# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true require 'contrast/extension/module' require 'contrast/utils/object_share' require 'contrast/utils/lru_cache' module Contrast module Utils # Utility methods for exploring the complete space of Objects class ClassUtil @lru_cache = LRUCache.new(300) @string_cache = LRUCache.new(300) class << self # some classes have had things prepended to them, like Marshal in Rails 5 and higher. Their # ActiveSupport::MarshalWithAutoloading will break our alias patching approach, as will any other prepend on # something that we touch. Prepend and Alias are inherently incompatible monkey patching approaches. As such, # we need to know if something has been prepended to. # # @param mod [Module] the Module to check to see if it has had something prepended # @param ancestors [Array] the array of ancestors for the mod # @return [Boolean] if the mod has been prepended or not def prepended? mod, ancestors = nil ancestors ||= mod.ancestors ancestors[0] != mod end # return true if the given method is overwritten by one of the ancestors in the ancestor change that comes # before the given module # # @param mod [Module] the Module to check to see if it has had something prepended # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that holds the method we # need to check # @return [Boolean] if this method specifically was prepended def prepended_method? mod, method_policy target_module = determine_target_class(mod, method_policy.instance_method) ancestors = target_module.ancestors return false unless prepended?(target_module, ancestors) ancestors.each do |ancestor| break if ancestor == target_module methods = ancestor.instance_methods(false) return true if methods.include?(method_policy.method_name) end false end # Return a String representing the object invoking this method in the form expected by our dataflow events. # After implementing the LRU Cache, we firstly need to check if already had that object cached and if we have # it - we can return it directly; otherwise we'll calculate and store the result before returning. # # Combining of the caches have close performance, but keeping the two with current implementation has # a slight advantage in performance. For now we can keep the things the way they are. # # @param object [Object, nil] the entity to convert to a String # @return [String, Object] the human readable form of the String, as defined by # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/capture-snapshot.md def to_contrast_string object # Only treat object like a string if it actually is a string+ some subclasses of String override string # methods we depend on if object.cs__class == String return @string_cache[object] if @string_cache.key?(object) @string_cache[object] = to_cached_string(object) || object.dup else return @lru_cache[object.__id__] if @lru_cache.key?(object.__id__) @lru_cache[object.__id__] = convert_object(object) end end def convert_object object if object.nil? Contrast::Utils::ObjectShare::NIL_STRING elsif object.cs__is_a?(Symbol) ":#{ object }" elsif object.cs__is_a?(Module) || object.cs__is_a?(Class) "#{ object.cs__name }@#{ object.__id__ }" elsif object.cs__is_a?(Regexp) object.source elsif use_to_s?(object) object.to_s else "#{ object.cs__class.cs__name }@#{ object.__id__ }" end end # The method Module.const_defined? can raise an exception if the constant is poorly named. As such, we need to # handle the case where that exception is raised. # # @param name [String] the name of the constant to look up # @return [Boolean] def truly_defined? name return false unless name Module.cs__const_defined?(name) rescue NameError # account for nonsense / poorly formatted constants false end private # Some objects have nice to_s that we can use to make them human readable. If they do, we should leverage them. # We used to do this by default, but this opened us up to danger, so we're instead using an allow list # approach. # # @param object [Object] something that may have a safe to_s method # @return [Boolean] if we should invoke to_s to represent the object def use_to_s? object return true if object.cs__is_a?(Numeric) return true if defined?(Arel::Nodes::SqlLiteral) && object.cs__is_a?(Arel::Nodes::SqlLiteral) false end # Find the target class based on the instance, or module, provided. If a module, return it. # # @param mod [Module] the Module, or instance of a Module, that we need to check # @param is_instance [Boolean] is the object provided an instance of a class, requiring lookup by class # @return [Module] def determine_target_class mod, is_instance return mod if mod.singleton_class? return mod.cs__singleton_class unless is_instance mod end # If the String matches a common String in our ObjectShare, return that rather that for use as the # representation of the String rather than forcing a duplication of the String. # # @param string [String] some string of which we want a Contrast representation. # @return [String, nil] the ObjectShare version of the String or nil def to_cached_string string return Contrast::Utils::ObjectShare::EMPTY_STRING if string.empty? return Contrast::Utils::ObjectShare::SLASH if string == Contrast::Utils::ObjectShare::SLASH return Contrast::Utils::ObjectShare::EQUALS if string == Contrast::Utils::ObjectShare::EQUALS nil end end end end end