contrast-agent 3.14.0 → 3.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c3ef67bfca5c3d772078af285e4b3fa1ab314b06af04355db1aa50cce0d284e8
-  data.tar.gz: 5eb0fe6b5dba8f64b5947c1c7cade90718b18224b62b5e02eed470613e6fbe6d
+  metadata.gz: ac8fc7d0e9c127859cf7bdb149c7ac519286c4329bd81ad28db4963128e0cd63
+  data.tar.gz: 784afc67ef269df8dfbaed392e8ad28e2e3b679113ed8679625f95033e324929
 SHA512:
-  metadata.gz: caf748a141fe652cbb1cb3e658969820b22ca4e58a11cdc46ee9bc94932c00e031b186b96e8c44b884d6f658951e8936a75444aa4d52cb9d0d5e563ab29ef26b
-  data.tar.gz: b3235852bb77977f244beed747b032bfa6e80eb86ebdcfab622a8dba7acc7a939f87e08022a07e795d2c455ec3d3107771e5cdae0d5b893a4c6019f09945db43
+  metadata.gz: c1a5563b34a4eba33fdf8094986362f70c88bda53102899bb01ad0096588d26883b5e7ad475e41afa15b95674b8c2810cfe6546c6779b8e3b2030bf7bb1e33d6
+  data.tar.gz: 1a1eb220719c1caf3f7153108bff4ac5132130d6879dc2b425e6dd31720e4c76bda9c27c0ac65fa00ccb846a31cb173e04dc7d3320ba3079ea9b785a62991f00

data/ext/cs__assess_marshal_module/cs__assess_marshal_module.c

@@ -14,20 +14,19 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
     if (argc >= 1) {
         source_string = argv[0];
 
-        if (rb_respond_to(source_string, rb_sym_cs_tracked)) {
-            VALUE tracked = rb_funcall(source_string, rb_sym_cs_tracked, 0);
-
-            if (tracked == Qtrue) {
-                VALUE skip = rb_funcall(contrast_patcher(),
-                                        rb_sym_skip_assess_analysis, 0);
-
-                if (skip == Qfalse) {
-                    VALUE scope =
-                        rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
-                    rb_funcall(marshal_module, rb_sym_assess_load_trigger_check,
-                               2, source_string, result);
-                    rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
-                }
+        VALUE tracked =
+            rb_funcall(properties_hash, rb_sym_hash_tracked, 1, source_string);
+
+        if (tracked == Qtrue) {
+            VALUE skip =
+                rb_funcall(contrast_patcher(), rb_sym_skip_assess_analysis, 0);
+
+            if (skip == Qfalse) {
+                VALUE scope =
+                    rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0);
+                rb_funcall(marshal_module, rb_sym_assess_load_trigger_check, 2,
+                           source_string, result);
+                rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0);
             }
         }
     }
@@ -35,7 +34,11 @@ static VALUE contrast_assess_marshal_module_load(const int argc,
 }
 
 void Init_cs__assess_marshal_module(void) {
-    marshal_module = rb_define_class_under(core_assess, "MarshalPropagator", rb_cObject);
+    // Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
+    VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
+    properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
+    marshal_module =
+        rb_define_class_under(core_assess, "MarshalPropagator", rb_cObject);
     rb_sym_assess_load_trigger_check = rb_intern("cs__load_trigger_check");
 
     contrast_register_singleton_prepend_patch(

data/ext/cs__assess_marshal_module/cs__assess_marshal_module.h

@@ -3,6 +3,7 @@
 static VALUE marshal_module;
 
 static VALUE rb_sym_assess_load_trigger_check;
+static VALUE properties_hash;
 
 /*
  * Rails is a jerk. In Rails 5, they decided to do away with the alias chaining

data/ext/cs__assess_string/cs__assess_string.c

@@ -5,44 +5,43 @@
 #include "../cs__common/cs__common.h"
 #include <ruby.h>
 
-static VALUE contrast_assess_string_uminus(const int argc, VALUE *argv,
+static VALUE contrast_assess_string_freeze(const int argc, VALUE *argv,
                                            const VALUE obj) {
-    VALUE dup, tracked;
     if (!OBJ_FROZEN(obj)) {
-        tracked = rb_funcall(obj, rb_sym_cs_tracked, 0);
-        if (RTEST(tracked)) {
-            /*
-             * If the object is not frozen and the object is tracked, we cheat.
-             * We dup and then freeze to replicate the behavior of str_uminus in
-             * string.c, but we ignore any other monkey patches on String#-@
-             */
-            dup = rb_funcall(obj, rb_sym_dup, 0);
-            rb_funcall(obj, rb_intern("cs__transfer_properties"), 1, dup);
-            rb_funcall(dup, rb_sym_freeze, 0);
-            return dup;
-        }
+        rb_funcall(properties_hash, rb_sym_pre_freeze, 1, obj);
     }
-    /* in all other cases, preserve monkey patching and c call */
-    return rb_funcall(obj, rb_sym_assess_string_uminus, 0);
+    return rb_funcall(obj, rb_sym_assess_string_freeze, 0);
 }
 
