contrast-agent 6.12.0 → 6.13.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6772cdef949fd96dd24342c5f4a9a7b813a4d77873a9aa117c1a6750088a647f
4
- data.tar.gz: 8008b5a90911e19594a32a5dba27079d0f7f5e857e34b1cedb974a4e8422fb2d
3
+ metadata.gz: bf537fe7f51e1701577cb567c81862d9ed3b9eaadf89d45da26ddc65e9135afb
4
+ data.tar.gz: b344f21256b15416fb395ed6f91880d4579b39d9bdb331df9492965ddf385129
5
5
  SHA512:
6
- metadata.gz: e70042ce2030918ecbafedfc2b254fd15ff9bc8316fecbd2901e0d8a6581e46505b039d5c21a932b595423565a36b16872362897bc344dc77d61ef8ac41ec8e8
7
- data.tar.gz: 3d8cf2341b2258470ec334be4b81efccbea5a27c26c49b5ca0106e3b44e29f6c878aee0c28dcb7b0c0a84887fb1f298978f0419522503ee8293e0053f9a63bc9
6
+ metadata.gz: cab435e1cfaf07a8f5c101805d3ca0046062071e10d61e3fcef4012e989e145bca2d586113176c89a96019eb32c2a6487de7149a01b4139d95c3b31d648a3ec5
7
+ data.tar.gz: 5270af8f8b5c398d974857194adff85b826c75cd603006eac060d8762985220f13d095cd4b01ae94976b22a261c6250daa4ee05176b2bc635f7455bbd5eeeaf0
@@ -10,6 +10,10 @@ module Contrast
10
10
  # before serializing that finding as a DTM to report to the TeamServer.
11
11
  module REDOSValidator
12
12
  RULE_NAME = 'redos'
13
+ # If Regexp is set to Float::Infinite this is the maximum number it will receive
14
+ POSITIVE_INFINITY = 18_446_744_073.709553
15
+ # We are checking and for negative infinity (-1.0/0.0 )
16
+ NEGATIVE_INFINITY = -POSITIVE_INFINITY
13
17
 
14
18
  class << self
15
19
  def valid? _patcher, object, _ret, args
@@ -49,8 +53,42 @@ module Contrast
49
53
 
50
54
  # Use #match? because it doesn't fill out global variables
51
55
  # in the way match or =~ do.
56
+ #
57
+ # Since ruby 3.2.0 the Regexp now have a timeout option. we need to check and see if the timeout
58
+ # is set. If so we can assume that the regexp is safe.
59
+ # puts "SAFE #{regexp_timeout_safe?(regexp)}"
60
+ return false if regexp_timeout_safe?(regexp)
61
+
62
+ # report only if pattern is bad:
52
63
  VULNERABLE_PATTERN.match?(regexp.source)
53
64
  end
65
+
66
+ # Check and see if a regexp is with safely set Timeout or not.
67
+ #
68
+ # @param regexp [Regexp]
69
+ # @return [Boolean]
70
+ def regexp_timeout_safe? regexp
71
+ return false if RUBY_VERSION < '3.2.0'
72
+ # Global
73
+ return false if Regexp.timeout.nil? || regexp_infinite?(Regexp)
74
+
75
+ # Local
76
+ return false if regexp.cs__is_a?(Regexp) && !(regexp.timeout.nil? || regexp_infinite?(regexp))
77
+
78
+ true
79
+ end
80
+
81
+ private
82
+
83
+ # Check and see if the set timeout is set to infinity:
84
+ #
85
+ # @param regexp[Regexp] Instance or class
86
+ # @return[Boolean]
87
+ def regexp_infinite? regexp
88
+ return false unless regexp.timeout == POSITIVE_INFINITY || regexp.timeout == NEGATIVE_INFINITY
89
+
90
+ true
91
+ end
54
92
  end
55
93
  end
56
94
  end
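Review bot: The local-timeout branch of `regexp_timeout_safe?` (new line 76) looks inverted: a Regexp whose own timeout is a finite value returns false and is reported as unsafe, while one whose own timeout is nil or infinite falls through to true, and because the global check on new line 73 returns early when `Regexp.timeout` is nil, a regexp that carries only a local timeout is never treated as safe even though, per Ruby's docs, a per-Regexp timeout takes precedence over the global one. `RUBY_VERSION < '3.2.0'` on new line 71 is a lexicographic String comparison that misorders versions such as `3.10.0`; `Gem::Version.new(RUBY_VERSION) < Gem::Version.new('3.2.0')` compares numerically. The leftover debug comment `# puts "SAFE #{regexp_timeout_safe?(regexp)}"` on new line 59 should be dropped. `regexp_infinite?` compares the Float returned by `#timeout` with `==` against a hard-coded constant, which is fragile; if 3.2 reports an unbounded timeout as `Float::INFINITY`, `timeout.infinite?` would be the direct check, so it is worth confirming what the runtime actually returns. The predicate below keeps the name and interface and makes the precedence explicit.
```ruby
def regexp_timeout_safe? regexp
  return false if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('3.2.0')

  # A per-Regexp timeout takes precedence over the global one, so the global
  # setting only decides when the instance carries no timeout of its own.
  if regexp.cs__is_a?(Regexp) && !regexp.timeout.nil?
    return !regexp_infinite?(regexp)
  end

  !Regexp.timeout.nil? && !regexp_infinite?(Regexp)
end
```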
@@ -3,6 +3,6 @@
3
3
 
4
4
  module Contrast
5
5
  module Agent
6
- VERSION = '6.12.0'
6
+ VERSION = '6.13.0'
7
7
  end
8
8
  end
@@ -932,6 +932,22 @@
932
932
  "source":"O",
933
933
  "target":"R",
934
934
  "action":"SPLAT"
935
+ }, {
936
+ "class_name":"IO",
937
+ "method_name":"to_path",
938
+ "instance_method": true,
939
+ "method_visibility": "public",
940
+ "source":"O",
941
+ "target":"R",
942
+ "action":"SPLAT"
943
+ }, {
944
+ "class_name":"IO",
945
+ "method_name":"path",
946
+ "instance_method": true,
947
+ "method_visibility": "public",
948
+ "source":"O",
949
+ "target":"R",
950
+ "action":"SPLAT"
935
951
  }, {
936
952
  "class_name": "ActiveModel::AttributeAssignment",
937
953
  "method_name": "assign_attributes",
@@ -1177,6 +1193,16 @@
1177
1193
  "action": "BUFFER",
1178
1194
  "patch_method": "buffer_keep_splat"
1179
1195
  },
1196
+ {
1197
+ "class_name": "IO::Buffer",
1198
+ "instance_method": true,
1199
+ "method_visibility": "public",
1200
+ "method_name": "read",
1201
+ "source":"P0,O",
1202
+ "target":"O",
1203
+ "action": "BUFFER",
1204
+ "patch_method": "buffer_keep_splat"
1205
+ },
1180
1206
  {
1181
1207
  "class_name": "ERB",
1182
1208
  "method_name": "result",
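Review bot: `IO::Buffer` (new lines 1196–1205) exists only on Ruby 3.1 and later, while the gemspec in this same release still accepts `>= 2.7.0`, so this policy entry names a class that is absent on 2.7 and 3.0 installs; whether the policy loader skips an unresolvable `class_name` or raises is not visible here and is worth confirming. The `IO#to_path` and `IO#path` entries in the earlier hunk of this file (new lines 935–950) carry the same concern if, as their arrival alongside the 3.2 support suggests, they target methods newer than 2.7. A one-line note next to these entries, or in the release notes, stating the minimum Ruby version for these hooks would spare the next reader the check.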
data/ruby-agent.gemspec CHANGED
@@ -178,7 +178,7 @@ Gem::Specification.new do |spec|
178
178
  'Testing and Protection.'
179
179
  spec.homepage = 'https://www.contrastsecurity.com'
180
180
  spec.license = 'CONTRAST SECURITY (see license file)'
181
- spec.required_ruby_version = ['>= 2.7.0', '< 3.2.0']
181
+ spec.required_ruby_version = ['>= 2.7.0', '< 3.3.0']
182
182
 
183
183
  spec.bindir = 'exe'
184
184
  # Keep cs__common first, it handles funchook.h right now.
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: contrast-agent
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.12.0
4
+ version: 6.13.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - galen.palmer@contrastsecurity.com
@@ -13,7 +13,7 @@ authors:
13
13
  autorequire:
14
14
  bindir: exe
15
15
  cert_chain: []
16
- date: 2023-01-10 00:00:00.000000000 Z
16
+ date: 2023-01-20 00:00:00.000000000 Z
17
17
  dependencies:
18
18
  - !ruby/object:Gem::Dependency
19
19
  name: bundler
@@ -684,22 +684,22 @@ email:
684
684
  executables: []
685
685
  extensions:
686
686
  - ext/cs__common/extconf.rb
687
- - ext/cs__assess_module/extconf.rb
688
- - ext/cs__scope/extconf.rb
689
- - ext/cs__assess_string_interpolation/extconf.rb
690
- - ext/cs__assess_kernel/extconf.rb
691
687
  - ext/cs__assess_basic_object/extconf.rb
692
- - ext/cs__assess_test/extconf.rb
693
- - ext/cs__assess_yield_track/extconf.rb
694
688
  - ext/cs__assess_hash/extconf.rb
689
+ - ext/cs__assess_kernel/extconf.rb
690
+ - ext/cs__assess_string_interpolation/extconf.rb
691
+ - ext/cs__contrast_patch/extconf.rb
695
692
  - ext/cs__assess_string/extconf.rb
693
+ - ext/cs__assess_regexp/extconf.rb
696
694
  - ext/cs__tests/extconf.rb
695
+ - ext/cs__assess_module/extconf.rb
696
+ - ext/cs__assess_yield_track/extconf.rb
697
697
  - ext/cs__assess_fiber_track/extconf.rb
698
- - ext/cs__contrast_patch/extconf.rb
699
- - ext/cs__assess_array/extconf.rb
698
+ - ext/cs__scope/extconf.rb
699
+ - ext/cs__assess_test/extconf.rb
700
700
  - ext/cs__os_information/extconf.rb
701
701
  - ext/cs__assess_marshal_module/extconf.rb
702
- - ext/cs__assess_regexp/extconf.rb
702
+ - ext/cs__assess_array/extconf.rb
703
703
  extra_rdoc_files: []
704
704
  files:
705
705
  - ".clang-format"
@@ -1349,7 +1349,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
1349
1349
  version: 2.7.0
1350
1350
  - - "<"
1351
1351
  - !ruby/object:Gem::Version
1352
- version: 3.2.0
1352
+ version: 3.3.0
1353
1353
  required_rubygems_version: !ruby/object:Gem::Requirement
1354
1354
  requirements:
1355
1355
  - - ">="