contrast-agent 3.12.2 → 3.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8c4c1231012886dbd14e4cd13bef64286f18d970be8c3b5c7daa7e585ae500aa
-  data.tar.gz: 23a64e21d451cea85ce8b2e4c19ac98c5d7e14c294abac30e3a4310c8809a7ea
+  metadata.gz: 64a4e6fe5f8f75e8ab4bb911e696330a10e1a3edb95c027a03dd0b8704e23f3e
+  data.tar.gz: f031d456741cb0d955030805efd73f8cb2495ca7c927a15121c5ef88a6d86ec7
 SHA512:
-  metadata.gz: 49c90e08126185be367fef4c5494fc074faf0af77e1d376966a976e8f4c839d94ba292a24fa0826e332c9adf1ae42fa281ab0ab44dfc0040128856b332f28e82
-  data.tar.gz: 58f501e22a5c0654b8fbe64f7f1668de9308a63e61749d3ebc8b0c033cf6e41cc4928d890db8de6943ec38a53d90d5affc812c258382137249bde0d3471a18e8
+  metadata.gz: e2fac539c17b2cb20ab407f6ded931316f97529073907a3f03ee7ef8774a2e18a597d5c47406e44cb86111338e7d31170399543a1778bb7154eaf618b4e03635
+  data.tar.gz: 44e2552f7ee995f73514c62b10002096fcf8f462bdbc573cceb623f9a42786c2421d16490962a9575d777a792fd9ea459d41630e2de9cf60e55c61ecc0fb8403

data/.dockerignore

@@ -4,7 +4,6 @@ docker/
 code-deploy/
 
 Jenkinsfile
-bitbucket-pipelines.yml
 docker-compose.yml
 .rubocop.yml
 .travis.yml

data/.gitignore

@@ -52,7 +52,7 @@ contrast-agent-*.gem
 service_executables/*-*
 
 # Generated Protobuf files
-/lib/contrast/api/*_pb.rb
+/lib/contrast/api/*.pb.rb
 
 # IDE stuff
 tags

data/.simplecov

@@ -1,7 +1,7 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-SimpleCov.minimum_coverage line: 92.30
+SimpleCov.minimum_coverage line: 94.75
 SimpleCov.start do
   add_filter '/spec/'
 end

data/Rakefile

@@ -1,9 +1,13 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+$stdout.sync = true
+
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'rake/extensiontask'
+load 'protobuf/tasks/compile.rake'
+require 'fileutils'
 
 CLOBBER << 'shared_libraries/*'
 
@@ -13,3 +17,30 @@ Dir['ext/cs__*'].each do |extension|
     ext.lib_dir = "lib/#{ name }"
   end
 end
+
+task :contrast_pb_compile do
+  # do some stuff before compile
+
+  # Invoke the protobuf compile task with your sensible defaults
+  ::Rake::Task['protobuf:compile'].invoke('lib',
+                                          './agent-service-api/protobuf ./agent-service-api/protobuf/dtm.proto',
+                                          'lib/contrast/api',
+                                          nil)
+
+  ::Rake::Task['protobuf:compile'].reenable
+
+  ::Rake::Task['protobuf:compile'].invoke('lib',
+                                          './agent-service-api/protobuf ./agent-service-api/protobuf/settings.proto',
+                                          'lib/contrast/api',
+                                          nil)
+
+  ['dtm.pb.rb', 'settings.pb.rb'].each do |target_file|
+    target_path = File.absolute_path(File.join(__dir__, "./lib/contrast/api/#{ target_file }"))
+    unless File.exist?(target_path)
+      puts "File not found #{ target_path }"
+      exit 1
+    end
+  end
+
+  puts 'Protobuf copied successfully'
+end

data/ext/build_funchook.rb

@@ -62,5 +62,3 @@ unless find_header('funchook.h', ext_path)
     end
   end
 end
-
-have_header('funchook.h', ext_path)

data/ext/cs__assess_fiber_track/cs__assess_fiber_track.c

@@ -3,7 +3,6 @@
 
 #include "cs__assess_fiber_track.h"
 #include "../cs__common/cs__common.h"
-#include <funchook.h>
 #include <ruby.h>
 