-static VALUE contrast_assess_string_freeze(const int argc, VALUE *argv,
+static VALUE contrast_assess_string_uminus(const int argc, VALUE *argv,
                                            const VALUE obj) {
     if (!OBJ_FROZEN(obj)) {
-        // Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH.pre_freeze(self)
-        rb_funcall(properties_hash, rb_intern("pre_freeze"), 1, obj);
+        /* We're doing something intentionally different here. Ruby, for -@,
+         * attempts to de-duplicate the String and use an "interned" copy of
+         * the String. We cannot allow that to happen for a couple reasons:
+         * - prior to Ruby 2.7, this would cause us to track ALL instances of
+         *   that interned copy.
+         * - 2.7 and later, this action is actually missed because of a change
+         *   to the str_uminus method in Ruby, which dups the String in a way
+         *   that we cannot see.
+         * B/c we cannot track this in 2.7, rather than having a version check
+         * and two approaches, we'll instead directly call the #freeze method,
+         * so the end result is that this String itself is frozen and never
+         * deduplicated.
+         */
+        return contrast_assess_string_freeze(argc, argv, obj);
     }
-    return rb_funcall(obj, rb_sym_assess_string_freeze, 0);
+    /* in all other cases, preserve monkey patching and c call */
+    return rb_funcall(obj, rb_sym_assess_string_uminus, 0);
 }
 
 void Init_cs__assess_string(void) {
     rb_sym_dup = rb_intern("dup");
     rb_sym_freeze = rb_intern("freeze");
-
-    // Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH
-    VALUE finalizers = rb_define_module_under(assess, "Finalizers");
-    VALUE finalize = rb_define_module_under(finalizers, "Finalize");
-    properties_hash = rb_const_get(finalize, rb_intern("PROPERTIES_HASH"));
+    rb_sym_pre_freeze = rb_intern("pre_freeze");
+    // Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
+    VALUE tracker = rb_define_class_under(assess, "Tracker", rb_cObject);
+    properties_hash = rb_const_get(tracker, rb_intern("PROPERTIES_HASH"));
 
     rb_sym_assess_string_uminus =
         contrast_register_patch("String", "-@", &contrast_assess_string_uminus);

data/ext/cs__assess_string/cs__assess_string.h

@@ -2,10 +2,12 @@
 
 static VALUE rb_sym_assess_string_uminus;
 static VALUE rb_sym_assess_string_freeze;
-// Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH
+// Contrast::Agent::Assess::Tracker::PROPERTIES_HASH
 static VALUE properties_hash;
 static VALUE rb_sym_dup;
 static VALUE rb_sym_freeze;
+static VALUE rb_sym_pre_freeze;
+static VALUE properties_hash;
 
 /*
  * The String#-@ method calls to the str_uminus method in String.C. This method

data/ext/cs__common/cs__common.c

@@ -18,7 +18,7 @@ VALUE rb_sym_in_scope;
 VALUE rb_sym_skip_contrast_analysis;
 VALUE rb_sym_skip_assess_analysis;
 VALUE rb_sym_method;
-VALUE rb_sym_cs_tracked;
+VALUE rb_sym_hash_get, rb_sym_hash_set, rb_sym_hash_tracked;
 /* end globals */
 
 void patch_via_funchook(void *original_function, void *hook_function) {
@@ -144,7 +144,9 @@ void Init_cs__common(void) {
     rb_sym_skip_contrast_analysis = rb_intern("skip_contrast_analysis?");
     rb_sym_skip_assess_analysis = rb_intern("skip_assess_analysis?");
     rb_sym_method = rb_intern("__method__");
-    rb_sym_cs_tracked = rb_intern("cs__tracked?");
+    rb_sym_hash_get = rb_intern("[]");
+    rb_sym_hash_set = rb_intern("[]=");
+    rb_sym_hash_tracked = rb_intern("tracked?");
 
