contrast-agent 6.0.0 → 6.1.2

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -32,22 +32,8 @@ module Contrast
               mod = trace_point.self
               return if mod.cs__frozen? || mod.singleton_class?
 
-              different_ruby_version trace_point, provider_values, mod
-            end
-
-            def different_ruby_version trace_point, provider_values, mod
-              # TODO: RUBY-1014 - remove non-AST approach
-              if RUBY_VERSION >= '2.6.0'
-                # TODO: RUBY-714 EOL 2.5. That check will be removed and the code will be brought back in here.
-                ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
-                provider_values.each do |provider|
-                  provider.parse(trace_point, ast)
-                end
-              else
-                provider_values.each do |provider|
-                  provider.analyze(mod)
-                end
-              end
+              ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
+              provider_values.each { |provider| provider.parse(trace_point, ast) }
             end
 
             def policy

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -216,8 +216,8 @@ module Contrast
               # If we are using the original object tracking, the preshift object is not created.
               # Instead identify the source as the original object itself and propagate with it.
               source = propagation_node.use_original_object? ? propagation_data.object : preshift
-              handle_propagation propagation_class, propagation_node, source, target
-              update_properties restore_frozen_state, propagation_node, target, propagation_data, ret
+              handle_propagation(propagation_class, propagation_node, source, target)
+              update_properties(restore_frozen_state, propagation_node, target, propagation_data, ret)
             end
 
             def handle_propagation propagation_class, propagation_node, source, target
@@ -230,7 +230,7 @@ module Contrast
 
             def update_properties restore_frozen_state, propagation_node, target, propagation_data, ret
               if propagation_node.use_original_on_bang_method?
-                properties = use_original_object_properties propagation_data
+                properties = use_original_object_properties(propagation_data)
 
                 return unless properties
               else

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -22,6 +22,8 @@ module Contrast
           attr_reader :untags, :patch_method
           attr_accessor :action, :patch_class
 
+          TAGGER = 'Tagger'
+          PROPAGATOR = 'Propagator'
           # Most things here carry over from PolicyNode.
           # A couple things are new / have new rules
           #
@@ -41,9 +43,6 @@ module Contrast
             validate
           end
 
-          TAGGER = 'Tagger'
-          PROPAGATOR = 'Propagator'
-
           def node_class
             @_node_class ||= tagger? ? TAGGER : PROPAGATOR
           end

data/lib/contrast/agent/assess/policy/propagator/base.rb

@@ -26,7 +26,7 @@ module Contrast
               end
 
               def propagate _propagation_node, _preshift, _target
-                raise NoMethodError("Expected Base propagator subclass: #{ cs__class } to implement #propagate")
+                raise(NoMethodError("Expected Base propagator subclass: #{ cs__class } to implement #propagate"))
               end
             end
           end

data/lib/contrast/agent/assess/policy/propagator/buffer.rb

@@ -106,7 +106,8 @@ module Contrast
                   ret
                 else
                   # SELECT
-                  Contrast::Agent::Assess::Policy::Propagator::Select.select_tagger propagation_node, preshift, ret, nil
+                  Contrast::Agent::Assess::Policy::Propagator::Select.select_tagger(propagation_node, preshift, ret,
+                                                                                    nil)
                 end
               end
             end

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -31,7 +31,7 @@ module Contrast
                   ::Contrast::ASSESS.tainted_columns[class_name] = tainted_columns.keys
                 end
 
-                Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources class_type, tainted_columns
+                Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources(class_type, tainted_columns)
               end
 
               private

data/lib/contrast/agent/assess/policy/propagator/splat.rb

@@ -51,7 +51,7 @@ module Contrast
                 if arg.is_a?(String) || arg.is_a?(File)
                   tracked_inputs << arg if tracked_value?(arg)
                 else
-                  iterable_arg tracked_inputs, arg
+                  iterable_arg(tracked_inputs, arg)
                 end
               end
 

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -41,7 +41,7 @@ module Contrast
                 source = find_source(propagation_node.sources[0], preshift)
                 return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
 
-                update_element_properties propagation_node, target, preshift, source_properties
+                update_element_properties(propagation_node, target, preshift, source_properties)
                 nil
               end
 
@@ -97,7 +97,7 @@ module Contrast
               def instrument_string_split
                 @_instrument_string_split ||= begin
                   if ::Contrast::AGENT.patch_yield? && Funchook.available?
-                    require 'cs__assess_yield_track/cs__assess_yield_track'
+                    require('cs__assess_yield_track/cs__assess_yield_track')
                   end
                   true
                 rescue StandardError => e
@@ -178,27 +178,23 @@ module Contrast
   end
 end
 