 VALUE rb_fiber_new_hook(VALUE (*func)(ANYARGS), VALUE obj) {
@@ -64,17 +63,12 @@ VALUE rb_fiber_yield_hook(int argc, const VALUE *argv) {
 }
 
 int install_fiber_hooks() {
-    funchook_t *funchook = funchook_create();
-
     rb_fiber_new_original = rb_fiber_new;
-    funchook_prepare(funchook, (void **)&rb_fiber_new_original,
-                     rb_fiber_new_hook);
+    patch_via_funchook(&rb_fiber_new_original, &rb_fiber_new_hook);
 
     rb_fiber_yield_original = rb_fiber_yield;
-    funchook_prepare(funchook, (void **)&rb_fiber_yield_original,
-                     rb_fiber_yield_hook);
+    patch_via_funchook(&rb_fiber_yield_original, &rb_fiber_yield_hook);
 
-    funchook_install(funchook, 0);
     return 0;
 }
 

data/ext/cs__assess_fiber_track/cs__assess_fiber_track.h

@@ -1,4 +1,3 @@
-#include <funchook.h>
 #include <ruby.h>
 
 static VALUE rb_sym_next;

data/ext/cs__assess_string_interpolation26/cs__assess_string_interpolation26.c

@@ -3,7 +3,6 @@
 
 #include "cs__assess_string_interpolation26.h"
 #include "../cs__common/cs__common.h"
-#include <funchook.h>
 #include <ruby.h>
 
 static VALUE rb_str_concat_literals_hook(size_t num, VALUE *strary) {
@@ -14,13 +13,9 @@ static VALUE rb_str_concat_literals_hook(size_t num, VALUE *strary) {
 }
 
 static int install_hooks() {
-    funchook_t *funchook = funchook_create();
-
     rb_str_concat_literals_original = rb_str_concat_literals;
-    funchook_prepare(funchook, (void **)&rb_str_concat_literals_original,
-                     rb_str_concat_literals_hook);
+    patch_via_funchook(&rb_str_concat_literals_original, &rb_str_concat_literals_hook);
 
-    funchook_install(funchook, 0);
     return 0;
 }
 

data/ext/cs__assess_yield_track/cs__assess_yield_track.c

@@ -3,7 +3,6 @@
 
 #include "cs__assess_yield_track.h"
 #include "../cs__common/cs__common.h"
-#include <funchook.h>
 #include <ruby.h>
 
 static VALUE rb_yield_hook(VALUE val, const VALUE self) {
@@ -17,11 +16,8 @@ static VALUE rb_yield_hook(VALUE val, const VALUE self) {
 }
 
 static int install_yield_hooks() {
-    funchook_t *funchook = funchook_create();
     rb_yield_original = rb_yield;
-    funchook_prepare(funchook, (void **)&rb_yield_original,
-                     rb_yield_hook);
-    funchook_install(funchook, 0);
+    patch_via_funchook(&rb_yield_original, &rb_yield_hook);
     return 0;
 }
 

data/ext/cs__assess_yield_track/cs__assess_yield_track.h

@@ -1,4 +1,3 @@
-#include <funchook.h>
 #include <ruby.h>
 
 static VALUE split_class;

data/ext/cs__common/cs__common.c

@@ -3,12 +3,14 @@
 
 #include "cs__common.h"
 #include <ruby.h>
+#include <dlfcn.h>
 
 /* Globals */
 /* These are defined w/ `extern` in the header */
 VALUE contrast, agent, patching, policy, assess;
 VALUE core_extensions, core_assess;
 VALUE assess_policy, assess_propagator;
+VALUE funchook_path;
 
