contrast-agent 3.15.0 → 3.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ac8fc7d0e9c127859cf7bdb149c7ac519286c4329bd81ad28db4963128e0cd63
-  data.tar.gz: 784afc67ef269df8dfbaed392e8ad28e2e3b679113ed8679625f95033e324929
+  metadata.gz: c2172066d6736b55c6754bb6913ec9fb9962ac1b818a85b4faa7ef822bb5df97
+  data.tar.gz: 209286f4ef6ce8b688e3849a502ece6cfc914f795fae25b5cb417b3fa3998b50
 SHA512:
-  metadata.gz: c1a5563b34a4eba33fdf8094986362f70c88bda53102899bb01ad0096588d26883b5e7ad475e41afa15b95674b8c2810cfe6546c6779b8e3b2030bf7bb1e33d6
-  data.tar.gz: 1a1eb220719c1caf3f7153108bff4ac5132130d6879dc2b425e6dd31720e4c76bda9c27c0ac65fa00ccb846a31cb173e04dc7d3320ba3079ea9b785a62991f00
+  metadata.gz: e6c19a309c1d7c7e2600d2f90d5da2664c315550be00475720165dde741d821d3ceb391282831aeb8ddcbe8e86b50b48d741d5c63d85c7a92c38ef0e54b7b0cd
+  data.tar.gz: f4c1a92e5272730285b467c63768e31b1d6d7cb4266cbd6133c6de312603fcabc9c3bc814bc7f20d48fa444651fb040713ed1438b70076e9be9be396dab6603b

data/lib/contrast/agent.rb

@@ -94,12 +94,5 @@ require 'contrast/utils/gemfile_reader'
 # rack event monitoring
 require 'contrast/agent/middleware'
 
-# TODO: RUBY-919
-# Refactor to use Contrast::Framework::Manager
-# Contrast::Framework::Manager.before_load_patches!
-if defined?(::Rails)
-  require 'contrast/framework/rails/patch/support'
-  require 'contrast/framework/rails/patch/rails_application_configuration'
-  Contrast::Framework::Rails::Patch::RailsApplicationConfiguration.instrument
-  require 'contrast/agent/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
-end
+# Install the patches we need before the application has a chance to initialize
+Contrast::Agent.framework_manager.before_load_patches!

data/lib/contrast/agent/assess/contrast_event.rb

@@ -16,10 +16,32 @@ module Contrast
       # This class holds the data about an event in the application
       # We'll use it to build an event that TeamServer can consume if
       # the object to which this event belongs ends in a trigger.
+      #
+      # @attr_reader event_id [Integer] the atomic id of this event
+      # @attr_reader policy_node [Contrast::Agent::Assess::Policy::PolicyNode]
+      #   the node that governs this event.
+      # @attr_reader stack_trace [Array<String>] the execution stack at the
+      #   time the method for this event was invoked
+      # @attr_reader time [Integer] the time, in epoch ms, when this event was
+      #   created
+      # @attr_reader thread [Integer] the object id of the thread on which this
+      #   event was generated
+      # @attr_reader object [String] the safe representation of the Object on
+      #   which the method was invoked
+      # @attr_reader ret [String] the safe representation of the Return of the
+      #   invoked method
+      # @attr_reader args [Array<Object>] the safe representation of the
+      #   Arguments with which the method was invoked
       class ContrastEvent
         include Contrast::Utils::PreventSerialization
 
         class << self
+          # Given an array of arguments, copy them into a safe, meaning String,
+          # format that we can use to send to SR and TS for rendering.
+          #
+          # @param args [Array<Object>] the arguments to translate
+          # @return [Array<String>] the String forms of those Objects, as
+          #   determined by Contrast::Utils::ClassUtil.to_contrast_string
           def safe_args_representation args
             return nil unless args
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY if args.empty?
@@ -36,26 +58,31 @@ module Contrast
             rep
           end
 
