contrast-agent 4.9.1 → 4.13.0

data/lib/contrast/agent/patching/policy/patch.rb

@@ -4,6 +4,7 @@
 require 'monitor'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/utils/patching/policy/patch_utils'
 
 require 'contrast/agent'
 require 'contrast/logger/log'
@@ -32,6 +33,8 @@ module Contrast
         # provides a map for which methods our renamed functions need to call
         # and how.
         module Patch
+          extend Contrast::Utils::Patching::PatchUtils
+
           class << self
             include Contrast::Agent::Assess::Policy::SourceMethod
             include Contrast::Agent::Assess::Policy::PropagationMethod
@@ -57,226 +60,6 @@ module Contrast
               end
             end
 
-            # THIS IS CALLED FROM C. Do not change the signature lightly.
-            #
-            # This method functions to call the infilter methods from our
-            # patches, allowing for analysis and reporting at the point just
-            # before the patched code is invoked.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   Mapping of the triggers on the given method.
-            # @param method [Symbol] The method into which we're patching
-            # @param exception [StandardError] Any exception raised during the
-            #   call of the patched method.
-            # @param object [Object] The object on which the method is invoked,
-            #   typically what would be returned by self.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            def apply_pre_patch method_policy, method, exception, object, args
-              apply_protect(method_policy, method, exception, object, args)
-              apply_inventory(method_policy, method, exception, object, args)
-            rescue Contrast::SecurityException => e
-              # We were told to block something, so we gotta. Don't catch this
-              # one, let it get back to our Middleware or even all the way out to
-              # the framework
-              raise e
-            rescue StandardError => e
-              # Anything else was our bad and we gotta catch that to allow for
-              # normal application flow
-              logger.error('Unable to apply pre patch to method.', e)
-            rescue Exception => e # rubocop:disable Lint/RescueException
-              # This is something like NoMemoryError that we can't
-              # hope to handle.  Nonetheless, shouldn't leak scope.
-              exit_contrast_scope!
-              raise e
-            end
-
-            # THIS IS CALLED FROM C. Do not change the signature lightly.
-            #
-            # This method functions to call the infilter methods from our
-            # patches, allowing for analysis and reporting at the point just
-            # after the patched code is invoked
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   Mapping of the triggers on the given method.
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture
-            #   of the state of the code just prior to the invocation of the
-            #   patched method.
-            # @param object [Object] The object on which the method was
-            #   invoked, typically what would be returned by self.
-            # @param ret [Object] The return of the method that was invoked.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            # @param block [Proc] The block passed to the method that was
-            #   invoked.
-            def apply_post_patch method_policy, preshift, object, ret, args, block
-              apply_assess(method_policy, preshift, object, ret, args, block)
-            rescue StandardError => e
-              logger.error('Unable to apply post patch to method.', e)
-            end
-
-            # Apply the Protect patch which applies to the given method.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   Mapping of the triggers on the given method.
-            # @param method [Symbol] The method into which we're patching
-            # @param exception [StandardError] Any exception raised during the
-            #   call of the patched method.
-            # @param object [Object] The object on which the method is invoked,
-            #   typically what would be returned by self.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            def apply_protect method_policy, method, exception, object, args
-              return unless ::Contrast::AGENT.enabled?
-              return unless ::Contrast::PROTECT.enabled?
-
-              apply_trigger_only(method_policy&.protect_node, method, exception, object, args)
-            end
-
-            # Apply the Inventory patch which applies to the given method.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   Mapping of the triggers on the given method.
-            # @param method [Symbol] The method into which we're patching
-            # @param exception [StandardError] Any exception raised during the
-            #   call of the patched method.
-            # @param object [Object] The object on which the method is invoked,
-            #   typically what would be returned by self.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            def apply_inventory method_policy, method, exception, object, args
-              return unless ::Contrast::INVENTORY.enabled?
-
-              apply_trigger_only(method_policy&.inventory_node, method, exception, object, args)
-            end
-
-            # Apply the Assess patches which apply to the given method.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   Mapping of the triggers on the given method.
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture
-            #   of the state of the code just prior to the invocation of the
-            #   patched method.
-            # @param object [Object] The object on which the method was
-            #   invoked, typically what would be returned by self.
-            # @param ret [Object] The return of the method that was invoked.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            # @param block [Proc] The block passed to the method that was
-            #   invoked.
-            def apply_assess method_policy, preshift, object, ret, args, block