 VALUE rb_sym_enter_scope;
 VALUE rb_sym_exit_scope;
@@ -19,6 +21,28 @@ VALUE rb_sym_method;
 VALUE rb_sym_cs_tracked;
 /* end globals */
 
+void patch_via_funchook(void *original_function, void *hook_function) {
+    VALUE funchook_module_wrapper = rb_define_module("Funchook");
+    funchook_path = rb_iv_get(funchook_module_wrapper, "@path");
+
+    void *funchook_lib_handle;
+    void *funchook_reference, *(*funchook_create)(void);
+    int prepareResult, (*funchook_prepare)(void*, void**, void*);
+    int installResult, (*funchook_install)(void*, int);
+
+    funchook_lib_handle = dlopen(StringValueCStr(funchook_path), RTLD_NOW | RTLD_GLOBAL);
+
+    /* Load the funchook methods we need */
+    funchook_create  = (void* (*)(void))dlsym(funchook_lib_handle, "funchook_create");
+    funchook_prepare = (int (*)(void*, void**, void*))dlsym(funchook_lib_handle, "funchook_prepare");
+    funchook_install = (int (*)(void*, int))dlsym(funchook_lib_handle, "funchook_install");
+
+    funchook_reference = (void*)(*funchook_create)();
+
+    prepareResult = (*funchook_prepare)(funchook_reference, (void**)original_function, hook_function);
+    installResult = (*funchook_install)(funchook_reference, 0);
+}
+
 void contrast_alias_method(const VALUE target, const char *to,
                            const char *from) {
     rb_funcall(target, cs__send_method, 3, cs__alias_method_sym,

data/ext/cs__common/cs__common.h

@@ -16,6 +16,7 @@ static VALUE cs__alias_method_sym;
 extern VALUE contrast, agent, patching, policy, assess;
 extern VALUE core_extensions, core_assess;
 extern VALUE assess_policy, assess_propagator;
+extern VALUE funchook_path;
 
 extern VALUE rb_sym_enter_scope;
 extern VALUE rb_sym_exit_scope;
@@ -32,6 +33,8 @@ static VALUE rb_sym_alias_instance;
 static VALUE rb_sym_alias_singleton;
 static VALUE rb_sym_prepend;
 
+void patch_via_funchook(void *original_function, void *hook_function);
+
 void contrast_alias_method(const VALUE target, const char *to,
                            const char *from);
 

data/ext/cs__common/extconf.rb

@@ -4,18 +4,4 @@
 require 'mkmf'
 require_relative '../../lib/contrast/agent/version'
 
-installed_path = __dir__
-
-origin =  if !(/darwin/ =~ RUBY_PLATFORM).nil?
-            '@loader_path'
-          else
-            '\$${ORIGIN}'
-          end
-
-options = " -Wl,-rpath,#{ origin }/../../shared_libraries"
-
-$LDFLAGS << options if try_link('int main() {return 0;}', options)
-
-$LIBPATH << installed_path
-
 create_makefile 'cs__common/cs__common'

data/ext/extconf_common.rb

@@ -18,34 +18,6 @@ def ext_path
   __dir__
 end
 
-def rpath_root
-  if (/darwin/ =~ RUBY_PLATFORM).nil?
-    '\$${ORIGIN}'
-  else
-    '@loader_path'
-  end
-end
-
-def funchook_rpath!
-  options = " -Wl,-rpath,#{ rpath_root }/../../shared_libraries"
-  raise unless try_link('int main() {return 0;}', options)
-
-  $LDFLAGS << options
-  $LDFLAGS << " -L#{ __dir__ }/../shared_libraries"
-
-  find_header('funchook.h', ext_path)
-  have_header('funchook.h')
-
-  find_library('funchook', 'funchook_create', '../shared_libraries')
-  find_library('funchook', 'funchook_install')
-  find_library('funchook', 'funchook_prepare')
-  have_library('funchook', 'funchook_create')
-  have_library('funchook', 'funchook_install')
-  have_library('funchook', 'funchook_prepare')
-end
-
 require_relative './build_funchook'
 
