contrast-agent 4.10.0 → 4.13.1

data/lib/contrast/components/config.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/utils/env_configuration_item'
+require 'ougai'
 require 'contrast/configuration'
 
 module Contrast
@@ -23,17 +24,33 @@ module Contrast
     # time than to silently fail to deliver functionality.
     module Config
       CONTRAST_ENV_MARKER = 'CONTRAST__'
+      CONTRAST_LOG = 'contrast_agent.log'
+      CONTRAST_NAME = 'Contrast Agent'
 
       class Interface # :nodoc:
         def initialize
           build
         end
 
-        def build log: true
+        # Basic logger for handling configuration validation logging
+        # the file to log is determined by the default one or set
+        # by the config file, if that configuration is found
+        def proto_logger
+          @_proto_logger ||= begin
+            @_proto_logger = ::Ougai::Logger.new(logger_path || CONTRAST_LOG)
+            @_proto_logger.progname = CONTRAST_NAME
+            @_proto_logger.level = ::Ougai::Logging::Severity::WARN
+            @_proto_logger.formatter = Contrast::Logger::Format.new
+            @_proto_logger.formatter.datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
+            @_proto_logger
+          end
+        end
+
+        def build
           @_valid = nil
           @config = Contrast::Configuration.new
           env_overrides
-          validate(log: log)
+          validate
         end
         alias_method :rebuild, :build
 
@@ -43,7 +60,7 @@ module Contrast
         end
 
         def valid?
-          @_valid = validate(log: false) if @_valid.nil?
+          @_valid = validate if @_valid.nil?
           @_valid
         end
 
@@ -59,20 +76,28 @@ module Contrast
 
         SESSION_VARIABLES = 'Invalid configuration. '\
                             "Setting both application.session_id and application.session_metadata is not allowed.\n"
-        def validate log: false
+        API_URL = "Invalid configuration. Missing a required connection value 'url' is not set."
+        API_KEY = "Invalid configuration. Missing a required connection value 'api_key' is not set."
+        API_SERVICE_KEY = "Invalid configuration. Missing a required connection value 'service_tag' is not set."
+        API_USERNAME = "Invalid configuration. Missing a required connection value 'user_name' is not set."
+        def validate
           # The config has information about how to construct the logger.
           # If the config is invalid, and you want to know about it, then
           # you have a circular dependency if you try to log it,
-          # hence `log: false`.
+          # so we use basic proto_logger to do this job.
           if !session_id.empty? && !session_metadata.empty?
-            if log
-              cs__class.log_error(SESSION_VARIABLES)
-            else
-              puts SESSION_VARIABLES
-            end
+            proto_logger.error(SESSION_VARIABLES)
             return false
           end
-
+          if bypass
+            msg = []
+            msg << API_URL unless api_url
+            msg << API_KEY unless api_key
+            msg << API_SERVICE_KEY unless api_service_key
+            msg << API_USERNAME unless api_username
+            msg.any? { |m| proto_logger.error(m) }
+            return false unless msg.empty?
+          end
           true
         end
 
@@ -108,6 +133,60 @@ module Contrast
         def session_metadata
           @config.application.session_metadata
         end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_url
+          @config.api.url
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_key
+          @config.api.api_key
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_service_key
+          @config.api.service_key
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def api_username
+          @config.api.user_name
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def bypass
+          @config.root.agent.service.bypass
+        end
+
+        # Typically, the following values would be accessed through Contrast::Components::AppContext
+        # and Contrast::Components::Logger, but we're too early in the initialization of the Agent to use
+        # that mechanism, so we look it up directly for ourselves.
+        #
+        # @return [String, nil]
+        def logger_path
+          @config.root.agent.logger.path
+        end
       end
     end
   end

data/lib/contrast/components/contrast_service.rb

@@ -31,6 +31,12 @@ module Contrast
               (LOCALHOST.match?(host) || !!socket_path)
         end
 
