contrast-agent 4.1.0 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 17afcbc69a4ed7c1434a31d5d074d43d06bbbe5dc2a63ab73fb38a924634b620
-  data.tar.gz: 3650e096bc067ef278d7566001a8bc45d86fd398199bc82f034c7065c4ad3246
+  metadata.gz: 713e0f9cd16184d4b5da094f0d05b006870f557edfa0fc0ac199bf1035acfe45
+  data.tar.gz: f37a1ab7901a7c42bf5dce897c6dd0218f4df40d057c8719e3027f802ecd3c52
 SHA512:
-  metadata.gz: 90518dbf5524571ba773ecc5f2013ee67ab653f0feff52600e2c99591fca0b1090c42eb9484b8bb9621ec59633be34e0bc6acf9472a9c852f0ccaacffa5b7ba6
-  data.tar.gz: 444c90ed99aea811bf633c5cd724847f3b82093ed4299946defd05050165501d753b55bcb520cf6fb99c69a4cc2d13457e68cbf882ce14222bc7900787497c6c
+  metadata.gz: f1bcf5495957815fbe1acc801e9cdc9567a1a25f657b425a335cfa1412054ecdf4f92662d0eef0b19bdc2a1c5295b758d19ed4adf4cb7f37ef67bfaf4b67262f
+  data.tar.gz: bd3e6f02d68c7eaa9385f6626e52b3fe16cecbac10d53f8c82dd01b733c9f39666183afd21df601318ed95c482338b786e13cb8f087c8076872cd5fb3f4cfad8

data/lib/contrast/agent/patching/policy/patch.rb

@@ -365,12 +365,18 @@ module Contrast
                 unless target_module.instance_methods(false).include? underlying_method_name
                   # alias_method may be private
                   target_module.send(:alias_method, underlying_method_name, method_name)
+                  # TODO: RUBY-1052
+                  # rubocop:disable Kernel/DefineMethod
                   target_module.send(:define_method, method_name, unbound_method.bind(target_module))
+                  # rubocop:enable Kernel/DefineMethod
                 end
                 target_module.send(visibility, method_name) # e.g., module.private(:my_method)
               when :prepend
                 prepending_module = Module.new
+                # TODO: RUBY-1052
+                # rubocop:disable Kernel/DefineMethod
                 prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
+                # rubocop:enable Kernel/DefineMethod
                 prepending_module.send(visibility, method_name)
                 # This prepends to the singleton class (it patches a class method)
                 target_module.prepend prepending_module

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/at_exit_hook'
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/object_share'
@@ -45,11 +44,6 @@ module Contrast
             raise Contrast::SecurityException.new(
                 self,
                 "Command Injection rule triggered. Call to #{ classname }.#{ method } blocked.")
-          ensure
-            # Kernel#exec replaces the current process and does not go through
-            # at_exit hooks. Kernel#` runs as a subshell - messages appended
-            # here do not seem to be present in the original process.
-            Contrast::Agent::AtExitHook.on_exit if %i[exec `].include?(method.to_sym)
           end
 
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
@@ -104,37 +98,27 @@ module Contrast
 
           def report_command_execution context, command, **kwargs
             return unless report_any_command_execution?
-            return nil if protect_excluded_by_code?
+            return if protect_excluded_by_code?
 
             build_attack_with_match(context, nil, nil, command, **kwargs)
           end
 
           def find_probable_attacker context, potential_attack_string, ia_results, **kwargs
-            result = nil
-            if chained_command?(potential_attack_string) # this is probably an attack
-              most_likely = nil
-              ia_results.each do |input_analysis_result|
-                next unless chained_command?(input_analysis_result.value)
-
-                most_likely = input_analysis_result
-                break
-              end
-            end
-            return result unless most_likely
+            return unless chained_command?(potential_attack_string)
+
+            likely_attacker = ia_results.find { |input_analysis_result| chained_command?(input_analysis_result.value) }
+            return unless likely_attacker
 
-            result ||= build_attack_with_match(
+            build_attack_with_match(
                 context,
-                most_likely,
-                result,
+                likely_attacker,
+                nil,
                 potential_attack_string,
                 **kwargs)
-            result
           end
 
           def chained_command? command
-            return true if CHAINED_COMMAND_CHARS.match(command)
-
-            false
+            CHAINED_COMMAND_CHARS.match(command)
           end
 
           # Part of the Hardening for Command Injection detection is the

data/lib/contrast/agent/scope.rb

@@ -15,67 +15,73 @@ module Contrast
     # Instead, we should say "If I'm already doing Contrast things, don't track
     # this"
     class Scope
-      # The following %i[] list is the authoritative list
-      # of scopes.  If you define a new symbol here, you'll
-      # get scope methods:
-      #   %i[monkey] ->
-      #     enter_monkey_scope!
-      #     exit_monkey_scope!
-      #     in_monkey_scope?
-      #     with_monkey_scope { special_monkey_function }
       SCOPE_LIST = %i[contrast deserialization].cs__freeze
 
