contrast-agent 4.9.1 → 4.13.0

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -7,60 +7,29 @@ require 'contrast/agent/assess/policy/propagator'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/propagation_method_utils'
 
 module Contrast
   module Agent
     module Assess
       module Policy
-        # This class is responsible for the continuation of traces. A
-        # Propagator is any method that transforms an untrusted value. In
-        # general, these methods work on the String class or a holder of
-        # Strings
+        # This class is responsible for the continuation of traces. A Propagator is any method that transforms an
+        # untrusted value. In general, these methods work on the String class or a holder of Strings.
         module PropagationMethod
           extend Contrast::Components::Logger::InstanceMethods
-
-
-          APPEND_ACTION = 'APPEND'
-          CENTER_ACTION = 'CENTER'
-          INSERT_ACTION = 'INSERT'
-          KEEP_ACTION = 'KEEP'
-          NEXT_ACTION = 'NEXT'
-          NOOP_ACTION = 'NOOP'
-          PREPEND_ACTION = 'PREPEND'
-          REPLACE_ACTION = 'REPLACE'
-          REMOVE_ACTION = 'REMOVE'
-          REVERSE_ACTION = 'REVERSE'
-          SPLAT_ACTION = 'SPLAT'
-          SPLIT_ACTION = 'SPLIT'
-          DB_WRITE_ACTION = 'DB_WRITE'
-          CUSTOM_ACTION = 'CUSTOM'
+          extend Contrast::Utils::Assess::PropagationMethodUtils
 
           class << self
-            def determine_target propagation_node, ret, object, args
-              target = propagation_node.targets[0]
-              case target
-              when Contrast::Utils::ObjectShare::OBJECT_KEY
-                object
-              when Contrast::Utils::ObjectShare::RETURN_KEY
-                ret
-              else
-                args[target]
-              end
-            end
-
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   the policy that governs the patches to this method
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture
-            #   of the state of the code just prior to the invocation of the
-            #   patched method.
+            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that governs the
+            #   patches to this method
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             # @param block [Block] the Block passed to the original method
-            # @return [Object, nil] the tracked Return or nil if no changes
-            #   were made; will replace the return of the original function if
-            #   not nil
+            # @return [Object, nil] the tracked Return or nil if no changes were made; will replace the return of the
+            #   original function if not nil
             def apply_propagation method_policy, preshift, object, ret, args, block
               return unless method_policy.propagation_node
               return unless preshift
@@ -71,41 +40,21 @@ module Contrast
               PropagationMethod.apply_propagator(propagation_node, preshift, target, object, ret, args, block)
             end
 
-            PROPAGATION_ACTIONS = {
-                APPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Append,
-                CENTER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Center,
-                INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
-                KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
-                NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
-                NOOP_ACTION => nil,
-                PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
-                REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
-                REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
-                REVERSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Reverse,
-                SPLAT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Splat,
-                SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
-            }.cs__freeze
-
-            # I lied above. We had to figure out what the target of the
-            # propagation was. Now that we know, we'll actually do things to
-            # it. Note that the return of this method will replace the original
-            # return of the patched function unless it is nil, so be sure
-            # you're returning what you intend.
+            # I lied above. We had to figure out what the target of the propagation was. Now that we know, we'll
+            # actually do things to it. Note that the return of this method will replace the original return of the
+            # patched function unless it is nil, so be sure you're returning what you intend.
             #
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
-            #   the node that governs this propagation event.
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture
-            #   of the state of the code just prior to the invocation of the
-            #   patched method.
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
             # @param target [Object] the Target to which to propagate.
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             # @param block [Block] the Block passed to the original method
-            # @return [Object, nil] the tracked Return or nil if no changes
-            #   were made; will replace the return of the original function if
-            #   not nil
+            # @return [Object, nil] the tracked Return or nil if no changes were made; will replace the return of the
+            #   original function if not nil
             def apply_propagator propagation_node, preshift, target, object, ret, args, block
               return unless propagation_possible?(propagation_node, target)
 
