contrast-agent 4.9.1 → 4.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 27e411d1ab6398ca59e77859552c6956b0590dc94973512d0bd6e8e63ffa7f74
-  data.tar.gz: 79fee8e128ace994b8aa791d6e945edada8bd69ff099494272af60fba437937c
+  metadata.gz: 469e09f0e64dcdb68643154ca601b20b8f61d634789dec642a374d6a51671fec
+  data.tar.gz: e4053b76ef09eaf13ee1cf09418d5ae50cd5e518b5e69f611c0a22d15a9bcd4d
 SHA512:
-  metadata.gz: 6029048d3bc67b6c4f0e5408d37c2b9a8362bd5b8bf5d5e5858f93a26f499e4454896613dc71003e123cd1ca9473d558ec11cc9d7fbebe648b192d9040a44d8e
-  data.tar.gz: e1e697c39c4611f3fadccc82c189e700facd5f399214f96b6bc053bd702ccd05b10aa37a302231e39f82611b13ae40adbf45c2ca0e2ef7fb10eef790310a1836
+  metadata.gz: 311a76a16c063b1d3afe09921e82efa59ea6367165d78fb26c833ab1dcf1e0daba2c3a0bf3597651cd86d146f4480004e916bb78842c6d8185f824dc768c204d
+  data.tar.gz: 3a4c0db4f013ccd0c7427ef01e451fa2d57b9458de7ce2c23df3444f3fcc4c824a7b841d81bf2aa25ecfd378be2afcea3ea57cded948bd350f4c6516a509477e

data/.rspec

@@ -3,4 +3,3 @@
 --format documentation
 --format RspecJunitFormatter
 --out ./test-results/results.xml
---color

data/.rspec_parallel

@@ -0,0 +1,6 @@
+--require spec_helper
+--order rand
+--format progress
+--format RspecJunitFormatter
+--out ./test-results/results.xml
+--format ParallelTests::RSpec::FailuresLogger --out tmp/failing_specs.log

data/ext/cs__assess_module/cs__assess_module.c

@@ -57,6 +57,45 @@ contrast_assess_module_module_eval(const int argc, const VALUE *argv,
     return ret;
 }
 
+VALUE
+contrast_assess_module_prepend(const int argc, const VALUE *argv,
+                               const VALUE self) {
+
+    rb_prepend_module(self, argv[0]);
+
+    VALUE module_at;
+    VALUE rb_incl_in_mod_ary = rb_funcall(self, rb_intern("included_in"), 0);
+
+    if (RB_TYPE_P(rb_incl_in_mod_ary, T_ARRAY)) {
+       int i = 0;
+       int size = rb_funcall(rb_incl_in_mod_ary, rb_intern("length"), 0);
+       for (i = 0; i < size; ++i) {
+           module_at = rb_ary_entry(rb_incl_in_mod_ary, i);
+           if (RB_TYPE_P(module_at, T_MODULE)) {
+              rb_include_module(module_at, argv[0]);
+           }
+       }
+    }
+    return self;
+}
+
+VALUE
+contrast_assess_module_included(const int argc, const VALUE *argv,
+                               const VALUE self) {
+   VALUE frozen;
+   if (RB_TYPE_P(self, T_MODULE)) {
+       // check if frozen
+       frozen = rb_funcall(self, rb_intern("cs__frozen?"), 0);
+       if (frozen == Qfalse) {
+           VALUE ary = rb_funcall(self, rb_intern("included_in"), 0);
+           if (RB_TYPE_P(ary, T_ARRAY)) {
+              rb_ary_push(ary, argv[0]);
+           }
+       }
+   }
+   return self;
+}
+
 void Init_cs__assess_module(void) {
     module_eval_trigger =
         rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
@@ -76,4 +115,13 @@ void Init_cs__assess_module(void) {
 
