contrast-agent 4.8.0 → 4.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e9b59d691aacb946697f5e70adca3118f87953a30209d9fb5aebb232df42ec3f
-  data.tar.gz: b4f831bbb3bf826aa0e28ee7f8040aca3f1efd9b50af63f0196124766afcdaa6
+  metadata.gz: 04fe75ff7b610b12a7c4e3416830e0362dcc272346a2591dee97d36b08fe4d20
+  data.tar.gz: 319c8eb0cf2377f735d9ba9318ec518e10c9986c7674bf652885ff73c40423fb
 SHA512:
-  metadata.gz: c37bdcf57f387aa4c8353db52eb5dff04c7c1781c31b5af7dd12e87f79c31b7fdb942031e97f5e0f5ea9d5d29407725ac2a63916080fe4041def3627426a4428
-  data.tar.gz: 2a05dab78c39243740d7357f43484c26f6ede46d05f7f28ad212fe8914fbd19887021d2fe6d217aa1e9312ea33b9a4880dcaa7a4bf4cb75a43a6ce9db56d95e2
+  metadata.gz: 66f782973a14ee44b732f3fb17d4a40ac072ca6b78627c72f343bf5a4902d5d9dcf95aa92249f8659cb3214fb765828834507196f6bcb8787eece732a7242795
+  data.tar.gz: 5a9578db89d3d2a6f1e904fe3e248d5577d1db30a4d81049d4552fa6c0a3733638cbe9862d3f29f5979bad718add38b6d579541df40780e3746c1990bbe4f882

data/.gitignore

@@ -1,8 +1,8 @@
 /.bundle/
 /.yardoc
 /_yardoc/
-/Gemfile.lock
 /coverage/
+/Gemfile.lock
 /data/*
 /doc/
 /log/
@@ -18,6 +18,11 @@
 /ext/**/*.so
 /ext/**/*.bundle
 
+bin
+ruby-spec
+mspec
+service_executables
+
 # Funchook artifacts
 /ext/**/funchook.h
 /ext/**/libfunchook.dylib

data/.simplecov

@@ -4,4 +4,5 @@
 SimpleCov.minimum_coverage line: 94.75
 SimpleCov.start do
   add_filter '/spec/'
+  enable_coverage :branch
 end

data/lib/contrast.rb

@@ -4,10 +4,6 @@
 # Used to prevent deprecation warnings from flooding stdout
 ENV['PB_IGNORE_DEPRECATIONS'] = 'true'
 
-# Top-level namespace for Contrast Security agent
-module Contrast
-end
-
 # Some developers override various methods on Object, which can often involve
 # changing expected method parity/behavior which in turn prevents us from being
 # able to reliably use affected methods.
@@ -38,22 +34,36 @@ if RUBY_VERSION >= '3.0.0'
   end
 end
 
-# component interface for class creation
-# config gets built as a consequence of this require
-require 'contrast/components/interface'
+require 'contrast/components/agent'
+require 'contrast/components/app_context'
+require 'contrast/components/assess'
+require 'contrast/components/config'
+require 'contrast/components/contrast_service'
+require 'contrast/components/inventory'
+require 'contrast/components/logger'
+require 'contrast/components/protect'
+require 'contrast/components/sampling'
+require 'contrast/components/scope'
+require 'contrast/components/settings'
+
+module Contrast
+  SCOPE = Contrast::Components::Scope::Interface.new
+  CONFIG = Contrast::Components::Config::Interface.new
+  SETTINGS = Contrast::Components::Settings::Interface.new
+  ASSESS = Contrast::Components::Assess::Interface.new
+  PROTECT = Contrast::Components::Protect::Interface.new
+  INVENTORY = Contrast::Components::Inventory::Interface.new
+  LOGGER = Contrast::Components::Logger::Interface.new
+  AGENT = Contrast::Components::Agent::Interface.new
+  CONTRAST_SERVICE = Contrast::Components::ContrastService::Interface.new
+  APP_CONTEXT = Contrast::Components::AppContext::Interface.new
+end
 
 # This needs to be required very early, after component interfaces, and before instrumentation attempts
 require 'contrast/funchook/funchook'
 
-# shared configuration support
-require 'contrast/config'
-require 'contrast/configuration'
-
 require 'contrast/agent/version'
 
