contrast-agent 4.10.0 → 4.13.1

data/lib/contrast/agent/metric_telemetry_event.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/metrics_hash'
+require 'contrast/agent/telemetry_event'
+
+module Contrast
+  module Agent
+    # This class will hold the basic information for a Telemetry Event
+    class MetricTelemetryEvent < Contrast::Agent::TelemetryEvent
+      include Contrast::Utils
+
+      attr_reader :fields
+
+      def initialize
+        super
+        @fields = MetricsHash.new(Numeric)
+        @fields['_filter'] = 0
+      end
+
+      def to_json **_args
+        super.merge!({ fields: @fields })
+      end
+    end
+  end
+end

data/lib/contrast/agent/middleware.rb

@@ -10,8 +10,10 @@ require 'contrast/utils/object_share'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/heap_dump_util'
+require 'contrast/utils/telemetry'
 require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
+require 'contrast/agent/startup_metrics_telemetry_event'
 
 require 'contrast/utils/timer'
 
@@ -68,6 +70,7 @@ module Contrast
         ::Contrast::SETTINGS.reset_state
 
         inform_deprecations
+        telemetry_disclaimer
 
         if ::Contrast::CONFIG.invalid?
           ::Contrast::AGENT.disable!
@@ -89,6 +92,13 @@ module Contrast
           Contrast::Agent.thread_watcher.ensure_running?
         end
 
+        if Contrast::Agent::Telemetry.enabled?
+          logger.debug_with_time('middleware: sending startup metrics telemetry event') do
+            event = Contrast::Agent::StartupMetricsTelemetryEvent.new
+            Contrast::Agent.thread_watcher.telemetry_queue.send_event(event)
+          end
+        end
+
         logger.debug_with_time('middleware: instrument shared libraries and patch') do
           Contrast::Agent::Patching::Policy::Patcher.patch
         end
@@ -225,6 +235,18 @@ module Contrast
         Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.5 will be removed in April 2021. '\
                     'Please contact Customer Support prior if you require continued support.')
       end
+
+      # Displays Telemetry disclaimer if Telemetry is enabled.
+      # if .telemetry file doesn't exist we create one and then show the disclaimer.
+      # if the file already exists we do nothing.
+      def telemetry_disclaimer
+        return unless Contrast::Agent::Telemetry.enabled?
+        return unless Contrast::Utils::Telemetry.create_telemetry_file
+
+        logger.info Contrast::Utils::Telemetry.disclaimer
+        $stdout.print Contrast::Utils::Telemetry.disclaimer
+        true
+      end
     end
   end
 end

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -46,7 +46,6 @@ module Contrast
                 path_part = "cs__assess_#{ p }"
                 Contrast::Extension::Assess::InstrumentHelper.instrument "#{ path_part }/#{ path_part }"
               end
-              Contrast::Extension::Assess::InstrumentHelper.instrument 'cs__protect_kernel/cs__protect_kernel'
               true
             end
           end

data/lib/contrast/agent/patching/policy/method_policy.rb

@@ -81,15 +81,21 @@ module Contrast
               deadzone_node =    find_method_node(module_policy.deadzone_nodes, method_name, instance_method)
               method_visibility = find_visibility(source_node, propagation_node, trigger_node, protect_node,
                                                   inventory_node, deadzone_node)
-              MethodPolicy.new(method_name: method_name,
-                               method_visibility: method_visibility,
-                               instance_method: instance_method,
-                               source_node: source_node,
-                               propagation_node: propagation_node,
-                               trigger_node: trigger_node,
-                               protect_node: protect_node,
-                               inventory_node: inventory_node,
-                               deadzone_node: deadzone_node)
+              method_policy = MethodPolicy.new(method_name: method_name,
+                                               method_visibility: method_visibility,
+                                               instance_method: instance_method,
+                                               source_node: source_node,
+                                               propagation_node: propagation_node,
+                                               trigger_node: trigger_node,
+                                               protect_node: protect_node,
+                                               inventory_node: inventory_node,
+                                               deadzone_node: deadzone_node)
+
+              return method_policy unless check_method_policy_nodes_empty? source_node, propagation_node, trigger_node,
+                                                                           protect_node, inventory_node, deadzone_node
+
+              create_new_node(module_policy, method_policy) if module_policy.deadzone_nodes&.any?
+              method_policy
             end
 
