contrast-agent 6.2.0 → 6.5.0

data/lib/contrast/components/agent.rb

@@ -3,6 +3,8 @@
 
 require 'rubygems/version'
 require 'contrast/agent/rule_set'
+require 'contrast/components/logger'
+require 'contrast/components/heap_dump'
 
 module Contrast
   module Components
@@ -13,9 +15,50 @@ module Contrast
       class Interface
         include Contrast::Components::ComponentBase
 
+        def initialize hsh = {}
+          return unless hsh
+
+          @_enable = hsh[:enable]
+          @_start_bundled_service = hsh[:start_bundled_service]
+          @_omit_body = hsh[:omit_body]
+          @_service = Contrast::Config::ServiceConfiguration.new(hsh[:service])
+          @_logger = Contrast::Components::Logger::Interface.new(hsh[:logger])
+          @_ruby = Contrast::Config::RubyConfiguration.new(hsh[:ruby])
+          @_heap_dump = Contrast::Components::HeapDump::Interface.new(hsh[:heap_dump])
+        end
+
+        # @return [Boolean, true]
+        def start_bundled_service?
+          @_start_bundled_service.nil? ? true : @_start_bundled_service
+        end
+
+        def service
+          return @_service unless @_service.nil?
+
+          @_service = Contrast::Config::ServiceConfiguration.new
+        end
+
+        def logger
+          return @_logger unless @_logger.nil?
+
+          @_logger = Contrast::Components::Logger::Interface.new
+        end
+
+        def ruby
+          return @_ruby unless @_ruby.nil?
+
+          @_ruby = Contrast::Config::RubyConfiguration.new
+        end
+
+        def heap_dump
+          return @_heap_dump unless @_heap_dump.nil?
+
+          @_heap_dump = Contrast::Components::HeapDump::Interface.new
+        end
+
         def enabled?
-          @_enabled = !false?(::Contrast::CONFIG.root.enable) if @_enabled.nil?
-          @_enabled
+          @_enable = !false?(::Contrast::CONFIG.root.enable) if @_enable.nil?
+          @_enable
         end
 
         def disabled?
@@ -23,11 +66,11 @@ module Contrast
         end
 
         def enable!
-          @_enabled = true
+          @_enable = true
         end
 
         def disable!
-          @_enabled = false
+          @_enable = false
           Contrast::Agent::TracePointHook.disable
           Contrast::Agent.thread_watcher&.shutdown!
         end
@@ -41,8 +84,7 @@ module Contrast
         end
 
         def patch_yield?
-          @_patch_yield = !false?(::Contrast::CONFIG.root.agent.ruby.propagate_yield) if @_patch_yield.nil?
-          @_patch_yield
+          !false?(ruby.propagate_yield)
         end
 
         def interpolation_enabled?
@@ -52,18 +94,14 @@ module Contrast
         end
 
         def omit_body?
-          @_omit_body = true?(::Contrast::CONFIG.root.agent.omit_body) if @_omit_body.nil?
           @_omit_body
         end
 
         def exception_control
           @_exception_control ||= {
-              enable: true?(::Contrast::CONFIG.root.agent.ruby.exceptions.capture),
-              status:
-                ::Contrast::CONFIG.root.agent.ruby.exceptions.override_status || 403,
-              message:
-                ::Contrast::CONFIG.root.agent.ruby.exceptions.override_message ||
-                    Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
+              enable: true?(ruby.exceptions.capture),
+              status: ruby.exceptions.override_status || 403,
+              message: ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
           }
         end
 

data/lib/contrast/components/assess.rb

@@ -76,12 +76,6 @@ module Contrast
           @_scan_response
         end
 
-        def track_frozen_sources?
-          @_track_frozen_sources = !false?(::Contrast::CONFIG.root.agent.ruby.track_frozen_sources) if
-            @_track_frozen_sources.nil?
-          @_track_frozen_sources
-        end
-
         def require_scan?
           @_require_scan = !false?(::Contrast::CONFIG.root.agent.ruby.require_scan) if @_require_scan.nil?
           @_require_scan
@@ -124,6 +118,22 @@ module Contrast
           ::Contrast::SETTINGS.assess_state.session_id
         end
 