-      iv_list = SCOPE_LIST.map { |name| :"@#{ name }_scope" }
-      define_method 'initialize' do
-        iv_list.each do |iv_sym|
-          instance_variable_set(iv_sym, 0)
-        end
+      def initialize
+        instance_variable_set(:@contrast_scope, 0)
+        instance_variable_set(:@deserialization_scope, 0)
       end
 
-      SCOPE_LIST.each do |name|
-        iv_sym = :"@#{ name }_scope"
+      def in_contrast_scope?
+        instance_variable_get(:@contrast_scope).positive?
+      end
 
-        define_method "in_#{ name }_scope?" do
-          instance_variable_get(iv_sym).positive?
-        end
+      def in_deserialization_scope?
+        instance_variable_get(:@deserialization_scope).positive?
+      end
 
-        enter_method_sym = :"enter_#{ name }_scope!"
-        define_method enter_method_sym do
-          level = instance_variable_get(iv_sym)
-          instance_variable_set(iv_sym, level + 1)
-        end
+      def enter_contrast_scope!
+        level = instance_variable_get(:@contrast_scope)
+        instance_variable_set(:@contrast_scope, level + 1)
+      end
 
-        exit_method_sym = :"exit_#{ name }_scope!"
-        define_method exit_method_sym do
-          # by design, can go below zero.
-          # every exit/enter pair (regardless of series)
-          # should cancel each other out.
-          #
-          # so we prefer this sequence:
-          #   scope =  0
-          #   exit  = -1
-          #   enter =  0
-          #   enter =  1
-          #   exit  =  0
-          #   scope =  0
-          #
-          # over this sequence:
-          #   scope =  0
-          #   exit  =  0
-          #   enter =  1
-          #   enter =  2
-          #   exit  =  1
-          #   scope =  1
-          level = instance_variable_get(iv_sym)
-          instance_variable_set(iv_sym, level - 1)
-        end
+      def enter_deserialization_scope!
+        level = instance_variable_get(:@deserialization_scope)
+        instance_variable_set(:@deserialization_scope, level + 1)
+      end
 
-        define_method "with_#{ name }_scope" do |*_args, &block|
-          send enter_method_sym
-          block.call
-        ensure
-          send exit_method_sym
-        end
+      # Scope Exits...
+      # by design, can go below zero.
+      # every exit/enter pair (regardless of series)
+      # should cancel each other out.
+      #
+      # so we prefer this sequence:
+      #   scope =  0
+      #   exit  = -1
+      #   enter =  0
+      #   enter =  1
+      #   exit  =  0
+      #   scope =  0
+      #
+      # over this sequence:
+      #   scope =  0
+      #   exit  =  0
+      #   enter =  1
+      #   enter =  2
+      #   exit  =  1
+      #   scope =  1
+      def exit_contrast_scope!
+        level = instance_variable_get(:@contrast_scope)
+        instance_variable_set(:@contrast_scope, level - 1)
+      end
+
+      def exit_deserialization_scope!
+        level = instance_variable_get(:@deserialization_scope)
+        instance_variable_set(:@deserialization_scope, level - 1)
+      end
+
+      def with_contrast_scope
+        enter_contrast_scope!
+        yield
+      ensure
+        exit_contrast_scope!
+      end
+
+      def with_deserialization_scope
+        enter_deserialization_scope!
+        yield
+      ensure
+        exit_deserialization_scope!
       end
 
       # Dynamic versions of the above.

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '4.1.0'
+    VERSION = '4.2.0'
   end
 end

data/lib/contrast/common_agent_configuration.rb

@@ -65,7 +65,8 @@ module Contrast
       end
 
       %w[name default description required_languages display].each do |field|
-        define_method(field) { hsh[field].dup }
+        # TODO: RUBY-1052
+        define_method(field) { hsh[field].dup } # rubocop:disable Kernel/DefineMethod
       end
     end
 

data/lib/contrast/components/scope.rb

@@ -42,18 +42,61 @@ module Contrast
         # For each instance method on a scope, define a forwarder
         # to the scope on the current execution context's scope.
 
-        Contrast::Agent::Scope.public_instance_methods(false).each do |method_sym|
-          define_method(method_sym) do |*args, &block|
-            scope_for_current_ec.send(method_sym, *args, &block)
-          end
-        end
-
         def scope_for_current_ec
           MONITOR.synchronize do
             return EXECUTION_CONTEXT[Fiber.current] ||= Contrast::Agent::Scope.new
           end
         end
 