-if RUBY_VERSION >= '2.6.0'
-  # Special class to handle String#split in 2.6 which, when given a block,
-  # propagates each split piece directly
-  class String
-    alias_method :cs__patched_string_split_special, :split
-
-    # Override of the the standard split method to handle the 2.6 direct yield case.
-    #
-    # Note: because this patch is applied before our standard propagation, this
-    # call is wrapped in it. As such, any call here happens in scope, so there is
-    # no need to manage it on our own.
-    def split *args, &block
-      if block
-        Contrast::Agent::Assess::Policy::Propagator::Split.wrap_split(self, args) do
-          cs__patched_string_split_special(*args, &block)
-        end
-      else
+# Special class to handle String#split in which, when given a block, propagates each split piece directly.
+class String
+  alias_method :cs__patched_string_split_special, :split
+
+  # Override of the the standard split method to handle the direct yield case.
+  #
+  # Note: because this patch is applied before our standard propagation, this call is wrapped in it. As such, any call
+  # here happens in scope, so there is no need to manage it on our own.
+  def split *args, &block
+    if block
+      Contrast::Agent::Assess::Policy::Propagator::Split.wrap_split(self, args) do
         cs__patched_string_split_special(*args, &block)
       end
+    else
+      cs__patched_string_split_special(*args, &block)
     end
   end
-
-  Contrast::Agent::Assess::Policy::Propagator::Split.instrument_string_split
 end
+
+Contrast::Agent::Assess::Policy::Propagator::Split.instrument_string_split

data/lib/contrast/agent/assess/policy/propagator/trim.rb

@@ -40,7 +40,7 @@ module Contrast
                 source = preshift.object
                 args = preshift.args
                 properties.splat_from(source, ret)
-                event_data = Contrast::Agent::Assess::Events::EventData.new patcher, ret, source, ret, args
+                event_data = Contrast::Agent::Assess::Events::EventData.new(patcher, ret, source, ret, args)
                 properties.build_event(event_data)
                 ret
               end

data/lib/contrast/agent/assess/policy/source_node.rb

@@ -15,13 +15,13 @@ module Contrast
 
           JSON_TYPE = 'type'
           SOURCE_TAG = 'UNTRUSTED'
+          SOURCE = 'Source'
           def initialize source_hash = {}
             super(source_hash)
             @type = source_hash[JSON_TYPE]
             @tags << SOURCE_TAG
           end
 
-          SOURCE = 'Source'
           def node_class
             SOURCE
           end

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -12,6 +12,7 @@ require 'contrast/agent/reporting/reporting_events/preflight'
 require 'contrast/agent/reporting/reporting_events/preflight_message'
 require 'contrast/agent/reporting/reporting_events/route_discovery'
 require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
+require 'contrast/agent/reporting/reporting_utilities/build_preflight'
 
 module Contrast
   module Agent
@@ -92,7 +93,7 @@ module Contrast
               content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
 
               if content_type.nil? && trigger_node.collectable?
-                Contrast::Agent::FINDINGS.collect_finding trigger_node, source, object, ret, *args
+                Contrast::Agent::FINDINGS.collect_finding(trigger_node, source, object, ret, *args)
                 return
               end
 
@@ -105,8 +106,8 @@ module Contrast
                 handle_new_finding(trigger_node, source, object, ret, request, *args)
               else # TODO: RUBY-1438 -- remove
                 finding = Contrast::Api::Dtm::Finding.new
-                event_data = Contrast::Agent::Assess::Events::EventData.new trigger_node, source, object, ret, args
-                append_to_finding finding, event_data, request
+                event_data = Contrast::Agent::Assess::Events::EventData.new(trigger_node, source, object, ret, args)
+                append_to_finding(finding, event_data, request)
                 logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
                                                 rule: trigger_node.rule_id)
                 report_finding(finding, request)
@@ -142,28 +143,19 @@ module Contrast
 
               # If we're out of request context, then we need to report this finding ourselves,
               # so we'll send it in the one-off activity we created.
-              Contrast::Agent.messaging_queue.send_event_eventually(activity)
+              Contrast::Agent.messaging_queue&.send_event_eventually(activity)
             end
 
             def handle_new_finding trigger_node, source, object, ret, request, *args
               # sent to reporter
               # here we will generate new type of finding
-              ruby_finding = Contrast::Agent::Reporting::Finding.new trigger_node.rule_id
-              ruby_finding.attach_data trigger_node, source, object, ret, request, *args
+              ruby_finding = Contrast::Agent::Reporting::Finding.new(trigger_node.rule_id)
+              ruby_finding.attach_data(trigger_node, source, object, ret, request, *args)
               hash_code = Contrast::Utils::HashDigest.generate_event_hash(ruby_finding, source, request)
               ruby_finding.hash_code = hash_code
-              # save the current finding
-              Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
 