+        def max_source_events
+          ::Contrast::CONFIG.root.assess.max_context_source_events
+        end
+
+        def max_propagation_events
+          ::Contrast::CONFIG.root.assess.max_propagation_events
+        end
+
+        def time_limit_threshold
+          ::Contrast::CONFIG.root.assess.time_limit_threshold
+        end
+
+        def max_rule_reported
+          ::Contrast::CONFIG.root.assess.max_rule_reported
+        end
+
         private
 
         def forcibly_enabled?

data/lib/contrast/components/config.rb

@@ -27,7 +27,7 @@ module Contrast
       CONTRAST_LOG = 'contrast_agent.log'
       CONTRAST_NAME = 'Contrast Agent'
 
-      class Interface # :nodoc:
+      class Interface # :nodoc: # rubocop:disable Metrics/ClassLength
         SESSION_VARIABLES = 'Invalid configuration. '\
                             "Setting both application.session_id and application.session_metadata is not allowed.\n"
         API_URL = "Invalid configuration. Missing a required connection value 'url' is not set."
@@ -57,6 +57,8 @@ module Contrast
           @config = Contrast::Configuration.new
           env_overrides
           validate
+        rescue ArgumentError => e
+          proto_logger.error('Configuration failed with error: ', e)
         end
         alias_method :rebuild, :build
 
@@ -136,7 +138,7 @@ module Contrast
             next unless env_key.to_s.start_with?(CONTRAST_ENV_MARKER)
 
             config_item = Contrast::Utils::EnvConfigurationItem.new(env_key, env_value)
-            @config.assign_value_to_path_array(config_item.dot_path_array, config_item.value)
+            assign_value_to_path_array(root, config_item.dot_path_array, config_item.value)
           end
         end
 
@@ -193,6 +195,20 @@ module Contrast
         def logger_path
           root.agent.logger.path
         end
+
+        # Assign the value from an ENV variable to the Contrast::Config::RootConfiguration object, when
+        # appropriate.
+        #
+        # @return nil
+        def assign_value_to_path_array current_level, dot_path_array, value
+          dot_path_array[0...-1].each do |segment|
+            segment = segment.tr('-', '_')
+            current_level = current_level.send(segment) if current_level.cs__respond_to?(segment)
+          end
+          return unless current_level.nil? == false && current_level.cs__respond_to?(dot_path_array[-1])
+
+          current_level.send("#{ dot_path_array[-1] }=", value)
+        end
       end
     end
   end

data/lib/contrast/components/contrast_service.rb

@@ -29,7 +29,7 @@ module Contrast
 
           # Requirement says "must be true" but that
           # should be "must not be false" -- oops.
-          @_use_bundled_service ||= !false?(::Contrast::CONFIG.root.agent.start_bundled_service) &&
+          @_use_bundled_service ||= !false?(::Contrast::CONFIG.root.agent.start_bundled_service?) &&
               # Either a valid host or a valid socket
               # Path validity is the service's problem
               (LOCALHOST.match?(host) || !!socket_path)

data/lib/contrast/components/heap_dump.rb

@@ -2,11 +2,61 @@
 # frozen_string_literal: true
 
 require 'contrast/components/base'
-require 'contrast/components/heap_dump'
+require 'contrast/config/base_configuration'
 