     contrast_register_patch("Module", "module_eval",
                             contrast_assess_module_module_eval);
+   /*
+    * We patch these for better ancestors handling, and only for older ruby versions.
+    */
+  if (rb_ver_below_three()) {
+     contrast_register_patch("Module", "included",
+                             contrast_assess_module_included);
+     contrast_register_patch("Module", "prepend",
+                             contrast_assess_module_prepend);
+     }
 }

data/ext/cs__assess_module/cs__assess_module.h

@@ -24,5 +24,12 @@ contrast_assess_module_class_eval(const int argc, const VALUE *argv,
 VALUE
 contrast_assess_module_module_eval(const int argc, const VALUE *argv,
                                    const VALUE mod);
+VALUE
+contrast_assess_module_prepend(const int argc, const VALUE *argv,
+                               const VALUE self);
+
+VALUE
+contrast_assess_module_included(const int argc, const VALUE *argv,
+                               const VALUE mod);
 
 void Init_cs__assess_module(void);

data/ext/cs__common/cs__common.c

@@ -73,11 +73,20 @@ VALUE contrast_register_singleton_patch(const char *module_name,
                                     IMPL_ALIAS_SINGLETON);
 }
 
-VALUE contrast_register_singleton_prepend_patch(
-    const char *module_name, const char *method_name,
-    VALUE(c_fn)(const int, VALUE *, const VALUE)) {
+VALUE contrast_register_prepend_patch(const char *module_name,
+                              const char *method_name,
+                              VALUE(c_fn)(const int, VALUE *,
+                                          const VALUE)) {
     return _contrast_register_patch(module_name, method_name, c_fn,
-                                    IMPL_PREPEND);
+                                    IMPL_PREPEND_INSTANCE);
+}
+
+VALUE contrast_register_singleton_prepend_patch(const char *module_name,
+                              const char *method_name,
+                              VALUE(c_fn)(const int, VALUE *,
+                                          const VALUE)) {
+    return _contrast_register_patch(module_name, method_name, c_fn,
+                                    IMPL_PREPEND_SINGLETON);
 }
 
 static VALUE
@@ -122,8 +131,10 @@ _contrast_register_patch(const char *module_name, const char *method_name,
     case IMPL_ALIAS_SINGLETON:
         impl = ID2SYM(rb_sym_alias_singleton);
         break;
-    case IMPL_PREPEND:
-        impl = ID2SYM(rb_sym_prepend);
+    case IMPL_PREPEND_INSTANCE:
+        impl = ID2SYM(rb_sym_prepend_instance);
+    case IMPL_PREPEND_SINGLETON:
+         impl = ID2SYM(rb_sym_prepend_singleton);
         break;
     }
 
@@ -133,6 +144,11 @@ _contrast_register_patch(const char *module_name, const char *method_name,
     return SYM2ID(underlying_method_name);
 }
 
+int rb_ver_below_three() {
+  int ruby_version = FIX2INT(rb_funcall(rb_const_get(rb_cObject, rb_intern("RUBY_VERSION")), rb_intern("to_i"), 0));
+  return ruby_version < 3;
+}
+
 void Init_cs__common(void) {
     cs__send_method = rb_intern("send");
     cs__alias_method_sym = ID2SYM(rb_intern("alias_method"));
@@ -152,7 +168,8 @@ void Init_cs__common(void) {
     rb_sym_register_c_patch = rb_intern("register_c_patch");
     rb_sym_alias_instance = rb_intern("alias_instance");
     rb_sym_alias_singleton = rb_intern("alias_singleton");
-    rb_sym_prepend = rb_intern("prepend");
+    rb_sym_prepend_instance = rb_intern("prepend_instance");
+    rb_sym_prepend_singleton = rb_intern("prepend_singleton");
 