             def find_method_node nodes, method_name, is_instance_method
@@ -103,6 +109,45 @@ module Contrast
             def find_visibility *nodes
               nodes.find { |node| node }&.method_visibility
             end
+
+            def check_method_policy_nodes_empty?(source_node, propagation_node, trigger_node, protect_node,
+                                                 inventory_node, deadzone_node)
+              return false unless source_node.nil? && propagation_node.nil? && trigger_node.nil? && protect_node.nil? &&
+                  inventory_node.nil? && deadzone_node.nil?
+
+              true
+            end
+
+            private
+
+            def create_new_node module_policy, method_policy
+              return if module_policy.deadzone_nodes.empty?
+
+              module_policy.deadzone_nodes.map do |node|
+                next unless node.method_name.nil?
+
+                klass = Module.cs__const_get(node.class_name)
+                next unless it_defined? klass, method_policy.method_name
+
+                new_node = {}
+                new_node['instance_method'] = method_policy.instance_method
+                new_node['method_visibility'] =
+                  klass.private_method_defined?(method_policy.method_name) ? 'private' : 'public'
+                new_node['method_name'] = method_policy.method_name
+                new_node['class_name'] = node.class_name
+                new_node = Contrast::Agent::Deadzone::Policy::DeadzoneNode.new(new_node)
+                method_policy.instance_variable_set(:@method_visibility, new_node.method_visibility)
+                method_policy.instance_variable_set(:@deadzone_node, new_node)
+                module_policy.deadzone_nodes << new_node
+                break unless method_policy.deadzone_node.nil?
+              end
+            end
+
+            def it_defined? klass, method_name
+              klass.instance_methods(false).include?(method_name) ||
+                  klass.private_instance_methods(false).include?(method_name) ||
+                  klass.singleton_methods(false).include?(method_name)
+            end
           end
         end
       end

data/lib/contrast/agent/patching/policy/patch.rb

@@ -4,6 +4,7 @@
 require 'monitor'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/utils/patching/policy/patch_utils'
 
 require 'contrast/agent'
 require 'contrast/logger/log'
@@ -32,6 +33,8 @@ module Contrast
         # provides a map for which methods our renamed functions need to call
         # and how.
         module Patch
+          extend Contrast::Utils::Patching::PatchUtils
+
           class << self
             include Contrast::Agent::Assess::Policy::SourceMethod
             include Contrast::Agent::Assess::Policy::PropagationMethod
@@ -57,226 +60,6 @@ module Contrast
               end
             end
 