 module Contrast
   module Components
     module HeapDump
+      # Interface used to build the HeapDump settings and component.
+      class Interface
+        include Contrast::Config::BaseConfiguration
+
+        DEFAULT_PATH = 'contrast_heap_dumps' # saved
+        DEFAULT_MS = 10_000
+        DEFAULT_COUNT = 5
+
+        def initialize hsh = {}
+          return unless hsh
+
+          @_enable = hsh[:enable]
+          @_path = hsh[:path]
+          @_delay_ms = hsh[:delay_ms]
+          @_window_ms = hsh[:window_ms]
+          @_count = hsh[:count]
+          @_clean = hsh[:clean]
+        end
+
+        # @return [Boolean, String] should dumps be taken
+        def enable
+          @_enable.nil? ? Contrast::Utils::ObjectShare::FALSE : @_enable
+        end
+
+        # @return [String, DEFAULT_PATH] dir to which dumps should be
+        def path
+          @_path ||= DEFAULT_PATH
+        end
+
+        # @return [Integer, DEFAULT_MS] time, in ms, after initialization
+        def delay_ms
+          @_delay_ms ||= DEFAULT_MS
+        end
+
+        # @return [Integer, DEFAULT_MS] ms between each dump
+        def window_ms
+          @_window_ms ||= DEFAULT_MS
+        end
+
+        # @return [Integer, DEFAULT_COUNT] number of dumps to take
+        def count
+          @_count ||= DEFAULT_COUNT
+        end
+
+        # @return [Boolean, String] remove temporary objects or not
+        def clean
+          @_clean.nil? ? Contrast::Utils::ObjectShare::FALSE : @_clean
+        end
+      end
+
       # A wrapper build around the Common Agent Configuration project to allow
       # for access of the values contained in its
       # parent_configuration_spec.yaml.

data/lib/contrast/components/inventory.rb

@@ -1,29 +1,35 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/base'
+
 module Contrast
   module Components
     module Inventory
-      # A wrapper build around the Common Agent Configuration project to allow
-      # for access of the values contained in its
-      # parent_configuration_spec.yaml.
-      # Specifically, this allows for querying the state of the Inventory
-      # product.
+      # Interface component for Inventory settings used to store the values from
+      # settings file and assert state with check methods.
       class Interface
         include Contrast::Components::ComponentBase
 
-        def enabled?
-          @_enabled = !false?(::Contrast::CONFIG.root.inventory.enable) if @_enabled.nil?
-          @_enabled
+        # @return [Array, nil] tags
+        attr_accessor :tags
+
+        def initialize hsh = {}
+          return unless hsh
+
+          @enable = !false?(hsh[:enable])
+          @analyze_libraries = !false?(hsh[:analyze_libraries])
+          @tags = hsh[:tags]
         end
 
-        def analyze_libraries?
-          @_analyze_libraries = !false?(::Contrast::CONFIG.root.inventory.analyze_libraries) if @_analyze_libraries.nil?
-          @_analyze_libraries
+        # return [Boolean]
+        def enable
+          @enable.nil? ? true : @enable
         end
 
-        def tags
-          ::Contrast::CONFIG.root.inventory&.tags
+        # return [Boolean]
+        def analyze_libraries
+          @analyze_libraries.nil? ? true : @analyze_libraries
         end
       end
     end

data/lib/contrast/components/logger.rb

@@ -28,8 +28,26 @@ module Contrast
         end
       end
 
+      # So This class here follows the update for the configuration
+      # and from know on ( if it's as we planned it to be) it will hold the
+      # instance methods and will initialize new instances for where they're needed
       class Interface
         include InstanceMethods
+
+        # @return [String, nil]
+        attr_accessor :path
+        # @return [String, nil]
+        attr_accessor :level
+        # @return [String, nil]
+        attr_accessor :progname
+
+        def initialize hsh = {}
+          return unless hsh
+
+          @path = hsh[:path]
+          @level = hsh[:level]
+          @progname = hsh[:progname]
+        end
       end
     end
   end

data/lib/contrast/config/assess_configuration.rb

@@ -15,6 +15,10 @@ module Contrast
       attr_writer :enable_scan_response, :enable_dynamic_sources, :sampling, :rules, :stacktraces
 
       DEFAULT_STACKTRACES = 'ALL'
+      DEFAULT_MAX_SOURCE_EVENTS = 50_000
+      DEFAULT_MAX_PROPAGATION_EVENTS = 50_000
+      DEFAULT_MAX_RULE_REPORTED = 50_000
+      DEFAULT_MAX_RULE_TIME_THRESHOLD = 300_000
 
       def initialize hsh = {}
         return unless hsh
@@ -27,6 +31,10 @@ module Contrast
         @sampling = Contrast::Config::SamplingConfiguration.new(hsh[:sampling])
         @rules = Contrast::Config::AssessRulesConfiguration.new(hsh[:rules])
         @stacktraces = hsh[:stacktraces]
+        @max_context_source_events = hsh[:max_context_source_events]
+        @max_propagation_events = hsh[:max_propagation_events]
+        @max_rule_reported = hsh[:max_rule_reported]
+        @time_limit_threshold = hsh[:time_limit_threshold]
       end
 
