contrast-agent 6.6.3 → 6.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 38657595e182ad9ef1a26180b273061522dcea43e441e1750d9883d2d1d2d9f6
-  data.tar.gz: 37fe627c2fec00f17c6a2cd6b42aa96149bc4b01871fddd6bb929c5a2baabb63
+  metadata.gz: c688788c7666c5ea72351e52ad02fe838923dc0dde589199917d2bfa96080630
+  data.tar.gz: f63416e47b9b815f0ec7a79858fb11f866bf5c49c952cf278dfb851679f44957
 SHA512:
-  metadata.gz: 1a2a85843ec7ba80d84a84f21defd2333a1b1130165113777c324176597231ca17b6c861f1f44ff6024f71e01e7d3508f0d57e767381e3d7580e82c7e10bee4a
-  data.tar.gz: b7b98e93f5b8e3bfd826f730e3981bb6006aa69a71dbd24ecec6eeef373b0b147ce542f0e0416f42d9da33dbbe4a76945bb1341bde91ea9b7134a4ddee80b2fb
+  metadata.gz: 0b5ee56bb30a55609a6252a105c8ab60e0bf66bdcac23e4efa937cfbc99f7669ab5ed7ffdc41dfd1b9659a09a93d2f7714af0eb398b46069542f0dff753c1ccd
+  data.tar.gz: 84b72b0f516808677745cc1ea7ecdedf762309ceb79eaac2908f1f16ac6abc811f2997bc50673e78101d7845ddd67a73c996c7ed3ebdbca6d33cf88883926499

data/.gitignore

@@ -23,6 +23,9 @@ ruby-spec
 mspec
 service_executables
 
+# rspec generated files
+/spec/dummy_files/*
+
 # Funchook artifacts
 /ext/**/funchook.h
 /ext/**/libfunchook.dylib

data/.gitmodules

@@ -1,6 +1,3 @@
-[submodule "agent-service-api"]
-	path = agent-service-api
-	url = git@github.com:Contrast-Security-Inc/agent-service-api.git
 [submodule "funchook"]
 	path = funchook
 	url = https://github.com/kubo/funchook.git

data/ext/cs__scope/cs__scope.c

@@ -81,7 +81,7 @@ void rb_raise_scope_no_method_err(const VALUE method_scope_sym) {
  * sets scope instance variables.
  * def initialize
  *    @contrast_scope = 0
- *     @deserialization_scope = 0
+ *    @deserialization_scope = 0
  *    @split_scope = 0
  * end
  */

data/lib/contrast/agent/assess/contrast_event.rb

@@ -9,6 +9,7 @@ require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/timer'
 require 'contrast/agent/assess/contrast_object'
+require 'contrast/agent/reporting/reporting_events/finding_event'
 
 module Contrast
   module Agent
@@ -63,34 +64,11 @@ module Contrast
           capture_stacktrace!
         end
 
+        # @return [Array<Contrast::Agent::Assess::ContrastEvent>]
         def parent_events
           @_parent_events ||= []
         end
 
-        # We have to do a little work to figure out what our TS appropriate target is. To break this down, the logic is
-        # as follows:
-        # 1) If my policy_node has a target, work on targets. Else, work on sources. Per TS law, each policy_node must
-        #    have at least a source or a target. The only type of policy_node w/o targets is a Trigger, but that may
-        #    change.
-        # 2) I'll set the event's source and target to TS values.
-        # 3) Return the first source/target as the taint target.
-        def determine_taint_target event_dtm
-          if @policy_node&.targets&.any?
-            event_dtm.source = @policy_node.source_string if @policy_node.source_string
-            event_dtm.target = @policy_node.target_string
-            @policy_node.targets[0]
-          elsif policy_node&.sources&.any?
-            event_dtm.source = @policy_node.source_string
-            event_dtm.target = @policy_node.target_string if @policy_node.target_string
-            @policy_node.sources[0]
-          end
-        end
-
-        # Convert this event into a DTM that TeamServer can consume
-        def to_dtm_event
-          Contrast::Api::Dtm::TraceEvent.build(self)
-        end
-
         private
 