-# default make pathway, here for convenience
-funchook_rpath!
 make!

data/lib/contrast.rb

@@ -39,6 +39,9 @@ end
 # config gets built as a consequence of this require
 cs__scoped_require 'contrast/components/interface'
 
+# This needs to be required very early, after component interfaces, and before instrumentation attempts
+cs__scoped_require 'contrast/funchook/funchook'
+
 # shared configuration support
 cs__scoped_require 'contrast/config'
 cs__scoped_require 'contrast/configuration'
@@ -47,7 +50,6 @@ cs__scoped_require 'contrast/agent/version'
 
 # errors and exceptions
 cs__scoped_require 'contrast/security_exception'
-cs__scoped_require 'contrast/internal_exception'
 
 # shared utils
 cs__scoped_require 'contrast/utils/timer'

data/lib/contrast/agent.rb

@@ -41,6 +41,11 @@ cs__scoped_require 'contrast/utils/thread_tracker'
 # Framework support
 cs__scoped_require 'contrast/framework/manager'
 
+# Communication to SR
+cs__scoped_require 'contrast/api/communication'
+
+cs__scoped_require 'contrast/agent/thread_watcher'
+
 module Contrast
   # Top namespace of the Agent section. Holds tracking contexts that will be
   # accessed throughout the Agent.
@@ -51,6 +56,14 @@ module Contrast
     def self.framework_manager
       @_framework_manager ||= Contrast::Framework::Manager.new
     end
+
+    def self.messaging_queue
+      @_messaging_queue ||= Contrast::Api::Communication::MessagingQueue.new
+    end
+
+    def self.thread_watcher
+      @_thread_watcher ||= Contrast::Agent::ThreadWatcher.new
+    end
   end
 end
 
@@ -63,7 +76,6 @@ cs__scoped_require 'contrast/agent/at_exit_hook'
 
 # communication with contrast service
 cs__scoped_require 'contrast/agent/exclusion_matcher'
-cs__scoped_require 'contrast/agent/socket_client'
 
 # threads that handle contrast scope
 cs__scoped_require 'contrast/agent/thread'
@@ -76,7 +88,7 @@ cs__scoped_require 'contrast/agent/assess'
 # protect rules
 cs__scoped_require 'contrast/agent/protect/rule'
 
-# application libraries and technologies
+# application libraries
 cs__scoped_require 'contrast/utils/gemfile_reader'
 
 # rack event monitoring

data/lib/contrast/agent/assess/contrast_event.rb

@@ -59,7 +59,7 @@ module Contrast
           end
         end
 
-        attr_reader :event_id, :parent_ids
+        attr_reader :event_id, :parent_ids, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args
 
         # We need this to track the parent id's of events to build up a flow
         # chart of the finding
@@ -78,7 +78,7 @@ module Contrast
           @policy_node = policy_node
           # so long as this event is built in a factory, we know Contrast Code
           # will be the first three events
-          @caller = caller(3, 20)
+          @stack_trace = caller(3, 20)
           @time = Contrast::Utils::Timer.now_ms
           @thread = Thread.current.object_id
 
