contrast-agent 3.10.2 → 3.11.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.simplecov +5 -2
- data/ext/build_funchook.rb +13 -17
- data/ext/cs__assess_active_record_named/cs__active_record_named.c +5 -12
- data/ext/cs__assess_active_record_named/extconf.rb +3 -0
- data/ext/cs__assess_array/cs__assess_array.c +3 -5
- data/ext/cs__assess_array/extconf.rb +3 -0
- data/ext/cs__assess_basic_object/cs__assess_basic_object.c +10 -4
- data/ext/cs__assess_basic_object/extconf.rb +3 -0
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c +4 -3
- data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h +3 -3
- data/ext/cs__assess_fiber_track/extconf.rb +3 -0
- data/ext/cs__assess_hash/cs__assess_hash.c +40 -17
- data/ext/cs__assess_hash/cs__assess_hash.h +4 -6
- data/ext/cs__assess_hash/extconf.rb +3 -0
- data/ext/cs__assess_kernel/cs__assess_kernel.c +10 -8
- data/ext/cs__assess_kernel/cs__assess_kernel.h +1 -0
- data/ext/cs__assess_kernel/extconf.rb +3 -0
- data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c +3 -6
- data/ext/cs__assess_marshal_module/extconf.rb +3 -0
- data/ext/cs__assess_module/cs__assess_module.c +13 -9
- data/ext/cs__assess_module/extconf.rb +3 -0
- data/ext/cs__assess_regexp/cs__assess_regexp.c +13 -9
- data/ext/cs__assess_regexp/cs__assess_regexp.h +1 -0
- data/ext/cs__assess_regexp/extconf.rb +3 -0
- data/ext/cs__assess_string/cs__assess_string.c +5 -8
- data/ext/cs__assess_string/cs__assess_string.h +2 -1
- data/ext/cs__assess_string/extconf.rb +3 -0
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c +2 -2
- data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.h +3 -3
- data/ext/cs__assess_string_interpolation26/extconf.rb +3 -0
- data/ext/cs__assess_yield_track/cs__assess_yield_track.h +1 -1
- data/ext/cs__assess_yield_track/extconf.rb +3 -0
- data/ext/cs__common/cs__common.c +79 -0
- data/ext/cs__common/cs__common.h +34 -0
- data/ext/cs__common/extconf.rb +9 -8
- data/ext/cs__contrast_patch/cs__contrast_patch.h +1 -6
- data/ext/cs__contrast_patch/extconf.rb +3 -0
- data/ext/cs__protect_kernel/cs__protect_kernel.c +20 -11
- data/ext/cs__protect_kernel/extconf.rb +3 -0
- data/ext/extconf_common.rb +10 -8
- data/funchook/autom4te.cache/output.0 +1 -13
- data/funchook/autom4te.cache/requests +44 -45
- data/funchook/autom4te.cache/traces.0 +0 -3
- data/funchook/config.log +378 -217
- data/funchook/config.status +23 -24
- data/funchook/configure +1 -13
- data/funchook/src/Makefile +7 -7
- data/funchook/src/config.h +2 -2
- data/funchook/src/decoder.o +0 -0
- data/funchook/src/distorm.o +0 -0
- data/funchook/src/funchook.o +0 -0
- data/funchook/src/funchook_io.o +0 -0
- data/funchook/src/funchook_syscall.o +0 -0
- data/funchook/src/funchook_unix.o +0 -0
- data/funchook/src/funchook_x86.o +0 -0
- data/funchook/src/instructions.o +0 -0
- data/funchook/src/insts.o +0 -0
- data/funchook/src/libfunchook.dylib +0 -0
- data/funchook/src/mnemonics.o +0 -0
- data/funchook/src/operands.o +0 -0
- data/funchook/src/os_func.o +0 -0
- data/funchook/src/os_func_unix.o +0 -0
- data/funchook/src/prefix.o +0 -0
- data/funchook/src/printf_base.o +0 -0
- data/funchook/src/textdefs.o +0 -0
- data/funchook/src/wstring.o +0 -0
- data/funchook/test/Makefile +2 -2
- data/funchook/test/funchook_test +0 -0
- data/funchook/test/libfunchook_test.so +0 -0
- data/funchook/test/libfunchook_test.so.dSYM/Contents/Info.plist +20 -0
- data/funchook/test/libfunchook_test.so.dSYM/Contents/Resources/DWARF/libfunchook_test.so +0 -0
- data/funchook/test/test_main.o +0 -0
- data/funchook/test/x86_64_test.o +0 -0
- data/lib/contrast.rb +1 -0
- data/lib/contrast/agent.rb +21 -15
- data/lib/contrast/agent/assess.rb +1 -2
- data/lib/contrast/agent/assess/adjusted_span.rb +3 -1
- data/lib/contrast/agent/assess/contrast_event.rb +16 -62
- data/lib/contrast/agent/assess/events/event_factory.rb +25 -0
