contrast-agent 4.9.1 → 4.13.0

data/lib/contrast/extension/assess/string.rb

@@ -12,7 +12,7 @@ module Contrast
       # methods which are too complex to fit into one of the standard
       # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
       # String Class or exposing our methods there.
-      class StringPropagator
+      class StringPropagator # rubocop:disable Style/StaticClass
         extend Contrast::Components::Logger::InstanceMethods
         extend Contrast::Components::Scope::InstanceMethods
 
@@ -52,31 +52,6 @@ module Contrast
           rescue StandardError => e
             logger.error('Unable to track interpolation', e)
           end
-
-          def instrument_string
-            @_instrument_string ||= begin
-              require 'cs__assess_string/cs__assess_string'
-              true
-            end
-          rescue StandardError, LoadError => e
-            logger.error('Error loading hash track patch', e)
-            false
-          end
-
-          def instrument_string_interpolation
-            if @_instrument_string_interpolation.nil?
-              @_instrument_string_interpolation = begin
-                if ::Contrast::AGENT.patch_interpolation? && Funchook.available?
-                  require 'cs__assess_string_interpolation26/cs__assess_string_interpolation26'
-                end
-                true
-              rescue StandardError, LoadError => e
-                logger.error('Error loading interpolation patch', e)
-                false
-              end
-            end
-            @_instrument_string_interpolation
-          end
         end
       end
     end

data/lib/contrast/extension/extension.rb

@@ -0,0 +1,61 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Extension
+    # Our top level Assess namespace in the Core Extension section of our
+    # code. These patches are those that are invoked directly from a patched
+    # Class.
+    #
+    module Assess
+      # This is the main instrument helper giving the method of requiring C patches
+      #
+      module InstrumentHelper
+        class << self
+          include Contrast::Components::Logger::InstanceMethods
+
+          # Unites the different require methods into one, using only
+          # the provided path for the C patches
+          # parameters
+          # @param path[String] Path to the required patch
+          #
+          def instrument path
+            var_name, extracted_name = gen_name(path)
+            return if instance_variable_get(var_name) == true
+
+            instance_variable_set(var_name, assign_value(path))
+          rescue StandardError, LoadError => e
+            logger.error("Error loading #{ extracted_name&.nil? ? '' : extracted_name } patch", e)
+            false
+          end
+
+          # Some of the requires have some extra conditions for them to require
+          # the C patches, so this method is helping us move the logic by making some
+          # conditions
+          def assign_value path
+            case path
+            when /fiber/
+              require path if Funchook.available?
+            when /interpolation26/
+              require path if ::Contrast::AGENT.patch_interpolation? && Funchook.available?
+            else
+              require path
+            end
+            true
+          end
+
+          # Generate the needed instance variable name and return the extracted name
+          def gen_name path
+            extracted_name = path.split(%r{[\s_/]})&.uniq&.delete_if do |s|
+              s.empty? || s == 'cs' || s == 'assess' || s == 'track'
+            end
+            extracted_name = (extracted_name&.length || 0) > 1 ? extracted_name&.join('_') : extracted_name&.pop
+            ["@_instrument_#{ extracted_name }_track", extracted_name]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/framework/grape/support.rb