+        def use_agent_communication?
+          return @_use_agent_communication unless @_use_agent_communication.nil?
+
+          @_use_agent_communication = true?(::Contrast::CONFIG.root.agent.service.bypass)
+        end
+
         def host
           @_host ||=
             (::Contrast::CONFIG.root.agent.service.host || Contrast::Config::ServiceConfiguration::DEFAULT_HOST).to_s

data/lib/contrast/config/api_configuration.rb

@@ -0,0 +1,22 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/config/default_value'
+
+module Contrast
+  module Config
+    # Api keys configuration
+    class ApiConfiguration < BaseConfiguration
+      URL = 'https://app.contrastsecurity.com/Contrast'
+      KEYS = {
+          api_key: EMPTY_VALUE,
+          url: Contrast::Config::DefaultValue.new(URL),
+          user_name: EMPTY_VALUE,
+          service_key: EMPTY_VALUE
+      }.cs__freeze
+      def initialize hsh
+        super(hsh, KEYS)
+      end
+    end
+  end
+end

data/lib/contrast/config/assess_configuration.rb

@@ -10,6 +10,7 @@ module Contrast
           tags: EMPTY_VALUE,
           enable: EMPTY_VALUE,
           enable_scan_response: Contrast::Config::DefaultValue.new('true'),
+          enable_dynamic_sources: Contrast::Config::DefaultValue.new('true'),
           sampling: Contrast::Config::SamplingConfiguration,
           rules: Contrast::Config::AssessRulesConfiguration,
           stacktraces: Contrast::Config::DefaultValue.new('ALL')

data/lib/contrast/config/env_variables.rb

@@ -0,0 +1,25 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Config
+    # This module is holding all the Env Variables that we could use through the agent lifecycle
+    module EnvVariables
+      ENV_VARIABLES = {
+          telemetry_opt_outs: ENV['CONTRAST_AGENT_TELEMETRY_OPTOUT'].to_s || Contrast::Config::DefaultValue.new('false')
+      }.cs__freeze
+
+      def return_value key
+        return unless ENV_VARIABLES.key?(key.to_sym)
+
+        sym_key = key.downcase.to_sym
+        return_val = ENV_VARIABLES[sym_key]
+        if return_val.is_a?(Contrast::Config::DefaultValue)
+          return_val.value
+        else
+          return_val
+        end
+      end
+    end
+  end
+end

data/lib/contrast/config/root_configuration.rb

@@ -6,6 +6,7 @@ module Contrast
     # The base of the Common Configuration settings.
     class RootConfiguration < BaseConfiguration
       KEYS = {
+          api: Contrast::Config::ApiConfiguration,
           enable: BaseConfiguration::EMPTY_VALUE,
           agent: Contrast::Config::AgentConfiguration,
           application: Contrast::Config::ApplicationConfiguration,

data/lib/contrast/config/service_configuration.rb

@@ -19,7 +19,8 @@ module Contrast
           host: EMPTY_VALUE,
           port: EMPTY_VALUE,
           socket: EMPTY_VALUE,
-          logger: Contrast::Config::LoggerConfiguration
+          logger: Contrast::Config::LoggerConfiguration,
+          bypass: Contrast::Config::DefaultValue.new(false)
       }.cs__freeze
 
       def initialize hsh

data/lib/contrast/config.rb

@@ -24,6 +24,7 @@ require 'contrast/config/protect_rules_configuration'
 require 'contrast/config/sampling_configuration'
 
 require 'contrast/config/ruby_configuration'
+require 'contrast/config/api_configuration'
 require 'contrast/config/agent_configuration'
 require 'contrast/config/application_configuration'
 require 'contrast/config/server_configuration'

data/lib/contrast/configuration.rb

@@ -7,6 +7,7 @@ require 'fileutils'
 require 'contrast/config'
 require 'contrast/utils/object_share'
 require 'contrast/components/scope'
+require 'contrast/utils/exclude_key'
 
 module Contrast
   # This is how we read in the local settings for the Agent, both ENV/ CMD line
@@ -218,6 +219,8 @@ module Contrast
       case convert
       when Contrast::Config::BaseConfiguration
         convert.cs__class::KEYS.each_key do |key|
+          next if Contrast::Utils::ExcludeKey.excludable? key.to_s
+
           hash[key] = convert_to_hash(convert.send(key), {})
         end
         hash

data/lib/contrast/framework/manager.rb

@@ -16,9 +16,9 @@ module Contrast
     class Manager
       include Contrast::Components::Logger::InstanceMethods
 
-      # Order here does matter as the first framework listed will be the first one we pull information from
-      # Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
-      # do not exist
+      # Order here does matter as the first framework listed will be the first one we pull information from Rack will
+      # be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra do not
+      # exist
       SUPPORTED_FRAMEWORKS = [
         Contrast::Framework::Rails::Support, Contrast::Framework::Sinatra::Support,
         Contrast::Framework::Grape::Support, Contrast::Framework::Rack::Support
@@ -34,9 +34,8 @@ module Contrast
         @_frameworks.compact!
       end
 