-          def safe_arg_hash_representation hash
-            # since this is the named hash for arguments, only the value is
-            # suspect here
-            hash.transform_values { |v| Contrast::Utils::ClassUtil.to_contrast_string(v) }
-          end
-
           # if given an object that can be duped, duplicate it. otherwise just
           # return the original object. swallow all exceptions from
           # non-duplicable things.
           #
           # we can't just check respond_to? though b/c dup exists on the
           # base Object class
+          #
+          # @param original [Object, nil] the thing to duplicate
+          # @return [Object, nil] a copy of that thing
           def safe_dup original
             return nil unless original
 
             Contrast::Agent::Assess::Tracker.duplicate(original)
           end
+
+          private
+
+          def safe_arg_hash_representation hash
+            # since this is the named hash for arguments, only the value is
+            # suspect here
+            hash.transform_values { |v| Contrast::Utils::ClassUtil.to_contrast_string(v) }
+          end
         end
 
-        attr_reader :event_id, :parent_ids, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args
+        attr_reader :event_id, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args
 
         # We need this to track the parent id's of events to build up a flow
         # chart of the finding
@@ -70,6 +97,13 @@ module Contrast
           end
         end
 
+        # @param policy_node [Contrast::Agent::Assess::Policy::PolicyNode]
+        #   the node that governs this event.
+        # @param tagged [Object] the Target to which this event pertains.
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method
+        #   was invoked
         def initialize policy_node, tagged, object, ret, args
           @policy_node = policy_node
           # so long as this event is built in a factory, we know Contrast Code
@@ -80,26 +114,110 @@ module Contrast
 
           # These methods rely on the above being set. Don't move them!
           @event_id = Contrast::Agent::Assess::ContrastEvent.next_atomic_id
-          @parent_ids = find_parent_ids(policy_node, object, ret, args)
-          snapshot(tagged, object, ret, args)
+          find_parent_events!(policy_node, object, ret, args)
+          snapshot!(tagged, object, ret, args)
         end
 
-        # Parent IDs are the event ids of all the sources of this event which
-        # were tracked prior to this event occurring
-        def find_parent_ids policy_node, object, ret, args
-          mapped = policy_node.sources.map do |source|
-            value_of_source(source, object, ret, args)
+        def parent_events
+          @_parent_events ||= []
+        end
+
+        # We have to do a little work to figure out what our TS appropriate
+        # target is. To break this down, the logic is as follows:
+        # 1) If my policy_node has a target, work on targets. Else, work on sources.
+        #    Per TS law, each policy_node must have at least a source or a target.
+        #    The only type of policy_node w/o targets is a Trigger, but that may
+        #    change.
+        # 2) If I have a highlight, it means that I have a P target that is
+        #    not in integer form (it was a named / keyword type for which I had
+        #    to find the index). I need to address this so that TS can process
+        #    it.
+        # 3) I'll set the event's source and target to TS values.
+        # 4) Return the highlight or the first source/target as the taint
+        #    target.
+        def determine_taint_target event_dtm
+          if @policy_node&.targets&.any?
+            event_dtm.source = @policy_node.source_string if @policy_node.source_string
+            event_dtm.target = @highlight ? "P#{ @highlight }" : @policy_node.target_string
+            @highlight || @policy_node.targets[0]
+          elsif policy_node&.sources&.any?
+            event_dtm.source = @highlight ? "P#{ @highlight }" : @policy_node.source_string
+            event_dtm.target = @policy_node.target_string if @policy_node.target_string
+            @highlight || @policy_node.sources[0]
           end
-          selected = mapped.select do |source|
-            source && Contrast::Agent::Assess::Tracker.properties(source)&.events&.last
+        end
+
+        # Convert this event into a DTM that TeamServer can consume
+        def to_dtm_event
+          Contrast::Api::Dtm::TraceEvent.build(self)
+        end
+
+        private
+
+        # Parent events are the events of all the sources of this event which
+        # were tracked prior to this event occurring. Depending on which, if
+        # any of the sources were tracked, there may be more than one parent.
+        #
+        # All events except for [Contrast::Agent::Assess::Events::SourceEvent]
+        # will have at least one parent.
+        #
+        # We set those events to this event's instance variables.
+        #
+        # @param policy_node [Contrast::Agent::Assess::Policy::PolicyNode]
+        #   the node that governs this event.
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method
+        #   was invoked
+        def find_parent_events! policy_node, object, ret, args
+          policy_node.sources.each do |source_marker|
+            source = value_of_source(source_marker, object, ret, args)
+            next unless source
+
+            event = Contrast::Agent::Assess::Tracker.properties(source)&.event
+            parent_events << event if event
           end
-          selected.map do |source|
-            properties = Contrast::Agent::Assess::Tracker.properties(source)
-            properties.events.last.event_id
+        end
+
+        # @param source [String] the marker for the source type
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method
+        #   was invoked
+        # @return [Object,nil] the literal value of the source indicated by the
+        #   given marker
+        def value_of_source source, object, ret, args
+          case source
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          else
+            if source.is_a?(Integer)
+              args[source]
+            else
+              args.each do |search|
+                next unless search.is_a?(Hash)
+
+                s = search[source]
+                return s if s
+              end
+            end
           end
         end
 