-# errors and exceptions
-require 'contrast/security_exception'
-
 # shared utils
 require 'contrast/utils/timer'
 require 'contrast/utils/preflight_util'

data/lib/contrast/agent/assess/contrast_event.rb

@@ -8,7 +8,6 @@ require 'contrast/utils/object_share'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/timer'
-require 'contrast/components/interface'
 require 'contrast/agent/assess/contrast_object'
 
 module Contrast
@@ -29,8 +28,6 @@ module Contrast
       # @attr_reader args [Array<Contrast::Agent::Assess::ContrastObject>] the safe representation of the Arguments
       #   with which the method was invoked
       class ContrastEvent
-        include Contrast::Components::Interface
-        access_component :analysis
 
         attr_reader :event_id, :policy_node, :stack_trace, :time, :thread, :object, :ret, :args, :tags
 
@@ -164,7 +161,7 @@ module Contrast
         def capture_stacktrace!
           # If we're configured to not capture the stacktrace, usually for performance reasons, then don't and return an
           # empty array instead
-          unless ASSESS.capture_stacktrace?(policy_node)
+          unless ::Contrast::ASSESS.capture_stacktrace?(policy_node)
             @stack_trace = Contrast::Utils::ObjectShare::EMPTY_ARRAY
             return
           end

data/lib/contrast/agent/assess/finalizers/hash.rb

@@ -10,13 +10,11 @@ module Contrast
         # An extension of Hash that doesn't impact GC of the object being stored by storing its ID as a Key to lookup
         # and registering a finalizer on the object to remove its entry from the Hash immediately after it's GC'd.
         class Hash < Hash
-          include Contrast::Components::Interface
-          access_component :agent, :analysis
 
           FROZEN_FINALIZED_IDS = Set.new
 
           def []= key, obj
-            return unless AGENT.enabled? && ASSESS.enabled?
+            return unless ::Contrast::AGENT.enabled? && ::Contrast::ASSESS.enabled?
 
             # We can't finalize frozen things, so only act on those that went through .pre_freeze
             if key.cs__frozen?
@@ -79,7 +77,7 @@ module Contrast
           #
           # @param key [Object] the Object on which we need to pre-define finalizers
           def pre_freeze key
-            return unless AGENT.enabled? && ASSESS.enabled?
+            return unless ::Contrast::AGENT.enabled? && ::Contrast::ASSESS.enabled?
             return if key.cs__frozen?
             return if FROZEN_FINALIZED_IDS.include?(key.__id__)
 

data/lib/contrast/agent/assess/policy/patcher.rb

@@ -5,7 +5,8 @@ require 'contrast/agent/assess/policy/policy'
 require 'contrast/agent/patching/policy/patcher'
 require 'contrast/agent/patching/policy/method_policy'
 require 'contrast/agent/patching/policy/module_policy'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 
 module Contrast
   module Agent
@@ -16,8 +17,9 @@ module Contrast
         # provides a map for which methods our renamed functions need to call
         # and how.
         module Patcher
-          include Contrast::Components::Interface
-          access_component :logging, :analysis, :agent, :scope
+          extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Components::Scope::InstanceMethods
+
 
           class << self
             def policy
@@ -34,7 +36,7 @@ module Contrast
             # called. This hook is provided so that patches to those methods can
             # pass us execution flow once a new method has been made available.
             def patch_assess_on_eval mod
-              return unless ASSESS.enabled?
+              return unless ::Contrast::ASSESS.enabled?
               return if in_contrast_scope?
 
               patcher.patch_specific_module(mod)

data/lib/contrast/agent/assess/policy/policy.rb

@@ -26,7 +26,7 @@ module Contrast
           # Indicates is this feature has been disabled by the configuration,
           # read at startup, and therefore can never be enabled.
           def disabled_globally?
-            ASSESS.forcibly_disabled?
+            ::Contrast::ASSESS.forcibly_disabled?
           end
 
           def node_type

data/lib/contrast/agent/assess/policy/policy_scanner.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
 require 'contrast/utils/object_share'
 
 module Contrast
@@ -13,8 +12,7 @@ module Contrast
         # of a file vs data flow, such as the detection of Hardcoded Passwords
         # or Keys.
         module PolicyScanner
-          include Contrast::Components::Interface
-          access_component :analysis
+
 
           class << self
             # Use the given trace_point, built from an :end event, to determine
@@ -24,8 +22,8 @@ module Contrast
             # @param trace_point [TracePoint] the TracePoint generated by an
             #   :end event at the end of a Module definition.
             def scan trace_point
-              return unless ASSESS.enabled?
-              return unless ASSESS.require_scan?
+              return unless ::Contrast::ASSESS.enabled?
+              return unless ::Contrast::ASSESS.require_scan?
 
