contrast-agent 6.4.0 → 6.6.0

data/lib/contrast/config/root_configuration.rb

@@ -1,15 +1,18 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/agent'
+require 'contrast/components/inventory'
+require 'contrast/components/protect'
 module Contrast
   module Config
     # The base of the Common Configuration settings.
     class RootConfiguration
       include Contrast::Config::BaseConfiguration
 
-      # @return [Contrast::Config::ApiConfiguration]
+      # @return [Contrast::Components::Api::Interface]
       attr_writer :api
-      # @return [Contrast::Config::AgentConfiguration]
+      # @return [Contrast::Components::Agent::Interface]
       attr_writer :agent
       # @return [Contrast::Config::ApplicationConfiguration]
       attr_writer :application
@@ -17,9 +20,9 @@ module Contrast
       attr_writer :server
       # @return [Contrast::Config::AssessConfiguration]
       attr_writer :assess
-      # @return [Contrast::Config::InventoryConfiguration]
+      # @return [Contrast::Components::Inventory::Interface]
       attr_writer :inventory
-      # @return [Contrast::Config::ProtectConfiguration]
+      # @return [Contrast::Components::Protect::Interface]
       attr_writer :protect
       # @return [Contrast::Config::ServiceConfiguration]
       attr_writer :service
@@ -30,25 +33,25 @@ module Contrast
       def initialize hsh = {}
         raise(ArgumentError, 'Expected a hash') unless hsh.is_a?(Hash)
 
-        @api = Contrast::Config::ApiConfiguration.new(hsh[:api])
+        @api = Contrast::Components::Api::Interface.new(hsh[:api])
         @enable = hsh[:enable]
-        @agent = Contrast::Config::AgentConfiguration.new(hsh[:agent])
+        @agent = Contrast::Components::Agent::Interface.new(hsh[:agent])
         @application = Contrast::Config::ApplicationConfiguration.new(hsh[:application])
         @server = Contrast::Config::ServerConfiguration.new(hsh[:server])
         @assess = Contrast::Config::AssessConfiguration.new(hsh[:assess])
-        @inventory = Contrast::Config::InventoryConfiguration.new(hsh[:inventory])
-        @protect = Contrast::Config::ProtectConfiguration.new(hsh[:protect])
+        @inventory = Contrast::Components::Inventory::Interface.new(hsh[:inventory])
+        @protect = Contrast::Components::Protect::Interface.new(hsh[:protect])
         @service = Contrast::Config::ServiceConfiguration.new(hsh[:service])
       end
 
-      # @return [Contrast::Config::ApiConfiguration]
+      # @return [Contrast::Components::Api::Interface]
       def api
-        @api ||= Contrast::Config::ApiConfiguration.new
+        @api ||= Contrast::Components::Api::Interface.new
       end
 
-      # @return [Contrast::Config::AgentConfiguration]
+      # @return [Contrast::Components::Agent::Interface]
       def agent
-        @agent ||= Contrast::Config::AgentConfiguration.new
+        @agent ||= Contrast::Components::Agent::Interface.new
       end
 
       # @return [Contrast::Config::ApplicationConfiguration]
@@ -66,14 +69,14 @@ module Contrast
         @assess ||= Contrast::Config::AssessConfiguration.new
       end
 
-      # @return [Contrast::Config::InventoryConfiguration]
+      # @return [Contrast::Components::Inventory::Interface]
       def inventory
-        @inventory ||= Contrast::Config::InventoryConfiguration.new
+        @inventory ||= Contrast::Components::Inventory::Interface.new
       end
 
-      # @return [Contrast::Config::ProtectConfiguration]
+      # @return [Contrast::Components::Protect::Interface]
       def protect
-        @protect ||= Contrast::Config::ProtectConfiguration.new
+        @protect ||= Contrast::Components::Protect::Interface.new
       end
 