@@ -0,0 +1,174 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/framework/base_support'
+require 'contrast/components/logger'
+
+module Contrast
+  module Framework
+    module Grape
+      # Used when Grape is present to define framework specific behaviour
+      class Support
+        extend Contrast::Framework::BaseSupport
+        class << self
+          include Contrast::Components::Logger::InstanceMethods
+          def detection_class
+            'Grape::API'
+          end
+
+          def version
+            ::Grape::VERSION
+          end
+
+          def application_name
+            app_class&.cs__name
+          end
+
+          def application_root
+            app_instance&.root
+          end
+
+          def server_type
+            'grape'
+          end
+
+          # Given an object, determine if it is a Grape controller.
+          # Which could include cases of ::Grape::API subclass or actual class
+          #
+          # @param app [Object] suspected Grape app.
+          # @return [Boolean]
+          def grape_controller? app
+            # Grape is loaded?
+            return false unless grape_defined?
+
+            # App is a subclass of or actually is ::Grape::API.
+            return false unless app.cs__respond_to?(:<=) && app <= ::Grape::API
+
+            true
+          end
+
+          # Find all classes that subclass ::Grape::API, Gather their routes
+          #
+          # @return [Array<Contrast::Api::Dtm::RouteCoverage>, Array]- founded routes as Dtms
+          def collect_routes
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless grape_defined?
+
+            # Each Grape controller has endpoints and each endpoints has routes
+            # and that's why we need to go through each one and create separate RouteCoverage object
+            routes = []
+            grape_controllers.each do |c|
+              c&.endpoints&.each do |endpoint|
+                endpoint&.routes&.map do |r|
+                  pattern = r.pattern.pattern
+                  temp = Contrast::Api::Dtm::RouteCoverage.from_grape_controller(c, r.request_method, pattern, r.path)
+                  routes << temp
+                end
+              end
+            end
+            routes
+          end
+
+          # Given the current request return a RouteCoverage dtm.
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @param controller [::Grape::API] optionally use this controller instead of global ::Grape::API.
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil] a Dtm describing the route
+          # matched to the request if a match was found.
+          def current_route request, controller = ::Grape::API, full_route = nil
+            return unless grape_controller?(controller)
+
+            method = request.env[::Rack::REQUEST_METHOD] # GET, PUT, POST, etc...
+
+            # Find final controller - actually we gotta match the route to the scanned application
+            # Initially Grape compiles all routes on startup, so we can use the url from the request
+            # and create the observed route
+            # Class < Grape::API, Grape::Router::Route
+            final_controller, route_pattern = _route_recurse(method, _cleaned_route(request), grape_controllers)
+            return unless final_controller
+
+            full_route ||= request.env[::Rack::PATH_INFO]
+
+            Contrast::Api::Dtm::RouteCoverage.from_grape_controller(final_controller, method, route_pattern, full_route)
+          end
+
+          # Search object space for grape controllers--any class that subclasses ::Grape::API.
+          #
+          # @return [Array<::Grape::API>] grape controllers
+          def grape_controllers
+            ObjectSpace.each_object(Class).select { |klass| klass < ::Grape::API }
+          end
+
+          # Grape Request inherits the same as the Sinatra, so we can easily call it as it's called in Sinatra
+          def retrieve_request env
+            ::Grape::Request.new(env)
+          end
+
+          private
+
+          # Determine if, at the time of our Framework Support determination, Grape has been defined.
+          #
+          # @return [Boolean]
+          def grape_defined?
+            @_grape_defined = !!(defined?(::Grape) && defined?(::Grape::API)) if @_grape_defined.nil?
+            @_grape_defined
+          end
+
+          # @param method [::Rack::REQUEST_METHOD] GET, POST, PUT, etc...
+          # @param route [String] the relative route passed from Rack.
+          # @param controllers [Array<::Grape::API>] All Grape controllers found
+          # @return [Array[::Grape::API]], nil] Either the controller that
+          # will handle the route along with the route pattern or nil if no match.
+          def _route_recurse method, route, controllers = grape_controllers
+            # return if there aren't any controllers
+            return unless controllers&.any?
+
+            # Here we can go through the all detected controllers
+            # and find the one that's routes include the current one
+            # Grape controller actually has endpoints and each endpoint
+            # has routes and that's why we need to do it that way
+            controller = controllers.pop
+            return _route_recurse method, route, controllers unless controller
+
+            contr_routes = controller.endpoints&.map(&:routes)&.flatten || []
+            route_pattern = contr_routes&.find do |r|
+              r.pattern.to_regexp.match(route) # ::Mustermann::Grape match
+            end
+            return controller, route_pattern unless route_pattern.nil?
+
+            _route_recurse method, route, controllers
+          end
+
+          # Get route and do some cleaning
+          #
+          # @param request [Contrast::Agent::Request] a contrast tracked request.
+          # @return [String] the extracted and cleaned relative route.
+          def _cleaned_route request
+            route = request.env[::Rack::PATH_INFO]
+            return '/' if route.empty?
+
+            route.end_with?('/') ? route[0..-2] : route
+          end
+
+          def app_class
+            return unless grape_defined?
+
+            app_instance.cs__class
+          end
+
+          # Search the object space for the controller handling this request which will be
+          # the class inheriting from ::Grape::API with @app=nil
+          #
+          # @return [::Grape::API] the current controller as routed by Rack.
+          def app_instance
+            return unless grape_defined?
+
+            @_app_instance ||= begin
+              grape_layers = ObjectSpace.each_object(::Grape::API).to_a
+              grape_layers.find { |layer| layer.app.nil? }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/framework/manager.rb

@@ -2,9 +2,11 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/extension/module'
 require 'contrast/framework/platform_version'
 require 'contrast/framework/rack/support'
 require 'contrast/framework/rails/support'
+require 'contrast/framework/grape/support'
 require 'contrast/framework/sinatra/support'
 require 'contrast/utils/class_util'
 