     /* Ensure definition of core Contrast instrumentation modules */
     contrast = rb_define_module("Contrast");

data/ext/cs__common/cs__common.h

@@ -6,7 +6,8 @@
 typedef enum {
     IMPL_ALIAS_INSTANCE,
     IMPL_ALIAS_SINGLETON,
-    IMPL_PREPEND
+    IMPL_PREPEND_INSTANCE,
+    IMPL_PREPEND_SINGLETON,
 } patch_impl;
 
 static VALUE cs__send_method;
@@ -30,7 +31,16 @@ static VALUE rb_sym_instance_method;
 static VALUE rb_sym_register_c_patch;
 static VALUE rb_sym_alias_instance;
 static VALUE rb_sym_alias_singleton;
-static VALUE rb_sym_prepend;
+static VALUE rb_sym_prepend_instance;
+static VALUE rb_sym_prepend_singleton;
+
+/*
+ * Check if ruby version is < 3.0.0.
+ * We are using this for handling ancestors of included modules.
+ * Since this is fixed after Ruby 3.0.0 we should remove this after
+ * dropping support for older versions, as no longer needed.
+ */
+int rb_ver_below_three();
 
 void patch_via_funchook(void *original_function, void *hook_function);
 

data/ext/cs__contrast_patch/cs__contrast_patch.c

@@ -43,7 +43,7 @@ VALUE contrast_patch_call_original(const VALUE *args) {
         if (rb_block_given_p()) {
             return rb_funcall_with_block_kw(object, method_id, argc, params, rb_block_proc(), RB_PASS_CALLED_KEYWORDS);
         } else {
-            return rb_funcallv_kw(object, method_id, argc, params, RB_PASS_CALLED_KEYWORDS); 
+            return rb_funcallv_kw(object, method_id, argc, params, RB_PASS_CALLED_KEYWORDS);
         }
     /* Ruby < 2.7 */
     #else
@@ -182,7 +182,8 @@ VALUE contrast_run_patches(const VALUE *wrapped_args) {
                                   contrast_patch_call_rescue,
                                   (VALUE)rescue_args, rb_eException, 0);
         break;
-    case IMPL_PREPEND:
+    case IMPL_PREPEND_INSTANCE:
+    case IMPL_PREPEND_SINGLETON:
         original_ret = rb_rescue2(contrast_call_super, original_args,
                                   contrast_patch_call_rescue,
                                   (VALUE)rescue_args, rb_eException, 0);
@@ -247,10 +248,14 @@ VALUE contrast_patch_dispatch(const int argc, const VALUE *argv,
      */
     switch (impl) {
     case IMPL_ALIAS_INSTANCE:
-    case IMPL_PREPEND:
+    case IMPL_PREPEND_INSTANCE:
         known =
             rb_funcall(patch_status, rb_sym_info_for, 3, object, method, Qtrue);
         break;
+    case IMPL_PREPEND_SINGLETON:
+       known =
+           rb_funcall(patch_status, rb_sym_info_for, 3, object, method, Qfalse);
+       break;
     case IMPL_ALIAS_SINGLETON:
         known = rb_funcall(patch_status, rb_sym_info_for, 3, object, method,
                            Qfalse);
@@ -323,7 +328,8 @@ call_original:
     case IMPL_ALIAS_INSTANCE:
     case IMPL_ALIAS_SINGLETON:
         return contrast_patch_call_original(original_args);
-    case IMPL_PREPEND:
+    case IMPL_PREPEND_INSTANCE:
+    case IMPL_PREPEND_SINGLETON:
         return contrast_call_super(original_args);
     };
 }
@@ -338,9 +344,14 @@ VALUE contrast_alias_singleton_patch(const int argc, const VALUE *argv,
     return contrast_patch_dispatch(argc, argv, IMPL_ALIAS_SINGLETON, object);
 }
 
-VALUE contrast_prepend_patch(const int argc, const VALUE *argv,
+VALUE contrast_prepend_instance_patch(const int argc, const VALUE *argv,
                              const VALUE object) {
-    return contrast_patch_dispatch(argc, argv, IMPL_PREPEND, object);
+    return contrast_patch_dispatch(argc, argv, IMPL_PREPEND_INSTANCE, object);
+}
+
+VALUE contrast_prepend_singleton_patch(const int argc, const VALUE *argv,
+                             const VALUE object) {
+    return contrast_patch_dispatch(argc, argv, IMPL_PREPEND_SINGLETON, object);
 }
 