       # @return [Contrast::Config::ServiceConfiguration]

data/lib/contrast/config/service_configuration.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/config/logger_configuration'
+require 'contrast/components/logger'
 
 module Contrast
   module Config
@@ -31,13 +31,13 @@ module Contrast
         @host = hsh[:host]
         @port = hsh[:port]
         @socket = hsh[:socket]
-        @logger = Contrast::Config::LoggerConfiguration.new(hsh[:logger])
+        @logger = Contrast::Components::Logger::Interface.new(hsh[:logger])
         @bypass = hsh[:bypass]
       end
 
-      # @return [Contrast::Config::LoggerConfiguration]
+      # @return [Contrast::Components::Logger::Interface]
       def logger
-        @logger ||= Contrast::Config::LoggerConfiguration.new
+        @logger ||= Contrast::Components::Logger::Interface.new
       end
 
       # @return [Boolean, false]

data/lib/contrast/config.rb

@@ -11,23 +11,14 @@ module Contrast
 end
 
 require 'contrast/config/base_configuration'
-
-require 'contrast/config/logger_configuration'
-
-require 'contrast/config/heap_dump_configuration'
 require 'contrast/config/service_configuration'
 require 'contrast/config/exception_configuration'
 require 'contrast/config/assess_rules_configuration'
 require 'contrast/config/protect_rule_configuration'
 require 'contrast/config/protect_rules_configuration'
-require 'contrast/config/sampling_configuration'
 
 require 'contrast/config/ruby_configuration'
-require 'contrast/config/api_configuration'
-require 'contrast/config/agent_configuration'
 require 'contrast/config/application_configuration'
 require 'contrast/config/server_configuration'
 require 'contrast/config/assess_configuration'
-require 'contrast/config/inventory_configuration'
-require 'contrast/config/protect_configuration'
 require 'contrast/config/root_configuration'

data/lib/contrast/extension/object.rb

@@ -0,0 +1,19 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+# Some developers override various methods on Object, which can often involve
+# changing expected method parity/behavior which in turn prevents us from being
+# able to reliably use affected methods.
+# We alias these method so that we always have access to them.
+#
+# Because we use these methods in constructing classes (e.g., calling #freeze
+# on constants within class definitions) we do this aliasing ASAP.
+class Object
+  alias_method :cs__class, :class
+  alias_method :cs__freeze, :freeze
+  alias_method :cs__frozen?, :frozen?
+  alias_method :cs__is_a?, :is_a?
+  alias_method :cs__method, :method
+  alias_method :cs__respond_to?, :respond_to?
+  alias_method :cs__singleton_class, :singleton_class
+end

data/lib/contrast/framework/rails/support.rb

@@ -59,7 +59,7 @@ module Contrast
             # ActionDispatch::Journey::Path::Pattern::MatchData, Hash, ActionDispatch::Journey::Route, Array<String>
             match, _params, route, path = get_full_route(request.rack_request)
             unless route
-              logger.warn('Unable to determine the current route of this request')
+              logger.warn("Unable to determine the current route of this request: #{ request.rack_request }")
               return
             end
 
@@ -90,7 +90,7 @@ module Contrast
             # ActionDispatch::Journey::Path::Pattern::MatchData, Hash, ActionDispatch::Journey::Route, Array<String>
             match, _params, route, path = get_full_route(request.rack_request)
             unless route
-              logger.warn('Unable to determine the current route of this request')
+              logger.warn("Unable to determine the current route of this request: #{ request.rack_request }")
               return
             end
 
@@ -135,8 +135,11 @@ module Contrast
           # @return [bool] whether the router is an engine or not.
           def engine_route? route
             return false unless route&.app&.app
+            return false unless route.app.is_a?(::ActionDispatch::Routing::Mapper::Constraints) ||
+                route.app.is_a?(::ActionDispatch::Routing::RouteSet::Dispatcher)
 
-            route.app.is_a?(::ActionDispatch::Routing::Mapper::Constraints) && route.app.app < ::Rails::Engine
+            clazz = route.app.app.is_a?(Class) ? route.app.app : route.app.app.cs__class
+            clazz < ::Rails::Engine
           end
 