-      # Patches that have to be applied as early as possible to catch calls
-      # that happen prior to the first Request, typically those around
-      # configuration.
+      # Patches that have to be applied as early as possible to catch calls that happen prior to the first Request,
+      # typically those around configuration.
       def before_load_patches!
         @_before_load_patches ||= begin
           SUPPORTED_FRAMEWORKS.each(&:before_load_patches!)
@@ -81,8 +80,8 @@ module Contrast
 
       # Build a request from the provided env, based on the framework(s) we're currently supporting.
       #
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values
-      # of this particular Request
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this particular Request
       # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
         # If we're mounted on Rails, use Rails.
@@ -99,8 +98,8 @@ module Contrast
         logger.warn('Unable to retrieve_request', e)
       end
 
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
-      #   and values of this particular Request
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this particular Request
       # @return [Boolean] true if at least one framework is streaming the response; false if none are streaming
       def streaming? env
         result = false
@@ -111,8 +110,8 @@ module Contrast
         result
       end
 
-      # Iterate through current frameworks and return the current request's route. This will be the first
-      # non-nil result.
+      # Iterate through current frameworks and return the current request's route. This will be the first non-nil
+      # result.
       #
       # @param request [Contrast::Agent::Request] the current request.
       # @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
@@ -125,6 +124,9 @@ module Contrast
       # have support enabled, we'll enable it now. We'll also need to catch up on any other startup actions that we've
       # missed. Most likely, this is only necessary for those applications which have applications mounted on them.
       #
+      # TODO: RUBY-1354
+      # TODO: RUBY-1356
+      #
       # @param mod [Module] the module or class that was just loaded
       def register_late_framework mod
         return unless mod

data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb

@@ -5,10 +5,14 @@ module Contrast
   module Framework
     module Rails
       module Patch
-        # This class acts as our patch into the ActionController::Live::Buffer
-        # class, allowing us to track the close event on streamed responses.
+        # This class acts as our patch into the ActionController::Live::Buffer class, allowing us to track the close
+        # event on streamed responses.
         module ActionControllerLiveBuffer
           class << self
+            # TODO: RUBY-1353
+            # TODO: RUBY-1355
+            # TODO: RUBY-1357
+            # TODO: RUBY-1357
             def send_messages
               return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
 
@@ -20,10 +24,9 @@ module Contrast
             def instrument
               @_instrument ||= begin
                 ::ActionController::Live::Buffer.class_eval do
-                  # normally pre->in->post filters are applied however, in a streamed response
-                  # we can run into a case where it's pre -> in -> post -> more infilters
-                  # in order to submit anything found during the infilters after the response has
-                  # been written we need to explicitly send them
+                  # normally pre->in->post filters are applied however, in a streamed response we can run into a case
+                  # where it's pre -> in -> post -> more infilters in order to submit anything found during the
+                  # infilters after the response has been written we need to explicitly send them
                   alias_method :cs__close, :close
                   def close
                     Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer.send_messages

data/lib/contrast/framework/rails/patch/support.rb

@@ -38,37 +38,39 @@ module Contrast
                                     instrumenting_module:
                                       'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration')
                               ])
-            if RUBY_VERSION < '2.6.0'
-              patches.merge([
-                              # TODO: RUBY-714 remove w/ EOL of 2.5
-                              #
-                              # @deprecated  Everything past here is used for Rewriting and can
-                              #   be removed once we no longer support 2.5.
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActionController::Railties::Helper::ClassMethods',
-                                  'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
-                                  method_to_instrument: :inherited,
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::AttributeMethods::Read::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::Scoping::Named::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_named',
-                                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
-                                  method_to_instrument: :inherited,
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
-                            ])
-            end
+            patches.merge(special_after_load_patches) if RUBY_VERSION < '2.6.0'
             patches
           end
+
+          def special_after_load_patches
+            [
+              # TODO: RUBY-714 remove w/ EOL of 2.5
+              #
+              # @deprecated  Everything past here is used for Rewriting and can
+              #   be removed once we no longer support 2.5.
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActionController::Railties::Helper::ClassMethods',
+                  'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
+                  method_to_instrument: :inherited,
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::AttributeMethods::Read::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::Scoping::Named::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_named',
+                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
+                  method_to_instrument: :inherited,
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
+            ]
+          end
         end
       end
     end