@@ -127,70 +76,10 @@ module Contrast
               nil
             end
 
-            # Custom actions tend to be the more complex of our propagations.
-            # Often, the method has to make decisions about the target based on
-            # the context with which the method was called. As such, defer
-            # determining if the target is valid to that method.
-            #
-            # In all other cases, a target is valid for propagation if it is not
-            # nil
-            def valid_target? target, propagation_node
-              return true if propagation_node.action == CUSTOM_ACTION
-
-              !!target
-            end
-
-            ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
-            # If the action required needs a length and the target does not have
-            # one, the length is not valid
-            def valid_length? target, action
-              return true if ZERO_LENGTH_ACTIONS.include?(action)
-
-              if Contrast::Utils::DuckUtils.quacks_to?(target, :length)
-                target.length != 0 # rubocop:disable Style/ZeroLengthPredicate
-              else
-                !target.to_s.empty?
-              end
-            end
-
-            # Before we do any work, we should check if we even need to.
-            # If the source of this patcher is not tracked, there's no need to do
-            # anything. A copy of nothing is still nothing.
-            def can_propagate? propagation_node, preshift, target
-              return false unless appropriate_target?(propagation_node, target)
-              return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
-              return false unless preshift
-
-              propagation_node.sources.each do |source|
-                case source
-                when Contrast::Utils::ObjectShare::OBJECT_KEY
-                  return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
-                else # has to be P, there's no ret source type (yet? ever?)
-                  return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
-                end
-              end
-              false
-            end
-
-            # We cannot propagate to frozen things that have not been updated
-            # to work with our property tracking, unless they're duplicable and
-            # the return.
-            # We probably shouldn't propagate to frozen things at all, as
-            # they're supposed to be immutable, but third parties do jenky
-            # things, so allow it as long as it is safe to do.
-            #
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
-            #   the node that governs this propagation event.
-            # @param target [Object] the Target to which to propagate.
-            # @return [Boolean] if the target can be propagated to
-            def appropriate_target? propagation_node, target
-              # special handle Returns b/c we can do unfreezing magic during propagation
-              return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
-
-              Contrast::Agent::Assess::Tracker.trackable?(target)
-            end
-
             # If this patcher has tags, apply them to the entire target
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param target [Object] the Target to which to propagate.
             def apply_tags propagation_node, target
               return unless propagation_node.tags
               return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
@@ -202,6 +91,10 @@ module Contrast
             end
 
             # If this patcher has tags, remove them from the entire target
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param target [Object] the Target to which to propagate.
             def apply_untags propagation_node, target
               return unless propagation_node.untags
               return unless (properties = Contrast::Agent::Assess::Tracker.properties(target))
@@ -214,6 +107,10 @@ module Contrast
             private
 
             # This is checked right before actual propagation
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param target [Object] the Target to which to propagate.
+            # @return [Boolean]
             def propagation_possible? propagation_node, target
               return false unless propagation_node && valid_target?(target, propagation_node)
               return false unless valid_length?(target, propagation_node.action)
@@ -224,12 +121,24 @@ module Contrast
             # Safely duplicate the target, or return nil
             #
             # @param target [Object] the thing to check for duplication
+            # @return [Object, nil]
             def safe_dup target
               target.dup
             rescue StandardError => _e
               nil
             end
 
+            # Iterate over each key and value in a hash to allow for propagation to each.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the Target to which to propagate.
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @param block [Block] the Block passed to the original method
             def handle_hash_propagation propagation_node, preshift, target, object, ret, args, block
               target.each_pair do |key, value|
                 apply_propagator(propagation_node, preshift, key, object, ret, args, block)
@@ -237,6 +146,17 @@ module Contrast
               end
             end
 
+            # Iterate over each value in an enumerable to allow for propagation to each.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the Target to which to propagate.
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @param block [Block] the Block passed to the original method
             def handle_enumerable_propagation propagation_node, preshift, target, object, ret, args, block
               target.each do |value|
                 next if target == value
@@ -245,6 +165,17 @@ module Contrast
               end
             end
 