           # Recursively get final route traversing engines as required. Because this can only be called once, we store
@@ -179,6 +182,7 @@ module Contrast
                 route_list += find_all_routes(route.app.app, [])
               end
             end
+            logger.debug("Routes Found: #{ route_list }")
             route_list
           end
 

data/lib/contrast/logger/log.rb

@@ -134,7 +134,8 @@ module Contrast
 
         enable_trace_timing if current_level_const == ::Ougai::Logging::TRACE
 
-        @_logger = build(path: current_path, level_const: current_level_const)
+        progname = Contrast::CONFIG.root.agent.logger.progname
+        @_logger = build(path: current_path, level_const: current_level_const, progname: progname)
         # If we're logging to a new path, then let's start it w/ our helpful
         # data gathering messages
         log_update if path_change

data/lib/contrast/utils/assess/event_limit_utils.rb

@@ -0,0 +1,96 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Utils
+    module Assess
+      # EventLimitUtils is used to check and validate the number of source, propagation, or trigger events collected
+      # during the reporting time frame
+      module EventLimitUtils
+        include Contrast::Components::Logger::InstanceMethods
+        # Checks to see if the event limit for the policy type has been met or exceeded
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] method to check for event limit
+        def event_limit? method_policy
+          return false unless (context = Contrast::Agent::REQUEST_TRACKER.current)
+
+          if method_policy.source_node
+            max =  (::Contrast::ASSESS.max_source_events ||
+              Contrast::Config::AssessConfiguration::DEFAULT_MAX_SOURCE_EVENTS)
+            return at_limit?(method_policy, context.source_event_count, max)
+
+          end
+          if method_policy.propagation_node
+            max = (::Contrast::ASSESS.max_propagation_events ||
+              Contrast::Config::AssessConfiguration::DEFAULT_MAX_PROPAGATION_EVENTS)
+            return at_limit?(method_policy, context.propagation_event_count, max)
+          end
+
+          false # policy does not have limit
+        end
+
+        def event_limit_for_rule? rule_id
+          if Contrast::Utils::Timer.now_ms > threshold_time_limit
+            @_rule_counts = nil
+            @_threshold_time_limit = nil
+            threshold_time_limit
+          end
+          rule_counts[rule_id] += 1
+          # TODO: RUBY-1680 remove default
+          rule_counts[rule_id] >=
+              (::Contrast::ASSESS.max_rule_reported || Contrast::Config::AssessConfiguration::DEFAULT_MAX_RULE_REPORTED)
+        end
+
+        # Increments the event count for the type of event that is being tracked
+        #
+        # @param node [Contrast::Agent::Assess::Policy::PolicyNode] policy to increment
+        def increment_event_count node
+          return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
+
+          context.source_event_count += 1 if node.cs__is_a?(Contrast::Agent::Assess::Policy::SourceNode)
+          context.propagation_event_count += 1 if node.cs__is_a?(Contrast::Agent::Assess::Policy::PropagationNode)
+        end
+
+        private
+
+        # helper method to check limit and log when necessary
+        def at_limit? method_policy, current_count, event_max
+          if current_count == event_max
+            logger.warn('Event Limit Reached:',
+                        {
+                            count: current_count,
+                            max: event_max,
+                            policy: method_policy.method_name,
+                            node: method_policy
+                        })
+            # increment to be over count for logging purposes
+            increment_event_count(method_policy)
+            return true
+          elsif current_count > event_max
+            # increment to be over count for logging purposes
+            increment_event_count(method_policy)
+            logger.warn('Event Limit Exceeded:',
+                        {
+                            count: current_count,
+                            policy: method_policy.method_name,
+                            node: method_policy
+                        })
+            return true
+          end
+          false
+        end
+
+        def rule_counts
+          @_rule_counts ||= Hash.new { |h, k| h[k] = 0 }
+        end
+
+        # the time threshold for which to track rule counts resets when now >= threshold_time_limit
+        # @return [Integer]
+        def threshold_time_limit
+          @_threshold_time_limit ||= Contrast::Utils::Timer.now_ms + (::Contrast::ASSESS.time_limit_threshold || 0)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/propagation_method_utils.rb