- data/lib/contrast/agent/assess/events/source_event.rb +83 -0
- data/lib/contrast/agent/assess/insulator.rb +0 -4
- data/lib/contrast/agent/assess/policy/patcher.rb +5 -2
- data/lib/contrast/agent/assess/policy/policy_node.rb +0 -7
- data/lib/contrast/agent/assess/policy/policy_scanner.rb +1 -1
- data/lib/contrast/agent/assess/policy/preshift.rb +1 -1
- data/lib/contrast/agent/assess/policy/propagation_method.rb +65 -33
- data/lib/contrast/agent/assess/policy/propagation_node.rb +2 -1
- data/lib/contrast/agent/assess/policy/propagator.rb +1 -0
- data/lib/contrast/agent/assess/policy/propagator/match_data.rb +80 -0
- data/lib/contrast/agent/assess/policy/propagator/select.rb +35 -22
- data/lib/contrast/agent/assess/policy/propagator/split.rb +26 -6
- data/lib/contrast/agent/assess/policy/propagator/substitution.rb +2 -0
- data/lib/contrast/agent/assess/policy/rewriter_patch.rb +37 -26
- data/lib/contrast/agent/assess/policy/source_method.rb +20 -20
- data/lib/contrast/agent/assess/policy/source_node.rb +0 -15
- data/lib/contrast/agent/assess/policy/trigger_method.rb +29 -40
- data/lib/contrast/agent/assess/policy/trigger_node.rb +3 -6
- data/lib/contrast/agent/assess/policy/trigger_validation/ssrf_validator.rb +2 -31
- data/lib/contrast/agent/assess/properties.rb +5 -3
- data/lib/contrast/agent/assess/rule/base.rb +1 -5
- data/lib/contrast/agent/assess/rule/csrf/csrf_applicator.rb +2 -22
- data/lib/contrast/agent/assess/rule/csrf/csrf_watcher.rb +5 -1
- data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb +2 -2
- data/lib/contrast/agent/assess/rule/redos.rb +4 -4
- data/lib/contrast/agent/assess/tag.rb +24 -14
- data/lib/contrast/agent/at_exit_hook.rb +16 -13
- data/lib/contrast/agent/class_reopener.rb +14 -4
- data/lib/contrast/agent/deadzone/policy/policy.rb +2 -2
- data/lib/contrast/agent/disable_reaction.rb +3 -4
- data/lib/contrast/agent/exclusion_matcher.rb +8 -48
- data/lib/contrast/agent/feature_state.rb +45 -75
- data/lib/contrast/agent/logger.rb +173 -0
- data/lib/contrast/agent/middleware.rb +87 -250
- data/lib/contrast/agent/module_data.rb +2 -1
- data/lib/contrast/agent/patching/policy/after_load_patch.rb +2 -1
- data/lib/contrast/agent/patching/policy/after_load_patcher.rb +21 -4
- data/lib/contrast/agent/patching/policy/method_policy.rb +3 -3
- data/lib/contrast/agent/patching/policy/module_policy.rb +0 -25
- data/lib/contrast/agent/patching/policy/patch.rb +96 -23
- data/lib/contrast/agent/patching/policy/patcher.rb +19 -19
- data/lib/contrast/agent/patching/policy/policy.rb +7 -7
- data/lib/contrast/agent/patching/policy/policy_node.rb +2 -10
- data/lib/contrast/agent/patching/policy/trigger_node.rb +1 -4
- data/lib/contrast/agent/protect/rule/base.rb +14 -33
- data/lib/contrast/agent/protect/rule/base_service.rb +3 -1
- data/lib/contrast/agent/protect/rule/cmd_injection.rb +10 -13
- data/lib/contrast/agent/protect/rule/csrf.rb +2 -1
- data/lib/contrast/agent/protect/rule/csrf/csrf_evaluator.rb +11 -14
- data/lib/contrast/agent/protect/rule/default_scanner.rb +0 -13
- data/lib/contrast/agent/protect/rule/deserialization.rb +2 -0
- data/lib/contrast/agent/protect/rule/http_method_tampering.rb +2 -2
- data/lib/contrast/agent/protect/rule/no_sqli.rb +4 -4
- data/lib/contrast/agent/protect/rule/path_traversal.rb +5 -4
- data/lib/contrast/agent/protect/rule/sqli.rb +1 -0
- data/lib/contrast/agent/protect/rule/unsafe_file_upload.rb +2 -0
- data/lib/contrast/agent/protect/rule/xss.rb +2 -0
- data/lib/contrast/agent/protect/rule/xxe.rb +10 -4
- data/lib/contrast/agent/railtie.rb +2 -8
- data/lib/contrast/agent/reaction_processor.rb +5 -5
- data/lib/contrast/agent/request.rb +9 -12
- data/lib/contrast/agent/request_context.rb +12 -14
- data/lib/contrast/agent/request_handler.rb +35 -0
- data/lib/contrast/agent/response.rb +33 -30