-              source_ret = nil
-              propagated_ret = nil
-              return ret unless method_policy && ::Contrast::ASSESS.enabled?
-
-              current_context = Contrast::Agent::REQUEST_TRACKER.current
-              return ret if current_context && !current_context.analyze_request?
-
-              trigger_node = method_policy.trigger_node
-              if trigger_node
-                Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args)
-              end
-              if method_policy.source_node
-                # If we were given a frozen return, and it was the target of a
-                # source, and we have frozen sources enabled, we'll need to
-                # replace the return. Note, this is not the default case.
-                source_ret = Contrast::Agent::Assess::Policy::SourceMethod.source_patchers(method_policy, object, ret,
-                                                                                           args)
-              end
-              if method_policy.propagation_node
-                propagated_ret = Contrast::Agent::Assess::Policy::PropagationMethod.apply_propagation(
-                    method_policy,
-                    preshift,
-                    object,
-                    source_ret || ret,
-                    args,
-                    block)
-              end
-              handle_return(propagated_ret, source_ret, ret)
-            rescue StandardError => e
-              logger.error('Unable to assess method call.', e)
-              handle_return(propagated_ret, source_ret, ret)
-            rescue Exception => e # rubocop:disable Lint/RescueException
-              logger.error('Unable to assess method call.', e)
-              handle_return(propagated_ret, source_ret, ret)
-              raise e
-            end
-
-            # Generic invocation of the Inventory or Protect patch which apply
-            # to the given method.
-            #
-            # @param trigger_node [Contrast::Agent::Inventory::Policy::TriggerNode]
-            #   Mapping of the specific trigger on the given method.
-            # @param method [Symbol] The method into which we're patching
-            # @param exception [StandardError] Any exception raised during the
-            #   call of the patched method.
-            # @param object [Object] The object on which the method is invoked,
-            #   typically what would be returned by self.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            def apply_trigger_only trigger_node, method, exception, object, args
-              return unless trigger_node
-
-              # If that rule only applies in the case of an exception being
-              # thrown and there's no exception here, move along, or vice versa
-              return if trigger_node.on_exception && !exception
-              return if !trigger_node.on_exception && exception
-
-              # Each patch has an applicator that handles logic for it. Think
-              # of this as being similar to propagator actions, most closely
-              # resembling CUSTOM - they all have a common interface but their
-              # own logic based on what's in the method(s) they've been patched
-              # into.
-              # Each patch also knows the method of its applicator. Some
-              # things, like AppliesXxeRule, have different methods depending
-              # on the library patched. This lets us handle the boilerplate of
-              # patching while still allowing for custom handling of the
-              # methods.
-              applicator_method = trigger_node.applicator_method
-              # By calling send like this, we can reuse all the patching.
-              # We `send` to the given method of the given class
-              # (applicator) since they all accept the same inputs
-              trigger_node.applicator.send(applicator_method, method, exception, trigger_node.properties, object, args)
-            end
-
-            # Method to choose which replaced return from the post_patch to
-            # actually return
-            #
-            # @param propagated_ret [Object, nil] The replaced return from the
-            #   propagation patch.
-            # @param source_ret [Object, nil] The replaced return from the
-            #   source patch.
-            # @param ret [Object, nil] The original return of the patched
-            #   method.
-            # @return [Object, nil] The thing to return from the post patch.
-            def handle_return propagated_ret, source_ret, ret
-              safe_return = propagated_ret || source_ret || ret
-              safe_return.rewind if Contrast::Utils::IOUtil.should_rewind?(safe_return)
-              safe_return
-            end
-
-            # Given a module and method, construct an expected name for the
-            # alias by which Contrast will reference the original.
-            #
-            # @param patched_class [Module] the module being patched
-            # @param patched_method [Symbol] the method being patched
-            # @return [Symbol]
-            def build_method_name patched_class, patched_method
-              (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
-                  patched_class.cs__name.gsub('::', '_').downcase +
-                  Contrast::Utils::ObjectShare::UNDERSCORE +
-                  patched_method.to_s).to_sym
-            end
-
-            # Given a method, return a symbol in the format
-            # <method_start>_unbound_<method_name>
-            def build_unbound_method_name patcher_method
-              (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
-                'unbound' +
-                Contrast::Utils::ObjectShare::UNDERSCORE +
-                patcher_method.to_s).to_sym
-            end
-
             # @param mod [Module] the module in which the patch should be
             #   placed.
             # @param methods [Array(Symbol)] all the instance or singleton
@@ -290,6 +73,11 @@ module Contrast
               # we've already patched this class, don't do it again
               return true if methods.include?(cs_method_name)
 