 VALUE contrast_patch_define_method(const VALUE self, const VALUE clazz, const VALUE method_policy,
@@ -403,29 +414,55 @@ VALUE contrast_patch_define_method(const VALUE self, const VALUE clazz, const VA
 VALUE contrast_patch_prepend(const VALUE self, const VALUE originalModule,
                              const VALUE method_policy) {
 
+    const VALUE instance = Qtrue;
+    const VALUE singleton = Qfalse;
     const VALUE original_method_name =
         rb_funcall(method_policy, rb_sym_method_name, 0);
     const VALUE is_private =
         rb_funcall(method_policy, rb_sym_private_method, 0);
     const VALUE is_instance_method =
         rb_funcall(method_policy, rb_sym_instance_method, 0);
-    rb_funcall(patch_status, rb_sym_set_info_for, 5, originalModule,
-               original_method_name, method_policy, Qtrue, Qnil);
+
+// Set the value for instance or singleton method
+    if (RTEST(is_instance_method)){
+        rb_funcall(patch_status, rb_sym_set_info_for, 5, originalModule,
+                   original_method_name, method_policy, instance, Qnil);
+
+    } else {
+        rb_funcall(patch_status, rb_sym_set_info_for, 5, originalModule,
+                   original_method_name, method_policy, singleton, Qnil);
+    }
+
     VALUE module = rb_define_module_under(originalModule, "ContrastPrepend");
     VALUE str = rb_funcall(original_method_name, rb_sym_cs_to_s, 0);
     char *cMethodName = StringValueCStr(str);
     if (RTEST(is_instance_method)) {
         if (RTEST(is_private)) {
             rb_define_private_method(module, cMethodName,
-                                     contrast_prepend_patch, -1);
+                                     contrast_prepend_instance_patch, -1);
         } else {
-            rb_define_method(module, cMethodName, contrast_prepend_patch, -1);
+            rb_define_method(module, cMethodName, contrast_prepend_instance_patch, -1);
         }
     } else {
-        rb_define_singleton_method(module, cMethodName, contrast_prepend_patch,
+        rb_define_singleton_method(module, cMethodName, contrast_prepend_singleton_patch,
                                    -1);
     }
     rb_prepend_module(originalModule, module);
+
+    if (rb_ver_below_three()) {
+        VALUE module_at;
+        VALUE rb_incl_in_mod_ary = rb_funcall(originalModule, rb_intern("included_in"), 0);
+        if (RB_TYPE_P(rb_incl_in_mod_ary, T_ARRAY)) {
+            int i = 0;
+            int size = rb_funcall(rb_incl_in_mod_ary, rb_intern("length"), 0);
+            for (i = 0; i < size; ++i) {
+                module_at = rb_ary_entry(rb_incl_in_mod_ary, i);
+                if (RB_TYPE_P(module_at, T_MODULE)) {
+                    rb_include_module(module_at, module);
+                }
+            }
+        }
+   }
     return Qtrue;
 }
 
@@ -437,7 +474,6 @@ void Init_cs__contrast_patch(void) {
     rb_sym_contrast_apply_pre_patch = rb_intern("apply_pre_patch");
     rb_sym_cs_to_s = rb_intern("to_s");
     rb_sym_custom_patch = rb_intern("requires_custom_patch?");
-    rb_sym_in_request_context = rb_intern("in_request_context?");
     rb_sym_info_for = rb_intern("info_for");
     rb_sym_propagation_node = rb_intern("propagation_node");
     rb_sym_set_info_for = rb_intern("set_info_for");

data/ext/cs__contrast_patch/cs__contrast_patch.h

@@ -16,8 +16,6 @@ static VALUE rb_sym_contrast_apply_pre_patch;
 static VALUE rb_sym_custom_patch;
 static VALUE rb_sym_cs_to_s;
 