- data/lib/contrast/agent/rewriter.rb +22 -10
- data/lib/contrast/agent/rule_set.rb +49 -0
- data/lib/contrast/agent/scope.rb +0 -6
- data/lib/contrast/agent/service_heartbeat.rb +1 -2
- data/lib/contrast/agent/settings_state.rb +10 -74
- data/lib/contrast/agent/socket_client.rb +17 -11
- data/lib/contrast/agent/static_analysis.rb +42 -0
- data/lib/contrast/agent/thread.rb +1 -1
- data/lib/contrast/agent/tracepoint_hook.rb +1 -5
- data/lib/contrast/agent/version.rb +1 -1
- data/lib/contrast/api.rb +1 -1
- data/lib/contrast/api/decorators.rb +14 -0
- data/lib/contrast/api/decorators/application_settings.rb +37 -0
- data/lib/contrast/api/decorators/application_update.rb +66 -0
- data/lib/contrast/api/decorators/exclusion.rb +20 -0
- data/lib/contrast/api/decorators/input_analysis.rb +17 -0
- data/lib/contrast/api/decorators/server_features.rb +24 -0
- data/lib/contrast/api/speedracer.rb +27 -23
- data/lib/contrast/api/tcp_socket.rb +0 -2
- data/lib/contrast/components/agent.rb +27 -22
- data/lib/contrast/components/app_context.rb +18 -43
- data/lib/contrast/components/config.rb +7 -5
- data/lib/contrast/components/contrast_service.rb +0 -4
- data/lib/contrast/components/heap_dump.rb +12 -8
- data/lib/contrast/components/interface.rb +11 -10
- data/lib/contrast/components/logger.rb +3 -68
- data/lib/contrast/components/sampling.rb +22 -11
- data/lib/contrast/components/settings.rb +18 -5
- data/lib/contrast/config/base_configuration.rb +1 -0
- data/lib/contrast/config/default_value.rb +1 -0
- data/lib/contrast/config/protect_rule_configuration.rb +0 -14
- data/lib/contrast/extensions/framework/rails/action_controller_inheritance.rb +39 -0
- data/lib/contrast/extensions/framework/rails/active_record_named.rb +13 -8
- data/lib/contrast/extensions/ruby_core/assess.rb +1 -2
- data/lib/contrast/extensions/ruby_core/assess/assess_extension.rb +27 -22
- data/lib/contrast/extensions/ruby_core/assess/erb.rb +0 -8
- data/lib/contrast/extensions/ruby_core/assess/exec_trigger.rb +6 -8
- data/lib/contrast/extensions/ruby_core/assess/fiber.rb +88 -100
- data/lib/contrast/extensions/ruby_core/assess/hash.rb +32 -15
- data/lib/contrast/extensions/ruby_core/assess/kernel.rb +28 -27
- data/lib/contrast/extensions/ruby_core/assess/regexp.rb +74 -196
- data/lib/contrast/extensions/ruby_core/assess/string.rb +15 -7
- data/lib/contrast/extensions/ruby_core/assess/tilt_template_trigger.rb +29 -24
- data/lib/contrast/extensions/ruby_core/assess/xpath_library_trigger.rb +2 -2
- data/lib/contrast/extensions/ruby_core/eval_trigger.rb +0 -1
- data/lib/contrast/extensions/ruby_core/inventory/datastores.rb +2 -2
- data/lib/contrast/extensions/ruby_core/protect/applies_command_injection_rule.rb +9 -20
- data/lib/contrast/extensions/ruby_core/protect/applies_deserialization_rule.rb +9 -19
- data/lib/contrast/extensions/ruby_core/protect/applies_no_sqli_rule.rb +10 -27
- data/lib/contrast/extensions/ruby_core/protect/applies_path_traversal_rule.rb +13 -21
- data/lib/contrast/extensions/ruby_core/protect/applies_sqli_rule.rb +11 -23
- data/lib/contrast/extensions/ruby_core/protect/applies_xxe_rule.rb +62 -78
- data/lib/contrast/extensions/ruby_core/protect/rule_applicator.rb +50 -0
- data/lib/contrast/framework/base_support.rb +10 -0
- data/lib/contrast/framework/manager.rb +28 -2
- data/lib/contrast/framework/platform_version.rb +1 -0
- data/lib/contrast/framework/rails_support.rb +16 -0
- data/lib/contrast/framework/sinatra_support.rb +12 -2
- data/lib/contrast/framework/view_technologies_descriptor.rb +1 -0
- data/lib/contrast/tasks/service.rb +2 -8
- data/lib/contrast/utils/assess/sampling_util.rb +4 -9
- data/lib/contrast/utils/assess/tracking_util.rb +7 -1
- data/lib/contrast/utils/boolean_util.rb +2 -2
- data/lib/contrast/utils/cache.rb +0 -11
- data/lib/contrast/utils/class_util.rb +20 -1