@@ -92,20 +92,24 @@ module Contrast
         # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
         #   the invocation of the patched method.
         # @param target [Object] the thing to which to propagate
+        # @param propagation_data [Contrast::Agent::Assess::Events::EventData] this will hold the
+        #                         object [Object] the Object on which the method was invoked
+        #                         args [Array<Object>] the Arguments with which the method was invoked
         # @return [Boolean]
-        def can_propagate? propagation_node, preshift, target
+        def can_propagate? propagation_node, preshift, target, propagation_data
           return false unless appropriate_target?(propagation_node, target)
           return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
-          if propagation_node.use_original_object?
-            # return true since we don't have preshift while using the original object.
-            return true
-          end
-          return false unless preshift
+          return false unless appropriate_source?(propagation_node, propagation_data, preshift)
 
           propagation_node.sources.each do |source|
             case source
             when Contrast::Utils::ObjectShare::OBJECT_KEY
-              return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
+              source_object = if propagation_node.use_original_object?
+                                propagation_data.object
+                              else
+                                preshift.object
+                              end
+              return true if Contrast::Utils::Assess::TrackingUtil.tracked?(source_object)
             else
               # has to be P, there's no ret source type (yet? ever?)
               return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
@@ -129,6 +133,22 @@ module Contrast
 
           Contrast::Agent::Assess::Tracker.trackable?(target)
         end
+
+        # A source is appropriate if it is available for propagation
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param propagation_data [Contrast::Agent::Assess::Events::EventData] this will hold the
+        #                         object [Object] the Object on which the method was invoked
+        #                         args [Array<Object>] the Arguments with which the method was invoked
+        # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+        #   the invocation of the patched method.
+        # @return [Boolean]
+        def appropriate_source? propagation_node, propagation_data, preshift
+          return true if preshift
+
+          propagation_node.use_original_object? && propagation_data&.object
+        end
       end
     end
   end

data/lib/contrast/utils/log_utils.rb

@@ -19,7 +19,7 @@ module Contrast
 
       private
 
-      def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
+      def build path: STDOUT_STR, level_const: DEFAULT_LEVEL, progname: PROGNAME
         logger = case path
                  when STDOUT_STR, STDERR_STR
                    ::Ougai::Logger.new(Object.cs__const_get(path))
@@ -27,7 +27,7 @@ module Contrast
                    ::Ougai::Logger.new(path)
                  end
         add_contrast_loggers(logger)
-        logger.progname = PROGNAME
+        logger.progname = progname
         logger.level = level_const
         logger.formatter = Contrast::Logger::Format.new
         logger.formatter.datetime_format = DATE_TIME_FORMAT

data/lib/contrast/utils/net_http_base.rb

@@ -131,7 +131,7 @@ module Contrast
                             end
         return initialize_client if addr.host.to_s.include?('localhost') # TODO: RUBY-99999 allow http w/ localhost
 
-        assign_cert(initialize_client) if use_custom_cert && Contrast::API.certification_enabled?
+        assign_cert(initialize_client) if use_custom_cert && Contrast::API.certification_enable
         initialize_client.use_ssl = true
         initialize_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
         initialize_client.verify_depth = 5
@@ -150,7 +150,7 @@ module Contrast
       def proxy_enabled?
         return @_proxy_enabled unless @_proxy_enabled.nil?
 