-        def snapshot tagged, object, ret, args
+        # Everything* is mutable in Ruby. As such, to ensure we can accurately
+        # report the application state at the time of this method's invocation,
+        # we have to snapshot the given values, making safe representations of
+        # them for our later use. We set those safe values to this event's
+        # instance variables.
+        #
+        # @param tagged [Object] the Target to which this event pertains.
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method
+        #   was invoked
+        def snapshot! tagged, object, ret, args
           target = @policy_node.target
           case target
             # If the target is nil, this rule was violated simply by a method
@@ -133,6 +251,10 @@ module Contrast
         # I know we're creating an extra string here since we replace the safe
         # one w/ a dup, but good enough for now. Trying not to make this too
         # complicated. - HM 8/8/19
+        #
+        # @param target [String,Integer] the marker for the target index
+        # @param tagged [Object] the actual Object that we're acting on which
+        #   has tags
         def save_target_arg target, tagged
           return if @args.cs__frozen?
 
@@ -150,56 +272,6 @@ module Contrast
             break
           end
         end
-
-        # We have to do a little work to figure out what our TS appropriate
-        # target is. To break this down, the logic is as follows:
-        # 1) If my policy_node has a target, work on targets. Else, work on sources.
-        #    Per TS law, each policy_node must have at least a source or a target.
-        #    The only type of policy_node w/o targets is a Trigger, but that may
-        #    change.
-        # 2) If I have a highlight, it means that I have a P target that is
-        #    not in integer form (it was a named / keyword type for which I had
-        #    to find the index). I need to address this so that TS can process
-        #    it.
-        # 3) I'll set the event's source and target to TS values.
-        # 4) Return the highlight or the first source/target as the taint
-        #    target.
-        def determine_taint_target event_dtm
-          if @policy_node&.targets&.any?
-            event_dtm.source = @policy_node.source_string if @policy_node.source_string
-            event_dtm.target = @highlight ? "P#{ @highlight }" : @policy_node.target_string
-            @highlight || @policy_node.targets[0]
-          elsif policy_node&.sources&.any?
-            event_dtm.source = @highlight ? "P#{ @highlight }" : @policy_node.source_string
-            event_dtm.target = @policy_node.target_string if @policy_node.target_string
-            @highlight || @policy_node.sources[0]
-          end
-        end
-
-        def value_of_source source, object, ret, args
-          case source
-          when Contrast::Utils::ObjectShare::OBJECT_KEY
-            object
-          when Contrast::Utils::ObjectShare::RETURN_KEY
-            ret
-          else
-            if source.is_a?(Integer)
-              args[source]
-            else
-              args.each do |search|
-                next unless search.is_a?(Hash)
-
-                s = search[source]
-                return s if s
-              end
-            end
-          end
-        end
-
-        # Convert this event into a DTM that TeamServer can consume
-        def to_dtm_event
-          Contrast::Api::Dtm::TraceEvent.build(self)
-        end
       end
     end
   end