- data/lib/contrast/utils/gemfile_reader.rb +5 -3
- data/lib/contrast/utils/hash_digest.rb +0 -4
- data/lib/contrast/utils/heap_dump_util.rb +12 -11
- data/lib/contrast/utils/invalid_configuration_util.rb +1 -1
- data/lib/contrast/utils/inventory_util.rb +2 -2
- data/lib/contrast/utils/io_util.rb +1 -11
- data/lib/contrast/utils/job_servers_running.rb +2 -2
- data/lib/contrast/utils/object_share.rb +1 -27
- data/lib/contrast/utils/os.rb +1 -25
- data/lib/contrast/utils/rack_assess_session_cookie.rb +3 -3
- data/lib/contrast/utils/rails_assess_configuration.rb +3 -3
- data/lib/contrast/utils/service_response_util.rb +27 -53
- data/lib/contrast/utils/service_sender_util.rb +9 -5
- data/lib/contrast/utils/sinatra_helper.rb +0 -6
- data/lib/contrast/utils/stack_trace_utils.rb +86 -182
- data/lib/contrast/utils/string_utils.rb +18 -2
- data/lib/contrast/utils/tag_util.rb +11 -1
- data/lib/contrast/utils/thread_tracker.rb +2 -2
- data/lib/contrast/utils/timer.rb +0 -40
- data/resources/assess/policy.json +33 -21
- data/resources/protect/policy.json +9 -9
- data/ruby-agent.gemspec +6 -3
- metadata +76 -51
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.c +0 -63
- data/ext/cs__assess_regexp_track/cs__assess_regexp_track.h +0 -29
- data/ext/cs__assess_regexp_track/extconf.rb +0 -2
- data/funchook/src/libfunchook.so +0 -0
- data/lib/contrast/agent/assess/frozen_properties.rb +0 -41
- data/lib/contrast/agent/logger_manager.rb +0 -116
- data/lib/contrast/delegators.rb +0 -9
- data/lib/contrast/delegators/application_update.rb +0 -32
- data/lib/contrast/utils/comment_range.rb +0 -19
- data/lib/contrast/utils/environment_util.rb +0 -81
- data/lib/contrast/utils/performs_logging.rb +0 -152
- data/resources/factory-bot-spec/spec_helper.rb +0 -30
- data/resources/rubocops/kernel/catch_cop.rb +0 -37
- data/resources/rubocops/kernel/require_cop.rb +0 -37
- data/resources/rubocops/kernel/require_relative_cop.rb +0 -33
- data/resources/rubocops/module/autoload_cop.rb +0 -37
- data/resources/rubocops/module/const_defined_cop.rb +0 -37
- data/resources/rubocops/module/const_get_cop.rb +0 -37
- data/resources/rubocops/module/const_set_cop.rb +0 -37
- data/resources/rubocops/module/constants_cop.rb +0 -37
- data/resources/rubocops/module/name_cop.rb +0 -37
- data/resources/rubocops/object/class_cop.rb +0 -37
- data/resources/rubocops/object/freeze_cop.rb +0 -37
- data/resources/rubocops/object/frozen_cop.rb +0 -37
- data/resources/rubocops/object/is_a_cop.rb +0 -37
- data/resources/rubocops/object/method_cop.rb +0 -37
- data/resources/rubocops/object/respond_to_cop.rb +0 -37
- data/resources/rubocops/object/singleton_class_cop.rb +0 -37
- data/resources/rubocops/regexp/spelling_cop.rb +0 -44
- data/resources/rubocops/thread/new_cop.rb +0 -39
- data/resources/ruby-spec/ancestors_spec.rb +0 -70
- data/resources/ruby-spec/modulo_spec.rb +0 -831
- data/resources/ruby-spec/parameters_spec.rb +0 -261
- data/resources/ruby-spec/ruby_spec_spec_helper.rb +0 -35
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9ef521f3316b8c5e911a3781bb0dc0c228b01a6166ad1f6a2abb429e67941878
|
|
4
|
+
data.tar.gz: 16305c60287b244efb6d0a1fb23a979b405e4960deaa2a84e45b1da994c21c14
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 228c42ed0e8453f3b2720818d7127729991e8d2cad7e480fc616f0975481e7810ff0ebfae44ebe406c62ff51398307e6cadd685a0805b34a7cb699641278c064
|
|
7
|
+
data.tar.gz: e9d180bb7004a818d346bb2d5f4ea5b57d1d6fef58284569fdb80dcbaf44cb215d4ae3b86c7984c683387011af9bf20f9428947820bf9e13fa67cc9084d6d8b8
|
data/.simplecov
CHANGED
|
@@ -1,4 +1,7 @@
|
|
|
1
|
-
|
|
1
|
+
# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
SimpleCov.minimum_coverage line: 92.30
|
|
2
5
|
SimpleCov.start do
|
|
3
6
|
add_filter '/spec/'
|
|
4
|
-
end
|
|
7
|
+
end
|
data/ext/build_funchook.rb
CHANGED
|