+        def enter_contrast_scope!
+          scope_for_current_ec.enter_contrast_scope!
+        end
+
+        def enter_deserialization_scope!
+          scope_for_current_ec.enter_deserialization_scope!
+        end
+
+        def enter_scope! name
+          scope_for_current_ec.enter_scope! name
+        end
+
+        def exit_contrast_scope!
+          scope_for_current_ec.exit_contrast_scope!
+        end
+
+        def exit_deserialization_scope!
+          scope_for_current_ec.exit_deserialization_scope!
+        end
+
+        def exit_scope! name
+          scope_for_current_ec.exit_scope! name
+        end
+
+        def in_contrast_scope?
+          scope_for_current_ec.in_contrast_scope?
+        end
+
+        def in_deserialization_scope?
+          scope_for_current_ec.in_deserialization_scope?
+        end
+
+        def in_scope? name
+          scope_for_current_ec.in_scope? name
+        end
+
+        def with_contrast_scope
+          scope_for_current_ec.enter_contrast_scope!
+          yield
+        ensure
+          scope_for_current_ec.exit_contrast_scope!
+        end
+
+        def with_deserialization_scope
+          scope_for_current_ec.enter_deserialization_scope!
+        ensure
+          scope_for_current_ec.exit_deserialization_scope!
+        end
+
         # TODO: RUBY-572
         #
         # Current behavior is to no-op if we're not "in a request context".

data/lib/contrast/components/settings.rb

@@ -57,19 +57,22 @@ module Contrast
         # Meta-define an accessor for each state attribute.
 
         PROTECT_STATE_ATTRS.each do |attr|
-          define_method(attr) do
+          # TODO: RUBY-1052
+          define_method(attr) do # rubocop:disable Kernel/DefineMethod
             protect_state[attr]
           end
         end
 
         ASSESS_STATE_ATTRS.each do |attr|
-          define_method(attr) do
+          # TODO: RUBY-1052
+          define_method(attr) do # rubocop:disable Kernel/DefineMethod
             assess_state[attr]
           end
         end
 
         APPLICATION_STATE_ATTRS.each do |attr|
-          define_method(attr) do
+          # TODO: RUBY-1052
+          define_method(attr) do # rubocop:disable Kernel/DefineMethod
             application_state[attr]
           end
         end

data/lib/contrast/extension/assess/array.rb

@@ -35,7 +35,7 @@ module Contrast
           # operation happens in C, we have to do it here rather than rely on the
           # patch of our String append or concat methods.
           def cs__track_join ary, separator, ret
-            return ret unless ary
+            return ret unless ary&.any? { |element| Contrast::Agent::Assess::Tracker.tracked?(element) }
             return ret if Contrast::Agent::Patching::Policy::Patch.skip_assess_analysis?
 
             with_contrast_scope do

data/lib/contrast/extension/assess/exec_trigger.rb

@@ -28,9 +28,6 @@ module Contrast
               Kernel,
               nil,
               [source])
-          # Exec replaces the current process, if we occur in a forked process
-          # our appendage of this finding will not make it to TS
-          Contrast::Agent::AtExitHook.on_exit
         end
 
         private

data/ruby-agent.gemspec

@@ -14,6 +14,7 @@ def self.add_authors spec
     donald.propst@contrastsecurity.com
     alex.macdonald@contrastsecurity.com
     mark.petersen@contrastsecurity.com
+    joshua.reed@contrastsecurity.com
   ]
 end
 

data/service_executables/VERSION

@@ -1 +1 @@
-2.15.1
+2.16.0

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: contrast-agent
 version: !ruby/object:Gem::Version
-  version: 4.1.0
+  version: 4.2.0
 platform: ruby
 authors:
 - galen.palmer@contrastsecurity.com
@@ -9,10 +9,11 @@ authors:
 - donald.propst@contrastsecurity.com
 - alex.macdonald@contrastsecurity.com
 - mark.petersen@contrastsecurity.com
+- joshua.reed@contrastsecurity.com
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-20 00:00:00.000000000 Z
+date: 2020-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: amazing_print
@@ -498,20 +499,20 @@ executables:
 - contrast_service
 extensions:
 - ext/cs__common/extconf.rb
-- ext/cs__contrast_patch/extconf.rb
 - ext/cs__assess_active_record_named/extconf.rb
-- ext/cs__assess_module/extconf.rb
-- ext/cs__assess_marshal_module/extconf.rb
-- ext/cs__assess_hash/extconf.rb
-- ext/cs__assess_regexp/extconf.rb
-- ext/cs__assess_string/extconf.rb
-- ext/cs__protect_kernel/extconf.rb
-- ext/cs__assess_string_interpolation26/extconf.rb
-- ext/cs__assess_kernel/extconf.rb
 - ext/cs__assess_fiber_track/extconf.rb
+- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__contrast_patch/extconf.rb
 - ext/cs__assess_array/extconf.rb
+- ext/cs__protect_kernel/extconf.rb
+- ext/cs__assess_kernel/extconf.rb
+- ext/cs__assess_regexp/extconf.rb
+- ext/cs__assess_hash/extconf.rb
+- ext/cs__assess_module/extconf.rb
+- ext/cs__assess_string_interpolation26/extconf.rb
+- ext/cs__assess_marshal_module/extconf.rb
 - ext/cs__assess_yield_track/extconf.rb
-- ext/cs__assess_basic_object/extconf.rb
+- ext/cs__assess_string/extconf.rb
 extra_rdoc_files: []
 files:
 - ".clang-format"