         # Parent events are the events of all the sources of this event which were tracked prior to this event

data/lib/contrast/agent/assess/events/source_event.rb

@@ -2,7 +2,8 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/contrast_event'
-require 'contrast/agent/reporting/reporting_events/trace_event_source'
+require 'contrast/agent/reporting/reporting_events/finding_event'
+require 'contrast/agent/reporting/reporting_events/finding_event_source'
 require 'contrast/utils/string_utils'
 
 module Contrast
@@ -19,6 +20,8 @@ module Contrast
           attr_reader :source_name
           # @return [String] the TeamServer understood type of source; i.e. parameter
           attr_reader :source_type
+          # @return [Contrast::Agent::Reporting::FindingEventSource] the source of this trace
+          attr_reader :event_source
 
           # @param event_data [Contrast::Agent::Assess::Events::EventData]
           # @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
@@ -27,72 +30,15 @@ module Contrast
           #   nil if a type like
           def initialize event_data, source_type = nil, source_name = nil
             super(event_data)
-            @source_type = source_type
-            @source_name = source_name
+            @source_type = Contrast::Utils::StringUtils.force_utf8(source_type)
+            @source_name = Contrast::Utils::StringUtils.force_utf8(source_name)
+            @event_source = Contrast::Agent::Reporting::FindingEventSource.new(@source_type, @source_name)
             @request = Contrast::Agent::REQUEST_TRACKER.current&.request
           end
 
           def parent_events
             nil
           end
-
-          # Convert this event into a DTM that TeamServer can consume
-          def to_dtm_event
-            event = super
-            event.field_name = Contrast::Utils::StringUtils.force_utf8(source_name)
-            event_source_dtm = build_event_source_dtm
-            event.event_sources << event_source_dtm if event_source_dtm
-            event.object_id = event_id.to_i
-            event
-          end
-
-          def forced_source_type
-            @_forced_source_type ||= Contrast::Utils::StringUtils.force_utf8(source_type)
-          end
-
-          def forced_source_name
-            @_forced_source_name ||= Contrast::Utils::StringUtils.force_utf8(source_name)
-          end
-
-          # Probably only for source events, but we'll go with source_type instead. java & .net support source_type
-          # in propagation events, so we'll future proof this
-          #
-          # @return [Contrast::Agent::Reporting::TraceEventSource, nil]
-          def build_event_source
-            # You can have a source w/o a name, but not w/o a type
-            return unless source_type
-
-            trace_event_source = Contrast::Agent::Reporting::TraceEventSource.new
-            trace_event_source.type = forced_source_type
-            trace_event_source.name = forced_source_name
-            trace_event_source
-          end
-
-          # We have to do a little work to figure out what our TS appropriate target is. To break this down, the logic
-          # is as follows:
-          # 1) I'll set the event's source and target to TS values.
-          # 2) Return the first source/target as the taint target.
-          def determine_taint_target event_dtm
-            return unless @policy_node&.targets&.any?
-
-            event_dtm.source = @policy_node.source_string if @policy_node.source_string
-            event_dtm.target = @policy_node.target_string
-            @policy_node.targets[0]
-          end
-
-          private
-
-          # Probably only for source events, but we'll go with source_type instead. java & .net support source_type
-          # in propagation events, so we'll future proof this
-          def build_event_source_dtm
-            # You can have a source w/o a name, but not w/o a type
-            return unless source_type
-
-            dtm = Contrast::Api::Dtm::TraceEventSource.new
-            dtm.type = forced_source_type
-            dtm.name = forced_source_name
-            dtm
-          end
         end
       end
     end

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -10,8 +10,11 @@ module Contrast
       module Finalizers
         # An extension of Hash that doesn't impact GC of the object being stored by storing its ID as a Key to lookup
         # and registering a finalizer on the object to remove its entry from the Hash immediately after it's GC'd.
+        #
+        # NOTE: PROPERTIES_HASH is called from C
         class Hash < Hash
           FROZEN_FINALIZED_IDS = Set.new
+          KEEP_AGE = 600_000.cs__freeze # 10 minutes
 
           def []= key, obj
             return unless obj
@@ -89,6 +92,14 @@ module Contrast
           rescue StandardError => _e
             nil
           end
+
+          def cleanup!
+            ids = keys.dup
+            ids.each do |key|
+              properties = fetch(key.__id__, nil)
+              delete(key) unless properties&.event && (Contrast::Utils::Timer.now_ms - properties.event.time) < KEEP_AGE
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -44,11 +44,6 @@ module Contrast
                 Contrast::Agent::Assess::Policy::Policy.instance.add_node(dynamic_source_node, :dynamic_source)
                 method_policy = build_source_policy(method_name, dynamic_source_node)
                 Contrast::Agent::Patching::Policy::Patcher.patch_method(klass, instance_methods, method_policy)
-                next unless current_context
-
-                dynamic_source = create_dynamic_source(current_request, dynamic_source_node, field, properties)
-                node_id = Contrast::Utils::StringUtils.force_utf8(dynamic_source_node.id)
-                current_context.activity.dynamic_sources[node_id] = dynamic_source
               end
             end
 