@@ -31,15 +31,15 @@ unless find_header('funchook.h', ext_path)
|
|
|
31
31
|
end
|
|
32
32
|
|
|
33
33
|
SOURCE_PATHS = [
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
34
|
+
File.join('include', 'funchook.h'),
|
|
35
|
+
File.join('src', 'libfunchook.dylib'),
|
|
36
|
+
File.join('src', 'libfunchook.so')
|
|
37
37
|
].freeze
|
|
38
38
|
|
|
39
39
|
TARGET_PATHS = ([
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
] +
|
|
40
|
+
File.expand_path(File.join(File.expand_path(__dir__), '..', 'shared_libraries')),
|
|
41
|
+
File.expand_path(__dir__)
|
|
42
|
+
] + bundler_install_target_paths).freeze
|
|
43
43
|
|
|
44
44
|
puts 'Copying required files'
|
|
45
45
|
|
|
@@ -51,20 +51,16 @@ unless find_header('funchook.h', ext_path)
|
|
|
51
51
|
end
|
|
52
52
|
|
|
53
53
|
TARGET_PATHS.each do |target_path|
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
next
|
|
58
|
-
end
|
|
59
|
-
puts "Copying #{ source_file_path } into #{ target_path }"
|
|
60
|
-
FileUtils.cp(source_file_path, target_path)
|
|
61
|
-
rescue
|
|
62
|
-
puts "Error while copying #{source_file} to #{target_path}"
|
|
54
|
+
unless File.writable?(target_path)
|
|
55
|
+
puts "Unable to copy into #{ target_path } - directory not writable"
|
|
56
|
+
next
|
|
63
57
|
end
|
|
58
|
+
puts "Copying #{ source_file_path } into #{ target_path }"
|
|
59
|
+
FileUtils.cp(source_file_path, target_path)
|
|
60
|
+
rescue StandardError
|
|
61
|
+
puts "Error while copying #{ source_file } to #{ target_path }"
|
|
64
62
|
end
|
|
65
63
|
end
|
|
66
64
|
end
|
|
67
65
|
|
|
68
|
-
|
|
69
|
-
|
|
70
66
|
have_header('funchook.h', ext_path)
|
|
@@ -3,6 +3,7 @@
|
|
|
3
3
|
|
|
4
4
|
#include "cs__active_record_named.h"
|
|
5
5
|
#include <ruby.h>
|
|
6
|
+
#include "../cs__common/cs__common.h"
|
|
6
7
|
|
|
7
8
|
VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
|
|
8
9
|
const VALUE self) {
|
|
@@ -32,16 +33,8 @@ VALUE contrast_assess_active_record_scope(const int argc, const VALUE *argv,
|
|
|
32
33
|
|
|
33
34
|
void Init_cs__assess_active_record_named(void) {
|
|
34
35
|
rb_sym_assess_rewrite = rb_intern("_cs__rewrite");
|
|
35
|
-
rb_sym_assess_scope
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
VALUE scoping_module =
|
|
39
|
-
rb_define_module_under(active_record_module, "Scoping");
|
|
40
|
-
VALUE named_module = rb_define_module_under(scoping_module, "Named");
|
|
41
|
-
VALUE class_methods_module =
|
|
42
|
-
rb_define_module_under(named_module, "ClassMethods");
|
|
43
|
-
|
|
44
|
-
contrast_alias_method(class_methods_module, "cs__patched_scope", "scope");
|
|
45
|
-
rb_define_method(class_methods_module, "scope",
|
|
46
|
-
contrast_assess_active_record_scope, -1);
|
|
36
|
+
rb_sym_assess_scope = contrast_register_patch("ActiveRecord::Scoping::Named::ClassMethods",
|
|
37
|
+
"scope",
|
|
38
|
+
contrast_assess_active_record_scope);
|
|
47
39
|
}
|
|
40
|
+
|
|
@@ -29,10 +29,8 @@ static VALUE contrast_assess_array_join(const int argc, const VALUE *argv,
|
|
|
29
29
|
}
|
|
30
30
|
|
|
31
31
|
void Init_cs__assess_array(void) {
|
|
32
|
-
rb_sym_assess_array_join = rb_intern("cs__patched_join");
|
|
33
32
|
rb_sym_assess_track_array_join = rb_intern("cs__track_join");
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
rb_define_method(array_class, "join", contrast_assess_array_join, -1);
|
|
33
|
+
rb_sym_assess_array_join = contrast_register_patch("Array",
|
|
34
|
+
"join",
|
|
35
|
+
contrast_assess_array_join);
|
|
38
36
|
}
|
|
@@ -43,8 +43,14 @@ contrast_assess_basic_object_instance_eval(const int argc, const VALUE *argv,
|
|
|
43
43
|
void Init_cs__assess_basic_object(void) {
|
|
44
44
|
instance_trigger_check_method = rb_intern("instance_eval_trigger_check");
|
|
45
45
|
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
46
|
+
/* We don't keep a reference to the underlying method.