-            # THIS IS CALLED FROM C. Do not change the signature lightly.
-            #
-            # This method functions to call the infilter methods from our
-            # patches, allowing for analysis and reporting at the point just
-            # before the patched code is invoked.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   Mapping of the triggers on the given method.
-            # @param method [Symbol] The method into which we're patching
-            # @param exception [StandardError] Any exception raised during the
-            #   call of the patched method.
-            # @param object [Object] The object on which the method is invoked,
-            #   typically what would be returned by self.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            def apply_pre_patch method_policy, method, exception, object, args
-              apply_protect(method_policy, method, exception, object, args)
-              apply_inventory(method_policy, method, exception, object, args)
-            rescue Contrast::SecurityException => e
-              # We were told to block something, so we gotta. Don't catch this
-              # one, let it get back to our Middleware or even all the way out to
-              # the framework
-              raise e
-            rescue StandardError => e
-              # Anything else was our bad and we gotta catch that to allow for
-              # normal application flow
-              logger.error('Unable to apply pre patch to method.', e)
-            rescue Exception => e # rubocop:disable Lint/RescueException
-              # This is something like NoMemoryError that we can't
-              # hope to handle.  Nonetheless, shouldn't leak scope.
-              exit_contrast_scope!
-              raise e
-            end
-
-            # THIS IS CALLED FROM C. Do not change the signature lightly.
-            #
-            # This method functions to call the infilter methods from our
-            # patches, allowing for analysis and reporting at the point just
-            # after the patched code is invoked
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   Mapping of the triggers on the given method.
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture
-            #   of the state of the code just prior to the invocation of the
-            #   patched method.
-            # @param object [Object] The object on which the method was
-            #   invoked, typically what would be returned by self.
-            # @param ret [Object] The return of the method that was invoked.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            # @param block [Proc] The block passed to the method that was
-            #   invoked.
-            def apply_post_patch method_policy, preshift, object, ret, args, block
-              apply_assess(method_policy, preshift, object, ret, args, block)
-            rescue StandardError => e
-              logger.error('Unable to apply post patch to method.', e)
-            end
-
-            # Apply the Protect patch which applies to the given method.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   Mapping of the triggers on the given method.
-            # @param method [Symbol] The method into which we're patching
-            # @param exception [StandardError] Any exception raised during the
-            #   call of the patched method.
-            # @param object [Object] The object on which the method is invoked,
-            #   typically what would be returned by self.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            def apply_protect method_policy, method, exception, object, args
-              return unless ::Contrast::AGENT.enabled?
-              return unless ::Contrast::PROTECT.enabled?
-
-              apply_trigger_only(method_policy&.protect_node, method, exception, object, args)
-            end
-
-            # Apply the Inventory patch which applies to the given method.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   Mapping of the triggers on the given method.
-            # @param method [Symbol] The method into which we're patching
-            # @param exception [StandardError] Any exception raised during the
-            #   call of the patched method.
-            # @param object [Object] The object on which the method is invoked,
-            #   typically what would be returned by self.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            def apply_inventory method_policy, method, exception, object, args
-              return unless ::Contrast::INVENTORY.enabled?
-
-              apply_trigger_only(method_policy&.inventory_node, method, exception, object, args)
-            end
-
-            # Apply the Assess patches which apply to the given method.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   Mapping of the triggers on the given method.
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture
-            #   of the state of the code just prior to the invocation of the
-            #   patched method.
-            # @param object [Object] The object on which the method was
-            #   invoked, typically what would be returned by self.
-            # @param ret [Object] The return of the method that was invoked.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            # @param block [Proc] The block passed to the method that was
-            #   invoked.
-            def apply_assess method_policy, preshift, object, ret, args, block
-              source_ret = nil
-              propagated_ret = nil
-              return ret unless method_policy && ::Contrast::ASSESS.enabled?
-
-              current_context = Contrast::Agent::REQUEST_TRACKER.current
-              return ret if current_context && !current_context.analyze_request?
-
-              trigger_node = method_policy.trigger_node