-static VALUE rb_sym_in_request_context;
-
 static VALUE rb_sym_enter_method_scope;
 static VALUE rb_sym_exit_method_scope;
 
@@ -148,8 +146,11 @@ VALUE contrast_alias_instance_patch(const int argc, const VALUE *argv,
 VALUE contrast_alias_singleton_patch(const int argc, const VALUE *argv,
                                      const VALUE object);
 
-VALUE contrast_prepend_patch(const int argc, const VALUE *argv,
-                             const VALUE object);
+VALUE contrast_prepend_instance_patch(const int argc, const VALUE *argv,
+                                    const VALUE object);
+
+VALUE contrast_prepend_singleton_patch(const int argc, const VALUE *argv,
+                                     const VALUE object);
 
 /*
  * Patches a module's method by prepend:

data/ext/cs__os_information/cs__os_information.c

@@ -0,0 +1,31 @@
+/* Copyright (c) 2021 Contrast Security, Inc.  See
+ * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
+
+#include "cs__os_information.h"
+#include <dlfcn.h>
+#include <ruby.h>
+#include <sys/utsname.h>
+
+VALUE contrast, utils, os;
+
+VALUE contrast_get_system_information()
+{
+    struct utsname uname_pointer;
+
+    uname (&uname_pointer);
+
+    VALUE rb_data_hash = rb_hash_new();
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_type"), rb_str_new2(uname_pointer.sysname));
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_version"), rb_str_new2(uname_pointer.release));
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_complete_version"), rb_str_new2(uname_pointer.version));
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_arch"), rb_str_new2(uname_pointer.machine));
+    return rb_data_hash;
+}
+
+void Init_cs__os_information(void)
+{
+    contrast = rb_define_module("Contrast");
+    utils = rb_define_module_under(contrast, "Utils");
+    os = rb_define_module_under(utils, "OS");
+    rb_define_module_function(os, "get_system_information", contrast_get_system_information, 0);
+}

data/ext/cs__os_information/cs__os_information.h

@@ -0,0 +1,7 @@
+#include <ruby.h>
+
+extern VALUE contrast, utils, os;
+
+VALUE contrast_get_system_information();
+
+void Init_cs__os_information(void);

data/lib/contrast/agent/assess/contrast_event.rb

@@ -28,7 +28,6 @@ module Contrast
       # @attr_reader args [Array<Contrast::Agent::Assess::ContrastObject>] the safe representation of the Arguments
       #   with which the method was invoked
       class ContrastEvent
-
         attr_reader :event_id, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args, :tags
 
         # We need this to track the parent id's of events to build up a flow chart of the finding
@@ -55,7 +54,7 @@ module Contrast
 
           # These methods rely on the above being set. Don't move them!
           @event_id = Contrast::Agent::Assess::ContrastEvent.next_atomic_id
-          @tags = Contrast::Agent::Assess::Tracker.properties(tagged)&.tags
+          @tags = Contrast::Agent::Assess::Tracker.properties(tagged)&.get_tags
           find_parent_events!(policy_node, object, ret, args)
           snapshot!(object, ret, args)
           capture_stacktrace!

data/lib/contrast/agent/assess/contrast_object.rb

@@ -35,10 +35,7 @@ module Contrast
           if object
             @object = Contrast::Utils::ClassUtil.to_contrast_string(object)
             @object_type = object.cs__class.cs__name
-            # TODO: RUBY-1084 determine if we need to copy these tags to
-            #   restore immutability. For instance, if these tags were on a
-            #   String that was then #reverse!'d, would our tags be wrong?
-            @tags = Contrast::Agent::Assess::Tracker.properties(object)&.tags
+            @tags = Contrast::Agent::Assess::Tracker.properties(object)&.get_tags
           else
             @object = Contrast::Utils::ObjectShare::NIL_STRING
             @object_type = nil.cs__class.cs__name