               provider_values = policy.providers.values
               return if provider_values.all?(&:disabled?)

data/lib/contrast/agent/assess/policy/preshift.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -9,8 +9,8 @@ module Contrast
       # In order to properly shift tags to account for the changes this method
       # caused, we'll need to store the state before the change occurred.
       class PreShift
-        include Contrast::Components::Interface
-        access_component :analysis, :logging
+        include Contrast::Components::Logger::InstanceMethods
+
 
         UNDUPLICABLE_MODULES = [
           Enumerator # dup'ing results in 'can't copy execution context'
@@ -37,7 +37,7 @@ module Contrast
           #   being called or nil if one is not required.
           def build_preshift propagation_node, object, args
             return unless propagation_node
-            return unless ASSESS.enabled?
+            return unless ::Contrast::ASSESS.enabled?
 
             initializing = propagation_node.method_name == :initialize
             return if unsafe_io_object?(object, initializing)

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -4,7 +4,7 @@
 require 'set'
 
 require 'contrast/agent/assess/policy/propagator'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
 
@@ -17,8 +17,8 @@ module Contrast
         # general, these methods work on the String class or a holder of
         # Strings
         module PropagationMethod
-          include Contrast::Components::Interface
-          access_component :analysis, :logging
+          extend Contrast::Components::Logger::InstanceMethods
+
 
           APPEND_ACTION = 'APPEND'
           CENTER_ACTION = 'CENTER'
@@ -302,7 +302,7 @@ module Contrast
             #   propagation event.
             # @return [Boolean]
             def can_handle_frozen? propagation_node
-              ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+              ::Contrast::ASSESS.track_frozen_sources? && propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
             end
           end
         end

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -1,8 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
-
 module Contrast
   module Agent
     module Assess
@@ -13,8 +11,7 @@ module Contrast
           # results in new source nodes to track which columns in the database
           # have been tainted.
           class DatabaseWrite < Contrast::Agent::Assess::Policy::Propagator::Base
-            include Contrast::Components::Interface
-            access_component :analysis
+
 
             class << self
               def propagate propagation_node, preshift, target
@@ -22,7 +19,7 @@ module Contrast
                 class_name = class_type.cs__name
                 tainted_columns = {}
 
-                known_tainted = ASSESS.tainted_columns[class_name]
+                known_tainted = ::Contrast::ASSESS.tainted_columns[class_name]
                 propagation_node.sources.each do |source|
                   handle_write(propagation_node, source, preshift, target, known_tainted, tainted_columns)
                 end
@@ -31,7 +28,7 @@ module Contrast
                 if known_tainted
                   known_tainted.concat(tainted_columns.keys)
                 else
-                  ASSESS.tainted_columns[class_name] = tainted_columns.keys
+                  ::Contrast::ASSESS.tainted_columns[class_name] = tainted_columns.keys
                 end
 
                 Contrast::Agent::Assess::Policy::DynamicSourceFactory.create_sources class_type, tainted_columns

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -2,7 +2,9 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/preshift'
-require 'contrast/components/interface'
+require 'contrast/components/agent'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
 require 'contrast/utils/thread_tracker'
 
 module Contrast
@@ -13,9 +15,9 @@ module Contrast
           # This class is specifically for String#split & String#grapheme_clusters propagation
           # it propagates tag ranges from a string to elements within an untracked array
           class Split < Contrast::Agent::Assess::Policy::Propagator::Base
-            include Contrast::Components::Interface
-
-            access_component :agent, :logging, :scope
+            extend Contrast::Components::Scope::InstanceMethods
+            extend Contrast::Components::Logger::InstanceMethods
+            #cs__const_set('AGENT', Contrast::AGENT)
 
