contrast-agent 4.11.0 → 4.14.0

data/lib/contrast/framework/manager.rb

@@ -9,16 +9,18 @@ require 'contrast/framework/rails/support'
 require 'contrast/framework/grape/support'
 require 'contrast/framework/sinatra/support'
 require 'contrast/utils/class_util'
+require 'contrast/framework/manager_extend'
 
 module Contrast
   module Framework
     # Allows access to framework specific information
     class Manager
       include Contrast::Components::Logger::InstanceMethods
+      include Contrast::Framework::ManagerExtend
 
-      # Order here does matter as the first framework listed will be the first one we pull information from
-      # Rack will be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra
-      # do not exist
+      # Order here does matter as the first framework listed will be the first one we pull information from Rack will
+      # be a special case that may involve updating some logic to handle only applying Rack if Rails/Sinatra do not
+      # exist
       SUPPORTED_FRAMEWORKS = [
         Contrast::Framework::Rails::Support, Contrast::Framework::Sinatra::Support,
         Contrast::Framework::Grape::Support, Contrast::Framework::Rack::Support
@@ -34,9 +36,8 @@ module Contrast
         @_frameworks.compact!
       end
 
-      # Patches that have to be applied as early as possible to catch calls
-      # that happen prior to the first Request, typically those around
-      # configuration.
+      # Patches that have to be applied as early as possible to catch calls that happen prior to the first Request,
+      # typically those around configuration.
       def before_load_patches!
         @_before_load_patches ||= begin
           SUPPORTED_FRAMEWORKS.each(&:before_load_patches!)
@@ -66,6 +67,10 @@ module Contrast
         Contrast::Framework::PlatformVersion.from_string(framework_version)
       end
 
+      def platform_version_string
+        first_framework_result :version, ''
+      end
+
       def server_type
         first_framework_result :server_type, 'rack'
       end
@@ -81,8 +86,8 @@ module Contrast
 
       # Build a request from the provided env, based on the framework(s) we're currently supporting.
       #
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values
-      # of this particular Request
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this particular Request
       # @return [::Rack::Request] either a rack request or subclass thereof.
       def retrieve_request env
         # If we're mounted on Rails, use Rails.
@@ -99,8 +104,8 @@ module Contrast
         logger.warn('Unable to retrieve_request', e)
       end
 
-      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
-      #   and values of this particular Request
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this particular Request
       # @return [Boolean] true if at least one framework is streaming the response; false if none are streaming
       def streaming? env
         result = false
@@ -111,13 +116,14 @@ module Contrast
         result
       end
 
-      # Iterate through current frameworks and return the current request's route. This will be the first
-      # non-nil result.
+      # Iterate through current frameworks and return the current request's route. This will be the first non-nil
+      # result.
       #
       # @param request [Contrast::Agent::Request] the current request.
       # @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
       def get_route_dtm request
-        @_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.reject(&:nil?).first
+        @_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.
+            reject(&:nil?).first
       end
 
       # Sometimes the framework we want to instrument is loaded after our agent code. To catch that case, we'll detect
@@ -125,6 +131,9 @@ module Contrast
       # have support enabled, we'll enable it now. We'll also need to catch up on any other startup actions that we've
       # missed. Most likely, this is only necessary for those applications which have applications mounted on them.
       #
+      # TODO: RUBY-1354
+      # TODO: RUBY-1356
+      #
       # @param mod [Module] the module or class that was just loaded
       def register_late_framework mod
         return unless mod
@@ -147,37 +156,6 @@ module Contrast
       rescue StandardError => e
         logger.warn('Unable to register a late framework', e, module: mod.cs__name)
       end
-
-      private
-
-      def enable_framework_support? klass
-        Contrast::Utils::ClassUtil.truly_defined?(klass)
-      end
-
-      def routes_for_all_frameworks
-        data_for_all_frameworks :collect_routes
-      end
-
-      # This returns an array of all data from each framework in a flat, no-nil values array
-      #
-      # @param method_name [Symbol] the method to call on each FrameworkSupport class
-      # @return [Array]
-      def data_for_all_frameworks method_name
-        @_frameworks.flat_map { |framework| framework.send(method_name) }.compact
-      end
-
-      # This returns a single object from the first framework to successfully respond
-      #
-      # @param method_name [Symbol] the method to call on each FrameworkSupport class
-      # @return [Object] - Determined by method to be invoked
-      def first_framework_result method_name, default_value
-        result = nil
-        @_frameworks.each do |framework|
-          result = framework.send(method_name)
-          break if result
-        end
-        result || default_value
-      end
     end
   end
 end

