/* Copyright (c) 2021 Contrast Security, Inc. See * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */ #include "cs__contrast_patch.h" #include "../cs__common/cs__common.h" #include VALUE build_preshift(const VALUE method_policy, const VALUE object, const int argc, const VALUE *params) { if (method_policy == Qnil) { return Qnil; } VALUE propagation_node, send, ret; propagation_node = rb_funcall(method_policy, rb_sym_propagation_node, 0); /* if there isn't a propagation node that applies to this method * we don't need to build a preshift */ if (propagation_node == Qnil) { return Qnil; } send = rb_ary_new_from_values(argc, params); ret = rb_funcall(preshift_class, rb_sym_build_preshift, 3, propagation_node, object, send); return ret; } VALUE contrast_patch_call_original(const VALUE *args) { int argc; VALUE method, method_id, object; VALUE *params; argc = NUM2INT(args[0]); params = (VALUE *)args[1]; object = args[2]; method = args[3]; method_id = SYM2ID(method); /* It looks like we can find the last Ruby block given so long as we don't * change Ruby method scope (always call this function from C, not Ruby), * which is the point of this C call. */ /* Ruby >= 2.7 */ #ifdef RB_PASS_CALLED_KEYWORDS if (rb_block_given_p()) { return rb_funcall_with_block_kw(object, method_id, argc, params, rb_block_proc(), RB_PASS_CALLED_KEYWORDS); } else { return rb_funcallv_kw(object, method_id, argc, params, RB_PASS_CALLED_KEYWORDS); } /* Ruby < 2.7 */ #else if (rb_block_given_p()) { return rb_funcall_with_block(object, method_id, argc, params, rb_block_proc()); } else { return rb_funcall2(object, method_id, argc, params); } #endif } VALUE contrast_call_pre_patch(const VALUE method_policy, const VALUE method, const VALUE object, const int count, const VALUE *params, const VALUE exception) { /* For simplicity's sake, this Ruby method is responsible for * exiting scope if it throws a SecurityException. * When we start to macro rescues, we can change this. */ VALUE send; send = rb_ary_new_from_values(count, params); return rb_funcall(contrast_patcher(), rb_sym_contrast_apply_pre_patch, 5, method_policy, method, exception, object, send); } VALUE contrast_call_post_patch(const VALUE method_policy, const VALUE preshift, const VALUE object, const VALUE ret, const int count, const VALUE *params) { VALUE send; send = rb_ary_new_from_values(count, params); VALUE block; if (rb_block_given_p()) { block = rb_block_proc(); } else { block = Qnil; } return rb_funcall(contrast_patcher(), rb_sym_contrast_apply_post_patch, 6, method_policy, preshift, object, ret, send, block); } VALUE contrast_patch_call_rescue(const VALUE *args) { int argc; VALUE exception, object, preshift, method_policy, method; VALUE *argv; /* rb_errinfo() gives the value of $!, the exception that * triggered a rescue block. */ exception = rb_errinfo(); object = args[0]; method = args[1]; argc = NUM2INT(args[2]); argv = (VALUE *)args[3]; method_policy = args[4]; preshift = args[5]; contrast_call_post_patch(method_policy, preshift, object, Qnil, argc, argv); /* reraise the exception that got us here */ rb_exc_raise(exception); return Qnil; } VALUE contrast_call_super(const VALUE *args) { int argc; VALUE *argv; argc = NUM2INT(args[0]); argv = (VALUE *)args[1]; return rb_call_super(argc, argv); } VALUE contrast_run_patches(const VALUE *wrapped_args) { VALUE impl, method, method_policy, object, original_args, original_ret, preshift, transformed_ret; int argc; VALUE *argv; VALUE rescue_args[6]; impl = wrapped_args[0]; original_args = wrapped_args[1]; method = wrapped_args[2]; method_policy = wrapped_args[3]; object = wrapped_args[4]; argc = NUM2INT(wrapped_args[5]); argv = (VALUE *)wrapped_args[6]; rescue_args[0] = object; rescue_args[1] = method; rescue_args[2] = INT2NUM(argc); rescue_args[3] = (VALUE)argv; rescue_args[4] = method_policy; /* Tracking, triggering, and