             SPLIT_TRACKER = Contrast::Utils::ThreadTracker.new
 
@@ -29,8 +31,9 @@ module Contrast
               #   patched method.
               # @param target [Array, String] the target to which to propagate.
               # @return [nil] so as not to risk changing the result of the propagation.
-
               def propagate propagation_node, preshift, target
+                return unless target.is_a?(Array) # apply_post_patch is called, but split with block returns a string.
+
                 logger.trace('Propagation detected', node_id: propagation_node.id, target_id: target.__id__)
 
                 source = find_source(propagation_node.sources[0], preshift)
@@ -108,7 +111,7 @@ module Contrast
               # Load patch.
               def instrument_string_split
                 @_instrument_string_split ||= begin
-                  require 'cs__assess_yield_track/cs__assess_yield_track' if AGENT.patch_yield? && Funchook.available?
+                  require 'cs__assess_yield_track/cs__assess_yield_track' if ::Contrast::AGENT.patch_yield? && Funchook.available?
                   true
                 rescue StandardError => e
                   logger.error('Error loading split rb_yield patch', e)

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/utils/duck_utils'
 
 module Contrast
@@ -15,8 +15,7 @@ module Contrast
           # in a 'get it work' state. hopefully, we'll be in
           # a 'get it right' state soon.
           class Substitution
-            include Contrast::Components::Interface
-            access_component :logging
+            include Contrast::Components::Logger::InstanceMethods
 
             CAPTURE_GROUP_REGEXP = /\\[[:digit:]]/.cs__freeze
             CAPTURE_NAME_REGEXP = /\\k<[[:alpha:]]/.cs__freeze

data/lib/contrast/agent/assess/policy/rewriter_patch.rb

@@ -6,7 +6,7 @@ return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
 require 'contrast/agent/patching/policy/patch_status'
 require 'contrast/agent/module_data'
 require 'contrast/agent/rewriter'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 
 module Contrast
@@ -20,8 +20,8 @@ module Contrast
         # @deprecated Changes to this class are discouraged as this approach is
         #   being phased out with support for those language versions.
         module RewriterPatch
-          include Contrast::Components::Interface
-          access_component :agent, :analysis, :logging
+          extend Contrast::Components::Logger::InstanceMethods
+
 
           class << self
             def rewrite_interpolations
@@ -72,16 +72,16 @@ module Contrast
             end
 
             def agent_should_rewrite?
-              return false unless ASSESS.enabled?
-              return false unless AGENT.rewrite_interpolation?
-              return false unless AGENT.interpolation_enabled?
+              return false unless ::Contrast::ASSESS.enabled?
+              return false unless ::Contrast::AGENT.rewrite_interpolation?
+              return false unless ::Contrast::AGENT.interpolation_enabled?
 
               true
             end
 
             def should_rewrite? mod
               return false unless agent_should_rewrite?
-              return false if AGENT.skip_instrumentation? mod.cs__name
+              return false if ::Contrast::AGENT.skip_instrumentation? mod.cs__name
               return false if mod.cs__frozen?
               return false if mod.singleton_class?
               return false if mid_defining?(mod)

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -3,7 +3,7 @@
 
 require 'set'
 require 'contrast/agent/assess/policy/source_validation/source_validation'
-require 'contrast/components/interface'
+require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
 
@@ -15,8 +15,8 @@ module Contrast
         # actions we should take in order to mark data as User Input and treat it as untrusted, starting the dataflows
         # used in Assess vulnerability detection.
         module SourceMethod
-          include Contrast::Components::Interface
-          access_component :analysis, :logging
+          extend Contrast::Components::Logger::InstanceMethods
+
 
           PARAMETER_TYPE     = 'PARAMETER'
           PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
@@ -42,7 +42,7 @@ module Contrast
               target = determine_target(source_node, object, ret, args)
               restore_frozen_state = false
               if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
-                return unless ASSESS.track_frozen_sources?
+                return unless ::Contrast::ASSESS.track_frozen_sources?
                 return unless source_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
 
                 dup = safe_dup(ret)
@@ -131,7 +131,7 @@ module Contrast
             # @param hash [Hash] the hash to which the key belongs.
             # @return [Boolean] whether replace the key in the hash or not.
             def replace_hash_key? key, hash
-              ASSESS.track_frozen_sources? &&
+              ::Contrast::ASSESS.track_frozen_sources? &&
                   !hash.cs__frozen? &&
                   key.is_a?(String) &&
                   !Contrast::Agent::Assess::Tracker.trackable?(key)
@@ -215,7 +215,7 @@ module Contrast
             # @return [boolean] if the invocation of this method should be analyzed
             def analyze? method_policy, object, ret, args
               return false unless method_policy&.source_node
-              return false unless ASSESS.enabled?
+              return false unless ::Contrast::ASSESS.enabled?
               return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
 
               !safe_invocation?(method_policy.source_node, object, ret, args)