data/lib/contrast/framework/manager_extend.rb

@@ -0,0 +1,50 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+require 'contrast/extension/module'
+require 'contrast/framework/platform_version'
+require 'contrast/framework/rack/support'
+require 'contrast/framework/rails/support'
+require 'contrast/framework/grape/support'
+require 'contrast/framework/sinatra/support'
+require 'contrast/utils/class_util'
+
+module Contrast
+  module Framework
+    # Allows access to framework specific information
+    module ManagerExtend
+      private
+
+      def enable_framework_support? klass
+        Contrast::Utils::ClassUtil.truly_defined?(klass)
+      end
+
+      def routes_for_all_frameworks
+        data_for_all_frameworks :collect_routes
+      end
+
+      # This returns an array of all data from each framework in a flat, no-nil values array
+      #
+      # @param method_name [Symbol] the method to call on each FrameworkSupport class
+      # @return [Array]
+      def data_for_all_frameworks method_name
+        @_frameworks.flat_map { |framework| framework.send(method_name) }.
+            compact
+      end
+
+      # This returns a single object from the first framework to successfully respond
+      #
+      # @param method_name [Symbol] the method to call on each FrameworkSupport class
+      # @return [Object] - Determined by method to be invoked
+      def first_framework_result method_name, default_value
+        result = nil
+        @_frameworks.each do |framework|
+          result = framework.send(method_name)
+          break if result
+        end
+        result || default_value
+      end
+    end
+  end
+end

data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb

@@ -5,10 +5,14 @@ module Contrast
   module Framework
     module Rails
       module Patch
-        # This class acts as our patch into the ActionController::Live::Buffer
-        # class, allowing us to track the close event on streamed responses.
+        # This class acts as our patch into the ActionController::Live::Buffer class, allowing us to track the close
+        # event on streamed responses.
         module ActionControllerLiveBuffer
           class << self
+            # TODO: RUBY-1353
+            # TODO: RUBY-1355
+            # TODO: RUBY-1357
+            # TODO: RUBY-1357
             def send_messages
               return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
 
@@ -20,10 +24,9 @@ module Contrast
             def instrument
               @_instrument ||= begin
                 ::ActionController::Live::Buffer.class_eval do
-                  # normally pre->in->post filters are applied however, in a streamed response
-                  # we can run into a case where it's pre -> in -> post -> more infilters
-                  # in order to submit anything found during the infilters after the response has
-                  # been written we need to explicitly send them
+                  # normally pre->in->post filters are applied however, in a streamed response we can run into a case
+                  # where it's pre -> in -> post -> more infilters in order to submit anything found during the
+                  # infilters after the response has been written we need to explicitly send them
                   alias_method :cs__close, :close
                   def close
                     Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer.send_messages