     /* Used for returning unbound C functions */
     rb_sym_register_c_patch = rb_intern("register_c_patch");

data/ext/cs__common/cs__common.h

@@ -23,7 +23,7 @@ extern VALUE rb_sym_in_scope;
 extern VALUE rb_sym_skip_contrast_analysis;
 extern VALUE rb_sym_skip_assess_analysis;
 extern VALUE rb_sym_method;
-extern VALUE rb_sym_cs_tracked;
+extern VALUE rb_sym_hash_get, rb_sym_hash_set, rb_sym_hash_tracked;
 
 static VALUE patcher;
 static VALUE rb_sym_instance_method;

data/lib/contrast.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 # Used to prevent deprecation warnings from flooding stdout
-ENV['PB_IGNORE_DEPRECATIONS'] = 'truee'
+ENV['PB_IGNORE_DEPRECATIONS'] = 'true'
 
 # Top-level namespace for Contrast Security agent
 module Contrast

data/lib/contrast/agent/assess.rb

@@ -8,6 +8,7 @@ module Contrast
     # class under this namespace should be required here, providing a single
     # point of require for this functionality.
     module Assess
+      require 'contrast/agent/assess/tracker'
       require 'contrast/agent/module_data'
       require 'contrast/agent/rewriter'
       require 'contrast/agent/assess/policy/preshift'

data/lib/contrast/agent/assess/contrast_event.rb

@@ -51,13 +51,7 @@ module Contrast
           def safe_dup original
             return nil unless original
 
-            begin
-              duplicate = original.dup
-              original.cs__transfer_properties(duplicate)
-              duplicate
-            rescue StandardError
-              original
-            end
+            Contrast::Agent::Assess::Tracker.duplicate(original)
           end
         end
 
@@ -97,13 +91,11 @@ module Contrast
             value_of_source(source, object, ret, args)
           end
           selected = mapped.select do |source|
-            source &&
-                Contrast::Utils::DuckUtils.quacks_to?(source, :cs__properties) &&
-                source.cs__properties.events &&
-                source.cs__properties.events.last
+            source && Contrast::Agent::Assess::Tracker.properties(source)&.events&.last
           end
           selected.map do |source|
-            source.cs__properties.events.last.event_id
+            properties = Contrast::Agent::Assess::Tracker.properties(source)
+            properties.events.last.event_id
           end
         end
 

data/lib/contrast/agent/assess/finalizers/freeze.rb

@@ -1,13 +1,15 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/tracker'
+
 # Our patch of the Object#freeze method, allowing any Object we track to
 # function with our Contrast::Agent::Assess::Finalizers::Hash
 class Object
   alias_method :cs__patched_object_freeze, :freeze
 
   def freeze
-    Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH.pre_freeze(self)
+    Contrast::Agent::Assess::Tracker.pre_freeze(self)
     cs__patched_object_freeze
   end
 end

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -29,6 +29,43 @@ module Contrast
             super key.__id__
           end
 
+          # Something is trackable if it is not a collection and either not
+          # frozen or it was frozen after we put a finalizer on it.
+          #
+          # @param key [Object] the thing to determine if trackable
+          # @return [Boolean]
+          def trackable? key
+            # Track things in these, not them themselves.
+            return false if Contrast::Utils::DuckUtils.iterable_hash?(key)
+            return false if Contrast::Utils::DuckUtils.iterable_enumerable?(key)
+            # If it's not frozen, we can finalize/ track it.
+            return true unless key.cs__frozen?
+
+            # Otherwise, we can only track it if we've finalized it in our
+            # freeze patch.
+            FROZEN_FINALIZED_IDS.include?(key.__id__)
+          end
+
+          # Determine if the given Object is tracked, meaning it has a known
+          # set of properties and those properties are tracked.
+          #
+          # @param key [Object] the Object whose properties, by id, we want to
+          #   check for tracked status
+          # @return [Boolean]
+          def tracked? key
+            key?(key.__id__) && fetch(key.__id__, nil)&.tracked?
+          end
+
+          # Remove the given key from our frozen and properties tracking during
+          # finalization of the Object to which the given key_id pertains.
+          # NOTE: by necessity, this is the only method which takes the __id__,
+          # not the Object itself. You CANNOT pass the Object to this as a
+          # finalizer cannot hold reference to the Object being finalized; that
+          # prevents GC, which introduces a memory leak and defeats the entire
+          # purpose of this.
+          #
+          # @param key_id [Integer] the Object Identifier to clean up during
+          #   finalization.
           def finalize key_id
             proc do
               FROZEN_FINALIZED_IDS.delete(key_id)
@@ -36,12 +73,19 @@ module Contrast
             end
           end
 