propagation here. */ contrast_call_pre_patch(method_policy, method, object, argc, argv, Qnil); /* Capture pre-call state */ preshift = build_preshift(method_policy, object, argc, argv); rescue_args[5] = preshift; /* We wrap a call to the original method with a rescue block, and we use * rb_rescue2 to capture all Exception-inheriting exceptions (and if your * software is well-behaved, all exceptions should inherit from Exception.) * * The rescue block is responsible for doing Contrast post-call analysis * in the event the original method has thrown an exception. * * EDGE CASES: * Given how extensively we patch and instrument, this code is * prone to some esoteric edge cases that are not well-documented or * easy to research. * * There is an esoteric edge case in core Ruby, upon Thread#kill, where * it raises Fixnum 8 (Qnil==8). This is an intentional choice on the * part of the core Ruby devs, as blindly rescuing Thread#kill would be * disastrous. * A consequence of this is that Thread#kill will leak scope, if you * happen to ever instrument it. * * If you are within a catch block, and the original function results * in a throw, you will leak scope. We handle this by not instrumenting * methods that do that. (Tracked in RUBY-552.) * * If you're thinking of cleaning this up by using rb_protect, * you will catch ALL exceptions, as well as ANYTHING * else that unwinds the stack. This includes fiber context switches * (which are used to implement Enumerator#next) and catch/throw blocks. * I spent a week debugging that so you don't have to. -ajm */ switch (impl) { case IMPL_ALIAS_INSTANCE: case IMPL_ALIAS_SINGLETON: original_ret = rb_rescue2(contrast_patch_call_original, original_args, contrast_patch_call_rescue, (VALUE)rescue_args, rb_eException, 0); break; case IMPL_PREPEND_INSTANCE: case IMPL_PREPEND_SINGLETON: original_ret = rb_rescue2(contrast_call_super, original_args, contrast_patch_call_rescue, (VALUE)rescue_args, rb_eException, 0); break; }; /* If you're here, the original method did not throw an exception * (or unwind the stack otherwise). * If the original method threw an exception, contrast_patch_call_rescue * re-raises the original exception, which unwinds the stack back to the * call site. This means the rest of this function is not executed. */ /* Invoke Contrast post-call patching. * Post-call patching may transform the return value, * hence the assignment. */ transformed_ret = contrast_call_post_patch(method_policy, preshift, object, original_ret, argc, argv); /* Special case for tracking frozen sources */ if (transformed_ret != Qnil) { return transformed_ret; } else { return original_ret; } } VALUE contrast_ensure_function(const VALUE method_policy) { /* exit scope */ rb_funcall(contrast_patcher(), rb_sym_exit_method_scope, 1, method_policy); rb_funcall(contrast_patcher(), rb_sym_exit_scope, 0); return Qnil; } VALUE contrast_patch_dispatch(const int argc, const VALUE *argv, const patch_impl impl, const VALUE object) { VALUE cs__method, known, method, method_policy; VALUE original_args[4]; int do_contrast, nested_scope; /* Do Contrast analysis, unless our subsequent checks tell us no. */ do_contrast = 1; /* Before we enter scope, see if we're already in scope. * We only want to Contrast methods called out of all scope. * Otherwise, we do things like propagate within propagators, * which is unnecessary, or run Contrast analysis on Contrast code, * which will never terminate. */ nested_scope = RTEST(rb_funcall(contrast_patcher(), rb_sym_in_scope, 0)); /* enter scope */ rb_funcall(contrast_patcher(), rb_sym_enter_scope, 0); /* Get the name of the calling method */ method = rb_funcall(object, rb_sym_method, 0); /* Retrieve from Ruby Patcher class * [method_policy object, Symbol representing original method] */ switch (impl) { case IMPL_ALIAS_INSTANCE: case IMPL_PREPEND_INSTANCE: known = rb_funcall(patch_status, rb_sym_info_for, 3, object, method, Qtrue); break; case IMPL_PREPEND_SINGLETON: known = rb_funcall(patch_status, rb_sym_info_for, 3, object, method, Qfalse); break; case IMPL_ALIAS_SINGLETON: known = rb_funcall(patch_status, rb_sym_info_for, 3, object, method, Qfalse); break; } /* Index into above array & retrieve contents */ if (RTEST(known)) { method_policy = rb_funcall(known, rb_sym_brackets, 1, INT2NUM(0)); } else { method_policy = Qnil; } /* Check conditions for not doing Contrast analysis */ if (nested_scope) { /* if we were in scope */ do_contrast = 0; } else if (!RTEST(known)) { /* nothing to be done with entirely unknown method*/ do_contrast = 0; } else if (!RTEST(method_policy)) { /* nothing to be done without a method policy */ do_contrast = 0; } original_args[0] = INT2NUM(argc); original_args[1] = (VALUE)argv; original_args[2] = object; if (impl == IMPL_ALIAS_INSTANCE || impl == IMPL_ALIAS_SINGLETON) { /* Alias patching moves the original method to "cs__#{method}" */ cs__method = rb_funcall(known, rb_sym_brackets, 1, INT2NUM(1)); /* We may not have built the alias yet */ if (!RTEST(cs__method)) { cs__method = rb_funcall(contrast_patcher(), rb_sym_build_method_name, 2, object, method); } original_args[3] = cs__method; } /* Enter any scopes specific to method policy */ rb_funcall(contrast_patcher(), rb_sym_enter_method_scope, 1, method_policy); /* If we're not doing Contrast analysis, exit scope and treat as normal. */ if (!do_contrast) { goto call_original; } /* Otherwise, invoke Contrast analysis. */ VALUE wrapped_args[7]; wrapped_args[0] = impl; wrapped_args[1] = (VALUE)original_args; wrapped_args[2] = method; wrapped_args[3] = method_policy; wrapped_args[4] = object; wrapped_args[5] = INT2NUM(argc); wrapped_args[6] = (VALUE)argv; return rb_ensure(contrast_run_patches, (VALUE)wrapped_args, contrast_ensure_function, method_policy); call_original: /* exit scope */ contrast_ensure_function(method_policy); switch (impl) { case IMPL_ALIAS_INSTANCE: case IMPL_ALIAS_SINGLETON: return contrast_patch_call_original(original_args); case IMPL_PREPEND_INSTANCE: case IMPL_PREPEND_SINGLETON: return contrast_call_super(original_args); }; } VALUE contrast_alias_instance_patch(const int argc, const VALUE *argv, const VALUE object) { return contrast_patch_dispatch(argc, argv, IMPL_ALIAS_INSTANCE, object); } VALUE contrast_alias_singleton_patch(const int argc, const VALUE *argv, const VALUE object) { return contrast_patch_dispatch(argc, argv, IMPL_ALIAS_SINGLETON, object); } VALUE contrast_prepend_instance_patch(const int argc, const VALUE *argv, const VALUE object) { return contrast_patch_dispatch(argc, argv, IMPL_PREPEND_INSTANCE, object); } VALUE contrast_prepend_singleton_patch(const int argc, const VALUE *argv, const VALUE object) { return contrast_patch_dispatch(argc, argv, IMPL_PREPEND_SINGLETON, object); } VALUE contrast_patch_define_method(const VALUE self, const VALUE clazz, const VALUE method_policy, const VALUE cs_method) { const VALUE original_method_name = rb_funcall(method_policy, rb_sym_method_name, 0); const VALUE is_instance_method = rb_funcall(method_policy, rb_sym_instance_method, 0); char *cStr; VALUE str; rb_funcall(patch_status, rb_sym_set_info_for, 5, clazz, original_method_name, method_policy, is_instance_method, cs_method); /* Some methods we patch rely on a specific C level patch, * in those cases we should still add the method to the info_for hash * on the class, but we should skip setting up the generic Contrast * monkeypatch */ VALUE is_custom_patch = rb_funcall(method_policy, rb_sym_custom_patch, 0); if (RTEST(is_custom_patch)) { return Qnil; } str = rb_funcall(original_method_name, rb_sym_cs_to_s, 0); cStr = StringValueCStr(str); const VALUE is_private = rb_funcall(method_policy, rb_sym_private_method, 