@@ -157,6 +157,31 @@ module Contrast
           end
         end
 
+        # We have to do a little work to figure out what our TS appropriate
+        # target is. To break this down, the logic is as follows:
+        # 1) If my policy_node has a target, work on targets. Else, work on sources.
+        #    Per TS law, each policy_node must have at least a source or a target.
+        #    The only type of policy_node w/o targets is a Trigger, but that may
+        #    change.
+        # 2) If I have a highlight, it means that I have a P target that is
+        #    not in integer form (it was a named / keyword type for which I had
+        #    to find the index). I need to address this so that TS can process
+        #    it.
+        # 3) I'll set the event's source and target to TS values.
+        # 4) Return the highlight or the first source/target as the taint
+        #    target.
+        def determine_taint_target event_dtm
+          if @policy_node&.targets&.any?
+            event_dtm.source = @policy_node.source_string if @policy_node.source_string
+            event_dtm.target = @highlight ? "P#{ @highlight }" : @policy_node.target_string
+            @highlight || @policy_node.targets[0]
+          elsif policy_node&.sources&.any?
+            event_dtm.source = @highlight ? "P#{ @highlight }" : @policy_node.source_string
+            event_dtm.target = @policy_node.target_string if @policy_node.target_string
+            @highlight || @policy_node.sources[0]
+          end
+        end
+
         def value_of_source source, object, ret, args
           case source
           when Contrast::Utils::ObjectShare::OBJECT_KEY
@@ -179,171 +204,7 @@ module Contrast
 