+            # Move the properties from the source(s) to the target of the propagation.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+            #   propagation event.
+            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+            #   the invocation of the patched method.
+            # @param target [Object] the Target to which to propagate.
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @param _block [Block] the Block passed to the original method
             def handle_cs_properties_propagation propagation_node, preshift, target, object, ret, args, _block
               return if propagation_node.action == NOOP_ACTION
               return unless can_propagate?(propagation_node, preshift, target)
@@ -266,12 +197,9 @@ module Contrast
               propagation_class.propagate(propagation_node, preshift, target)
               # Once we've propagated, attempt to tag the target if there is a tag(s) to be applied
               apply_tags(propagation_node, target)
-              # Even though we skipped propagating tags from the source if they
-              # were included in untags, the target may have already had some on
-              # it. Let's go ahead and remove them.
-              # In this order, untags takes precedent over tags; but we control
-              # both and there should never be a propagator that has a tag in
-              # its untag.
+              # Even though we skipped propagating tags from the source if they were included in untags, the target may
+              # have already had some on it. Let's go ahead and remove them. In this order, untags takes precedent over
+              # tags; but we control both and there should never be a propagator that has a tag in its untag.
               apply_untags(propagation_node, target)
               return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
@@ -302,7 +230,8 @@ module Contrast
             #   propagation event.
             # @return [Boolean]
             def can_handle_frozen? propagation_node
-              ::Contrast::ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+              ::Contrast::ASSESS.track_frozen_sources? &&
+                  propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -95,8 +95,8 @@ module Contrast
 
           def needs_object?
             if @_needs_object.nil?
-              @_needs_object = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
-                  action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
+              @_needs_object = action == Contrast::Utils::Assess::PropagationMethodUtils::CUSTOM_ACTION ||
+                  action == Contrast::Utils::Assess::PropagationMethodUtils::DB_WRITE_ACTION ||
                   sources.any?(Contrast::Utils::ObjectShare::OBJECT_KEY) ||
                   targets.any?(Contrast::Utils::ObjectShare::OBJECT_KEY)
             end
@@ -105,8 +105,8 @@ module Contrast
 
           def needs_args?
             if @_needs_args.nil?
-              @_needs_args = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
-                  action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
+              @_needs_args = action == Contrast::Utils::Assess::PropagationMethodUtils::CUSTOM_ACTION ||
+                  action == Contrast::Utils::Assess::PropagationMethodUtils::DB_WRITE_ACTION ||
                   sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) } ||
                   targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
             end

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -11,10 +11,10 @@ module Contrast
           # results in new source nodes to track which columns in the database
           # have been tainted.
           class DatabaseWrite < Contrast::Agent::Assess::Policy::Propagator::Base
-
-
             class << self
               def propagate propagation_node, preshift, target
+                return unless Contrast::ASSESS.require_dynamic_sources?
+
                 class_type = preshift.object.cs__class
                 class_name = class_type.cs__name
                 tainted_columns = {}

data/lib/contrast/agent/assess/policy/propagator/match_data.rb

@@ -14,16 +14,15 @@ module Contrast
               def square_bracket_tagger propagation_node, preshift, ret, _block
                 case ret
                 when Array
-                  ret.each_with_index do |return_value, index|
+                  idx = 0
+                  while idx < ret.length
+                    return_value = ret[idx]
+                    index = idx
+                    idx += 1
                     next unless return_value
 
-                    target_matchdata_index = if preshift.args[0].is_a?(Range)
-                                               arg_range = preshift.args[0]
-                                               arg_range.to_a.empty? ? index + 1 : arg_range.to_a[index]
-                                             else
-                                               preshift.args[index]
-                                             end
-                    square_bracket_single(target_matchdata_index, preshift, return_value, propagation_node)
+                    square_bracket_single(target_matchdata_index(preshift, index), preshift, return_value,
+                                          propagation_node)
                   end
                 when String
                   target_matchdata_index = preshift.args[0]
@@ -34,7 +33,11 @@ module Contrast
               end
 
               def captures_tagger propagation_node, preshift, ret, _block
-                ret.each_with_index do |return_value, index|
+                idx = 0
+                while idx < ret.length
+                  return_value = ret[idx]
+                  index = idx
+                  idx += 1
                   next unless return_value
 
                   targetted_index = index + 1
@@ -44,7 +47,11 @@ module Contrast
               end
 
               def to_a_tagger propagation_node, preshift, ret, _block
-                ret.each_with_index do |return_value, index|
+                idx = 0
+                while idx < ret.length
+                  return_value = ret[idx]
+                  index = idx
+                  idx += 1
                   next unless return_value
 
                   square_bracket_single(index, preshift, return_value, propagation_node)
@@ -53,7 +60,11 @@ module Contrast
               end
 
               def values_at_tagger propagation_node, preshift, ret, _block
-                ret.each_with_index do |return_value, return_index|
+                idx = 0
+                while idx < ret.length
+                  return_value = ret[idx]
+                  return_index = idx
+                  idx += 1
                   next unless return_value
 
