+          else
+            cs__error(*args, **kwargs)
+          end
+          args.each { |arg| raise arg if arg && arg.cs__class < Exception }
         end
       end
     end
 
-    # This class functions to serve as a wrapper around our logging, as we need
-    # to be able to dynamically update level based on updates to TeamServer.
+    # This class functions to serve as a wrapper around our logging, as we need to be able to dynamically update
+    # level based on updates to TeamServer.
     class Log
       include Singleton
+      include ::Contrast::TraceTiming
 
       DEFAULT_NAME     = 'contrast.log'
       DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
@@ -49,8 +118,8 @@ module Contrast
         update
       end
 
-      # Given new settings from TeamServer, update our logging to use the new
-      # file and level, assuming they weren't set by local configuration.
+      # Given new settings from TeamServer, update our logging to use the new file and level, assuming they weren't
+      # set by local configuration.
       #
       # @param log_file [String] the file to which to log, as provided by TeamServer settings
       # @param log_level [String] the level at which to log, as provided by TeamServer settings
@@ -67,6 +136,8 @@ module Contrast
         @previous_path  = current_path
         @previous_level = current_level_const
 
+        enable_trace_timing if current_level_const == ::Ougai::Logging::TRACE
+
         @_logger = build(path: current_path, level_const: current_level_const)
         # If we're logging to a new path, then let's start it w/ our helpful
         # data gathering messages
@@ -76,6 +147,9 @@ module Contrast
           logger.error('Unable to process update to LoggerManager.', e)
         else
           puts 'Unable to process update to LoggerManager.'
+          raise e if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
+
+          puts e.message
           puts e.backtrace.join("\n")
         end
       end
@@ -158,7 +232,8 @@ module Contrast
       # @return [::Ougai::Logging::Severity] the level at which to log
       def find_valid_level log_level
         config = ::Contrast::CONFIG.root.agent.logger
-        config_level = config.level&.length&.positive? ? config.level : nil
+        config_level = config&.level&.length&.positive? ? config.level : nil
+
         valid_level(config_level || log_level)
       end
 
@@ -174,8 +249,7 @@ module Contrast
         DEFAULT_LEVEL
       end
 
-      # Log that the Agent log has changed and include some default information
-      # at the start of the log.
+      # Log that the Agent log has changed and include some default information at the start of the log.
       def log_update
         logger.debug('Initialized new contrast agent logger')
         logger.debug_with_time('middleware: log environment') do

data/lib/contrast/utils/io_util.rb

@@ -6,7 +6,7 @@ require 'contrast/components/logger'
 module Contrast
   module Utils
     # Util for information about an IO
-    class IOUtil
+    module IOUtil
       extend Contrast::Components::Logger::InstanceMethods
 
       # We're only going to call rewind on things that we believe are safe to

data/lib/contrast/utils/ruby_ast_rewriter.rb

@@ -36,36 +36,39 @@ module Contrast
       # the replace within the given node.
       def on_dstr node
         return if node.children.all? { |child_node| child_node.type == :str }
-
         new_content = +'('
-        node.children.each_with_index do |child_node, index|
+        idx = 0
+        while idx < node.children.size
+          #node.children.each_with_index do |child_node, index|
+          child_node = node.children[idx]
           # A begin node looks like #{some_code} in ruby, we do a substring
           # from [2...-1] to get rid of the #{ & trailing }.
           if child_node.type == :begin
             code = child_node.
-                location.
-                expression.
-                source_buffer.
-                source[child_node.location.begin.begin_pos...child_node.location.end.end_pos]
+              location.
+              expression.
+              source_buffer.
+              source[child_node.location.begin.begin_pos...child_node.location.end.end_pos]
             code = code[2...-1]
             new_content += "((#{ code }).to_s)"
 
-          # For interpolations that use class, instance, or global variables,
-          # those are NOT within a begin block, but instead are a ivar, cvar,
-          # or gvar node, not stripping of interpolation markers required.
+            # For interpolations that use class, instance, or global variables,
+            # those are NOT within a begin block, but instead are a ivar, cvar,
+            # or gvar node, not stripping of interpolation markers required.
           elsif VARIABLES.include?(child_node.type)
             variable = child_node.children.first
             new_content << "((#{ variable }).to_s)"
 
-          # When interpolation includes strings before or after an
-          # interpolation they are simple :str nodes, in order to preserve
-          # escaping we need to do a dump of the string value.
+            # When interpolation includes strings before or after an
+            # interpolation they are simple :str nodes, in order to preserve
+            # escaping we need to do a dump of the string value.
           elsif child_node.type == :str
             literal_value = child_node.children.first
             literal_value = literal_value.dump[1...-1]
             new_content <<  "\"#{ literal_value }\""
           end
-          new_content << ' + ' unless index == node.children.length - 1
+          new_content << ' + ' unless idx == node.children.length - 1
+          idx += 1
         end
         new_content << ')'
         if node.location.cs__respond_to?(:heredoc_body)

data/lib/contrast/utils/tag_util.rb

@@ -8,7 +8,8 @@ module Contrast
       class << self
         # Determine if the given array of tags is covered by the other
         #
-        # @param remaining_ranges [Array<Contrast::Agent::Assess::Tag>] the tags left that haven't been covered by those given
+        # @param remaining_ranges [Array<Contrast::Agent::Assess::Tag>] the tags left that haven't been covered by
+        #   those given
         # @param ranges Array<Contrast::Agent::Assess::Tag> the tags that are covering the first
         def covered? remaining_ranges, ranges
           return true unless remaining_ranges&.any?