         # Convert this event into a DTM that TeamServer can consume
         def to_dtm_event
-          event = Contrast::Api::Dtm::TraceEvent.new
-
-          # Figure out what the target of this event was. It's a little
-          # annoying for us since P can be named (thanks, Ruby) where
-          # as for everyone else it is idx based.
-          taint_target = determine_taint_target(event)
-
-          event.type = @policy_node.node_type
-          event.action = @policy_node.build_action
-          event.timestamp_ms = @time.to_i
-          event.thread = Contrast::Utils::StringUtils.force_utf8(@thread)
-          truncate_obj = Contrast::Utils::ObjectShare::OBJECT_KEY != taint_target
-          event.object = build_event_object(@object, truncate_obj)
-          truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
-          event.ret = build_event_object(@ret, truncate_ret)
-          built_args = build_event_args(taint_target)
-          built_args.each do |arg|
-            event.args << arg
-          end
-          taint_ranges = find_taint_ranges(@object, @args, @ret, taint_target)
-          taint_ranges.each do |range|
-            event.taint_ranges << range
-          end
-
-          # We delayed doing this as long as possible b/c it's expensive
-          stack = Contrast::Utils::StackTraceUtils.build_assess_stack_array(@caller)
-          event.stack += stack
-
-          event.object_id = event_id.to_i
-          parent_ids&.each do |id|
-            parent = Contrast::Api::Dtm::ParentObjectId.new
-            parent.id = id.to_i
-            event.parent_object_ids << parent
-          end
-
-          # not to be confused w/ the partial signature
-          build_complete_signature(event)
-
-          event
-        end
-
-        # We're not going to build the signature string here, b/c we have all
-        # the composite pieces of it. Instead, we're going to let TeamServer
-        # render this for us.
-        def build_complete_signature event
-          signature = Contrast::Api::Dtm::TraceEventSignature.new
-          event.signature = signature
-          return_type = @ret ? @ret.cs__class.name : Contrast::Utils::ObjectShare::NIL_STRING
-          signature.return_type = Contrast::Utils::StringUtils.force_utf8(return_type)
-          signature.class_name = Contrast::Utils::StringUtils.force_utf8(@policy_node.class_name)
-          signature.method_name = Contrast::Utils::StringUtils.force_utf8(@policy_node.method_name)
-          if @args
-            @args&.each do |arg|
-              arg_type = arg ? arg.cs__class.name : Contrast::Utils::ObjectShare::NIL_STRING
-              signature.arg_types << Contrast::Utils::StringUtils.force_utf8(arg_type)
-            end
-          end
-          signature.constructor = @policy_node.method_name == :new
-          # if there's a ret, then this method isn't nil. not 100% full proof since you can
-          # return nil, but this is the best we've got currently.
-          signature.void_method = @ret.nil?
-          # 8 is STATIC in Java... we have to placate them for now
-          # it has been requested that flags be removed since it isn't used
-          signature.flags = 8 unless @policy_node.instance_method?
-        end
-
-        # Wrapper around build_event_object for the args array. Handles
-        # tainting the correct argument.
-        def build_event_args taint_target
-          event_args = []
-          @args.each_index do |idx|
-            truncate_arg = taint_target != idx
-            event_arg = build_event_object(@args[idx], truncate_arg)
-            event_args << event_arg
-          end
-          event_args
-        end
-
-        # Build the event object. We were originally going to include taint on
-        # each one, but TS doesn't accept / use that, so it is a waste of time.
-        #
-        # We'll truncate any object that isn't important to the taint ranges of
-        # this event, so that we don't murder TeamServer by, for instance,
-        # hypothetically sending the entire rendered HTML page >_>  <_<  >_>
-        ELLIPSIS = '...'
-        UNTRUNCATED_PORTION_LENGTH = 25
-        TRUNCATION_LENGTH = (UNTRUNCATED_PORTION_LENGTH * 2) + 3 # ELLIPSIS length
-        def build_event_object object, truncate
-          event_object = Contrast::Api::Dtm::TraceEventObject.new
-          obj_string = Contrast::Utils::StringUtils.force_utf8(object)
-          if truncate && Contrast::Utils::StringUtils.ret_length(obj_string) > TRUNCATION_LENGTH
-            tmp = []
-            tmp << obj_string[0, UNTRUNCATED_PORTION_LENGTH]
-            tmp << ELLIPSIS
-            tmp << obj_string[
-                obj_string.length - UNTRUNCATED_PORTION_LENGTH,
-                UNTRUNCATED_PORTION_LENGTH]
-            obj_string = tmp.join
-          end
-          event_object.value = Base64.encode64(obj_string)
-          event_object.tracked = Contrast::Utils::Assess::TrackingUtil.tracked?(object)
-          event_object
-        end
-
-        # We have to do a little work to figure out what our TS appropriate
-        # target is. To break this down, the logic is as follows:
-        # 1) If my policy_node has a target, work on targets. Else, work on sources.
-        #    Per TS law, each policy_node must have at least a source or a target.
-        #    The only type of policy_node w/o targets is a Trigger, but that may
-        #    change.
-        # 2) If I have a highlight, it means that I have a P target that is
-        #    not in integer form (it was a named / keyword type for which I had
-        #    to find the index). I need to address this so that TS can process
-        #    it.
-        # 3) I'll set the event's source and target to TS values.
-        # 4) Return the highlight or the first source/target as the taint
-        #    target.
-        def determine_taint_target event
-          if @policy_node&.targets&.any?
-            event.source = @policy_node.source_string if @policy_node.source_string
-            event.target = if @highlight
-                             "P#{ @highlight }"
-                           else
-                             @policy_node.target_string
-                           end
-            @highlight || @policy_node.targets[0]
-          elsif @policy_node&.sources&.any?
-            event.source = if @highlight
-                             "P#{ @highlight }"
-                           else
-                             @policy_node.source_string
-                           end
-            event.target = @policy_node.target_string if @policy_node.target_string
-            @highlight || @policy_node.sources[0]
-          end
-        end
-
-        # TeamServer only supports one object's taint ranges at a time.
-        # We'll find the taint ranges for the target and return those
-        def find_taint_ranges object, args, ret, taint_target
-          # If there's no taint_target, this isn't a dataflow trace, but a
-          # trigger one
-          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless taint_target
-
-          properties = case taint_target
-                       when Contrast::Utils::ObjectShare::OBJECT_KEY
-                         object.cs__properties
-                       when Contrast::Utils::ObjectShare::RETURN_KEY
-                         ret.cs__properties
-                       else
-                         target = args[taint_target]
-                         if target.is_a?(Hash)
-                           if @policy_node&.targets&.any?
-                             target[@policy_node.targets[0]].cs__properties
-                           else
-                             target[@policy_node.sources[0]].cs__properties
-                           end
-                         else
-                           target.cs__properties
-                         end
-                       end
-
-          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless properties.tracked?
-
-          properties.tags_to_dtm
+          Contrast::Api::Dtm::TraceEvent.build(self)
         end
       end
     end