                   original_group_arg_index = preshift.args[return_index]
@@ -64,6 +75,15 @@ module Contrast
 
               private
 
+              def target_matchdata_index preshift, index
+                if preshift.args[0].is_a?(Range)
+                  arg_range = preshift.args[0]
+                  arg_range.to_a.empty? ? index + 1 : arg_range.to_a[index]
+                else
+                  preshift.args[index]
+                end
+              end
+
               def square_bracket_single argument_index, preshift, return_value, propagation_node
                 original_start_index = preshift.object.begin(argument_index)
                 original_end_index = preshift.object.end(argument_index)

data/lib/contrast/agent/assess/policy/propagator/remove.rb

@@ -26,7 +26,6 @@ module Contrast
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source_string = source.is_a?(String) ? source : source.to_s
-
                 # If the lengths are the same, we should just copy the tags because nothing was removed, but a new
                 # instance could have been created. copy_from will handle the case where the source is the target.
                 if source_string.length == target.length
@@ -34,10 +33,7 @@ module Contrast
                   return
                 end
 
-                source_chars = source_string.chars
                 source_idx = 0
-
-                target_chars = target.chars
                 target_idx = 0
 
                 remove_ranges = []
@@ -45,10 +41,9 @@ module Contrast
 
                 # loop over the target, the result of the delete every range of characters that it differs from the
                 # source represents a section that was deleted. these sections need to have their tags updated
-                target_len = target_chars.length
-                while target_idx < target_len
-                  target_char = target_chars[target_idx]
-                  source_char = source_chars[source_idx]
+                while target_idx < target.length
+                  target_char = target[target_idx]
+                  source_char = source_string[source_idx]
                   if target_char == source_char
                     target_idx += 1
                     if start
@@ -63,7 +58,7 @@ module Contrast
 
                 # once we're done looping over the target, anything left over is extra from the source that was
                 # deleted. tags applying to it need to be removed.
-                remove_ranges << (source_idx...source_chars.length) if source_idx != source_chars.length
+                remove_ranges << (source_idx...source_string.length) if source_idx != source_string.length
 
                 # handle deleting the removed ranges
                 properties.delete_tags_at_ranges(remove_ranges)

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -17,7 +17,6 @@ module Contrast
           class Split < Contrast::Agent::Assess::Policy::Propagator::Base
             extend Contrast::Components::Scope::InstanceMethods
             extend Contrast::Components::Logger::InstanceMethods
-            #cs__const_set('AGENT', Contrast::AGENT)
 
             SPLIT_TRACKER = Contrast::Utils::ThreadTracker.new
 
@@ -111,7 +110,9 @@ module Contrast
               # Load patch.
               def instrument_string_split
                 @_instrument_string_split ||= begin
-                  require 'cs__assess_yield_track/cs__assess_yield_track' if ::Contrast::AGENT.patch_yield? && Funchook.available?
+                  if ::Contrast::AGENT.patch_yield? && Funchook.available?
+                    require 'cs__assess_yield_track/cs__assess_yield_track'
+                  end
                   true
                 rescue StandardError => e
                   logger.error('Error loading split rb_yield patch', e)

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -16,6 +16,7 @@ module Contrast
           # a 'get it right' state soon.
           class Substitution
             include Contrast::Components::Logger::InstanceMethods
+            extend Contrast::Components::Logger::InstanceMethods
 
             CAPTURE_GROUP_REGEXP = /\\[[:digit:]]/.cs__freeze
             CAPTURE_NAME_REGEXP = /\\k<[[:alpha:]]/.cs__freeze

data/lib/contrast/agent/assess/policy/rewriter_patch.rb

@@ -22,7 +22,6 @@ module Contrast
         module RewriterPatch
           extend Contrast::Components::Logger::InstanceMethods
 
-
           class << self
             def rewrite_interpolations
               return unless agent_should_rewrite?