-              if trigger_node
-                Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args)
-              end
-              if method_policy.source_node
-                # If we were given a frozen return, and it was the target of a
-                # source, and we have frozen sources enabled, we'll need to
-                # replace the return. Note, this is not the default case.
-                source_ret = Contrast::Agent::Assess::Policy::SourceMethod.source_patchers(method_policy, object, ret,
-                                                                                           args)
-              end
-              if method_policy.propagation_node
-                propagated_ret = Contrast::Agent::Assess::Policy::PropagationMethod.apply_propagation(
-                    method_policy,
-                    preshift,
-                    object,
-                    source_ret || ret,
-                    args,
-                    block)
-              end
-              handle_return(propagated_ret, source_ret, ret)
-            rescue StandardError => e
-              logger.error('Unable to assess method call.', e)
-              handle_return(propagated_ret, source_ret, ret)
-            rescue Exception => e # rubocop:disable Lint/RescueException
-              logger.error('Unable to assess method call.', e)
-              handle_return(propagated_ret, source_ret, ret)
-              raise e
-            end
-
-            # Generic invocation of the Inventory or Protect patch which apply
-            # to the given method.
-            #
-            # @param trigger_node [Contrast::Agent::Inventory::Policy::TriggerNode]
-            #   Mapping of the specific trigger on the given method.
-            # @param method [Symbol] The method into which we're patching
-            # @param exception [StandardError] Any exception raised during the
-            #   call of the patched method.
-            # @param object [Object] The object on which the method is invoked,
-            #   typically what would be returned by self.
-            # @param args [Array<Object>] The arguments passed to the method
-            #   being invoked.
-            def apply_trigger_only trigger_node, method, exception, object, args
-              return unless trigger_node
-
-              # If that rule only applies in the case of an exception being
-              # thrown and there's no exception here, move along, or vice versa
-              return if trigger_node.on_exception && !exception
-              return if !trigger_node.on_exception && exception
-
-              # Each patch has an applicator that handles logic for it. Think
-              # of this as being similar to propagator actions, most closely
-              # resembling CUSTOM - they all have a common interface but their
-              # own logic based on what's in the method(s) they've been patched
-              # into.
-              # Each patch also knows the method of its applicator. Some
-              # things, like AppliesXxeRule, have different methods depending
-              # on the library patched. This lets us handle the boilerplate of
-              # patching while still allowing for custom handling of the
-              # methods.
-              applicator_method = trigger_node.applicator_method
-              # By calling send like this, we can reuse all the patching.
-              # We `send` to the given method of the given class
-              # (applicator) since they all accept the same inputs
-              trigger_node.applicator.send(applicator_method, method, exception, trigger_node.properties, object, args)
-            end
-
-            # Method to choose which replaced return from the post_patch to
-            # actually return
-            #
-            # @param propagated_ret [Object, nil] The replaced return from the
-            #   propagation patch.
-            # @param source_ret [Object, nil] The replaced return from the
-            #   source patch.
-            # @param ret [Object, nil] The original return of the patched
-            #   method.
-            # @return [Object, nil] The thing to return from the post patch.
-            def handle_return propagated_ret, source_ret, ret
-              safe_return = propagated_ret || source_ret || ret
-              safe_return.rewind if Contrast::Utils::IOUtil.should_rewind?(safe_return)
-              safe_return
-            end
-
-            # Given a module and method, construct an expected name for the
-            # alias by which Contrast will reference the original.
-            #
-            # @param patched_class [Module] the module being patched
-            # @param patched_method [Symbol] the method being patched
-            # @return [Symbol]
-            def build_method_name patched_class, patched_method
-              (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
-                  patched_class.cs__name.gsub('::', '_').downcase +
-                  Contrast::Utils::ObjectShare::UNDERSCORE +
-                  patched_method.to_s).to_sym
-            end
-
-            # Given a method, return a symbol in the format
-            # <method_start>_unbound_<method_name>
-            def build_unbound_method_name patcher_method
-              (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
-                'unbound' +
-                Contrast::Utils::ObjectShare::UNDERSCORE +
-                patcher_method.to_s).to_sym
-            end
-
             # @param mod [Module] the module in which the patch should be
             #   placed.
             # @param methods [Array(Symbol)] all the instance or singleton
@@ -343,7 +126,7 @@ module Contrast
               underlying_method_name = build_unbound_method_name(method_name).to_sym
 