+          # Frozen things cannot be finalized. To avoid any issue here, we
+          # intercept the #freeze call and set finalizers on the Object. To
+          # ensure later we know it's been pre-finalized, we add it's __id__ to
+          # our tracking.
+          #
+          # @param key [Object] the Object on which we need to pre-define
+          #   finalizers
           def pre_freeze key
             return if key.cs__frozen?
             return if FROZEN_FINALIZED_IDS.include?(key.__id__)
-            return unless Contrast::Utils::DuckUtils.trackable?(key)
 
             ObjectSpace.define_finalizer(key, finalize(key.__id__))
+
             FROZEN_FINALIZED_IDS << key.__id__
           rescue StandardError => _e
             nil

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -37,7 +37,7 @@ module Contrast
               return unless ASSESS.enabled?
               return if in_contrast_scope?
 
-              with_contrast_scope { patcher.patch_specific_module(mod) }
+              patcher.patch_specific_module(mod)
             rescue StandardError => e
               logger.warn(
                   'Unable to patch assess during eval',

data/lib/contrast/agent/assess/policy/policy.rb

@@ -72,8 +72,6 @@ module Contrast
                 add_node(trigger_node)
               end
             end
-
-            tracked_classes.concat(policy_data[TRACKED_CLASSES_KEY])
           end
 
           # Providers is a term that we're taking from Java until we come up with

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
-require 'contrast/extension/assess/assess_extension'
 require 'contrast/utils/object_share'
 
 module Contrast

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -77,25 +77,21 @@ module Contrast
                                        0
                                      end
             return unless can
+            return unless Contrast::Agent::Assess::Tracker.tracked?(object)
 
-            props = Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[object]
-            return unless props
-
-            Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[preshift.object] ||= props.dup
+            Contrast::Agent::Assess::Tracker.copy(object, preshift.object)
           end
 
           def append_arg_details preshift, args
             preshift.args = args.dup
-            preshift.args.each_with_index do |arg, index|
+            preshift.args.each_with_index do |preshift_arg, index|
               original_arg = args[index]
-              next if arg.__id__ == original_arg.__id__
-
-              props = Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[original_arg]
-              next unless props
+              next if preshift_arg.__id__ == original_arg.__id__
+              next unless Contrast::Agent::Assess::Tracker.tracked?(original_arg)
 
-              Contrast::Agent::Assess::Finalizers::Finalize::PROPERTIES_HASH[arg] ||= props.dup
+              Contrast::Agent::Assess::Tracker.copy(original_arg, preshift_arg)
             end
-            preshift.arg_lengths = preshift.args.map { |arg| Contrast::Utils::DuckUtils.quacks_to?(arg, :length) ? arg.length : 0 }
+            preshift.arg_lengths = preshift.args.map { |preshift_arg| Contrast::Utils::DuckUtils.quacks_to?(preshift_arg, :length) ? preshift_arg.length : 0 }
           end
         end
       end

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -18,7 +18,7 @@ module Contrast
         # Strings
         module PropagationMethod
           include Contrast::Components::Interface
-          access_component :logging
+          access_component :analysis, :logging
 
           APPEND_ACTION = 'APPEND'
           CENTER_ACTION = 'CENTER'
@@ -124,15 +124,16 @@ module Contrast
                 Contrast::Agent::Assess::Policy::Propagator::Custom.propagate(propagation_node, preshift, ret, block)
               elsif propagation_node.action == SPLIT_ACTION
                 Contrast::Agent::Assess::Policy::Propagator::Split.propagate(propagation_node, preshift, target)
-              elsif Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
-                handle_cs_properties_propagation(propagation_node, preshift, target, object, ret, args, block)
               elsif Contrast::Utils::DuckUtils.iterable_hash?(target)
                 handle_hash_propagation(propagation_node, preshift, target, object, ret, args, block)
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
                 handle_enumerable_propagation(propagation_node, preshift, target, object, ret, args, block)
+              else
+                handle_cs_properties_propagation(propagation_node, preshift, target, object, ret, args, block)
               end
             rescue StandardError => e
               logger.warn('Unable to apply propagation', e, node_id: propagation_node.id)
+              nil
             end
 
             # Custom actions tend to be the more complex of our propagations.
@@ -186,28 +187,32 @@ module Contrast
               false
             end
 