data/lib/contrast/logger/application.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/utils/exclude_key'
+
 module Contrast
   module Logger
     # Our decorator for the Ougai logger allowing for the logging of the
@@ -29,6 +31,8 @@ module Contrast
         loggable = ::Contrast::CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select do |env_key|
+          next if Contrast::Utils::ExcludeKey.excludable? env_key.to_s
+
           env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
         end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }

data/lib/contrast/utils/assess/propagation_method_utils.rb

@@ -0,0 +1,129 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the PropagationMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module PropagationMethodUtils
+        APPEND_ACTION = 'APPEND'
+        CENTER_ACTION = 'CENTER'
+        INSERT_ACTION = 'INSERT'
+        KEEP_ACTION = 'KEEP'
+        NEXT_ACTION = 'NEXT'
+        NOOP_ACTION = 'NOOP'
+        PREPEND_ACTION = 'PREPEND'
+        REPLACE_ACTION = 'REPLACE'
+        REMOVE_ACTION = 'REMOVE'
+        REVERSE_ACTION = 'REVERSE'
+        SPLAT_ACTION = 'SPLAT'
+        SPLIT_ACTION = 'SPLIT'
+        DB_WRITE_ACTION = 'DB_WRITE'
+        CUSTOM_ACTION = 'CUSTOM'
+
+        ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
+
+        PROPAGATION_ACTIONS = {
+            APPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Append,
+            CENTER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Center,
+            INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
+            KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
+            NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
+            NOOP_ACTION => nil,
+            PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
+            REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
+            REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
+            REVERSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Reverse,
+            SPLAT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Splat,
+            SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
+        }.cs__freeze
+
+        def determine_target propagation_node, ret, object, args
+          target = propagation_node.targets[0]
+          case target
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          else
+            args[target]
+          end
+        end
+
+        # Custom actions tend to be the more complex of our propagations. Often, the method has to make decisions
+        # about the target based on the context with which the method was called. As such, defer determining if the
+        # target is valid to that method.
+        #
+        # In all other cases, a target is valid for propagation if it is not nil
+        #
+        # @param target [Object] the thing to which to propagate
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @return [Boolean]
+        def valid_target? target, propagation_node
+          return true if propagation_node.action == CUSTOM_ACTION
+
+          !!target
+        end
+
+        # If the action required needs a length and the target does not have one, the length is not valid
+        #
+        # @param target [Object] the thing to which to propagate
+        # @param action [String] the name of the action taken during this propagation
+        # @return [Boolean]
+        def valid_length? target, action
+          return true if ZERO_LENGTH_ACTIONS.include?(action)
+
+          if Contrast::Utils::DuckUtils.quacks_to?(target, :length)
+            target.length != 0 # rubocop:disable Style/ZeroLengthPredicate
+          else
+            !target.to_s.empty?
+          end
+        end
+
+        # Before we do any work, we should check if we even need to. If the source and target of this patcher are
+        # not tracked, there's no need to do anything. A copy of nothing is still nothing.
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+        #   the invocation of the patched method.
+        # @param target [Object] the thing to which to propagate
+        # @return [Boolean]
+        def can_propagate? propagation_node, preshift, target
+          return false unless appropriate_target?(propagation_node, target)
+          return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
+          return false unless preshift
+
+          propagation_node.sources.each do |source|
+            case source
+            when Contrast::Utils::ObjectShare::OBJECT_KEY
+              return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
+            else
+              # has to be P, there's no ret source type (yet? ever?)
+              return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
+            end
+          end
+          false
+        end
+
+        # We cannot propagate to frozen things that have not been updated to work with our property tracking,
+        # unless they're duplicable and the return. We probably shouldn't propagate to frozen things at all, as
+        # they're supposed to be immutable, but third parties do jenky things, so allow it as long as it is safe to
+        # do.
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param target [Object] the Target to which to propagate.
+        # @return [Boolean] if the target can be propagated to
+        def appropriate_target? propagation_node, target
+          # special handle Returns b/c we can do unfreezing magic during propagation
+          return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+          Contrast::Agent::Assess::Tracker.trackable?(target)
+        end
+      end
+    end
+  end
+end