       # @return [Boolean, true]
@@ -58,6 +66,26 @@ module Contrast
       def stacktraces
         @stacktraces ||= DEFAULT_STACKTRACES
       end
+
+      # @return [int] max number of context source events in single request
+      def max_context_source_events
+        @max_context_source_events ||= DEFAULT_MAX_SOURCE_EVENTS
+      end
+
+      # @return [int] max number of propagation events in single request
+      def max_propagation_events
+        @max_propagation_events ||= DEFAULT_MAX_PROPAGATION_EVENTS
+      end
+
+      # @return [int] max number of rules reported within time_limit_threshold
+      def max_rule_reported
+        @max_rule_reported ||= DEFAULT_MAX_RULE_REPORTED
+      end
+
+      # @return [int] max ms threshold for reporting rules
+      def time_limit_threshold
+        @time_limit_threshold ||= DEFAULT_MAX_RULE_TIME_THRESHOLD
+      end
     end
   end
 end

data/lib/contrast/config/base_configuration.rb

@@ -10,29 +10,22 @@ module Contrast
     # Configuration settings to usable Ruby classes.
     module BaseConfiguration
       extend Forwardable
+      AT_UNDERSCORE = '@_'
 
       def to_hash
         hsh = {}
         instance_variables.each do |iv|
-          # strip the '@' to get the key
-          key = iv.to_s[1..]
+          # strip the '@' of '@_' to get the key
+          string_iv = iv.to_s
+          key = if string_iv.include?(AT_UNDERSCORE)
+                  string_iv[2..]
+                else
+                  string_iv[1..]
+                end
           hsh[key] = send(key.to_sym)
         end
         hsh
       end
-
-      def assign_value_to_path_array dot_path_array, value
-        current_level = self
-        dot_path_array[0...-1].each do |segment|
-          segment = segment.tr('-', '_')
-          current_level = current_level.send(segment) if current_level.cs__respond_to?(segment)
-        end
-        last_entry = dot_path_array[-1]
-        if current_level.nil? == false && current_level.cs__respond_to?(last_entry)
-          current_level.send("#{ last_entry }=", value)
-        end
-        nil
-      end
     end
   end
 end

data/lib/contrast/config/root_configuration.rb

@@ -1,6 +1,9 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/agent'
+require 'contrast/components/inventory'
+
 module Contrast
   module Config
     # The base of the Common Configuration settings.
@@ -9,7 +12,7 @@ module Contrast
 
       # @return [Contrast::Config::ApiConfiguration]
       attr_writer :api
-      # @return [Contrast::Config::AgentConfiguration]
+      # @return [Contrast::Components::Agent::Interface]
       attr_writer :agent
       # @return [Contrast::Config::ApplicationConfiguration]
       attr_writer :application
@@ -17,7 +20,7 @@ module Contrast
       attr_writer :server
       # @return [Contrast::Config::AssessConfiguration]
       attr_writer :assess
-      # @return [Contrast::Config::InventoryConfiguration]
+      # @return [Contrast::Components::Inventory::Interface]
       attr_writer :inventory
       # @return [Contrast::Config::ProtectConfiguration]
       attr_writer :protect
@@ -26,16 +29,17 @@ module Contrast
       # @return [Boolean, nil]
       attr_accessor :enable
 
+      # @raise[ArgumentError]
       def initialize hsh = {}
         raise(ArgumentError, 'Expected a hash') unless hsh.is_a?(Hash)
 