-              new_preflight = Contrast::Agent::Reporting::Preflight.new
-              new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
-              if request.route
-                new_preflight_message.routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route)
-              end
-              new_preflight_message.hash_code = hash_code
-              new_preflight_message.data = "#{ trigger_node.rule_id },#{ hash_code }"
-              new_preflight.messages << new_preflight_message
-              Contrast::Agent.reporter&.send_event_immediately(new_preflight)
+              new_preflight = Contrast::Agent::Reporting::BuildPreflight.build(ruby_finding, request)
+              Contrast::Agent.reporter&.send_event(new_preflight)
             end
 
             private
@@ -217,7 +209,7 @@ module Contrast
               properties = Contrast::Agent::Assess::Tracker.properties(source)
               return unless properties
 
-              build_events finding, properties.event if properties.event
+              build_events(finding, properties.event) if properties.event
 
               # Google::Protobuf::Map doesn't support merge!, so we have to do this long form
               source_props = properties.properties

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -28,6 +28,21 @@ module Contrast
 
           attr_reader :rule_id, :required_tags, :disallowed_tags, :good_value, :bad_value
 
+          ENCODER_START = 'CUSTOM_ENCODED_'
+          # By default, any rule will be triggered if the source
+          # of the rule event has an untrusted tag range that is
+          # not covered by one of its disallowed tags.
+          UNTRUSTED = 'UNTRUSTED'
+          TRIGGER = 'Trigger'
+          VALIDATOR_START = 'CUSTOM_VALIDATED_'
+          # If a level 1 rule comes from TeamServer, it will have the
+          # tag 'custom-encoder-#{ name }' or 'custom-validator-#{ name }'.
+          # All rules should take this into account.
+          # Additionally, if something is marked 'limited-chars' it means
+          # it has been properly vetted to not contain dangerous input.
+          LIMITED_CHARS = 'LIMITED_CHARS'
+          CUSTOM_ENCODED = 'CUSTOM_ENCODED'
+          CUSTOM_VALIDATED = 'CUSTOM_VALIDATED'
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)
             good_value = trigger_hash[JSON_GOOD_VALUE]
@@ -46,7 +61,6 @@ module Contrast
             validate
           end
 
-          TRIGGER = 'Trigger'
           def node_class
             TRIGGER
           end
@@ -138,10 +152,6 @@ module Contrast
 
           private
 
-          # By default, any rule will be triggered if the source
-          # of the rule event has an untrusted tag range that is
-          # not covered by one of its disallowed tags.
-          UNTRUSTED = 'UNTRUSTED'
           def populate_tags required_tags
             return unless dataflow?
 
@@ -150,16 +160,6 @@ module Contrast
             @required_tags << UNTRUSTED
           end
 
-          ENCODER_START = 'CUSTOM_ENCODED_'
-          VALIDATOR_START = 'CUSTOM_VALIDATED_'
-          # If a level 1 rule comes from TeamServer, it will have the
-          # tag 'custom-encoder-#{ name }' or 'custom-validator-#{ name }'.
-          # All rules should take this into account.
-          # Additionally, if something is marked 'limited-chars' it means
-          # it has been properly vetted to not contain dangerous input.
-          LIMITED_CHARS = 'LIMITED_CHARS'
-          CUSTOM_ENCODED = 'CUSTOM_ENCODED'
-          CUSTOM_VALIDATED = 'CUSTOM_VALIDATED'
           def populate_disallowed disallowed_tags
             return unless dataflow?
 
@@ -195,7 +195,7 @@ module Contrast
             chunking = false
             ranges = []
             # find the start and end range of required tags:
-            search_ranges = find_required_ranges properties, required_tags
+            search_ranges = find_required_ranges(properties, required_tags)
             start_range = search_ranges.first
             end_range = search_ranges.last + 1
 

data/lib/contrast/agent/assess/policy/trigger_validation/redos_validator.rb

@@ -49,7 +49,7 @@ module Contrast
 
                 # Use #match? because it doesn't fill out global variables
                 # in the way match or =~ do.
-                VULNERABLE_PATTERN.match? regexp.source
+                VULNERABLE_PATTERN.match?(regexp.source)
               end
             end
           end

data/lib/contrast/agent/assess/property/evented.rb

@@ -42,8 +42,8 @@ module Contrast
             return unless event.source_type
             return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
 
