contrast-agent 3.10.2 → 3.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.simplecov +5 -2
- data/ext/build_funchook.rb +13 -17
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +5 -12
- data/ext/cs__assess_active_record_named/extconf.rb +3 -0
- data/ext/cs__assess_array/cs__assess_array.c +3 -5
- data/ext/cs__assess_array/extconf.rb +3 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +10 -4
- data/ext/cs__assess_basic_object/extconf.rb +3 -0
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -3
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -3
- data/ext/cs__assess_fiber_track/extconf.rb +3 -0
- data/ext/cs__assess_hash/cs__assess_hash.c +40 -17
- data/ext/cs__assess_hash/cs__assess_hash.h +4 -6
- data/ext/cs__assess_hash/extconf.rb +3 -0
- data/ext/cs__assess_kernel/cs__assess_kernel.c +10 -8
- data/ext/cs__assess_kernel/cs__assess_kernel.h +1 -0
- data/ext/cs__assess_kernel/extconf.rb +3 -0
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +3 -6
- data/ext/cs__assess_marshal_module/extconf.rb +3 -0
- data/ext/cs__assess_module/cs__assess_module.c +13 -9
- data/ext/cs__assess_module/extconf.rb +3 -0
- data/ext/cs__assess_regexp/cs__assess_regexp.c +13 -9
- data/ext/cs__assess_regexp/cs__assess_regexp.h +1 -0
- data/ext/cs__assess_regexp/extconf.rb +3 -0
- data/ext/cs__assess_string/cs__assess_string.c +5 -8
- data/ext/cs__assess_string/cs__assess_string.h +2 -1
- data/ext/cs__assess_string/extconf.rb +3 -0
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +2 -2
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +3 -3
- data/ext/cs__assess_string_interpolation26/extconf.rb +3 -0
- data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -1
- data/ext/cs__assess_yield_track/extconf.rb +3 -0
- data/ext/cs__common/cs__common.c +79 -0
- data/ext/cs__common/cs__common.h +34 -0
- data/ext/cs__common/extconf.rb +9 -8
- data/ext/cs__contrast_patch/cs__contrast_patch.h +1 -6
- data/ext/cs__contrast_patch/extconf.rb +3 -0
- data/ext/cs__protect_kernel/cs__protect_kernel.c +20 -11
- data/ext/cs__protect_kernel/extconf.rb +3 -0
- data/ext/extconf_common.rb +10 -8
- data/funchook/autom4te.cache/output.0 +1 -13
- data/funchook/autom4te.cache/requests +44 -45
- data/funchook/autom4te.cache/traces.0 +0 -3
- data/funchook/config.log +378 -217
- data/funchook/config.status +23 -24
- data/funchook/configure +1 -13
- data/funchook/src/Makefile +7 -7
- data/funchook/src/config.h +2 -2
- data/funchook/src/decoder.o +0 -0
- data/funchook/src/distorm.o +0 -0
- data/funchook/src/funchook.o +0 -0
- data/funchook/src/funchook_io.o +0 -0
- data/funchook/src/funchook_syscall.o +0 -0
- data/funchook/src/funchook_unix.o +0 -0
- data/funchook/src/funchook_x86.o +0 -0
- data/funchook/src/instructions.o +0 -0
- data/funchook/src/insts.o +0 -0
- data/funchook/src/libfunchook.dylib +0 -0
- data/funchook/src/mnemonics.o +0 -0
- data/funchook/src/operands.o +0 -0
- data/funchook/src/os_func.o +0 -0
- data/funchook/src/os_func_unix.o +0 -0
- data/funchook/src/prefix.o +0 -0
- data/funchook/src/printf_base.o +0 -0
- data/funchook/src/textdefs.o +0 -0
- data/funchook/src/wstring.o +0 -0
- data/funchook/test/Makefile +2 -2
- data/funchook/test/funchook_test +0 -0
- data/funchook/test/libfunchook_test.so +0 -0
- data/funchook/test/libfunchook_test.so.dSYM/Contents/Info.plist +20 -0
- data/funchook/test/libfunchook_test.so.dSYM/Contents/Resources/DWARF/libfunchook_test.so +0 -0
- data/funchook/test/test_main.o +0 -0
- data/funchook/test/x86_64_test.o +0 -0
- data/lib/contrast.rb +1 -0
- data/lib/contrast/agent.rb +21 -15
- data/lib/contrast/agent/assess.rb +1 -2
- data/lib/contrast/agent/assess/adjusted_span.rb +3 -1
- data/lib/contrast/agent/assess/contrast_event.rb +16 -62
- data/lib/contrast/agent/assess/events/event_factory.rb +25 -0
- data/lib/contrast/agent/assess/events/source_event.rb +83 -0
- data/lib/contrast/agent/assess/insulator.rb +0 -4
- data/lib/contrast/agent/assess/policy/patcher.rb +5 -2
- data/lib/contrast/agent/assess/policy/policy_node.rb +0 -7
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
- data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagation_method.rb +65 -33
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -1
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +80 -0
- data/lib/contrast/agent/assess/policy/propagator/select.rb +35 -22
- data/lib/contrast/agent/assess/policy/propagator/split.rb +26 -6
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -0
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +37 -26
- data/lib/contrast/agent/assess/policy/source_method.rb +20 -20
- data/lib/contrast/agent/assess/policy/source_node.rb +0 -15
- data/lib/contrast/agent/assess/policy/trigger_method.rb +29 -40
- data/lib/contrast/agent/assess/policy/trigger_node.rb +3 -6
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -31
- data/lib/contrast/agent/assess/properties.rb +5 -3
- data/lib/contrast/agent/assess/rule/base.rb +1 -5
- data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +2 -22
- data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +5 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +2 -2
- data/lib/contrast/agent/assess/rule/redos.rb +4 -4
- data/lib/contrast/agent/assess/tag.rb +24 -14
- data/lib/contrast/agent/at_exit_hook.rb +16 -13
- data/lib/contrast/agent/class_reopener.rb +14 -4
- data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
- data/lib/contrast/agent/disable_reaction.rb +3 -4
- data/lib/contrast/agent/exclusion_matcher.rb +8 -48
- data/lib/contrast/agent/feature_state.rb +45 -75
- data/lib/contrast/agent/logger.rb +173 -0
- data/lib/contrast/agent/middleware.rb +87 -250
- data/lib/contrast/agent/module_data.rb +2 -1
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +2 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +21 -4
- data/lib/contrast/agent/patching/policy/method_policy.rb +3 -3
- data/lib/contrast/agent/patching/policy/module_policy.rb +0 -25
- data/lib/contrast/agent/patching/policy/patch.rb +96 -23
- data/lib/contrast/agent/patching/policy/patcher.rb +19 -19
- data/lib/contrast/agent/patching/policy/policy.rb +7 -7
- data/lib/contrast/agent/patching/policy/policy_node.rb +2 -10
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -4
- data/lib/contrast/agent/protect/rule/base.rb +14 -33
- data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +10 -13
- data/lib/contrast/agent/protect/rule/csrf.rb +2 -1
- data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +11 -14
- data/lib/contrast/agent/protect/rule/default_scanner.rb +0 -13
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -2
- data/lib/contrast/agent/protect/rule/no_sqli.rb +4 -4
- data/lib/contrast/agent/protect/rule/path_traversal.rb +5 -4
- data/lib/contrast/agent/protect/rule/sqli.rb +1 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -0
- data/lib/contrast/agent/protect/rule/xss.rb +2 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +10 -4
- data/lib/contrast/agent/railtie.rb +2 -8
- data/lib/contrast/agent/reaction_processor.rb +5 -5
- data/lib/contrast/agent/request.rb +9 -12
- data/lib/contrast/agent/request_context.rb +12 -14
- data/lib/contrast/agent/request_handler.rb +35 -0
- data/lib/contrast/agent/response.rb +33 -30
- data/lib/contrast/agent/rewriter.rb +22 -10
- data/lib/contrast/agent/rule_set.rb +49 -0
- data/lib/contrast/agent/scope.rb +0 -6
- data/lib/contrast/agent/service_heartbeat.rb +1 -2
- data/lib/contrast/agent/settings_state.rb +10 -74
- data/lib/contrast/agent/socket_client.rb +17 -11
- data/lib/contrast/agent/static_analysis.rb +42 -0
- data/lib/contrast/agent/thread.rb +1 -1
- data/lib/contrast/agent/tracepoint_hook.rb +1 -5
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/api.rb +1 -1
- data/lib/contrast/api/decorators.rb +14 -0
- data/lib/contrast/api/decorators/application_settings.rb +37 -0
- data/lib/contrast/api/decorators/application_update.rb +66 -0
- data/lib/contrast/api/decorators/exclusion.rb +20 -0
- data/lib/contrast/api/decorators/input_analysis.rb +17 -0
- data/lib/contrast/api/decorators/server_features.rb +24 -0
- data/lib/contrast/api/speedracer.rb +27 -23
- data/lib/contrast/api/tcp_socket.rb +0 -2
- data/lib/contrast/components/agent.rb +27 -22
- data/lib/contrast/components/app_context.rb +18 -43
- data/lib/contrast/components/config.rb +7 -5
- data/lib/contrast/components/contrast_service.rb +0 -4
- data/lib/contrast/components/heap_dump.rb +12 -8
- data/lib/contrast/components/interface.rb +11 -10
- data/lib/contrast/components/logger.rb +3 -68
- data/lib/contrast/components/sampling.rb +22 -11
- data/lib/contrast/components/settings.rb +18 -5
- data/lib/contrast/config/base_configuration.rb +1 -0
- data/lib/contrast/config/default_value.rb +1 -0
- data/lib/contrast/config/protect_rule_configuration.rb +0 -14
- data/lib/contrast/extensions/framework/rails/action_controller_inheritance.rb +39 -0
- data/lib/contrast/extensions/framework/rails/active_record_named.rb +13 -8
- data/lib/contrast/extensions/ruby_core/assess.rb +1 -2
- data/lib/contrast/extensions/ruby_core/assess/assess_extension.rb +27 -22
- data/lib/contrast/extensions/ruby_core/assess/erb.rb +0 -8
- data/lib/contrast/extensions/ruby_core/assess/exec_trigger.rb +6 -8
- data/lib/contrast/extensions/ruby_core/assess/fiber.rb +88 -100
- data/lib/contrast/extensions/ruby_core/assess/hash.rb +32 -15
- data/lib/contrast/extensions/ruby_core/assess/kernel.rb +28 -27
- data/lib/contrast/extensions/ruby_core/assess/regexp.rb +74 -196
- data/lib/contrast/extensions/ruby_core/assess/string.rb +15 -7
- data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +29 -24
- data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +2 -2
- data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -1
- data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +2 -2
- data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +9 -20
- data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +9 -19
- data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +10 -27
- data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +13 -21
- data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +11 -23
- data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +62 -78
- data/lib/contrast/extensions/ruby_core/protect/rule_applicator.rb +50 -0
- data/lib/contrast/framework/base_support.rb +10 -0
- data/lib/contrast/framework/manager.rb +28 -2
- data/lib/contrast/framework/platform_version.rb +1 -0
- data/lib/contrast/framework/rails_support.rb +16 -0
- data/lib/contrast/framework/sinatra_support.rb +12 -2
- data/lib/contrast/framework/view_technologies_descriptor.rb +1 -0
- data/lib/contrast/tasks/service.rb +2 -8
- data/lib/contrast/utils/assess/sampling_util.rb +4 -9
- data/lib/contrast/utils/assess/tracking_util.rb +7 -1
- data/lib/contrast/utils/boolean_util.rb +2 -2
- data/lib/contrast/utils/cache.rb +0 -11
- data/lib/contrast/utils/class_util.rb +20 -1
- data/lib/contrast/utils/gemfile_reader.rb +5 -3
- data/lib/contrast/utils/hash_digest.rb +0 -4
- data/lib/contrast/utils/heap_dump_util.rb +12 -11
- data/lib/contrast/utils/invalid_configuration_util.rb +1 -1
- data/lib/contrast/utils/inventory_util.rb +2 -2
- data/lib/contrast/utils/io_util.rb +1 -11
- data/lib/contrast/utils/job_servers_running.rb +2 -2
- data/lib/contrast/utils/object_share.rb +1 -27
- data/lib/contrast/utils/os.rb +1 -25
- data/lib/contrast/utils/rack_assess_session_cookie.rb +3 -3
- data/lib/contrast/utils/rails_assess_configuration.rb +3 -3
- data/lib/contrast/utils/service_response_util.rb +27 -53
- data/lib/contrast/utils/service_sender_util.rb +9 -5
- data/lib/contrast/utils/sinatra_helper.rb +0 -6
- data/lib/contrast/utils/stack_trace_utils.rb +86 -182
- data/lib/contrast/utils/string_utils.rb +18 -2
- data/lib/contrast/utils/tag_util.rb +11 -1
- data/lib/contrast/utils/thread_tracker.rb +2 -2
- data/lib/contrast/utils/timer.rb +0 -40
- data/resources/assess/policy.json +33 -21
- data/resources/protect/policy.json +9 -9
- data/ruby-agent.gemspec +6 -3
- metadata +76 -51
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
- data/ext/cs__assess_regexp_track/extconf.rb +0 -2
- data/funchook/src/libfunchook.so +0 -0
- data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
- data/lib/contrast/agent/logger_manager.rb +0 -116
- data/lib/contrast/delegators.rb +0 -9
- data/lib/contrast/delegators/application_update.rb +0 -32
- data/lib/contrast/utils/comment_range.rb +0 -19
- data/lib/contrast/utils/environment_util.rb +0 -81
- data/lib/contrast/utils/performs_logging.rb +0 -152
- data/resources/factory-bot-spec/spec_helper.rb +0 -30
- data/resources/rubocops/kernel/catch_cop.rb +0 -37
- data/resources/rubocops/kernel/require_cop.rb +0 -37
- data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
- data/resources/rubocops/module/autoload_cop.rb +0 -37
- data/resources/rubocops/module/const_defined_cop.rb +0 -37
- data/resources/rubocops/module/const_get_cop.rb +0 -37
- data/resources/rubocops/module/const_set_cop.rb +0 -37
- data/resources/rubocops/module/constants_cop.rb +0 -37
- data/resources/rubocops/module/name_cop.rb +0 -37
- data/resources/rubocops/object/class_cop.rb +0 -37
- data/resources/rubocops/object/freeze_cop.rb +0 -37
- data/resources/rubocops/object/frozen_cop.rb +0 -37
- data/resources/rubocops/object/is_a_cop.rb +0 -37
- data/resources/rubocops/object/method_cop.rb +0 -37
- data/resources/rubocops/object/respond_to_cop.rb +0 -37
- data/resources/rubocops/object/singleton_class_cop.rb +0 -37
- data/resources/rubocops/regexp/spelling_cop.rb +0 -44
- data/resources/rubocops/thread/new_cop.rb +0 -39
- data/resources/ruby-spec/ancestors_spec.rb +0 -70
- data/resources/ruby-spec/modulo_spec.rb +0 -831
- data/resources/ruby-spec/parameters_spec.rb +0 -261
- data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35
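--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9ef521f3316b8c5e911a3781bb0dc0c228b01a6166ad1f6a2abb429e67941878
+data.tar.gz: 16305c60287b244efb6d0a1fb23a979b405e4960deaa2a84e45b1da994c21c14
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 228c42ed0e8453f3b2720818d7127729991e8d2cad7e480fc616f0975481e7810ff0ebfae44ebe406c62ff51398307e6cadd685a0805b34a7cb699641278c064
+data.tar.gz: e9d180bb7004a818d346bb2d5f4ea5b57d1d6fef58284569fdb80dcbaf44cb215d4ae3b86c7984c683387011af9bf20f9428947820bf9e13fa67cc9084d6d8b8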
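--- a/data/.simplecov
+++ b/data/.simplecov
@@ -1,4 +1,7 @@
-
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+SimpleCov.minimum_coverage line: 92.30
 SimpleCov.start do
 add_filter '/spec/'
-end
+end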
data/ext/build_funchook.rb
CHANGED
|
@@ -31,15 +31,15 @@ unless find_header('funchook.h', ext_path)
|
|
|
31
31
|
end
|
|
32
32
|
|
|
33
33
|
SOURCE_PATHS = [
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
34
|
+
File.join('include', 'funchook.h'),
|
|
35
|
+
File.join('src', 'libfunchook.dylib'),
|
|
36
|
+
File.join('src', 'libfunchook.so')
|
|
37
37
|
].freeze
|
|
38
38
|
|
|
39
39
|
TARGET_PATHS = ([
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
] +
|
|
40
|
+
File.expand_path(File.join(File.expand_path(__dir__), '..', 'shared_libraries')),
|
|
41
|
+
File.expand_path(__dir__)
|
|
42
|
+
] + bundler_install_target_paths).freeze
|
|
43
43
|
|
|
44
44
|
puts 'Copying required files'
|
|
45
45
|
|
|
@@ -51,20 +51,16 @@ unless find_header('funchook.h', ext_path)
|
|
|
51
51
|
end
|
|
52
52
|
|
|
53
53
|
TARGET_PATHS.each do |target_path|
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
next
|
|
58
|
-
end
|
|
59
|
-
puts "Copying #{ source_file_path } into #{ target_path }"
|
|
60
|
-
FileUtils.cp(source_file_path, target_path)
|
|
61
|
-
rescue
|
|
62
|
-
puts "Error while copying #{source_file} to #{target_path}"
|
|
54
|
+
unless File.writable?(target_path)
|
|
55
|
+
puts "Unable to copy into #{ target_path } - directory not writable"
|
|
56
|
+
next
|
|
63
57
|
end
|
|
58
|
+
puts "Copying #{ source_file_path } into #{ target_path }"
|
|
59
|
+
FileUtils.cp(source_file_path, target_path)
|
|
60
|
+
rescue StandardError
|
|
61
|
+
puts "Error while copying #{ source_file } to #{ target_path }"
|
|
64
62
|
end
|
|
65
63
|
end
|
|
66
64
|
end
|
|
67
65
|
|
|
68
|
-
|
|
69
|
-
|
|
70
66
|
have_header('funchook.h', ext_path)
|
|
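Review bot: The rescue handler at new line 61 interpolates `source_file`, while the copy it guards at line 59 uses `source_file_path`; the loop that binds these names starts above this hunk, so if `source_file` is not actually in scope the error path raises NameError and the build dies with a misleading message instead of the intended one. Either way the handler only `puts` and moves on, so a failed copy leaves the extension build continuing without libfunchook in that target path; consider `warn` plus a re-raise, or at minimum the same variable, `puts "Error while copying #{ source_file_path } to #{ target_path }"`. The new `File.writable?` check is advisory only: the directory can still change between the check and `FileUtils.cp`, which is exactly what the rescue exists to catch.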
@@ -3,6 +3,7 @@
|
|
|
3
3
|
|
|
4
4
|
#include "cs__active_record_named.h"
|
|
5
5
|
#include <ruby.h>
|
|
6
|
+
#include "../cs__common/cs__common.h"
|
|
6
7
|
|
|
7
8
|
VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
|
|
8
9
|
const VALUE self) {
|
|
@@ -32,16 +33,8 @@ VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
|
|
|
32
33
|
|
|
33
34
|
void Init_cs__assess_active_record_named(void) {
|
|
34
35
|
rb_sym_assess_rewrite = rb_intern("_cs__rewrite");
|
|
35
|
-
rb_sym_assess_scope
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
VALUE scoping_module =
|
|
39
|
-
rb_define_module_under(active_record_module, "Scoping");
|
|
40
|
-
VALUE named_module = rb_define_module_under(scoping_module, "Named");
|
|
41
|
-
VALUE class_methods_module =
|
|
42
|
-
rb_define_module_under(named_module, "ClassMethods");
|
|
43
|
-
|
|
44
|
-
contrast_alias_method(class_methods_module, "cs__patched_scope", "scope");
|
|
45
|
-
rb_define_method(class_methods_module, "scope",
|
|
46
|
-
contrast_assess_active_record_scope, -1);
|
|
36
|
+
rb_sym_assess_scope = contrast_register_patch("ActiveRecord::Scoping::Named::ClassMethods",
|
|
37
|
+
"scope",
|
|
38
|
+
contrast_assess_active_record_scope);
|
|
47
39
|
}
|
|
40
|
+
|
|
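Review bot: The new registration resolves "ActiveRecord::Scoping::Named::ClassMethods" by name at Init time, whereas the removed code used rb_define_module_under, which created the intermediate modules when they did not exist. If contrast_register_patch looks the path up (for example via rb_path2class) instead of defining it, requiring this extension before ActiveRecord is loaded, or in a non-Rails app, would raise at require time; that behaviour lives in cs__common.c, outside this hunk, so I am inferring it from the call site. Worth a one-line comment stating the precondition, e.g. `/* ActiveRecord must already be loaded: the class path is resolved, not defined */`, or a guard in the helper that skips an absent constant.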
@@ -29,10 +29,8 @@ static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
|
|
|
29
29
|
}
|
|
30
30
|
|
|
31
31
|
void Init_cs__assess_array(void) {
|
|
32
|
-
rb_sym_assess_array_join = rb_intern("cs__patched_join");
|
|
33
32
|
rb_sym_assess_track_array_join = rb_intern("cs__track_join");
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
rb_define_method(array_class, "join", contrast_assess_array_join, -1);
|
|
33
|
+
rb_sym_assess_array_join = contrast_register_patch("Array",
|
|
34
|
+
"join",
|
|
35
|
+
contrast_assess_array_join);
|
|
38
36
|
}
|
|
@@ -43,8 +43,14 @@ contrast_assess_basic_object_instance_eval(const int argc, const VALUE *argv,
|
|
|
43
43
|
void Init_cs__assess_basic_object(void) {
|
|
44
44
|
instance_trigger_check_method = rb_intern("instance_eval_trigger_check");
|
|
45
45
|
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
46
|
+
/* We don't keep a reference to the underlying method.
|
|
47
|
+
* Instead, we call rb_obj_instance_eval directly.
|
|
48
|
+
* This should work an overwhelming majority of the time,
|
|
49
|
+
* but if someone else patched BasicObject#instance_eval,
|
|
50
|
+
* IDK if this is intentional... noting it. -ajm
|
|
51
|
+
*/
|
|
52
|
+
contrast_register_patch("BasicObject",
|
|
53
|
+
"instance_eval",
|
|
54
|
+
contrast_assess_basic_object_instance_eval);
|
|
55
|
+
|
|
50
56
|
}
|
|
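Review bot: The comment at new lines 46-51 stops mid-sentence ("but if someone else patched BasicObject#instance_eval,") and the return value of contrast_register_patch — the alias of whatever implementation was installed before ours — is discarded, so any earlier wrapper of instance_eval is silently bypassed by the direct rb_obj_instance_eval call the comment describes. If that is acceptable, finish the thought: `* that patch is bypassed: we dispatch straight to rb_obj_instance_eval.`; if not, keep the returned ID and dispatch through it with rb_funcall2 as the Hash patch in this same change does. contrast_assess_basic_object_instance_eval itself is outside this hunk, so the direct-call claim rests on the comment only.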
@@ -2,6 +2,7 @@
|
|
|
2
2
|
* https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
|
|
3
3
|
|
|
4
4
|
#include "cs__assess_fiber_track.h"
|
|
5
|
+
#include "../cs__common/cs__common.h"
|
|
5
6
|
#include <funchook.h>
|
|
6
7
|
#include <ruby.h>
|
|
7
8
|
|
|
@@ -44,7 +45,7 @@ VALUE rb_fiber_new_hook(VALUE (*func)(ANYARGS), VALUE obj) {
|
|
|
44
45
|
VALUE enumerator_method = ID2SYM(enum_ptr->meth);
|
|
45
46
|
/* e.g.: 1..100, #each_value. Should reflect #inspect on the enum. */
|
|
46
47
|
|
|
47
|
-
rb_funcall(
|
|
48
|
+
rb_funcall(fiber_propagator, track_rb_fiber_new, 5, fiber, obj,
|
|
48
49
|
enumerator_method, underlying, calling_method);
|
|
49
50
|
}
|
|
50
51
|
|
|
@@ -56,7 +57,7 @@ VALUE rb_fiber_yield_hook(int argc, const VALUE *argv) {
|
|
|
56
57
|
VALUE yielding_fiber = rb_fiber_current();
|
|
57
58
|
|
|
58
59
|
/* propagate from yielding_fiber -> result */
|
|
59
|
-
rb_funcall(
|
|
60
|
+
rb_funcall(fiber_propagator, track_rb_fiber_yield, 3, yielding_fiber,
|
|
60
61
|
calling_method, *argv);
|
|
61
62
|
|
|
62
63
|
return rb_fiber_yield_original(argc, argv);
|
|
@@ -78,7 +79,7 @@ int install_fiber_hooks() {
|
|
|
78
79
|
}
|
|
79
80
|
|
|
80
81
|
void Init_cs__assess_fiber_track(void) {
|
|
81
|
-
|
|
82
|
+
fiber_propagator = rb_define_class_under(core_assess, "FiberPropagator", rb_cObject);
|
|
82
83
|
track_rb_fiber_new = rb_intern("track_rb_fiber_new");
|
|
83
84
|
track_rb_fiber_yield = rb_intern("track_rb_fiber_yield");
|
|
84
85
|
rb_sym_next = rb_intern("next");
|
|
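Review bot: rb_fiber_yield_hook dereferences `*argv` unconditionally in the new rb_funcall at lines 60-61; `Fiber.yield` with no arguments reaches this hook with argc == 0, where argv[0] is one past the end of the argument vector (or argv may be NULL when called from C), an out-of-bounds read on a hook that runs on every yield. Pass `argc > 0 ? argv[0] : Qnil` instead, and since only the first yielded value is forwarded to track_rb_fiber_yield, say so in the comment above the call. The function begins above this hunk.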
@@ -2,15 +2,15 @@
|
|
|
2
2
|
#include <ruby.h>
|
|
3
3
|
|
|
4
4
|
static VALUE rb_sym_next;
|
|
5
|
-
static VALUE
|
|
5
|
+
static VALUE fiber_propagator;
|
|
6
6
|
static VALUE track_rb_fiber_new;
|
|
7
7
|
static VALUE track_rb_fiber_yield;
|
|
8
8
|
|
|
9
9
|
VALUE rb_fiber_new(VALUE (*func)(ANYARGS), VALUE obj);
|
|
10
|
-
VALUE
|
|
10
|
+
VALUE (*rb_fiber_new_original)(VALUE (*func)(ANYARGS), VALUE obj);
|
|
11
11
|
|
|
12
12
|
VALUE rb_fiber_yield(int argc, const VALUE *argv);
|
|
13
|
-
VALUE
|
|
13
|
+
VALUE (*rb_fiber_yield_original)(int argc, const VALUE *argv);
|
|
14
14
|
|
|
15
15
|
/* If you call `#next` on an enumerator object, that enumerator object
|
|
16
16
|
* instantiates a fiber and runs its given proc inside of that fiber.
|
|
@@ -5,7 +5,14 @@
|
|
|
5
5
|
#include "../cs__common/cs__common.h"
|
|
6
6
|
#include <ruby.h>
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
/* Hashes can be constructed thusly):
|
|
9
|
+
* irb(main):001:0> Hash[:a, :b]
|
|
10
|
+
* => {:a=>:b}
|
|
11
|
+
*
|
|
12
|
+
* This method instruments that unique bracket-construction style
|
|
13
|
+
* of initializing a hash.
|
|
14
|
+
*/
|
|
15
|
+
static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *argv,
|
|
9
16
|
const VALUE hash) {
|
|
10
17
|
VALUE result;
|
|
11
18
|
|
|
@@ -14,14 +21,14 @@ static VALUE contrast_assess_hash_bracket_get(const int argc, VALUE *argv,
|
|
|
14
21
|
int i;
|
|
15
22
|
for (i = 0; i < argc; i++) {
|
|
16
23
|
argv[i] =
|
|
17
|
-
rb_funcall(
|
|
24
|
+
rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
|
|
18
25
|
}
|
|
19
26
|
/* Hash[ key, value, ... ] -> new_hash */
|
|
20
27
|
} else if (argc > 1) {
|
|
21
28
|
int i;
|
|
22
29
|
for (i = 0; i < argc; i += 2) {
|
|
23
30
|
argv[i] =
|
|
24
|
-
rb_funcall(
|
|
31
|
+
rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
|
|
25
32
|
}
|
|
26
33
|
}
|
|
27
34
|
|
|
@@ -29,36 +36,52 @@ static VALUE contrast_assess_hash_bracket_get(const int argc, VALUE *argv,
|
|
|
29
36
|
* String keys
|
|
30
37
|
* # Hash[ object ] -> new_hash
|
|
31
38
|
*/
|
|
32
|
-
result = rb_funcall2(hash,
|
|
39
|
+
result = rb_funcall2(hash, rb_sym_assess_hash_bracket_constructor, argc, argv);
|
|
33
40
|
|
|
34
41
|
return result;
|
|
35
42
|
}
|
|
36
43
|
|
|
44
|
+
/* Hashes, when keyed with a string, will dup & freeze that string.
|
|
45
|
+
* This is resource-efficient, but inconvenient for instrumentation.
|
|
46
|
+
*/
|
|
37
47
|
static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
|
|
38
48
|
const VALUE hash) {
|
|
39
49
|
VALUE result;
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
50
|
+
/* Current name (assess_hash_bracket_set).
|
|
51
|
+
* It doesn't set anything on the hash.
|
|
52
|
+
* It takes the arg that /would/ have been the key, and preemptively
|
|
53
|
+
* calls #dup and then #freeze, and then gives you that key.
|
|
54
|
+
*
|
|
55
|
+
* We intentionally don't enter Contrast scope for this patch.
|
|
56
|
+
* #dup instruments the string, and #freeze gets the hash to accept
|
|
57
|
+
* the key directly, without calling its own #dup/#freeze.
|
|
58
|
+
* (That naturally happens in C-land, our instrumentation is in Ruby,
|
|
59
|
+
* so our patches to #dup don't take effect within Hash#[]= unless we
|
|
60
|
+
* specifically do this instrumentation.
|
|
61
|
+
* We haven't revisited this approach since we started more extensively
|
|
62
|
+
* hooking public C functions.)
|
|
63
|
+
*/
|
|
64
|
+
if(argc > 0) {
|
|
65
|
+
argv[0] = rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[0]);
|
|
66
|
+
}
|
|
67
|
+
/* This is the underlying assignment, w/ our instrumented key. */
|
|
44
68
|
result = rb_funcall2(hash, rb_sym_assess_hash_bracket_equals, argc, argv);
|
|
45
69
|
|
|
46
70
|
return result;
|
|
47
71
|
}
|
|
48
72
|
|
|
49
73
|
void Init_cs__assess_hash(void) {
|
|
74
|
+
hash_propagator = rb_define_class_under(core_assess, "HashPropagator", rb_cObject);
|
|
50
75
|
rb_sym_assess_hash_dup_and_freeze = rb_intern("cs__duplicate_and_freeze");
|
|
51
|
-
rb_sym_assess_hash_brackets = rb_intern("cs__patched_[]");
|
|
52
|
-
rb_sym_assess_hash_bracket_set = rb_intern("cs__bracket_set");
|
|
53
|
-
rb_sym_assess_hash_bracket_equals = rb_intern("cs__patched_[]=");
|
|
54
76
|
|
|
55
77
|
VALUE hash_class = rb_define_class("Hash", rb_cObject);
|
|
56
|
-
array_class = rb_define_class("Array", rb_cObject);
|
|
57
78
|
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
79
|
+
rb_sym_assess_hash_bracket_constructor = contrast_register_singleton_patch("Hash",
|
|
80
|
+
"[]",
|
|
81
|
+
contrast_assess_hash_bracket_constructor);
|
|
82
|
+
|
|
83
|
+
rb_sym_assess_hash_bracket_equals = contrast_register_patch("Hash",
|
|
84
|
+
"[]=",
|
|
85
|
+
contrast_assess_hash_bracket_set);
|
|
61
86
|
|
|
62
|
-
contrast_alias_method(hash_class, "cs__patched_[]=", "[]=");
|
|
63
|
-
rb_define_method(hash_class, "[]=", contrast_assess_hash_bracket_set, -1);
|
|
64
87
|
}
|
|
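Review bot: After this hunk `hash_class` at new line 77 is assigned but never used — the alias/define calls that consumed it were removed — so it is dead code that warns under -Wunused-variable; drop the line or have the registration calls take it. The new `if(argc > 0)` guard in bracket_set is correct and needed, since argv[0] was read unconditionally before. Both patches also write the dup-and-frozen key back into the caller's `argv`; that appears to rely on argv being a writable copy rather than the caller's storage, which deserves a one-line comment such as `/* argv is the VM's argument copy; rewriting it is how the frozen key reaches the underlying []= */`.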
@@ -1,11 +1,9 @@
|
|
|
1
1
|
#include <ruby.h>
|
|
2
2
|
|
|
3
|
-
static VALUE array_class;
|
|
4
|
-
|
|
5
3
|
static VALUE rb_sym_assess_hash_dup_and_freeze;
|
|
6
|
-
static VALUE
|
|
7
|
-
static VALUE rb_sym_assess_hash_bracket_set;
|
|
4
|
+
static VALUE rb_sym_assess_hash_bracket_constructor;
|
|
8
5
|
static VALUE rb_sym_assess_hash_bracket_equals;
|
|
6
|
+
static VALUE hash_propagator;
|
|
9
7
|
|
|
10
8
|
/*
|
|
11
9
|
* Monkeypatch Ruby Hash with Contrast Security Hash in order ot avoid losing
|
|
@@ -15,8 +13,8 @@ static VALUE rb_sym_assess_hash_bracket_equals;
|
|
|
15
13
|
* ahead of time should avoid this, similar to the behavior of the -@ Strings
|
|
16
14
|
* -HM
|
|
17
15
|
*/
|
|
18
|
-
static VALUE
|
|
19
|
-
|
|
16
|
+
static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *argv,
|
|
17
|
+
const VALUE hash);
|
|
20
18
|
|
|
21
19
|
static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
|
|
22
20
|
const VALUE hash);
|
|
@@ -18,19 +18,21 @@ contrast_patched_kernel_exec(const int argc, const VALUE *argv,
|
|
|
18
18
|
rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
|
|
19
19
|
}
|
|
20
20
|
|
|
21
|
-
|
|
21
|
+
/* maybe this should be rb_funcall2. this works right now because *argv == argv[0].
|
|
22
|
+
* exec shouldn't ever be called with != 1 argc, so not a huge problem */
|
|
23
|
+
return rb_funcall(self, rb_sym_assess_kernel_exec, argc, *argv);
|
|
22
24
|
}
|
|
23
25
|
|
|
24
26
|
void Init_cs__assess_kernel(void) {
|
|
25
27
|
kernel_propagator = rb_define_module("KernelPropagator");
|
|
26
28
|
exec_apply_trigger = rb_intern("apply_trigger");
|
|
27
29
|
|
|
28
|
-
|
|
30
|
+
rb_sym_assess_kernel_exec = contrast_register_patch("Kernel",
|
|
31
|
+
"exec",
|
|
32
|
+
contrast_patched_kernel_exec);
|
|
29
33
|
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
contrast_alias_method(singleton, "cs__assess_kernel_exec", "exec");
|
|
35
|
-
rb_define_method(singleton, "exec", contrast_patched_kernel_exec, -1);
|
|
34
|
+
/* should return the same value as above */
|
|
35
|
+
rb_sym_assess_kernel_exec = contrast_register_singleton_patch("Kernel",
|
|
36
|
+
"exec",
|
|
37
|
+
contrast_patched_kernel_exec);
|
|
36
38
|
}
|
|
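Review bot: The `rb_funcall(self, rb_sym_assess_kernel_exec, argc, *argv)` at new line 23 is wrong for ordinary uses of Kernel#exec: it declares argc arguments but passes exactly one, so `exec("ls", "-l")` or `exec(env, cmd, opts)` makes rb_funcall read uninitialised varargs when argc > 1, and `argv[0]` is an out-of-bounds read when argc == 0 — the comment's assumption that exec is only ever called with one argument does not hold for Ruby's exec signature. Replace it with `return rb_funcall2(self, rb_sym_assess_kernel_exec, argc, argv);`, which forwards the vector as-is. Since this is the assess hook on command execution, a multi-argument exec is precisely the call that must be forwarded intact rather than truncated. The function begins above this hunk.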
@@ -38,10 +38,7 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
|
|
|
38
38
|
void Init_cs__assess_marshal_module(void) {
|
|
39
39
|
rb_sym_assess_load_trigger_check = rb_intern("cs__load_trigger_check");
|
|
40
40
|
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
rb_define_method(contrast_marshal, "load",
|
|
45
|
-
contrast_assess_marshal_module_load, -1);
|
|
46
|
-
rb_prepend_module(rb_singleton_class(marshal_module), contrast_marshal);
|
|
41
|
+
contrast_register_singleton_prepend_patch("Marshal",
|
|
42
|
+
"load",
|
|
43
|
+
&contrast_assess_marshal_module_load);
|
|
47
44
|
}
|
|
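Review bot: The registration passes `&contrast_assess_marshal_module_load` while every other call site in this change passes the function name bare; both decay to the same pointer in C, but the inconsistency reads as if this helper took a different parameter type. Use `contrast_assess_marshal_module_load` for consistency with the sibling patches. The prepend semantics now come from contrast_register_singleton_prepend_patch in cs__common.c, outside this hunk, so whether the Marshal.load wrapper still sits ahead of other prepended modules cannot be confirmed here.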
@@ -65,13 +65,17 @@ void Init_cs__assess_module(void) {
|
|
|
65
65
|
|
|
66
66
|
trigger_check_method = rb_intern("eval_trigger_check");
|
|
67
67
|
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
68
|
+
/* Returns of these 2 patches are discarded.
|
|
69
|
+
* We're calling the underlying via direct C, instead of
|
|
70
|
+
* whatever method was there before.
|
|
71
|
+
* See similar comments in basic_object C ext patch.
|
|
72
|
+
*/
|
|
73
|
+
|
|
74
|
+
contrast_register_patch("Module",
|
|
75
|
+
"class_eval",
|
|
76
|
+
contrast_assess_module_class_eval);
|
|
77
|
+
|
|
78
|
+
contrast_register_patch("Module",
|
|
79
|
+
"module_eval",
|
|
80
|
+
contrast_assess_module_module_eval);
|
|
77
81
|
}
|