|
|
47
|
+
* Instead, we call rb_obj_instance_eval directly.
|
|
48
|
+
* This should work an overwhelming majority of the time,
|
|
49
|
+
* but if someone else patched BasicObject#instance_eval,
|
|
50
|
+
* IDK if this is intentional... noting it. -ajm
|
|
51
|
+
*/
|
|
52
|
+
contrast_register_patch("BasicObject",
|
|
53
|
+
"instance_eval",
|
|
54
|
+
contrast_assess_basic_object_instance_eval);
|
|
55
|
+
|
|
50
56
|
}
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
* https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
|
|
3
3
|
|
|
4
4
|
#include "cs__assess_fiber_track.h"
|
|
5
|
+
#include "../cs__common/cs__common.h"
|
|
5
6
|
#include <funchook.h>
|
|
6
7
|
#include <ruby.h>
|
|
7
8
|
|
|
@@ -44,7 +45,7 @@ VALUE rb_fiber_new_hook(VALUE (*func)(ANYARGS), VALUE obj) {
|
|
|
44
45
|
VALUE enumerator_method = ID2SYM(enum_ptr->meth);
|
|
45
46
|
/* e.g.: 1..100, #each_value. Should reflect #inspect on the enum. */
|
|
46
47
|
|
|
47
|
-
rb_funcall(
|
|
48
|
+
rb_funcall(fiber_propagator, track_rb_fiber_new, 5, fiber, obj,
|
|
48
49
|
enumerator_method, underlying, calling_method);
|
|
49
50
|
}
|
|
50
51
|
|
|
@@ -56,7 +57,7 @@ VALUE rb_fiber_yield_hook(int argc, const VALUE *argv) {
|
|
|
56
57
|
VALUE yielding_fiber = rb_fiber_current();
|
|
57
58
|
|
|
58
59
|
/* propagate from yielding_fiber -> result */
|
|
59
|
-
rb_funcall(
|
|
60
|
+
rb_funcall(fiber_propagator, track_rb_fiber_yield, 3, yielding_fiber,
|
|
60
61
|
calling_method, *argv);
|
|
61
62
|
|
|
62
63
|
return rb_fiber_yield_original(argc, argv);
|
|
@@ -78,7 +79,7 @@ int install_fiber_hooks() {
|
|
|
78
79
|
}
|
|
79
80
|
|
|
80
81
|
void Init_cs__assess_fiber_track(void) {
|
|
81
|
-
|
|
82
|
+
fiber_propagator = rb_define_class_under(core_assess, "FiberPropagator", rb_cObject);
|
|
82
83
|
track_rb_fiber_new = rb_intern("track_rb_fiber_new");
|
|
83
84
|
track_rb_fiber_yield = rb_intern("track_rb_fiber_yield");
|
|
84
85
|
rb_sym_next = rb_intern("next");
|
|
@@ -2,15 +2,15 @@
|
|
|
2
2
|
#include <ruby.h>
|
|
3
3
|
|
|
4
4
|
static VALUE rb_sym_next;
|
|
5
|
-
static VALUE
|
|
5
|
+
static VALUE fiber_propagator;
|
|
6
6
|
static VALUE track_rb_fiber_new;
|
|
7
7
|
static VALUE track_rb_fiber_yield;
|
|
8
8
|
|
|
9
9
|
VALUE rb_fiber_new(VALUE (*func)(ANYARGS), VALUE obj);
|
|
10
|
-
VALUE
|
|
10
|
+
VALUE (*rb_fiber_new_original)(VALUE (*func)(ANYARGS), VALUE obj);
|
|
11
11
|
|
|
12
12
|
VALUE rb_fiber_yield(int argc, const VALUE *argv);
|
|
13
|
-
VALUE
|
|
13
|
+
VALUE (*rb_fiber_yield_original)(int argc, const VALUE *argv);
|
|
14
14
|
|
|
15
15
|
/* If you call `#next` on an enumerator object, that enumerator object
|
|
16
16
|
* instantiates a fiber and runs its given proc inside of that fiber.
|
|
@@ -5,7 +5,14 @@
|
|
|
5
5
|
#include "../cs__common/cs__common.h"
|
|
6
6
|
#include <ruby.h>
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
/* Hashes can be constructed thusly):
|
|
9
|
+
* irb(main):001:0> Hash[:a, :b]
|
|
10
|
+
* => {:a=>:b}
|
|
11
|
+
*
|
|
12
|
+
* This method instruments that unique bracket-construction style
|
|
13
|
+
* of initializing a hash.