-        @_proxy_enabled = Contrast::API.proxy_enabled? && !Contrast::API.proxy_url.nil?
+        @_proxy_enabled = Contrast::API.proxy_enable && !Contrast::API.proxy_url.nil?
       end
 
       # Retrieve the IP address from the client.

data/lib/contrast/utils/patching/policy/patch_utils.rb

@@ -95,7 +95,7 @@ module Contrast
         # @param object [Object] The object on which the method is invoked, typically what would be returned by self.
         # @param args [Array<Object>] The arguments passed to the method being invoked.
         def apply_inventory method_policy, method, exception, object, args
-          return unless ::Contrast::INVENTORY.enabled?
+          return unless ::Contrast::INVENTORY.enable
 
           apply_trigger_only(method_policy&.inventory_node, method, exception, object, args)
         end

data/lib/contrast.rb

@@ -4,22 +4,7 @@
 # Used to prevent deprecation warnings from flooding stdout
 ENV['PB_IGNORE_DEPRECATIONS'] = 'true'
 
-# Some developers override various methods on Object, which can often involve
-# changing expected method parity/behavior which in turn prevents us from being
-# able to reliably use affected methods.
-# We alias these method so that we always have access to them.
-#
-# Because we use these methods in constructing classes (e.g., calling #freeze
-# on constants within class definitions) we do this aliasing ASAP.
-class Object
-  alias_method :cs__class, :class
-  alias_method :cs__freeze, :freeze
-  alias_method :cs__frozen?, :frozen?
-  alias_method :cs__is_a?, :is_a?
-  alias_method :cs__method, :method
-  alias_method :cs__respond_to?, :respond_to?
-  alias_method :cs__singleton_class, :singleton_class
-end
+require 'contrast/extension/object'
 
 # ActiveRecord gives access to the `String#blank?` method, which we've started using. We need to make sure that method
 # actually exists.
@@ -86,15 +71,15 @@ require 'contrast/agent/telemetry/events/exceptions/telemetry_exception_event'
 require 'protobuf' # TODO: RUBY-1438
 
 module Contrast
-  API = Contrast::Components::Api::Interface.new
-  SCOPE = Contrast::Components::Scope::Interface.new
   CONFIG = Contrast::Components::Config::Interface.new
+  SCOPE = Contrast::Components::Scope::Interface.new
+  API = CONFIG.root.api
   SETTINGS = Contrast::Components::Settings::Interface.new
   ASSESS = Contrast::Components::Assess::Interface.new
   PROTECT = Contrast::Components::Protect::Interface.new
-  INVENTORY = Contrast::Components::Inventory::Interface.new
-  LOGGER = Contrast::Components::Logger::Interface.new
-  AGENT = Contrast::Components::Agent::Interface.new
+  INVENTORY = CONFIG.root.inventory
+  AGENT = CONFIG.root.agent
+  LOGGER = AGENT.logger
   CONTRAST_SERVICE = Contrast::Components::ContrastService::Interface.new
   APP_CONTEXT = Contrast::Components::AppContext::Interface.new
 end

data/resources/assess/policy.json

@@ -692,15 +692,7 @@
       "action":"CUSTOM",
       "patch_class": "Contrast::Agent::Assess::Policy::Propagator::MatchData",
       "patch_method": "values_at_tagger"
-    }, {
-      "class_name":"String",
-      "instance_method": true,
-      "method_visibility": "public",
-      "method_name":"to_sym",
-      "source":"O",
-      "target":"R",
-      "action":"KEEP"
-    }, {
+    },{
       "class_name": "String",
       "instance_method": true,
       "method_visibility": "public",
@@ -1104,6 +1096,17 @@
       "tags":["SQL_ENCODED"],
       "untags":["SQL_DECODED"]
     },
+    {
+      "class_name":"ActiveRecord::ConnectionAdapters::Quoting",
+      "instance_method": true,
+      "method_visibility": "public",
+      "method_name":"quote",
+      "source": "P0",
+      "target": "R",
+      "action": "SPLAT",
+      "tags":["SQL_ENCODED"],
+      "untags":["SQL_DECODED"]
+    },
     {
       "class_name":"IO",
       "method_name":"initialize",
@@ -1860,9 +1863,9 @@
           "source": "P0"
         },{
           "class_name": "Excon",
-          "instance_method": true,
-          "method_visibility": "private",
-          "method_name": "initialize",
+          "instance_method": false,
+          "method_visibility": "public",
+          "method_name": "new",
           "source": "P0"
         },
         {