data/lib/contrast/framework/rails/patch/support.rb

@@ -38,37 +38,39 @@ module Contrast
                                     instrumenting_module:
                                       'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration')
                               ])
-            if RUBY_VERSION < '2.6.0'
-              patches.merge([
-                              # TODO: RUBY-714 remove w/ EOL of 2.5
-                              #
-                              # @deprecated  Everything past here is used for Rewriting and can
-                              #   be removed once we no longer support 2.5.
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActionController::Railties::Helper::ClassMethods',
-                                  'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
-                                  method_to_instrument: :inherited,
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::AttributeMethods::Read::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::Scoping::Named::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_named',
-                                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
-                              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                  'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
-                                  'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
-                                  method_to_instrument: :inherited,
-                                  instrumenting_module:
-                                    'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
-                            ])
-            end
+            patches.merge(special_after_load_patches) if RUBY_VERSION < '2.6.0'
             patches
           end
+
+          def special_after_load_patches
+            [
+              # TODO: RUBY-714 remove w/ EOL of 2.5
+              #
+              # @deprecated  Everything past here is used for Rewriting and can
+              #   be removed once we no longer support 2.5.
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActionController::Railties::Helper::ClassMethods',
+                  'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
+                  method_to_instrument: :inherited,
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::AttributeMethods::Read::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::Scoping::Named::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_named',
+                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
+              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                  'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
+                  'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
+                  method_to_instrument: :inherited,
+                  instrumenting_module:
+                    'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
+            ]
+          end
         end
       end
     end

data/lib/contrast/framework/rails/railtie.rb

@@ -14,7 +14,7 @@ module Contrast
         initializer 'Contrast Ruby Agent Initializer' do |app|
           log_rails = defined?(Rails) && defined?(Rails.logger)
 
-          Rails.logger.debug("In railtie ::#{ app.middleware.inspect }") if log_rails
+          Rails.logger.debug { "In railtie ::#{ app.middleware.inspect }" } if log_rails
 
           if ::Contrast::APP_CONTEXT.instrument_middleware_stack?
             ::Contrast::AGENT.insert_middleware(app)

data/lib/contrast/framework/sinatra/support.rb

@@ -106,7 +106,8 @@ module Contrast
           def _route_recurse controller, method, route
             return if controller.nil? || controller.cs__class == NilClass
 
-            route_patterns = controller.routes.fetch(method) { [] }.map(&:first)
+            route_patterns = controller.routes.fetch(method) { [] }.
+                map(&:first)
             route_pattern = route_patterns&.find do |matcher|
               matcher.params(route) # ::Mustermann::Sinatra match.
             end

data/lib/contrast/logger/application.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/utils/exclude_key'
+
 module Contrast
   module Logger
     # Our decorator for the Ougai logger allowing for the logging of the
@@ -29,6 +31,8 @@ module Contrast
         loggable = ::Contrast::CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select do |env_key|
+          next if Contrast::Utils::ExcludeKey.excludable? env_key.to_s
+
           env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
         end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }

data/lib/contrast/logger/log.rb

@@ -11,6 +11,7 @@ require 'contrast/logger/format'
 require 'contrast/logger/request'
 require 'contrast/logger/time'
 require 'contrast/components/config'
+require 'contrast/utils/log_utils'
 
 module Contrast
   # This module allows us to dynamically weave timing into our code, so that only when the time is actually needed do
@@ -26,9 +27,9 @@ module Contrast
     # Add a method to the list of methods to be trace timed if logger set to TRACE. Enables trace timing after if
     # logger set to TRACE.
     #
-    # @params: clazz [Class] the class of the method to time.
-    # @params: method [Symbol] the method to time.
-    # @params: method [String] optional custom logging message.
+    # @param: clazz [Class] the class of the method to time.
+    # @param: method [Symbol] the method to time.
+    # @param: method [String] optional custom logging message.
     def add_method_to_trace_timing clazz, method, msg = nil
       methods_to_time.append(METHOD_INFO.new(clazz, method, msg, false))
       enable_trace_timing if logger.level == ::Ougai::Logging::TRACE
@@ -37,9 +38,9 @@ module Contrast
     # Add a method to the list of methods to be trace timed if logger set to TRACE. Enables trace timing after if
     # logger set to TRACE.
     #
-    # @params: method_spec [METHOD_INFO] specs about the method to be timed.
-    # @params: class_method [Boolean] whether this is or isn't a class/module method.
-    def trace_time_class_method meth_spec, class_method
+    # @param: meth_spec [METHOD_INFO] specs about the method to be timed.
+    # @param: class_method [Boolean] whether this is or isn't a class/module method.
+    def trace_time_class_method meth_spec, class_method # rubocop:disable Metrics/AbcSize
       untimed_func_symbol = "untimed_#{ meth_spec.method_name }".to_sym
       send_to = class_method ? meth_spec.clazz.cs__singleton_class : meth_spec.clazz
       meth_spec.clazz.class_eval do
@@ -105,12 +106,7 @@ module Contrast
     class Log
       include Singleton
       include ::Contrast::TraceTiming
-
-      DEFAULT_NAME     = 'contrast.log'
-      DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
-      VALID_LEVELS     = ::Ougai::Logging::Severity::SEV_LABEL
-      STDOUT_STR       = 'STDOUT'
-      STDERR_STR       = 'STDERR'
+      include Contrast::Utils::LogUtils
 