-            append_to_dtm current_request, event
-            append_to_ruby_object current_request, event
+            append_to_dtm(current_request, event)
+            append_to_ruby_object(current_request, event)
           end
 
           def append_to_dtm current_request, event

data/lib/contrast/agent/assess/property/tagged.rb

@@ -91,7 +91,7 @@ module Contrast
               value.each do |tag|
                 comparison = tag.compare_range(range.begin, range.end)
                 # ABOVE and BELOW are not affected by this check
-                tags_remove_comparison comparison, tag, remove, add, range
+                tags_remove_comparison(comparison, tag, remove, add, range)
               end
               value.delete_if { |tag| remove.include?(tag) }
               Contrast::Utils::TagUtil.ordered_merge(value, add)
@@ -166,7 +166,7 @@ module Contrast
                 comparison = tag.compare_range(range.begin, range.end)
                 length = range.end - range.begin
                 # BELOW is not affected by this check
-                shift_tags_comparison comparison, add, tag, length, range
+                shift_tags_comparison(comparison, add, tag, length, range)
               end
               Contrast::Utils::TagUtil.ordered_merge(value, add)
             end

data/lib/contrast/agent/assess/rule/provider/hardcoded_key.rb

@@ -12,28 +12,27 @@ module Contrast
           # 2) the value is a non-empty array of only Fixnums
           class HardcodedKey
             include Contrast::Agent::Assess::Rule::Provider::HardcodedValueRule
-
+            REDACTED_MARKER = ' = [**REDACTED**]'
             NAME = 'hardcoded-key'
-            def rule_id
-              NAME
-            end
-
             # These are names, determined by the security team (Matt & Ar), that
             # indicate a field is likely to be a password or secret token of some
             # sort.
             KEY_FIELD_NAMES = %w[KEY AES DES IV SECRET].cs__freeze
-
             # These are markers whose presence indicates that a field is more
             # likely to be a descriptor or requirement than an actual key.
             # We should ignore fields that contain them.
             NON_KEY_PARTIAL_NAMES = %w[CONTENT_CODES RESPONSE_CODES ERROR_CODES].cs__freeze
+            BYTE_HOLDERS = %i[ARRAY LIST].cs__freeze
+
+            def rule_id
+              NAME
+            end
 
             def name_passes? constant_string
               KEY_FIELD_NAMES.any? { |name| constant_string.index(name) } &&
                   NON_KEY_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
             end
 
-            BYTE_HOLDERS = %i[ARRAY LIST].cs__freeze
             # Determine if the given value node violates the hardcode key rule
             # @param value_node [RubyVM::AbstractSyntaxTree::Node] the node to
             #   evaluate
@@ -66,7 +65,6 @@ module Contrast
               true
             end
 
-            REDACTED_MARKER = ' = [**REDACTED**]'
             def redacted_marker
               REDACTED_MARKER
             end

data/lib/contrast/agent/assess/rule/provider/hardcoded_password.rb

@@ -15,12 +15,9 @@ module Contrast
           #     mixing the characters counts as a violation of this rule
           class HardcodedPassword
             include Contrast::Agent::Assess::Rule::Provider::HardcodedValueRule
-
             NAME = 'hardcoded-password'
-            def rule_id
-              NAME
-            end
-
+            REDACTED_MARKER = ' = "**REDACTED**"'
+            PROPERTY_NAME_PATTERN = /^[a-z]+[._][._a-z]*[a-z]+$/.cs__freeze
             # These are names, determined by the security team (Matt & Ar), that
             # indicate a field is likely to be a password or secret token of some
             # sort.
@@ -34,6 +31,10 @@ module Contrast
               URI
             ].cs__freeze
 
+            def rule_id
+              NAME
+            end
+
             # If the constant looks like a password and it doesn't look like a
             # password descriptor, it passes for this rule
             def name_passes? constant_string
@@ -62,12 +63,10 @@ module Contrast
             # characters are probably more likely to appear together in a
             # default placeholder than in a password. Note this is opposite of
             # the behavior in Java
-            PROPERTY_NAME_PATTERN = /^[a-z]+[._][._a-z]*[a-z]+$/.cs__freeze
             def probably_property_name? value
               value.match?(PROPERTY_NAME_PATTERN)
             end
 
-            REDACTED_MARKER = ' = "**REDACTED**"'
             def redacted_marker
               REDACTED_MARKER
             end

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -86,9 +86,9 @@ module Contrast
               return unless value_node_passes?(value)
 
               if Contrast::Agent::Reporter.enabled?
-                new_finding_and_reporting mod, name
+                new_finding_and_reporting(mod, name)
               else # TODO: RUBY-1438 -- remove
-                build_finding mod, name
+                build_finding(mod, name)
               end
             end
 