@@ -14,12 +16,12 @@ module Contrast
     class Manager
       include Contrast::Components::Logger::InstanceMethods
 
-      # Order here does matter as the first framework listed will be the first one we pull information from
-      # Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
-      # do not exist
+      # Order here does matter as the first framework listed will be the first one we pull information from Rack will
+      # be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra do not
+      # exist
       SUPPORTED_FRAMEWORKS = [
         Contrast::Framework::Rails::Support, Contrast::Framework::Sinatra::Support,
-        Contrast::Framework::Rack::Support
+        Contrast::Framework::Grape::Support, Contrast::Framework::Rack::Support
       ].cs__freeze
 
       def initialize
@@ -32,9 +34,8 @@ module Contrast
         @_frameworks.compact!
       end
 
-      # Patches that have to be applied as early as possible to catch calls
-      # that happen prior to the first Request, typically those around
-      # configuration.
+      # Patches that have to be applied as early as possible to catch calls that happen prior to the first Request,
+      # typically those around configuration.
       def before_load_patches!
         @_before_load_patches ||= begin
           SUPPORTED_FRAMEWORKS.each(&:before_load_patches!)
@@ -77,19 +78,28 @@ module Contrast
         found || ::Rack::Directory.new('').root
       end
 
-      # If we have 0 or n > 1 frameworks, we need to use the default rack request
+      # Build a request from the provided env, based on the framework(s) we're currently supporting.
       #
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values
-      # of this particular Request
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this particular Request
       # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
+        # If we're mounted on Rails, use Rails.
+        if @_frameworks.include?(Contrast::Framework::Rails::Support)
+          return Contrast::Framework::Rails::Support.retrieve_request(env)
+        end
+
+        # If we know the framework, use it.
         return @_frameworks[0].retrieve_request(env) if @_frameworks.length == 1
 
+        # Fall back on a regular Rack::Request
         ::Rack::Request.new(env)
+      rescue StandardError => e
+        logger.warn('Unable to retrieve_request', e)
       end
 
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
-      #   and values of this particular Request
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this particular Request
       # @return [Boolean] true if at least one framework is streaming the response; false if none are streaming
       def streaming? env
         result = false
@@ -100,8 +110,8 @@ module Contrast
         result
       end
 
-      # Iterate through current frameworks and return the current request's route. This will be the first
-      # non-nil result.
+      # Iterate through current frameworks and return the current request's route. This will be the first non-nil
+      # result.
       #
       # @param request [Contrast::Agent::Request] the current request.
       # @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
@@ -109,6 +119,37 @@ module Contrast
         @_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.reject(&:nil?).first
       end
 
+      # Sometimes the framework we want to instrument is loaded after our agent code. To catch that case, we'll detect
+      # if the loaded_module is the marker class for any of our supported frameworks. If it is, and we don't already
+      # have support enabled, we'll enable it now. We'll also need to catch up on any other startup actions that we've
+      # missed. Most likely, this is only necessary for those applications which have applications mounted on them.
+      #
+      # TODO: RUBY-1354
+      # TODO: RUBY-1356
+      #
+      # @param mod [Module] the module or class that was just loaded
+      def register_late_framework mod
+        return unless mod
+
+        module_name = mod.cs__name
+        # Otherwise, check if the provided module_name requires us to register a new support
+        SUPPORTED_FRAMEWORKS.each do |framework|
+          next if @_frameworks.include?(framework)
+          next unless module_name == framework.detection_class
+
+          @_frameworks << framework
+          # Report the registered routes of that framework now that we know we need to find them
+          app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.build
+          Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg)
+          logger.info('Framework detected after initialization. Enabling support.',
+                      framework: framework.detection_class,
+                      frameworks: @_frameworks)
+          break
+        end
+      rescue StandardError => e
+        logger.warn('Unable to register a late framework', e, module: mod.cs__name)
+      end
+
       private
 
       def enable_framework_support? klass
@@ -124,10 +165,7 @@ module Contrast
       # @param method_name [Symbol] the method to call on each FrameworkSupport class
       # @return [Array]
       def data_for_all_frameworks method_name
-        data = @_frameworks.flat_map do |framework|
-          framework.send(method_name)
-        end
-        data.compact
+        @_frameworks.flat_map { |framework| framework.send(method_name) }.compact
       end
 