data/resources/assess/policy.json

@@ -34,6 +34,23 @@
       "type": "BODY",
       "tags":["NO_NEWLINES", "CROSS_SITE"]
     }, {
+      "class_name":"ActionDispatch::Request",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "body",
+      "source": "P0",
+      "target": "R",
+      "type": "BODY",
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
+    },  {
+      "class_name":"ActionDispatch::Cookies::CookieJar",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "[]",
+      "target": "R",
+      "type": "COOKIE",
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
+    },  {
       "class_name":"Rack::Request::Helpers",
       "instance_method": true,
       "method_visibility": "public",
@@ -129,10 +146,45 @@
       "target":"R",
       "type":"PARAMETER",
       "tags":["CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Env",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"[]",
+      "source": "P0",
+      "target":"R",
+      "type":"HEADER",
+      "tags":["CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Request",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"headers",
+      "source": "P0",
+      "target":"R",
+      "type":"HEADER",
+      "tags":["NO_NEWLINES", "CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Request",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"body",
+      "target":"R",
+      "type":"BODY",
+      "tags":["CROSS_SITE"]
+    }, {
+      "class_name":"Grape::Validations::Base",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"validate!",
+      "source": "P0",
+      "target":"R",
+      "type":"PARAMETER",
+      "tags":["CROSS_SITE"]
     }
   ],
   "propagators":[
-    {
+     {
       "class_name":"String",
       "instance_method": true,
       "method_visibility": "public",
@@ -140,7 +192,7 @@
       "source":"O",
       "target":"R",
       "action":"KEEP"
-    },     {
+    }, {
       "class_name": "String",
       "instance_method": true,
       "method_visibility": "public",
@@ -722,6 +774,24 @@
       "patch_method": "select_tagger",
       "source": "O",
       "target": "R"
+    },{
+      "class_name":"CGI::Util",
+      "method_name":"unescape",
+      "instance_method": true,
+      "method_visibility": "public",
+      "source":"P0",
+      "target":"R",
+      "action":"SPLAT",
+      "tags":[],
+      "untags":[]
+    }, {
+      "class_name":"StringIO",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name": "read",
+      "source": "O",
+      "target": "R",
+      "action": "SPLAT"
     }, {
       "class_name":"CGI::Util",
       "method_name":"escapeHTML",
@@ -742,6 +812,16 @@
       "action":"SPLAT",
       "tags":["HTML_ENCODED"],
       "untags":["HTML_DECODED"]
+    }, {
+      "class_name":"Rack::Utils",
+      "method_name":"escape_html",
+      "instance_method": false,
+      "method_visibility": "public",
+      "source":"P0",
+      "target":"R",
+      "action":"SPLAT",
+      "tags":["HTML_ENCODED"],
+      "untags":["HTML_DECODED"]
     }, {
       "class_name":"CGI::Util",
       "method_name":"h",
@@ -1287,6 +1367,18 @@
           "instance_method": true,
           "method_visibility": "public",
           "source":"P0"
+        }, {
+          "class_name":"Rack::Response",
+          "method_name":"body=",
+          "instance_method": true,
+          "method_visibility": "public",
+          "source":"P0"
+        }, {
+          "class_name":"Rack::Response",
+          "method_name":"write",
+          "instance_method": true,
+          "method_visibility": "public",
+          "source":"P0"
         }, {
           "class_name":"Sinatra::Helpers",
           "method_name":"body",
@@ -1347,12 +1439,108 @@
           "method_visibility": "public",
           "method_name":"async_exec",
           "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation::Calculations",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"calculate",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::FinderMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"exists?",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::FinderMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"find_by",
+          "source":"P0"
         }, {
           "class_name":"ActiveRecord::Querying",
           "instance_method": false,
           "method_visibility": "public",
           "method_name":"select",
           "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"from",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"group",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"having",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"joins",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"lock",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"select",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"reselect",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"where",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"rewhere",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::QueryMethods::WhereChain",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"not",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"delete_by",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"destroy_by",
+          "source":"P0"
+        }, {
+          "class_name":"ActiveRecord::Relation",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name":"update_all",
+          "source":"P0"
         }
       ]
     }, {
@@ -1685,6 +1873,13 @@
           "method_visibility": "public",
           "method_name": "redirect_to",
           "source": "P0"
+        },
+        {
+          "class_name": "Grape::DSL::InsideRoute",
+          "instance_method": true,
+          "method_visibility": "public",
+          "method_name": "redirect",
+          "source": "P0"
         }
       ]
     }, {