|
|
14
|
+
*/
|
|
15
|
+
static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *argv,
|
|
9
16
|
const VALUE hash) {
|
|
10
17
|
VALUE result;
|
|
11
18
|
|
|
@@ -14,14 +21,14 @@ static VALUE contrast_assess_hash_bracket_get(const int argc, VALUE *argv,
|
|
|
14
21
|
int i;
|
|
15
22
|
for (i = 0; i < argc; i++) {
|
|
16
23
|
argv[i] =
|
|
17
|
-
rb_funcall(
|
|
24
|
+
rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
|
|
18
25
|
}
|
|
19
26
|
/* Hash[ key, value, ... ] -> new_hash */
|
|
20
27
|
} else if (argc > 1) {
|
|
21
28
|
int i;
|
|
22
29
|
for (i = 0; i < argc; i += 2) {
|
|
23
30
|
argv[i] =
|
|
24
|
-
rb_funcall(
|
|
31
|
+
rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[i]);
|
|
25
32
|
}
|
|
26
33
|
}
|
|
27
34
|
|
|
@@ -29,36 +36,52 @@ static VALUE contrast_assess_hash_bracket_get(const int argc, VALUE *argv,
|
|
|
29
36
|
* String keys
|
|
30
37
|
* # Hash[ object ] -> new_hash
|
|
31
38
|
*/
|
|
32
|
-
result = rb_funcall2(hash,
|
|
39
|
+
result = rb_funcall2(hash, rb_sym_assess_hash_bracket_constructor, argc, argv);
|
|
33
40
|
|
|
34
41
|
return result;
|
|
35
42
|
}
|
|
36
43
|
|
|
44
|
+
/* Hashes, when keyed with a string, will dup & freeze that string.
|
|
45
|
+
* This is resource-efficient, but inconvenient for instrumentation.
|
|
46
|
+
*/
|
|
37
47
|
static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
|
|
38
48
|
const VALUE hash) {
|
|
39
49
|
VALUE result;
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
50
|
+
/* Current name (assess_hash_bracket_set).
|
|
51
|
+
* It doesn't set anything on the hash.
|
|
52
|
+
* It takes the arg that /would/ have been the key, and preemptively
|
|
53
|
+
* calls #dup and then #freeze, and then gives you that key.
|
|
54
|
+
*
|
|
55
|
+
* We intentionally don't enter Contrast scope for this patch.
|
|
56
|
+
* #dup instruments the string, and #freeze gets the hash to accept
|
|
57
|
+
* the key directly, without calling its own #dup/#freeze.
|
|
58
|
+
* (That naturally happens in C-land, our instrumentation is in Ruby,
|
|
59
|
+
* so our patches to #dup don't take effect within Hash#[]= unless we
|
|
60
|
+
* specifically do this instrumentation.
|
|
61
|
+
* We haven't revisited this approach since we started more extensively
|
|
62
|
+
* hooking public C functions.)
|
|
63
|
+
*/
|
|
64
|
+
if(argc > 0) {
|
|
65
|
+
argv[0] = rb_funcall(hash_propagator, rb_sym_assess_hash_dup_and_freeze, 1, argv[0]);
|
|
66
|
+
}
|
|
67
|
+
/* This is the underlying assignment, w/ our instrumented key. */
|
|
44
68
|
result = rb_funcall2(hash, rb_sym_assess_hash_bracket_equals, argc, argv);
|
|
45
69
|
|
|
46
70
|
return result;
|
|
47
71
|
}
|
|
48
72
|
|
|
49
73
|
void Init_cs__assess_hash(void) {
|
|
74
|
+
hash_propagator = rb_define_class_under(core_assess, "HashPropagator", rb_cObject);
|
|
50
75
|
rb_sym_assess_hash_dup_and_freeze = rb_intern("cs__duplicate_and_freeze");
|
|
51
|
-
rb_sym_assess_hash_brackets = rb_intern("cs__patched_[]");
|
|
52
|
-
rb_sym_assess_hash_bracket_set = rb_intern("cs__bracket_set");
|
|
53
|
-
rb_sym_assess_hash_bracket_equals = rb_intern("cs__patched_[]=");
|
|
54
76
|
|
|
55
77
|
VALUE hash_class = rb_define_class("Hash", rb_cObject);
|
|
56
|
-
array_class = rb_define_class("Array", rb_cObject);
|
|
57
78
|
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
79
|
+
rb_sym_assess_hash_bracket_constructor = contrast_register_singleton_patch("Hash",
|
|
80
|
+
"[]",
|
|
81
|
+
contrast_assess_hash_bracket_constructor);
|
|
82
|
+
|
|
83
|
+
rb_sym_assess_hash_bracket_equals = contrast_register_patch("Hash",
|
|
84
|
+
"[]=",
|
|
85
|
+
contrast_assess_hash_bracket_set);
|
|
61
86
|
|
|
62
|
-