         @api = Contrast::Config::ApiConfiguration.new(hsh[:api])
         @enable = hsh[:enable]
-        @agent = Contrast::Config::AgentConfiguration.new(hsh[:agent])
+        @agent = Contrast::Components::Agent::Interface.new(hsh[:agent])
         @application = Contrast::Config::ApplicationConfiguration.new(hsh[:application])
         @server = Contrast::Config::ServerConfiguration.new(hsh[:server])
         @assess = Contrast::Config::AssessConfiguration.new(hsh[:assess])
-        @inventory = Contrast::Config::InventoryConfiguration.new(hsh[:inventory])
+        @inventory = Contrast::Components::Inventory::Interface.new(hsh[:inventory])
         @protect = Contrast::Config::ProtectConfiguration.new(hsh[:protect])
         @service = Contrast::Config::ServiceConfiguration.new(hsh[:service])
       end
@@ -45,9 +49,9 @@ module Contrast
         @api ||= Contrast::Config::ApiConfiguration.new
       end
 
-      # @return [Contrast::Config::AgentConfiguration]
+      # @return [Contrast::Components::Agent::Interface]
       def agent
-        @agent ||= Contrast::Config::AgentConfiguration.new
+        @agent ||= Contrast::Components::Agent::Interface.new
       end
 
       # @return [Contrast::Config::ApplicationConfiguration]
@@ -65,9 +69,9 @@ module Contrast
         @assess ||= Contrast::Config::AssessConfiguration.new
       end
 
-      # @return [Contrast::Config::InventoryConfiguration]
+      # @return [Contrast::Components::Inventory::Interface]
       def inventory
-        @inventory ||= Contrast::Config::InventoryConfiguration.new
+        @inventory ||= Contrast::Components::Inventory::Interface.new
       end
 
       # @return [Contrast::Config::ProtectConfiguration]

data/lib/contrast/config/ruby_configuration.rb

@@ -21,7 +21,7 @@ module Contrast
       DEFAULT_UNINSTRUMENTED_NAMESPACES = %w[FactoryGirl FactoryBot].cs__freeze
 
       attr_writer :disabled_agent_rake_tasks, :exceptions, :interpolate, :propagate_yield, :require_scan,
-                  :track_frozen_sources, :non_request_tracking, :uninstrument_namespace
+                  :non_request_tracking, :uninstrument_namespace
 
       def initialize hsh = {}
         return unless hsh
@@ -31,7 +31,6 @@ module Contrast
         @interpolate = hsh[:interpolate]
         @propagate_yield = hsh[:propagate_yield]
         @require_scan = hsh[:require_scan]
-        @track_frozen_sources = hsh[:track_frozen_sources]
         @non_request_tracking = hsh[:non_request_tracking]
         @uninstrument_namespace = hsh[:uninstrument_namespace]
       end
@@ -67,16 +66,10 @@ module Contrast
         @require_scan.nil? ?  Contrast::Utils::ObjectShare::TRUE  : @require_scan
       end
 
-      # controls whether or not we track frozen Strings by replacing them
-      # @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
-      def track_frozen_sources
-        @track_frozen_sources.nil? ?  Contrast::Utils::ObjectShare::TRUE : @track_frozen_sources
-      end
-
       # controls tracking outside of request
       # @return [Boolean, Contrast::Utils::ObjectShare::FALSE]
       def non_request_tracking
-        @non_request_tracking.nil? ?  Contrast::Utils::ObjectShare::FALSE : @non_request_tracking
+        @non_request_tracking.nil? ? Contrast::Utils::ObjectShare::FALSE : @non_request_tracking
       end
 
       # @return [Array, DEFAULT_UNINSTRUMENTED_NAMESPACES]

data/lib/contrast/config/service_configuration.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/config/logger_configuration'
+require 'contrast/components/logger'
 
 module Contrast
   module Config
@@ -31,13 +31,13 @@ module Contrast
         @host = hsh[:host]
         @port = hsh[:port]
         @socket = hsh[:socket]
-        @logger = Contrast::Config::LoggerConfiguration.new(hsh[:logger])
+        @logger = Contrast::Components::Logger::Interface.new(hsh[:logger])
         @bypass = hsh[:bypass]
       end
 
-      # @return [Contrast::Config::LoggerConfiguration]
+      # @return [Contrast::Components::Logger::Interface]
       def logger
-        @logger ||= Contrast::Config::LoggerConfiguration.new
+        @logger ||= Contrast::Components::Logger::Interface.new
       end
 