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -10,7 +10,6 @@ module Contrast
         # An extension of Hash that doesn't impact GC of the object being stored by storing its ID as a Key to lookup
         # and registering a finalizer on the object to remove its entry from the Hash immediately after it's GC'd.
         class Hash < Hash
-
           FROZEN_FINALIZED_IDS = Set.new
 
           def []= key, obj

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -24,6 +24,8 @@ module Contrast
             #   the name of the method to taint, mapped to the properties it
             #   should apply
             def create_sources klass, tainted_columns
+              return unless Contrast::ASSESS.require_dynamic_sources?
+
               class_name = klass.cs__name
               instance_methods = klass.instance_methods
               instance_methods.concat(klass.private_instance_methods)

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -20,7 +20,6 @@ module Contrast
           extend Contrast::Components::Logger::InstanceMethods
           extend Contrast::Components::Scope::InstanceMethods
 
-
           class << self
             def policy
               Contrast::Agent::Assess::Policy::Policy.instance

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -12,8 +12,6 @@ module Contrast
         # of a file vs data flow, such as the detection of Hardcoded Passwords
         # or Keys.
         module PolicyScanner
-
-
           class << self
             # Use the given trace_point, built from an :end event, to determine
             # where the loaded code lives and scan that code for policy

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/utils/lru_cache'
 
 module Contrast
   module Agent
@@ -10,8 +11,9 @@ module Contrast
       # caused, we'll need to store the state before the change occurred.
       class PreShift
         include Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Logger::InstanceMethods
 
-
+        @lru_cache = Contrast::Utils::LRUCache.new
         UNDUPLICABLE_MODULES = [
           Enumerator # dup'ing results in 'can't copy execution context'
         ].cs__freeze
@@ -70,29 +72,44 @@ module Contrast
 
           def append_object_details preshift, initializing, object
             can = can_dup?(initializing, object)
-            preshift.object = can ? object.dup : object
+            preshift.object = if @lru_cache.key?(object.__id__) && !Contrast::Agent::Assess::Tracker.tracked?(object)
+                                @lru_cache[object.__id__]
+                              else
+                                can ? object.dup : object
+                              end
             preshift.object_length = if Contrast::Utils::DuckUtils.quacks_to?(preshift.object, :length)
                                        object.length
                                      else
                                        0
                                      end
+
             return unless can
+
             return unless Contrast::Agent::Assess::Tracker.tracked?(object)
 
             Contrast::Agent::Assess::Tracker.copy(object, preshift.object)
+            @lru_cache[object.__id__] = object
           end
 
           def append_arg_details preshift, args
-            preshift.args = args.dup
-            preshift.args.each_with_index do |preshift_arg, index|
-              original_arg = args[index]
-              next if preshift_arg.__id__ == original_arg.__id__
-              next unless Contrast::Agent::Assess::Tracker.tracked?(original_arg)
-
-              Contrast::Agent::Assess::Tracker.copy(original_arg, preshift_arg)
-            end
-            preshift.arg_lengths = preshift.args.map do |preshift_arg|
-              Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0
+            args_length = args.length
+            preshift.args = Array.new(args_length)
+            preshift.arg_lengths = Array.new(args_length)
+            idx = 0
+            while idx < args_length
+              or_arg = args[idx]
+              p_arg = if @lru_cache.key?(or_arg.__id__)
+                        @lru_cache[or_arg.__id__]
+                      else
+                        can_dup?(false, or_arg) ? or_arg.dup : or_arg
+                      end
+              preshift.args[idx] = p_arg
+              preshift.arg_lengths[idx] = Contrast::Utils::DuckUtils.quacks_to?(p_arg, :length) ? p_arg.length : 0
+              idx += 1
+              next if p_arg.__id__ == or_arg.__id__
+
+              Contrast::Agent::Assess::Tracker.copy(or_arg, p_arg)
+              @lru_cache[p_arg.__id__] = p_arg
             end
           end
         end