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -6,6 +6,7 @@ require 'contrast/agent/assess/policy/source_validation/source_validation'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/source_method_utils'
 
 module Contrast
   module Agent
@@ -16,7 +17,7 @@ module Contrast
         # used in Assess vulnerability detection.
         module SourceMethod
           extend Contrast::Components::Logger::InstanceMethods
-
+          extend Contrast::Utils::Assess::SourceMethodUtils
 
           PARAMETER_TYPE     = 'PARAMETER'
           PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
@@ -26,8 +27,7 @@ module Contrast
           COOKIE_KEY_TYPE    = 'COOKIE_KEY'
 
           class << self
-            # This is called from within our woven proc. It will be called as if it were inline in the Rack
-            # application.
+            # This is called from within our woven proc. It will be called as if it were inline in the Rack application.
             #
             # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
             #   method being called
@@ -37,29 +37,27 @@ module Contrast
             # @return [Object, nil] the tracked Return or nil if no changes were made
             def source_patchers method_policy, object, ret, args
               return unless analyze?(method_policy, object, ret, args)
+              return unless (source_node = method_policy.source_node)
+              return unless (target = determine_target(source_node, object, ret, args))
 
-              source_node = method_policy.source_node
-              target = determine_target(source_node, object, ret, args)
-              restore_frozen_state = false
+              return_val = nil
               if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
                 return unless ::Contrast::ASSESS.track_frozen_sources?
                 return unless source_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+                return unless (dup = safe_dup(ret))
+                return unless Contrast::Agent::Assess::Tracker.trackable?(dup)
 
-                dup = safe_dup(ret)
-                return unless dup
-
-                restore_frozen_state = true
-                ret = dup
-                target = ret
-                Contrast::Agent::Assess::Tracker.pre_freeze(ret)
-                ret.cs__freeze
-                # double check that we were able to finalize the replaced return
-                return unless Contrast::Agent::Assess::Tracker.trackable?(target)
+                Contrast::Agent::Assess::Tracker.pre_freeze(dup)
+                return_val = dup.cs__freeze
+                target = dup
               end
+
               apply_source(Contrast::Agent::REQUEST_TRACKER.current, source_node, target, object, ret,
                            source_node.type, nil, *args)
-              restore_frozen_state ? ret : nil
+
+              return_val
             end
+            Contrast::Components::Logger.add_trace_log_timing_for(SourceMethod, :source_patchers)
 
             private
 
@@ -137,15 +135,6 @@ module Contrast
                   !Contrast::Agent::Assess::Tracker.trackable?(key)
             end
 
-            # Safely duplicate the target, or return nil
-            #
-            # @param target [Object] the thing to check for duplication
-            def safe_dup target
-              target.dup
-            rescue StandardError => _e
-              nil
-            end
-
             # Hash is designed to keep one instance of the string key in it. We need to remove the existing one and
             # replace it with our new tracked one.
             def handle_hash_key target, to_replace
@@ -178,68 +167,6 @@ module Contrast
               properties.build_event(source_node, target, object, ret, args, source_type, source_name)
             end
 
-            # Find the name of the source
-            #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
-            #   event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [String, nil] the human readable name of the target to which this source event applies, or nil if
-            #   none provided by the node
-            def determine_source_name source_node, object, ret, *args
-              return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
-
-              source_node_source = source_node.sources[0]
-              case source_node_source
-              when nil
-                nil
-              when Contrast::Utils::ObjectShare::RETURN_KEY
-                ret
-              when Contrast::Utils::ObjectShare::OBJECT_KEY
-                object
-              else
-                args[source_node_source]
-              end
-            end
-
-            # Determine if we should analyze this method invocation for a Source or not. We should if we have enough
-            # information to build the context of this invocation, we're not disabled, and we can't immediately
-            # determine the invocation was done safely.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
-            #   method being called
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [boolean] if the invocation of this method should be analyzed
-            def analyze? method_policy, object, ret, args
-              return false unless method_policy&.source_node
-              return false unless ::Contrast::ASSESS.enabled?
-              return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
-
-              !safe_invocation?(method_policy.source_node, object, ret, args)
-            end
-
-            # Determine if the method was invoked safely.
-            #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
-            #   event
-            # @param _object [Object] the Object on which the method was invoked
-            # @param _ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [boolean] if the invocation of this method was safe
-            def safe_invocation? source_node, _object, _ret, args
-              # According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
-              # from the Request will start with HTTP_. As such, only Headers with that key should be considered for
-              # tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
-              # instance, uses action_dispatch. to store several values. Technically, you can't call
-              # Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
-              source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
-                  args&.any? &&
-                  !args[0].to_s.start_with?('HTTP_')
-            end
-
             # Find the literal target of the propagation
             #
             # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-
 module Contrast
   module Agent
     module Assess