       # @return [Boolean, false]

data/lib/contrast/config.rb

@@ -11,10 +11,6 @@ module Contrast
 end
 
 require 'contrast/config/base_configuration'
-
-require 'contrast/config/logger_configuration'
-
-require 'contrast/config/heap_dump_configuration'
 require 'contrast/config/service_configuration'
 require 'contrast/config/exception_configuration'
 require 'contrast/config/assess_rules_configuration'
@@ -24,10 +20,8 @@ require 'contrast/config/sampling_configuration'
 
 require 'contrast/config/ruby_configuration'
 require 'contrast/config/api_configuration'
-require 'contrast/config/agent_configuration'
 require 'contrast/config/application_configuration'
 require 'contrast/config/server_configuration'
 require 'contrast/config/assess_configuration'
-require 'contrast/config/inventory_configuration'
 require 'contrast/config/protect_configuration'
 require 'contrast/config/root_configuration'

data/lib/contrast/configuration.rb

@@ -18,8 +18,6 @@ module Contrast
     include Contrast::Components::Scope::InstanceMethods
     extend Contrast::Components::Scope::InstanceMethods
 
-    def_delegator :root, :assign_value_to_path_array
-
     attr_reader :default_name, :root
 
     DEFAULT_YAML_PATH  = 'contrast_security.yaml'

data/lib/contrast/extension/assess/eval_trigger.rb

@@ -25,10 +25,6 @@ module Contrast
           def apply_trigger obj, source, ret, clazz, method
             return unless ::Contrast::ASSESS.non_request_tracking? || Contrast::Agent::REQUEST_TRACKER.current
 
-            # Since we know this is the source of the trigger, we can do some
-            # optimization here and return when it is not tracked
-            return unless Contrast::Utils::Assess::TrackingUtil.tracked?(source)
-
             # source might not be all the args passed in, but it is the one we care
             # about. we could pass in all the args in the last param here if it
             # becomes an issue in rendering on TS

data/lib/contrast/extension/assess/hash.rb

@@ -15,11 +15,12 @@ module Contrast
         class << self
           def cs__duplicate_and_freeze object
             return object unless object.is_a?(String) && !object.cs__frozen?
-            return object unless Contrast::Agent::Assess::Tracker.tracked?(object)
 
             # Copy the object, then freeze it, so that it looks the same
             # externally, but will have our finalizer on it.
-            object.dup&.cs__freeze
+            copy = object.dup
+            Contrast::Agent::Assess::Tracker.pre_freeze(copy)
+            copy&.cs__freeze
           rescue StandardError
             # we'll rescue this error, but we can't log it here as that will
             # result in a seg fault

data/lib/contrast/extension/assess/kernel.rb

@@ -4,6 +4,7 @@
 require 'contrast/extension/assess/exec_trigger'
 require 'contrast/components/logger'
 require 'contrast/agent/assess/events/event_data'
+require 'contrast/agent/patching/policy/patch'
 
 module Contrast
   module Extension
@@ -97,6 +98,27 @@ module Contrast
           end
         end
       end
+
+      # Used for Kernel exec aliasing since we have no other way of accessing the
+      # Kernel#exec under C if we alias it there.
+      module ContrastKernel
+        # Method to replace the call to Kernel#exec when applying alias patch.
+        # It will invoke  Contrast::Extension::Assess::KernelPropagator before
+        # calling the original method.
+        #
+        # @param source [String, Proc] Potentially untrusted shell command to execute.
+        # @return nil - This method will invoke the Kernel#exec which will
+        def cs__kernel_exec source
+          # Check if in contrast scope and we have source.
+          unless Contrast::Agent::Patching::Policy::Patch.in_contrast_scope? || source.nil?
+            Contrast::Agent::Patching::Policy::Patch.with_contrast_scope do
+              Contrast::Extension::Assess::KernelPropagator.apply_trigger(source)
+            end
+          end
+          # Call this in the end else any code bellow this call won't be executed.
+          Kernel.exec(source)
+        end
+      end
     end
   end
 end