@@ -112,13 +112,18 @@ module Contrast
             def build_finding clazz, constant_string
               class_name = clazz.cs__name
 
-              finding = assign_finding class_name, constant_string
-              Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
+              finding = assign_finding(class_name, constant_string)
+              activity = Contrast::Api::Dtm::Activity.new
+              activity.findings << finding
+              Contrast::Agent.messaging_queue.send_event_eventually(activity, force: true)
             rescue StandardError => e
               logger.error('Unable to build a finding for Hardcoded Rule', e)
               nil
             end
 
+            # @param class_name [String] the name of the class in which the hardcoded value is present
+            # @param constant_string [String] the name of the constant
+            # @return [Contrast::Api::Dtm::Finding]
             def assign_finding class_name, constant_string
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(rule_id)
@@ -148,17 +153,17 @@ module Contrast
 
               # extract to new method
               # here we will generate new type of finding
-              ruby_finding = Contrast::Agent::Reporting::Finding.new rule_id
+              ruby_finding = Contrast::Agent::Reporting::Finding.new(rule_id)
               ruby_finding.hash_code = hash
               ruby_finding.properties[SOURCE_KEY] = clazz.cs__name
               ruby_finding.properties[CONSTANT_NAME_KEY] = constant_string
               ruby_finding.properties[CODE_SOURCE_KEY] = constant_string + redacted_marker
-              save_and_report_finding ruby_finding, new_preflight
+              save_and_report_finding(ruby_finding, new_preflight)
             end
 
             def save_and_report_finding ruby_finding, new_preflight
               Contrast::Agent::Reporting::ReportingStorage[hash] = ruby_finding
-              Contrast::Agent.reporter&.send_event_immediately(new_preflight)
+              Contrast::Agent.reporter&.send_event(new_preflight)
             end
           end
         end

data/lib/contrast/agent/assess/rule/response/base_rule.rb

@@ -4,6 +4,7 @@
 require 'rack'
 require 'json'
 require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/agent/reporting/reporting_utilities/build_preflight'
 require 'contrast/utils/hash_digest'
 require 'contrast/utils/preflight_util'
 require 'contrast/utils/string_utils'
@@ -16,6 +17,7 @@ module Contrast
           # These rules check the content of the HTTP Response to determine if something was set incorrectly or
           # insecurely in it.
           class BaseRule
+            DATA = 'data'.cs__freeze
             # Analyze a given application response to determine if it violates the rule
             #
             # TODO: RUBY-999999 either extract the response's body or memoize it to some degree so that it's not
@@ -32,8 +34,13 @@ module Contrast
 
               if Contrast::Agent::Reporter.enabled?
                 report = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(finding)
-                # TODO: RUBY-99999 preflight
-                Contrast::Agent.reporter.send_event(report)
+                if report.is_a?(Contrast::Agent::Reporting::Finding)
+                  request = Contrast::Agent::REQUEST_TRACKER.current&.request
+                  preflight = Contrast::Agent::Reporting::BuildPreflight.build(report, request)
+                  Contrast::Agent.reporter&.send_event(preflight)
+                else
+                  Contrast::Agent.reporter&.send_event(report)
+                end
               else
                 Contrast::Agent::REQUEST_TRACKER.current.activity.findings << finding
               end
@@ -41,8 +48,6 @@ module Contrast
 
             protected
 
-            DATA = 'data'.cs__freeze
-
             # Rules discern which responses they can/should analyze.
             #
             # @param response [Contrast::Agent::Response] the response of the application
@@ -58,7 +63,7 @@ module Contrast
 
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
-            # @param response [Contrast::Agent::Response] the response of the application
+            # @param _response [Contrast::Agent::Response] the response of the application
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? _response; end
 
@@ -76,7 +81,7 @@ module Contrast
               finding.rule_id = rule_id
               context = Contrast::Agent::REQUEST_TRACKER.current
               finding.routes << context.route if context&.route
-              build_evidence evidence, finding
+              build_evidence(evidence, finding)
               hash = Contrast::Utils::HashDigest.generate_config_hash(finding)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
@@ -92,6 +97,8 @@ module Contrast
               evidence.each_pair do |key, value|
                 finding.properties[key] = if value.cs__is_a?(Hash)
                                             Contrast::Utils::StringUtils.protobuf_format(value.to_json)
+                                          elsif value.cs__is_a?(Array)
+                                            value.map { Contrast::Utils::StringUtils.protobuf_format(_1) }.to_s
                                           else
                                             Contrast::Utils::StringUtils.protobuf_format(value)
                                           end