       attr_reader :previous_path, :previous_level
 
@@ -167,97 +163,6 @@ module Contrast
         dir_name = File.dirname(File.absolute_path(path))
         File.writable?(dir_name)
       end
-
-      private
-
-      def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
-        logger = case path
-                 when STDOUT_STR, STDERR_STR
-                   ::Ougai::Logger.new(Object.cs__const_get(path))
-                 else
-                   ::Ougai::Logger.new(path)
-                 end
-        add_contrast_loggers(logger)
-        logger.progname = 'Contrast Agent'
-        logger.level = level_const
-        logger.formatter = Contrast::Logger::Format.new
-        logger.formatter.datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
-        logger
-      end
-
-      def add_contrast_loggers logger
-        logger.extend(Contrast::Logger::Application)
-        logger.extend(Contrast::Logger::Request)
-        logger.extend(Contrast::Logger::Time)
-      end
-
-      # Determine the valid path to which to log, given the precedence of config > settings > default.
-      #
-      # @param log_file [String, nil] the file to which to log as provided by the settings retrieved from the
-      #   TeamServer.
-      # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
-      def find_valid_path log_file
-        config = ::Contrast::CONFIG.root.agent.logger
-        config_path = config&.path&.length.to_i.positive? ? config.path : nil
-        valid_path(config_path || log_file)
-      end
-
-      def valid_path path
-        path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
-        return path if path == STDOUT_STR
-        return path if path == STDERR_STR
-
-        path = DEFAULT_NAME if path.empty?
-        if write_permission?(path)
-          path
-        elsif write_permission?(DEFAULT_NAME)
-          # Log once when the path is invalid. We'll change to this path, so no
-          # need to log again.
-          if previous_path != DEFAULT_NAME
-            puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead."
-          end
-          DEFAULT_NAME
-        else
-          # Log once when the path is invalid. We'll change to this path, so no
-          # need to log again.
-          puts "[!] Unable to write to '#{ path }'. Writing to standard out instead." if previous_path != STDOUT_STR
-          STDOUT_STR
-        end
-      end
-
-      # Determine the valid level to which to log, given the precedence of config > settings > default.
-      #
-      # @param log_level [String, nil] the level at which to log as provided by the settings retrieved from the
-      #   TeamServer.
-      # @return [::Ougai::Logging::Severity] the level at which to log
-      def find_valid_level log_level
-        config = ::Contrast::CONFIG.root.agent.logger
-        config_level = config&.level&.length&.positive? ? config.level : nil
-
-        valid_level(config_level || log_level)
-      end
-
-      def valid_level level
-        level ||= DEFAULT_LEVEL
-        level = level.upcase
-        if VALID_LEVELS.include?(level)
-          Object.cs__const_get("::Ougai::Logging::Severity::#{ level }")
-        else
-          DEFAULT_LEVEL
-        end
-      rescue StandardError
-        DEFAULT_LEVEL
-      end
-
-      # Log that the Agent log has changed and include some default information at the start of the log.
-      def log_update
-        logger.debug('Initialized new contrast agent logger')
-        logger.debug_with_time('middleware: log environment') do
-          logger.application_environment
-          logger.application_configuration
-          logger.application_libraries
-        end
-      end
     end
   end
 end