+            # We cannot propagate to frozen things that have not been updated
+            # to work with our property tracking, unless they're duplicable and
+            # the return.
+            # We probably shouldn't propagate to frozen things at all, as
+            # they're supposed to be immutable, but third parties do jenky
+            # things, so allow it as long as it is safe to do.
+            #
+            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
+            #   the node that governs this propagation event.
+            # @param target [Object] the Target to which to propagate.
+            # @return [Boolean] if the target can be propagated to
             def appropriate_target? propagation_node, target
-              # We cannot propagate to things that do not have cs__properties.
-              return false unless Contrast::Utils::DuckUtils.quacks_to?(target, :cs__properties)
-
-              # We cannot propagate to frozen things that have not been
-              # previously tracked. We probably shouldn't propagate to frozen
-              # things at all, as they're supposed to be immutable, but third
-              # parties do jenky things, so allow it as long as it is safe to do.
-              return false if target.cs__frozen? &&
-                  !target.cs__tracked? &&
-                  propagation_node.targets[0] != Contrast::Utils::ObjectShare::RETURN_KEY
+              # special handle Returns b/c we can do unfreezing magic during propagation
+              return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
 
-              true
+              Contrast::Agent::Assess::Tracker.trackable?(target)
             end
 
             # If this patcher has tags, apply them to the entire target
             def apply_tags propagation_node, target
               return unless propagation_node.tags
 
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
               length = Contrast::Utils::StringUtils.ret_length(target)
               propagation_node.tags.each do |tag|
-                target.cs__properties.add_tag(tag, 0...length)
+                properties.add_tag(tag, 0...length)
               end
             end
 
@@ -215,8 +220,11 @@ module Contrast
             def apply_untags propagation_node, target
               return unless propagation_node.untags
 
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
+              return unless properties
+
               propagation_node.untags.each do |tag|
-                target.cs__properties.delete_tags(tag)
+                properties.delete_tags(tag)
               end
             end
 
@@ -230,6 +238,15 @@ module Contrast
               true
             end
 
+            # Safely duplicate the target, or return nil
+            #
+            # @param target [Object] the thing to check for duplication
+            def safe_dup target
+              target.dup
+            rescue StandardError => _e
+              nil
+            end
+
             def handle_hash_propagation propagation_node, preshift, target, object, ret, args, block
               target.each_pair do |key, value|
                 apply_propagator(propagation_node, preshift, key, object, ret, args, block)
@@ -249,30 +266,33 @@ module Contrast
               return if propagation_node.action == NOOP_ACTION
               return unless can_propagate?(propagation_node, preshift, target)
 
-              # propagate all the tags from the sources to the target
               propagation_class = PROPAGATION_ACTIONS.fetch(propagation_node.action, nil)
               unless propagation_class
                 logger.warn(
-                    'Unknown propgation action receieved. Unable to propagate.',
+                    'Unknown propagation action received. Unable to propagate.',
                     node_id: propagation_node.id,
                     action: propagation_node.action)
-                return ret
+                return
               end
-
               restore_frozen_state = false
-              if target.cs__frozen?
-                return ret unless propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+              if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
+                return unless ASSESS.track_frozen_sources?
+                return unless propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+                dup = safe_dup(ret)
+                return unless dup
 
                 restore_frozen_state = true
-                ret = Contrast::Utils::FreezeUtil.unfreeze_dup(target)
+                ret = dup
                 target = ret
+                Contrast::Agent::Assess::Tracker.pre_freeze(ret)
+                ret.cs__freeze
+                # double check that we were able to finalize the replaced return
+                return unless Contrast::Agent::Assess::Tracker.trackable?(target)
               end
-
               propagation_class.propagate(propagation_node, preshift, target)
-
               # Once we've propagated, attempt to tag the target if there is a tag(s) to be applied
               apply_tags(propagation_node, target)
-
               # Even though we skipped propagating tags from the source if they
               # were included in untags, the target may have already had some on
               # it. Let's go ahead and remove them.
@@ -280,16 +300,13 @@ module Contrast
               # both and there should never be a propagator that has a tag in
               # its untag.
               apply_untags(propagation_node, target)
-
-              target.cs__properties.add_properties(propagation_node.properties)
-
-              target.cs__properties.build_event(propagation_node, target, object, ret, args)
-
+              properties = Contrast::Agent::Assess::Tracker.properties(target)
+              properties.add_properties(propagation_node.properties)
+              properties.build_event(propagation_node, target, object, ret, args)
               logger.trace('Propagation detected',
                            node_id: propagation_node.id,
                            target_id: target.__id__)
-              ret.cs__freeze if restore_frozen_state
-              ret
+              restore_frozen_state ? ret : nil
             end
           end
         end