0); if (RTEST(is_instance_method)) { rb_funcall(clazz, rb_sym_alias_method, 2, cs_method, original_method_name); if (RTEST(is_private)) { rb_funcall(clazz, rb_sym_public, 1, cs_method); } rb_define_method(clazz, cStr, contrast_alias_instance_patch, -1); if (RTEST(is_private)) { rb_funcall(clazz, rb_sym_private, 1, original_method_name); } } else { /* * we have to send the method call to either the singleton class or the * instance depending on the method type. send_to will hold this for us. * https://stackoverflow.com/questions/212407/what-exactly-is-the-singleton-class-in-ruby */ const VALUE singleton_class = rb_funcall(clazz, rb_sym_cs_singleton_class, 0); rb_funcall(singleton_class, rb_sym_alias_method, 2, cs_method, original_method_name); if (RTEST(is_private)) { rb_funcall(singleton_class, rb_sym_public, 1, cs_method); } rb_define_singleton_method(clazz, cStr, contrast_alias_singleton_patch, -1); if (RTEST(is_private)) { rb_funcall(singleton_class, rb_sym_private, 1, original_method_name); } } return Qnil; } VALUE contrast_patch_prepend(const VALUE self, const VALUE originalModule, const VALUE method_policy) { const VALUE instance = Qtrue; const VALUE singleton = Qfalse; const VALUE original_method_name = rb_funcall(method_policy, rb_sym_method_name, 0); const VALUE is_private = rb_funcall(method_policy, rb_sym_private_method, 0); const VALUE is_instance_method = rb_funcall(method_policy, rb_sym_instance_method, 0); // Set the value for instance or singleton method if (RTEST(is_instance_method)){ rb_funcall(patch_status, rb_sym_set_info_for, 5, originalModule, original_method_name, method_policy, instance, Qnil); } else { rb_funcall(patch_status, rb_sym_set_info_for, 5, originalModule, original_method_name, method_policy, singleton, Qnil); } VALUE module = rb_define_module_under(originalModule, "ContrastPrepend"); VALUE str = rb_funcall(original_method_name, rb_sym_cs_to_s, 0); char *cMethodName = StringValueCStr(str); if (RTEST(is_instance_method)) { if (RTEST(is_private)) { rb_define_private_method(module, cMethodName, contrast_prepend_instance_patch, -1); } else { rb_define_method(module, cMethodName, contrast_prepend_instance_patch, -1); } } else { rb_define_singleton_method(module, cMethodName, contrast_prepend_singleton_patch, -1); } rb_prepend_module(originalModule, module); return Qtrue; } void Init_cs__contrast_patch(void) { rb_sym_brackets = rb_intern("[]"); rb_sym_build_method_name = rb_intern("build_method_name"); rb_sym_build_preshift = rb_intern("build_preshift"); rb_sym_contrast_apply_post_patch = rb_intern("apply_post_patch"); rb_sym_contrast_apply_pre_patch = rb_intern("apply_pre_patch"); rb_sym_cs_to_s = rb_intern("to_s"); rb_sym_custom_patch = rb_intern("requires_custom_patch?"); rb_sym_info_for = rb_intern("info_for"); rb_sym_propagation_node = rb_intern("propagation_node"); rb_sym_set_info_for = rb_intern("set_info_for"); rb_sym_private_method = rb_intern("private_method?"); rb_sym_method_name = rb_intern("method_name"); rb_sym_alias_method = rb_intern("alias_method"); rb_sym_public = rb_intern("public"); rb_sym_private = rb_intern("private"); rb_sym_instance_method = rb_intern("instance_method"); rb_sym_cs_singleton_class = rb_intern("cs__singleton_class"); rb_sym_enter_method_scope = rb_intern("enter_method_scope!"); rb_sym_exit_method_scope = rb_intern("exit_method_scope!"); rb_define_module_function(contrast_patcher(), "contrast_define_method", contrast_patch_define_method, 3); rb_define_module_function(contrast_patcher(), "contrast_prepend_method", contrast_patch_prepend, 2); /* patch_status = Contrast::Agent::Patching::Policy::PatchStatus */ patch_status = rb_define_class_under(policy, "PatchStatus", rb_cObject); /* preshift_class = Contrast::Agent::Assess::PreShift */ preshift_class = rb_define_class_under(assess, "PreShift", rb_cObject); }