data/lib/contrast/agent/assess/events/source_event.rb

@@ -21,7 +21,7 @@ module Contrast
             @request = Contrast::Agent::REQUEST_TRACKER.current&.request
           end
 
-          def find_parent_ids _policy_node, _object, _ret, _args
+          def parent_events
             nil
           end
 

data/lib/contrast/agent/assess/policy/dynamic_source_factory.rb

@@ -110,16 +110,23 @@ module Contrast
               dynamic_source.method_name = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.instance_method = source_node.instance_method?
               dynamic_source.target = Contrast::Utils::StringUtils.force_utf8(source_node.target_string)
-              properties.events.each do |event|
-                dynamic_source.events << event.to_dtm_event
-              end
               dynamic_source.properties[READ_TABLE] = Contrast::Utils::StringUtils.force_utf8(source_node.class_name)
               dynamic_source.properties[READ_COLUMN] = Contrast::Utils::StringUtils.force_utf8(field)
               dynamic_source.properties[WRITE_QUERY_TIME] = Contrast::Utils::StringUtils.force_utf8(Contrast::Utils::Timer.now_ms)
               url = current_context.request.normalized_uri
               dynamic_source.properties[WRITE_QUERY_URL] = Contrast::Utils::StringUtils.force_utf8(url)
+              append_events(dynamic_source, properties.event)
               dynamic_source
             end
+
+            def append_events dynamic_source, event
+              return unless event
+
+              event.parent_events&.each do |parent_event|
+                append_events(dynamic_source, parent_event)
+              end
+              dynamic_source.events << event.to_dtm_event
+            end
           end
         end
       end

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -157,19 +157,24 @@ module Contrast
           # Everything else (propagation nodes) are Source2Target
           def build_action
             @event_action ||= begin
-              source = source_string
-              target = target_string
-              if source.nil?
+              case node_class
+              when Contrast::Agent::Assess::Policy::SourceNode::SOURCE
                 :CREATION
-              elsif target.nil?
+              when Contrast::Agent::Assess::Policy::TriggerNode::TRIGGER
                 :TRIGGER
               else
-                # TeamServer can't handle the multi-source or multi-target
-                # values. Give it some help by changing them to 'A'
-                source = ALL_TYPE if source.include?(Contrast::Utils::ObjectShare::COMMA)
-                target = ALL_TYPE if target.include?(Contrast::Utils::ObjectShare::COMMA)
-                str = source[0] + TO_MARKER + target[0]
-                str.to_sym
+                if source_string.nil?
+                  :CREATION
+                elsif target_string.nil?
+                  :TRIGGER
+                else
+                  # TeamServer can't handle the multi-source or multi-target
+                  # values. Give it some help by changing them to 'A'
+                  source = source_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : source_string
+                  target = target_string.include?(Contrast::Utils::ObjectShare::COMMA) ? ALL_TYPE : target_string
+                  str = source[0] + TO_MARKER + target[0]
+                  str.to_sym
+                end
               end
             end
             @event_action

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -27,8 +27,14 @@ module Contrast
               mod = trace_point.self
               return if mod.cs__frozen? || mod.singleton_class?
 