               target_module = Module.cs__const_get(target_module_name)
-
+              target_module = target_module.cs__singleton_class if %i[prepend_singleton prepend].include? impl
               target_module = target_module.cs__singleton_class if %i[alias_singleton prepend].include? impl
 
               visibility = if target_module.private_instance_methods(false).include?(method_name)
@@ -360,6 +143,30 @@ module Contrast
                                    ERR
                            end
 
+              reflect_implementation impl, target_module, unbound_method, visibility
+              # Ougai::Logger.create_item_with_2args calls Hash#[]=, so we
+              # can't invoke this logging method or we'll seg fault as we'd
+              # change the method definition mid-call
+              # if method_name != :[]= &&
+              #   Contrast::Agent::Logger.defined!
+              #   logger.trace(
+              #       'Registered C-defined patch',
+              #       implementation: impl,
+              #       module: target_mod,
+              #       method: method_name,
+              #       visibility: visibility)
+              # end
+              underlying_method_name
+            end
+
+            # @param impl [Symbol] Strategy for applying the patch: { :alias_instance, :alias_singleton, or :prepend }:
+            # @param target_module [Module] The targeted module
+            # @param unbound_method [UnboundMethod] An unbound method, to be patched into target_module.
+            # @param visibility [Symbol] method visibility
+            def reflect_implementation impl, target_module, unbound_method, visibility
+              method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
+              underlying_method_name = build_unbound_method_name(method_name).to_sym
+
               case impl
               when :alias_instance, :alias_singleton
                 # Core to patching. Ignore define method usage cop.
@@ -370,27 +177,19 @@ module Contrast
                   target_module.send(:define_method, method_name, unbound_method.bind(target_module))
                 end
                 target_module.send(visibility, method_name) # e.g., module.private(:my_method)
-              when :prepend
-                prepending_module = Module.new
-                prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                prepending_module.send(visibility, method_name)
+              when :prepend_instance, :prepend_singleton
+
+                unless target_module.instance_methods(false).include? underlying_method_name
+
+                  prepending_module = Module.new
+                  prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
+                  prepending_module.send(visibility, method_name)
+
+                end
                 # This prepends to the singleton class (it patches a class method)
                 target_module.prepend prepending_module
                 # rubocop:enable Performance/Kernel/DefineMethod
               end
-              # Ougai::Logger.create_item_with_2args calls Hash#[]=, so we
-              # can't invoke this logging method or we'll seg fault as we'd
-              # change the method definition mid-call
-              # if method_name != :[]= &&
-              #   Contrast::Agent::Logger.defined!
-              #   logger.trace(
-              #       'Registered C-defined patch',
-              #       implementation: impl,
-              #       module: target_module_name,
-              #       method: method_name,
-              #       visibility: visibility)
-              # end
-              underlying_method_name
             end
 
             # @return [Boolean]

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -10,6 +10,7 @@ require 'contrast/agent/patching/policy/module_policy'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/class_util'
+require 'contrast/utils/patching/policy/patcher_utils'
 
 # assess
 require 'contrast/agent/assess/policy/policy'
@@ -44,6 +45,7 @@ module Contrast
         # and how.
         module Patcher
           extend Contrast::Agent::Patching::Policy::AfterLoadPatcher
+          extend Contrast::Utils::Patching::PatcherUtils
           extend Contrast::Components::Logger::InstanceMethods
           extend Contrast::Components::Scope::InstanceMethods
 
@@ -77,47 +79,6 @@ module Contrast
               end
             end
 
-            # This method is called by TracePointHook to instrument a specific class during a require
-            # or eval of dynamic class definition
-            def patch_specific_module mod
-              with_contrast_scope do
-                mod_name = mod.cs__name
-                return unless Contrast::Utils::ClassUtil.truly_defined?(mod_name)
-                return if ::Contrast::AGENT.skip_instrumentation?(mod_name)
-
-                load_patches_for_module(mod_name)
-
-                return if all_module_names.none?(mod_name)
-
-                module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
-                patch_into_module(module_data)
-                all_module_names.delete(mod_name) if status_type.get_status(mod).patched?
-              rescue StandardError => e
-                logger.error('Unable to patch module', e, module: mod_name)
-              end
-            end
-
-            # We did it, team. We found a patcher(s) that applies to the given
-            # class (or module) and the given method. Time to do some tracking.
-            #
-            # @param mod [Module] the module in which the patch should be
-            #   placed.
-            # @param methods [Array(Symbol)] all the instance or singleton
-            #   methods in this mod.
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   the policy that applies to the given method_name.
-            # @return [Boolean] if patched, either by this invocation or a
-            #   previous, or not
-            def patch_method mod, methods, method_policy
-              return false unless methods&.any? # don't even build the name if there are no methods
-
-              if Contrast::Utils::ClassUtil.prepended_method?(mod, method_policy)
-                Contrast::Agent::Patching::Policy::Patch.instrument_with_prepend(mod, method_policy)
-              else
-                Contrast::Agent::Patching::Policy::Patch.instrument_with_alias(mod, methods, method_policy)
-              end
-            end
-
             private
 
             POLICIES = [
@@ -246,6 +207,7 @@ module Contrast
             def patch_into_instance_methods module_data, module_policy
               mod = module_data.mod
               methods = all_instance_methods(mod, true)
+              methods.delete(:initialize) if mod.to_s.starts_with?('RSpec') && mod.to_s.include?('Matchers')
               patch_into_methods(mod, methods, module_policy, true)
             end
 