+              # that method is within Contrast definition so it should be skipped
+              method = mod.instance_method(method_policy.method_name) if method_policy.instance_method
+              method = mod.singleton_method(method_policy.method_name) unless method_policy.instance_method
+              return true if method.owner <= Contrast
+
               begin
                 contrast_define_method(mod, method_policy, cs_method_name)
               rescue NameError => e
@@ -338,7 +126,7 @@ module Contrast
               underlying_method_name = build_unbound_method_name(method_name).to_sym
 
               target_module = Module.cs__const_get(target_module_name)
-
+              target_module = target_module.cs__singleton_class if %i[prepend_singleton prepend].include? impl
               target_module = target_module.cs__singleton_class if %i[alias_singleton prepend].include? impl
 
               visibility = if target_module.private_instance_methods(false).include?(method_name)
@@ -355,6 +143,30 @@ module Contrast
                                    ERR
                            end
 
+              reflect_implementation impl, target_module, unbound_method, visibility
+              # Ougai::Logger.create_item_with_2args calls Hash#[]=, so we
+              # can't invoke this logging method or we'll seg fault as we'd
+              # change the method definition mid-call
+              # if method_name != :[]= &&
+              #   Contrast::Agent::Logger.defined!
+              #   logger.trace(
+              #       'Registered C-defined patch',
+              #       implementation: impl,
+              #       module: target_mod,
+              #       method: method_name,
+              #       visibility: visibility)
+              # end
+              underlying_method_name
+            end
+
+            # @param impl [Symbol] Strategy for applying the patch: { :alias_instance, :alias_singleton, or :prepend }:
+            # @param target_module [Module] The targeted module
+            # @param unbound_method [UnboundMethod] An unbound method, to be patched into target_module.
+            # @param visibility [Symbol] method visibility
+            def reflect_implementation impl, target_module, unbound_method, visibility
+              method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
+              underlying_method_name = build_unbound_method_name(method_name).to_sym
+
               case impl
               when :alias_instance, :alias_singleton
                 # Core to patching. Ignore define method usage cop.
@@ -365,27 +177,19 @@ module Contrast
                   target_module.send(:define_method, method_name, unbound_method.bind(target_module))
                 end
                 target_module.send(visibility, method_name) # e.g., module.private(:my_method)
-              when :prepend
-                prepending_module = Module.new
-                prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                prepending_module.send(visibility, method_name)
+              when :prepend_instance, :prepend_singleton
+
+                unless target_module.instance_methods(false).include? underlying_method_name
+
+                  prepending_module = Module.new
+                  prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
+                  prepending_module.send(visibility, method_name)
+
+                end
                 # This prepends to the singleton class (it patches a class method)
                 target_module.prepend prepending_module
                 # rubocop:enable Performance/Kernel/DefineMethod
               end
-              # Ougai::Logger.create_item_with_2args calls Hash#[]=, so we
-              # can't invoke this logging method or we'll seg fault as we'd
-              # change the method definition mid-call
-              # if method_name != :[]= &&
-              #   Contrast::Agent::Logger.defined!
-              #   logger.trace(
-              #       'Registered C-defined patch',
-              #       implementation: impl,
-              #       module: target_module_name,
-              #       method: method_name,
-              #       visibility: visibility)
-              # end
-              underlying_method_name
             end
 
             # @return [Boolean]

data/lib/contrast/agent/patching/policy/patch_status.rb

@@ -15,13 +15,9 @@ module Contrast
             # @param mod [Module] the Module for which the status is asked
             # @return [Contrast::Agent::Patching::Policy::PatchStatus]
             def get_status mod
-              if mod.cs__const_defined?(status_key, false)
-                mod.cs__const_get(status_key, false)
-              else
-                s = new
-                mod.cs__const_set(status_key, s)
-                s
-              end
+              return mod.cs__const_get(status_key) if mod.cs__const_defined?(status_key, false)
+
+              mod.cs__const_set(status_key, new)
             end
 