@@ -97,56 +92,6 @@ module Contrast
                                                                       source_node: dynamic_source_node
                                                                   })
             end
-
-            # @param request [Contrast::Agent::Request] the request during
-            #   which this source is to be created.
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
-            #   the SourceNode that applies to this method
-            # @param field [String] the name of the method to which this source
-            #   applies
-            # @param properties [Contrast::Agent::Assess::Properties] the
-            #   properties which this source should relate to the data tracked
-            #   as a result of this Source Method
-            # @return [Contrast::Api::Dtm::DynamicSource] the message to send
-            #   to the Service to allow it to report the events leading up to
-            #   the creation of the Dynamic Source
-            def create_dynamic_source request, source_node, field, properties
-              dynamic_source = Contrast::Api::Dtm::DynamicSource.new
-              dynamic_source.class_name = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
-              dynamic_source.method_name = Contrast::Utils::StringUtils.force_utf8(field)
-              dynamic_source.instance_method = source_node.instance_method?
-              dynamic_source.target = Contrast::Utils::StringUtils.force_utf8(source_node.target_string)
-              append_properties!(dynamic_source, request, source_node, field)
-              append_events!(dynamic_source, properties.event)
-              dynamic_source
-            end
-
-            # Append the properties needed to reconstruct the given DynamicSource in other dataflows and for rendering
-            # in TeamServer
-            #
-            # @param dynamic_source [Contrast::Api::Dtm::DynamicSource] the message to send to the Service to allow it
-            #   to report the events leading up to the creation of the Dynamic Source.
-            # @param request [Contrast::Agent::Request] the request during which this source is to be created.
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the SourceNode that applies to this
-            #   method.
-            # @param field [String] the name of the method to which this source applies.
-            def append_properties! dynamic_source, request, source_node, field
-              dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
-              dynamic_source.properties[READ_COLUMN] = Contrast::Utils::StringUtils.force_utf8(field)
-              dynamic_source.properties[WRITE_QUERY_TIME] =
-                Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
-              dynamic_source.properties[WRITE_QUERY_URL] =
-                Contrast::Utils::StringUtils.force_utf8(request&.normalized_uri)
-            end
-
-            def append_events! dynamic_source, event
-              return unless event
-
-              event.parent_events&.each do |parent_event|
-                append_events(dynamic_source, parent_event)
-              end
-              dynamic_source.events << event.to_dtm_event
-            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/patching/policy/policy_node'
-require 'contrast/api/decorators/trace_taint_range_tags'
+require 'contrast/agent/reporting/reporting_events/finding_event_taint_range_tags'
 require 'contrast/utils/object_share'
 require 'contrast/agent/assess/policy/policy_node_utils'
 require 'contrast/components/logger'
@@ -123,8 +123,8 @@ module Contrast
             return unless tags
 
             tags.each do |tag|
-              next if Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
-                  Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
+              next if Contrast::Agent::Reporting::FindingEventTaintRangeTags::VALID_TAGS.include?(tag) ||
+                  Contrast::Agent::Reporting::FindingEventTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
 
               raise(ArgumentError, "#{ node_class } #{ id } had an invalid tag. #{ tag } is not a known value.")
             end

data/lib/contrast/agent/assess/policy/policy_node_utils.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/patching/policy/policy_node'
-require 'contrast/api/decorators/trace_taint_range_tags'
 require 'contrast/utils/object_share'
 
 module Contrast

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/policy_node'
-require 'contrast/api/decorators/trace_taint_range_tags'
+require 'contrast/agent/reporting/reporting_events/finding_event_taint_range_tags'
 require 'contrast/components/logger'
 
 module Contrast
@@ -22,8 +22,8 @@ module Contrast
           JSON_PATCH_CLASS = 'patch_class'
           JSON_PATCH_METHOD = 'patch_method'
 