contrast_alias_method(hash_class, "cs__patched_[]=", "[]=");
|
|
63
|
-
rb_define_method(hash_class, "[]=", contrast_assess_hash_bracket_set, -1);
|
|
64
87
|
}
|
|
@@ -1,11 +1,9 @@
|
|
|
1
1
|
#include <ruby.h>
|
|
2
2
|
|
|
3
|
-
static VALUE array_class;
|
|
4
|
-
|
|
5
3
|
static VALUE rb_sym_assess_hash_dup_and_freeze;
|
|
6
|
-
static VALUE
|
|
7
|
-
static VALUE rb_sym_assess_hash_bracket_set;
|
|
4
|
+
static VALUE rb_sym_assess_hash_bracket_constructor;
|
|
8
5
|
static VALUE rb_sym_assess_hash_bracket_equals;
|
|
6
|
+
static VALUE hash_propagator;
|
|
9
7
|
|
|
10
8
|
/*
|
|
11
9
|
* Monkeypatch Ruby Hash with Contrast Security Hash in order ot avoid losing
|
|
@@ -15,8 +13,8 @@ static VALUE rb_sym_assess_hash_bracket_equals;
|
|
|
15
13
|
* ahead of time should avoid this, similar to the behavior of the -@ Strings
|
|
16
14
|
* -HM
|
|
17
15
|
*/
|
|
18
|
-
static VALUE
|
|
19
|
-
|
|
16
|
+
static VALUE contrast_assess_hash_bracket_constructor(const int argc, VALUE *argv,
|
|
17
|
+
const VALUE hash);
|
|
20
18
|
|
|
21
19
|
static VALUE contrast_assess_hash_bracket_set(const int argc, VALUE *argv,
|
|
22
20
|
const VALUE hash);
|
|
@@ -18,19 +18,21 @@ contrast_patched_kernel_exec(const int argc, const VALUE *argv,
|
|
|
18
18
|
rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
|
|
19
19
|
}
|
|
20
20
|
|
|
21
|
-
|
|
21
|
+
/* maybe this should be rb_funcall2. this works right now because *argv == argv[0].
|
|
22
|
+
* exec shouldn't ever be called with != 1 argc, so not a huge problem */
|
|
23
|
+
return rb_funcall(self, rb_sym_assess_kernel_exec, argc, *argv);
|
|
22
24
|
}
|
|
23
25
|
|
|
24
26
|
void Init_cs__assess_kernel(void) {
|
|
25
27
|
kernel_propagator = rb_define_module("KernelPropagator");
|
|
26
28
|
exec_apply_trigger = rb_intern("apply_trigger");
|
|
27
29
|
|
|
28
|
-
|
|
30
|
+
rb_sym_assess_kernel_exec = contrast_register_patch("Kernel",
|
|
31
|
+
"exec",
|
|
32
|
+
contrast_patched_kernel_exec);
|
|
29
33
|
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
contrast_alias_method(singleton, "cs__assess_kernel_exec", "exec");
|
|
35
|
-
rb_define_method(singleton, "exec", contrast_patched_kernel_exec, -1);
|
|
34
|
+
/* should return the same value as above */
|
|
35
|
+
rb_sym_assess_kernel_exec = contrast_register_singleton_patch("Kernel",
|
|
36
|
+
"exec",
|
|
37
|
+
contrast_patched_kernel_exec);
|
|
36
38
|
}
|
|
@@ -38,10 +38,7 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
|
|
|
38
38
|
void Init_cs__assess_marshal_module(void) {
|
|
39
39
|
rb_sym_assess_load_trigger_check = rb_intern("cs__load_trigger_check");
|
|
40
40
|
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
rb_define_method(contrast_marshal, "load",
|
|
45
|
-
contrast_assess_marshal_module_load, -1);
|
|
46
|
-
rb_prepend_module(rb_singleton_class(marshal_module), contrast_marshal);
|
|
41
|
+
contrast_register_singleton_prepend_patch("Marshal",
|
|
42
|
+
"load",
|
|
43
|
+
&contrast_assess_marshal_module_load);
|
|
47
44
|
}
|
|
@@ -65,13 +65,17 @@ void Init_cs__assess_module(void) {
|
|
|
65
65
|
|
|
66
66
|
trigger_check_method = rb_intern("eval_trigger_check");
|
|
67
67
|
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
68
|
+
/* Returns of these 2 patches are discarded.
|
|
69
|
+
* We're calling the underlying via direct C, instead of
|
|
70
|
+
* whatever method was there before.
|
|
71
|
+
* See similar comments in basic_object C ext patch.
|
|
72
|
+
*/
|
|
73
|
+
|
|
74
|
+
contrast_register_patch("Module",
|
|
75
|
+
"class_eval",
|
|
76
|
+
contrast_assess_module_class_eval);
|
|
77
|
+
|
|
78
|
+
contrast_register_patch("Module",
|
|
79
|
+
"module_eval",
|
|
80
|
+
contrast_assess_module_module_eval);
|
|
77
81
|
}
|