             # Allows our C patches to look up the :MethodPolicy for a given

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -10,6 +10,7 @@ require 'contrast/agent/patching/policy/module_policy'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/class_util'
+require 'contrast/utils/patching/policy/patcher_utils'
 
 # assess
 require 'contrast/agent/assess/policy/policy'
@@ -44,6 +45,7 @@ module Contrast
         # and how.
         module Patcher
           extend Contrast::Agent::Patching::Policy::AfterLoadPatcher
+          extend Contrast::Utils::Patching::PatcherUtils
           extend Contrast::Components::Logger::InstanceMethods
           extend Contrast::Components::Scope::InstanceMethods
 
@@ -54,7 +56,8 @@ module Contrast
             def patch
               catchup_after_load_patches
               catchup_loaded_methods
-              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations if RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+              # TODO: RUBY-714 remove guard w/ EOL of 2.5
+              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations if RUBY_VERSION < '2.6.0'
             end
 
             # Hook to only monkeypatch Contrast. This will not trigger any
@@ -76,47 +79,6 @@ module Contrast
               end
             end
 
-            # This method is called by TracePointHook to instrument a specific class during a require
-            # or eval of dynamic class definition
-            def patch_specific_module mod
-              with_contrast_scope do
-                mod_name = mod.cs__name
-                return unless Contrast::Utils::ClassUtil.truly_defined?(mod_name)
-                return if ::Contrast::AGENT.skip_instrumentation?(mod_name)
-
-                load_patches_for_module(mod_name)
-
-                return unless all_module_names.any?(mod_name)
-
-                module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
-                patch_into_module(module_data)
-                all_module_names.delete(mod_name) if status_type.get_status(mod).patched?
-              rescue StandardError => e
-                logger.error('Unable to patch module', e, module: mod_name)
-              end
-            end
-
-            # We did it, team. We found a patcher(s) that applies to the given
-            # class (or module) and the given method. Time to do some tracking.
-            #
-            # @param mod [Module] the module in which the patch should be
-            #   placed.
-            # @param methods [Array(Symbol)] all the instance or singleton
-            #   methods in this mod.
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   the policy that applies to the given method_name.
-            # @return [Boolean] if patched, either by this invocation or a
-            #   previous, or not
-            def patch_method mod, methods, method_policy
-              return false unless methods&.any? # don't even build the name if there are no methods
-
-              if Contrast::Utils::ClassUtil.prepended_method?(mod, method_policy)
-                Contrast::Agent::Patching::Policy::Patch.instrument_with_prepend(mod, method_policy)
-              else
-                Contrast::Agent::Patching::Policy::Patch.instrument_with_alias(mod, methods, method_policy)
-              end
-            end
-
             private
 
             POLICIES = [
@@ -176,12 +138,13 @@ module Contrast
             # @param redo_patch [Boolean] a trigger to force patching regardless of the state of the
             #   Contrast::Agent::Patching::Policy::PatchStatus status on the Module
             def patch_into_module module_data, redo_patch = false
-              status = status_type.get_status(module_data.mod)
+              status = Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod)
               return if (status&.patched? || status&.patching?) && !redo_patch
 
               # Begin patching our sources into the given module. Any patcher that has the name of the module will be
               # evaluated for patching. Find all the patchers that apply to this class, sorted by type.
               module_policy = Contrast::Agent::Patching::Policy::ModulePolicy.create_module_policy(module_data.mod_name)
+
               # If there's nothing to match, then set that status and exit
               if module_policy.empty?
                 status.no_patch!
@@ -191,8 +154,8 @@ module Contrast
               status.patching!
               num_applied_patches = patch_into_instance_methods(module_data, module_policy)
               num_applied_patches += patch_into_singleton_methods(module_data, module_policy)
-              if adjust_for_prepend(module_data) || module_policy.num_expected_patches == num_applied_patches
 