-          attr_reader :untags, :patch_method
-          attr_accessor :action, :patch_class
+          attr_reader :action, :untags, :patch_method
+          attr_accessor :patch_class
 
           TAGGER = 'Tagger'
           PROPAGATOR = 'Propagator'
@@ -90,7 +90,7 @@ module Contrast
             return unless untags
 
             untags.each do |tag|
-              unless Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag)
+              unless Contrast::Agent::Reporting::FindingEventTaintRangeTags::VALID_TAGS.include?(tag)
                 raise(ArgumentError,
                       "#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
               end

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -3,6 +3,7 @@
 
 require 'set'
 require 'contrast/agent/assess/policy/source_validation/source_validation'
+require 'contrast/agent/excluder'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
@@ -28,6 +29,8 @@ module Contrast
           HEADER_KEY_TYPE    = 'HEADER_KEY'
           COOKIE_TYPE        = 'COOKIE'
           COOKIE_KEY_TYPE    = 'COOKIE_KEY'
+          BODY_TYPE          = 'BODY'
+          QUERYSTRING_TYPE   = 'QUERYSTRING'
 
           class << self
             # This is called from within our woven proc. It will be called as if it were inline in the Rack application.
@@ -42,6 +45,7 @@ module Contrast
                 return unless analyze?(method_policy, object, ret, args)
                 return if event_limit?(method_policy)
                 return unless (source_node = method_policy.source_node)
+                return if excluded_by_url?
 
                 # used to hold the object and ret
                 source_data = Contrast::Agent::Assess::Events::EventData.new(nil, nil, object, ret, nil)
@@ -66,13 +70,16 @@ module Contrast
             # @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a map or
             #   nil if a type like BODY
             # @param args [Array<Object>] the Arguments with which the method was invoked
-            def process_source source_node, target, source_data, source_type, source_name = nil, *args
+            def process_source source_node, target, source_data, source_type, source_name = nil, *args # rubocop:disable Metrics/PerceivedComplexity
               context = Contrast::Agent::REQUEST_TRACKER.current
               return unless context && source_node && target
 
               increment_event_count(source_node)
 
               source_name ||= determine_source_name(source_node, source_data.object, source_data.ret, *args)
+
+              return if excluded_by_input?(source_type, source_name)
+
               # We know we only work on certain things.
               # Skip if this isn't one of them
               if Contrast::Agent::Assess::Tracker.trackable?(target)
@@ -177,6 +184,22 @@ module Contrast
                 source_type
               end
             end
+
+            # Should a source be excluded because it matches one of the input exclusion rules?
+            #
+            # @return [Boolean]
+            def excluded_by_input? source_type, source_name
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              Contrast::SETTINGS.excluder.assess_excluded_by_input?(context.request, source_type, source_name)
+            end
+
+            # Should a source be excluded because it matches one of the url exclusion rules?
+            #
+            # @return [Boolean]
+            def excluded_by_url?
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              Contrast::SETTINGS.excluder.assess_excluded_by_url?(context.request)
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -38,6 +38,7 @@ module Contrast
                                                                             ret,
                                                                             interpolated_inputs)
                 properties.build_event(event_data)
+                properties.copy_from(erb_template_prerender, ret, 0)
                 unless interpolated_inputs.empty?
                   current_event = properties.event
                   interpolated_inputs.each do |input|
@@ -49,11 +50,12 @@ module Contrast
                 end
 
                 if Contrast::Agent::Assess::Tracker.tracked?(ret)
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node,
-                                                                               ret,
-                                                                               erb_template_prerender,
-                                                                               ret,
-                                                                               interpolated_inputs)
+                  finding = Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node,
+                                                                                         ret,
+                                                                                         erb_template_prerender,
+                                                                                         ret,
+                                                                                         interpolated_inputs)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding) if finding
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -38,7 +38,12 @@ module Contrast
                   next unless Contrast::Agent::Assess::Tracker.tracked?(arg)
                   next unless trigger_node.violated?(arg)
 
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, arg, object, ret, *args)
+                  finding = Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node,
+                                                                                         arg,
+                                                                                         object,
+                                                                                         ret,
+                                                                                         *args)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding) if finding
                 end
 
                 ret