+              # TODO: RUBY-1013 - get AST here instead of TP, so we only need
+              #   to make one per provider, instead of one per rule
               policy.providers.each_value do |provider|
-                provider.analyze mod
+                if RUBY_VERSION >= '2.6.0'
+                  provider.parse(trace_point)
+                else # TODO: RUBY-1014 - remove alternative
+                  provider.analyze(mod)
+                end
               end
             end
 

data/lib/contrast/agent/assess/policy/propagator/insert.rb

@@ -19,7 +19,7 @@ module Contrast
                 properties = Contrast::Agent::Assess::Tracker.properties(target)
                 return unless properties
 
-                source = find_source(propagation_node.sources[0], preshift)
+                source = find_source(propagation_node.sources[1], preshift)
 
                 patcher_target = propagation_node.targets[0]
                 preshift_target = case patcher_target

data/lib/contrast/agent/assess/policy/propagator/match_data.rb

@@ -75,9 +75,6 @@ module Contrast
                 applicable_tags.each do |tag_name, tag_ranges|
                   return_properties.set_tags(tag_name, tag_ranges)
                 end
-                original_properties.events.each do |event|
-                  return_properties.add_event(event)
-                end
                 return_properties.build_event(propagation_node, return_value, preshift.object, return_value, preshift.args)
               end
             end

data/lib/contrast/agent/assess/policy/propagator/select.rb

@@ -27,13 +27,11 @@ module Contrast
                 unless ret &&
                       !ret.empty? &&
                       Contrast::Agent::Assess::Tracker.tracked?(source)
+
                   return
                 end
 
                 source_properties = Contrast::Agent::Assess::Tracker.properties(source)
-                source_properties.events.each do |event|
-                  properties.events << event
-                end
                 properties.build_event(
                     patcher,
                     ret,

data/lib/contrast/agent/assess/policy/propagator/splat.rb

@@ -50,11 +50,6 @@ module Contrast
                   next unless input_properties
 
                   properties.splat_from(input, target)
-                  next if input == target
-
-                  input_properties.events.each do |event|
-                    properties.events << event
-                  end
                 end
               end
             end

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -36,6 +36,8 @@ module Contrast
                              target_id: target.__id__)
                 unless target.is_a?(Array)
                   Contrast::Agent::Assess::Policy::Propagator::Keep.propagate(propagation_node, preshift, target)
+                  properties = Contrast::Agent::Assess::Tracker.properties(target)
+                  properties.build_event(propagation_node, target, object, ret, args)
                   return
                 end
 
@@ -62,9 +64,6 @@ module Contrast
                   tags.each_pair do |key, value|
                     elem_properties.set_tags(key, value)
                   end
-                  source_properties.events.each do |event|
-                    elem_properties.add_event(event)
-                  end
                   elem_properties.build_event(propagation_node, elem, preshift.object, target, preshift.args, 0)
                   elem_properties.add_properties(propagation_node.properties)
                   current_index = current_index + elem_length + separator_length
@@ -145,12 +144,12 @@ module Contrast
               def instrument_string_split
                 if @_instrument_string_split.nil?
                   @_instrument_string_split = begin
-                                                require 'cs__assess_yield_track/cs__assess_yield_track' if AGENT.patch_yield? && Funchook.available?
-                                                true
-                                              rescue StandardError => e
-                                                logger.error('Error loading split rb_yield patch', e)
-                                                false
-                                              end
+                    require 'cs__assess_yield_track/cs__assess_yield_track' if AGENT.patch_yield? && Funchook.available?
+                    true
+                  rescue StandardError => e
+                    logger.error('Error loading split rb_yield patch', e)
+                    false
+                  end
                 end
                 @_instrument_string_split
               end
@@ -197,10 +196,10 @@ module Contrast
               #   String#split node
               def split_node
                 @_split_node ||= begin
-                                   Contrast::Agent::Assess::Policy::Policy.instance.propagators.find do |node|
-                                     node.class_name == 'String' && node.method_name == :split && node.instance_method?
-                                   end
-                                 end
+                  Contrast::Agent::Assess::Policy::Policy.instance.propagators.find do |node|
+                    node.class_name == 'String' && node.method_name == :split && node.instance_method?
+                  end
+                end
               end
             end
           end