+              if adjust_for_prepend(module_data) || module_policy.num_expected_patches == num_applied_patches
                 status.patched!
               else
                 status.partial_patch!
@@ -244,6 +207,7 @@ module Contrast
             def patch_into_instance_methods module_data, module_policy
               mod = module_data.mod
               methods = all_instance_methods(mod, true)
+              methods.delete(:initialize) if mod.to_s.starts_with?('RSpec') && mod.to_s.include?('Matchers')
               patch_into_methods(mod, methods, module_policy, true)
             end
 
@@ -258,8 +222,7 @@ module Contrast
               patch_into_methods(mod, methods, module_policy, false)
             end
 
-            # We've found the patchers that apply to this class (or module). Now we'll
-            # filter on the given method.
+            # We've found the patchers that apply to this class (or module). Now we'll filter on the given method.
             #
             # @param mod [Module] The module from which to retrieve instance methods.
             # @param methods [Array<Symbol>] The names of all the methods in in this module
@@ -276,8 +239,7 @@ module Contrast
                                                                                                     is_instance_method)
                 next if method_policy.empty?
 
-                patched = patch_method(mod, methods, method_policy)
-                count += 1 if patched
+                count += 1 if patch_method(mod, methods, method_policy)
               end
               count
             end
@@ -309,6 +271,5 @@ require 'contrast/extension/module'
 require 'contrast/extension/assess'
 require 'contrast/extension/inventory'
 require 'contrast/extension/protect'
-require 'contrast/extension/protect/kernel'
 
 require 'cs__contrast_patch/cs__contrast_patch'

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -14,7 +14,7 @@ module Contrast
         # infilter methods of the rule should be invoked.
         module AppliesNoSqliRule
           extend Contrast::Agent::Protect::Policy::RuleApplicator
-
+          DATABASE_NOSQL = 'MongoDB'
           class << self
             def invoke method, _exception, properties, _object, args
               return unless valid_input?(args)

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/protect/rule/sql_sample_builder'
 
 module Contrast
   module Agent
@@ -9,6 +10,12 @@ module Contrast
       module Rule
         # The Ruby implementation of the Protect NoSQL Injection rule.
         class NoSqli < Contrast::Agent::Protect::Rule::BaseService
+          # Generate a sample for the No-SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          include SqlSampleBuilder::NoSqliSample
+          # Defining build_attack_with_match method
+          include SqlSampleBuilder::AttackBuilder
+
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
 
@@ -31,40 +38,6 @@ module Contrast
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
 
-          def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
-            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
-                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
-
-              return result
-            end
-
-            attack_string = input_analysis_result.value
-            regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-            return unless query_string.match?(regexp)
-
-            scanner = select_scanner
-            ss = StringScanner.new(query_string)
-            length = attack_string.length
-            while ss.scan_until(regexp)
-              # the pos of StringScanner is at the end of the regexp (input string),
-              # we need the beginning
-              idx = ss.pos - attack_string.length
-              last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
-              next unless last_boundary && boundary
-
-              kwargs[:start_idx] = idx
-              kwargs[:end_idx] = idx + length
-              kwargs[:boundary_overrun_idx] = boundary
-              kwargs[:input_boundary_idx] = last_boundary
-
-              result ||= build_attack_result(context)
-              update_successful_attack_response(context, input_analysis_result, result, query_string)
-              append_sample(context, input_analysis_result, result, query_string, **kwargs)
-            end
-
-            result
-          end
-
           protected
 
           def find_attacker context, potential_attack_string, **kwargs
@@ -79,25 +52,6 @@ module Contrast
             end
             super(context, potential_attack_string, **kwargs)
           end
-
-          def build_sample context, input_analysis_result, candidate_string, **kwargs
-            input = input_analysis_result.value
-
-            sample = build_base_sample(context, input_analysis_result)
-            sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
-            sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-            sample.no_sqli.start_idx = sample.no_sqli.query.index(input).to_i
-            sample.no_sqli.boundary_overrun_idx = sample.no_sqli.start_idx + input.length
-            sample.no_sqli.input_boundary_idx = kwargs[:boundary].to_i
-            sample.no_sqli.input_boundary_idx = kwargs[:last_boundary].to_i
-            sample
-          end
-
-          private
-
-          def select_scanner
-            @_select_scanner ||= Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
-          end
         end
       end
     end