       # This returns a single object from the first framework to successfully respond

data/lib/contrast/framework/rack/support.rb

@@ -14,7 +14,7 @@ module Contrast
         extend Contrast::Framework::Rack::Patch::Support
         class << self
           def detection_class
-            'don\'t let me be detected'
+            'rack -- don\'t let me be detected'
           end
         end
       end

data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb

@@ -5,10 +5,14 @@ module Contrast
   module Framework
     module Rails
       module Patch
-        # This class acts as our patch into the ActionController::Live::Buffer
-        # class, allowing us to track the close event on streamed responses.
+        # This class acts as our patch into the ActionController::Live::Buffer class, allowing us to track the close
+        # event on streamed responses.
         module ActionControllerLiveBuffer
           class << self
+            # TODO: RUBY-1353
+            # TODO: RUBY-1355
+            # TODO: RUBY-1357
+            # TODO: RUBY-1357
             def send_messages
               return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
 
@@ -20,10 +24,9 @@ module Contrast
             def instrument
               @_instrument ||= begin
                 ::ActionController::Live::Buffer.class_eval do
-                  # normally pre->in->post filters are applied however, in a streamed response
-                  # we can run into a case where it's pre -> in -> post -> more infilters
-                  # in order to submit anything found during the infilters after the response has
-                  # been written we need to explicitly send them
+                  # normally pre->in->post filters are applied however, in a streamed response we can run into a case
+                  # where it's pre -> in -> post -> more infilters in order to submit anything found during the
+                  # infilters after the response has been written we need to explicitly send them
                   alias_method :cs__close, :close
                   def close
                     Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer.send_messages

data/lib/contrast/framework/rails/patch/assess_configuration.rb

@@ -11,7 +11,6 @@ module Contrast
         module AssessConfiguration
           include Contrast::Components::Logger::InstanceMethods
 
-
           CS__SESSION_TIMEOUT_NAME = 'session-timeout'
           SAFE_SESSION_TIMEOUT = (30 * 60 * 1000)
           CS__SECURE_RULE_NAME = 'secure-flag-missing'

data/lib/contrast/framework/rails/patch/support.rb

@@ -29,43 +29,48 @@ module Contrast
                                 Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
                                     'ActionController::Live::Buffer',
                                     'contrast/framework/rails/patch/action_controller_live_buffer',
-                                    instrumenting_module: 'Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer'),
+                                    instrumenting_module:
+                                      'Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer'),
                                 Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
                                     'Rails::Application::Configuration',
                                     'contrast/framework/rails/patch/rails_application_configuration',
                                     method_to_instrument: :session_store,
-                                    instrumenting_module: 'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration')
+                                    instrumenting_module:
+                                      'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration')
                               ])
-            if RUBY_VERSION < '2.6.0'
-              patches.merge([
-                              # TODO: RUBY-714 remove w/ EOL of 2.5
-                              #
-                              # @deprecated  Everything past here is used for Rewriting and can
-                              #   be removed once we no longer support 2.5.
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActionController::Railties::Helper::ClassMethods',
-                                  'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
-                                  method_to_instrument: :inherited,
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::AttributeMethods::Read::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::Scoping::Named::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_named',
-                                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
-                                  method_to_instrument: :inherited,
-                                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
-                            ])
-            end
+            patches.merge(special_after_load_patches) if RUBY_VERSION < '2.6.0'
             patches
           end
+
+          def special_after_load_patches
+            [
+              # TODO: RUBY-714 remove w/ EOL of 2.5
+              #
+              # @deprecated  Everything past here is used for Rewriting and can
+              #   be removed once we no longer support 2.5.
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActionController::Railties::Helper::ClassMethods',
+                  'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
+                  method_to_instrument: :inherited,
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::AttributeMethods::Read::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::Scoping::Named::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_named',
+                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
+                  method_to_instrument: :inherited,
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
+            ]
+          end
         end
       end
     end

data/lib/contrast/framework/rails/railtie.rb

@@ -12,7 +12,7 @@ module Contrast
         include Contrast::Components::Logger::InstanceMethods
 
         initializer 'Contrast Ruby Agent Initializer' do |app|
-        log_rails = defined?(Rails) && defined?(Rails.logger)
+          log_rails = defined?(Rails) && defined?(Rails.logger)
 
           Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if log_rails
 

data/lib/contrast/framework/rails/rewrite/active_record_named.rb

@@ -18,6 +18,7 @@ module Contrast
         #   being phased out with support for those language versions.
         class ActiveRecordNamed
           include Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Components::Logger::InstanceMethods
 
           class << self
             def rewrite mod, method_name, body