data/lib/contrast/utils/assess/propagation_method_utils.rb

@@ -0,0 +1,129 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the PropagationMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module PropagationMethodUtils
+        APPEND_ACTION = 'APPEND'
+        CENTER_ACTION = 'CENTER'
+        INSERT_ACTION = 'INSERT'
+        KEEP_ACTION = 'KEEP'
+        NEXT_ACTION = 'NEXT'
+        NOOP_ACTION = 'NOOP'
+        PREPEND_ACTION = 'PREPEND'
+        REPLACE_ACTION = 'REPLACE'
+        REMOVE_ACTION = 'REMOVE'
+        REVERSE_ACTION = 'REVERSE'
+        SPLAT_ACTION = 'SPLAT'
+        SPLIT_ACTION = 'SPLIT'
+        DB_WRITE_ACTION = 'DB_WRITE'
+        CUSTOM_ACTION = 'CUSTOM'
+
+        ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
+
+        PROPAGATION_ACTIONS = {
+            APPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Append,
+            CENTER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Center,
+            INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
+            KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
+            NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
+            NOOP_ACTION => nil,
+            PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
+            REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
+            REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
+            REVERSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Reverse,
+            SPLAT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Splat,
+            SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
+        }.cs__freeze
+
+        def determine_target propagation_node, ret, object, args
+          target = propagation_node.targets[0]
+          case target
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          else
+            args[target]
+          end
+        end
+
+        # Custom actions tend to be the more complex of our propagations. Often, the method has to make decisions
+        # about the target based on the context with which the method was called. As such, defer determining if the
+        # target is valid to that method.
+        #
+        # In all other cases, a target is valid for propagation if it is not nil
+        #
+        # @param target [Object] the thing to which to propagate
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @return [Boolean]
+        def valid_target? target, propagation_node
+          return true if propagation_node.action == CUSTOM_ACTION
+
+          !!target
+        end
+
+        # If the action required needs a length and the target does not have one, the length is not valid
+        #
+        # @param target [Object] the thing to which to propagate
+        # @param action [String] the name of the action taken during this propagation
+        # @return [Boolean]
+        def valid_length? target, action
+          return true if ZERO_LENGTH_ACTIONS.include?(action)
+
+          if Contrast::Utils::DuckUtils.quacks_to?(target, :length)
+            target.length != 0 # rubocop:disable Style/ZeroLengthPredicate
+          else
+            !target.to_s.empty?
+          end
+        end
+
+        # Before we do any work, we should check if we even need to. If the source and target of this patcher are
+        # not tracked, there's no need to do anything. A copy of nothing is still nothing.
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+        #   the invocation of the patched method.
+        # @param target [Object] the thing to which to propagate
+        # @return [Boolean]
+        def can_propagate? propagation_node, preshift, target
+          return false unless appropriate_target?(propagation_node, target)
+          return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
+          return false unless preshift
+
+          propagation_node.sources.each do |source|
+            case source
+            when Contrast::Utils::ObjectShare::OBJECT_KEY
+              return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
+            else
+              # has to be P, there's no ret source type (yet? ever?)
+              return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
+            end
+          end
+          false
+        end
+
+        # We cannot propagate to frozen things that have not been updated to work with our property tracking,
+        # unless they're duplicable and the return. We probably shouldn't propagate to frozen things at all, as
+        # they're supposed to be immutable, but third parties do jenky things, so allow it as long as it is safe to
+        # do.
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param target [Object] the Target to which to propagate.
+        # @return [Boolean] if the target can be propagated to
+        def appropriate_target? propagation_node, target
+          # special handle Returns b/c we can do unfreezing magic during propagation
+          return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+          Contrast::Agent::Assess::Tracker.trackable?(target)
+        end
+      end
+    end
+  end
+end