@@ -309,6 +271,5 @@ require 'contrast/extension/module'
 require 'contrast/extension/assess'
 require 'contrast/extension/inventory'
 require 'contrast/extension/protect'
-require 'contrast/extension/protect/kernel'
 
 require 'cs__contrast_patch/cs__contrast_patch'

data/lib/contrast/agent/request.rb

@@ -92,10 +92,12 @@ module Contrast
                 defined?(Rack::Multipart::UploadedFile) &&
                 body.is_a?(Rack::Multipart::UploadedFile)
 
-            logger.trace("not parsing uploaded file body :: #{ body.original_filename }::#{ body.content_type }")
+            logger.trace('not parsing uploaded file body',
+                         file_name: body.original_filename,
+                         content_type: body.content_type)
             @_body = nil
           else
-            logger.trace("parsing body from request :: #{ body.cs__class.cs__name }")
+            logger.trace('parsing body from request', body_type: body.cs__class.cs__name)
             @_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
           end
 
@@ -185,7 +187,7 @@ module Contrast
         when Enumerable
           idx = 0
           res = {}
-          while idx < val.size
+          while idx < val.length
             res.merge! normalize_params(val[idx], prefix: "#{ prefix }[#{ idx }]")
             idx += 1
           end

data/lib/contrast/agent/request_context.rb

@@ -60,14 +60,10 @@ module Contrast
           # generic holder for properties that can be set throughout this request
           @_properties = {}
 
-          @sample = true
-
           if ::Contrast::ASSESS.enabled?
-            @sample_request, @sample_response = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
+            @sample_req, @sample_res = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
           end
 
-          @sample_response &&= ::Contrast::ASSESS.scan_response?
-
           append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
         end
       end
@@ -77,11 +73,31 @@ module Contrast
       end
 
       def analyze_request?
-        @sample_request
+        analyze_request_assess? || analyze_req_res_protect?
       end
 
       def analyze_response?
-        @sample_response
+        analyze_response_assess? || analyze_req_res_protect?
+      end
+
+      def analyze_req_res_protect?
+        ::Contrast::PROTECT.enabled?
+      end
+
+      def analyze_request_assess?
+        return false unless analyze_req_res_assess?
+
+        @sample_req
+      end
+
+      def analyze_response_assess?
+        return false unless analyze_req_res_assess?
+
+        @sample_res &&= ::Contrast::ASSESS.scan_response?
+      end
+
+      def analyze_req_res_assess?
+        ::Contrast::ASSESS.enabled?
       end
 
       # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
@@ -131,8 +147,10 @@ module Contrast
         handle_protect_state(service_response)
         ia = service_response.input_analysis
         if ia
-          logger.trace("Analysis from Contrast Service: evaluations=#{ ia.results.length }")
-          logger.trace('Results', input_analysis: ia.inspect)
+          if logger.trace?
+            logger.trace('Analysis from Contrast Service', evaluations: ia.results.length)
+            logger.trace('Results', input_analysis: ia.inspect)
+          end
           @speedracer_input_analysis = ia
           speedracer_input_analysis.request = request
         else
@@ -169,7 +187,7 @@ module Contrast
       # that has been accumulated since the last request
       def extract_after rack_response
         @response = Contrast::Agent::Response.new(rack_response)
-        activity.http_response = @response.dtm if @sample_response
+        activity.http_response = @response.dtm if @sample_res
       rescue StandardError => e
         logger.error('Unable to extract information after request', e)
       end
@@ -202,7 +220,10 @@ module Contrast
           rule = ::Contrast::PROTECT.rule(rule_id)
           next unless rule
 
-          logger.debug('Building attack result from Contrast Service input analysis result', result: ia_result.inspect)
+          if logger.debug?
+            logger.debug('Building attack result from Contrast Service input analysis result',
+                         result: ia_result.inspect)
+          end
 
           attack_result = if rule.mode == :BLOCK
                             # special case for rules (like reflected xss) that used to have an infilter / block mode