contrast-agent 4.11.0 → 4.14.0

data/lib/contrast/utils/middleware_utils.rb

@@ -0,0 +1,87 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # helper methods for Contrast::Agent::Middleware
+    # including disclaimers, deprecation notices, error handling, setup
+    module MiddlewareUtils
+      private
+
+      def setup_agent
+        ::Contrast::SETTINGS.reset_state
+
+        inform_deprecations
+        telemetry_disclaimer
+
+        if ::Contrast::CONFIG.invalid?
+          ::Contrast::AGENT.disable!
+          logger.error('!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!')
+        elsif ::Contrast::AGENT.disabled?
+          logger.warn('Contrast disabled by configuration. Continuing without instrumentation.')
+        else
+          ::Contrast::AGENT.enable!
+        end
+      end
+
+      SECURITY_EXCEPTION_MARKER = 'Contrast::SecurityException'
+      # We're only going to suppress SecurityExceptions indicating a blocked attack. And, only if the
+      # config.agent.ruby.exceptions.capture? is set
+      def handle_exception exception
+        if security_exception?(exception)
+          exception_control = ::Contrast::AGENT.exception_control
+          raise exception unless exception_control[:enable]
+
+          [exception_control[:status], {}, [exception_control[:message]]]
+        else
+          logger.debug('Re-throwing original error', exception)
+          raise exception
+        end
+      end
+
+      # Is the given exception one raised by our Protect code?
+      #
+      # @param exception [Exception]
+      # @return [Boolean]
+      def security_exception? exception
+        exception.is_a?(Contrast::SecurityException) || exception.message&.include?(SECURITY_EXCEPTION_MARKER)
+      end
+
+      # As we deprecate support to prepare to remove dead code, we need to inform our users still relying on the now
+      # deprecated and soon to be removed functionality. This method handles doing that by leveraging the standard
+      # Kernel#warn approach
+      def inform_deprecations
+        # Ruby 2.5 is currently in security maintenance, meaning int is only receiving updates for security issues. It
+        # will move to eol on 31 March 2021. As such, we can remove support for it in Q3. We'll begin the deprecation
+        # warnings now so that customers have time to reach out if they'll be impacted.
+        # TODO: RUBY-715 remove this part of the method, leaving it empty if there are no other deprecations, when we
+        #   drop 2.5 support.
+        return unless RUBY_VERSION < '2.6.0'
+
+        Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.5 will be removed in April 2021. '\
+                    'Please contact Customer Support prior if you require continued support.')
+      end
+
+      # Displays Telemetry disclaimer if Telemetry is enabled.
+      # if .telemetry file doesn't exist we create one and then show the disclaimer.
+      # if the file already exists we do nothing.
+      def telemetry_disclaimer
+        return unless Contrast::Agent::Telemetry.enabled?
+        return unless Contrast::Utils::Telemetry.create_telemetry_file
+
+        logger.info Contrast::Utils::Telemetry.disclaimer
+        $stdout.print Contrast::Utils::Telemetry.disclaimer
+        true
+      end
+
+      def application_code env
+        logger.trace_with_time('application') do
+          app.call(env)
+        end
+      rescue Contrast::SecurityException => e
+        logger.trace('Security Exception raised during application lifecycle to prevent an attack', e)
+        raise e
+      end
+    end
+  end
+end

data/lib/contrast/utils/net_http_base.rb

@@ -0,0 +1,158 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'net/http'
+require 'contrast/components/logger'
+require 'contrast/utils/object_share'
+require 'socket'
+
+module Contrast
+  module Utils
+    # This module creates a Net::HTTP client base to be used by different services
+    # All HTTP clients reporting to Telemetry or TS should inherit from this
+    class NetHttpBase
+      include Contrast::Components::Logger::InstanceMethods
+      # This method initializes the Net::HTTP client we'll need. it will validate
+      # the connection and make the first request. If connection is valid and response
+      # is available then the open connection is returned.
+      #
+      # @param service_name [String] Name of service used in logging messages
+      # @param url [String]
+      # @param use_proxy [Boolean] flag used to indicate proxy connections [default = false]
+      # @param use_custom_cert [Boolean] flag used to indicate whether the client is to use
+      # self signed certificates provided by config [default = false]
+      # @return [Net::HTTP, nil] Return open connection or nil
+      def initialize_connection service_name, url, use_proxy = false, use_custom_cert = false
+        return unless url
+
+        addr = URI(url)
+        # the proxy is enabled only if there is provided url even if the enable is set to true
+        return if addr.host.nil? || addr.port.nil? || addr.scheme != 'https'
+
+        proxy_addr = URI(Contrast::API.proxy_url) if proxy_enabled?
+        net_http_client = initialize_client addr, proxy_addr, use_proxy, use_custom_cert
+        return if net_http_client.nil?
+
+        net_http_client.start
+        return unless net_http_client.started?
+
+        logger.warn("Starting #{ service_name } connection test")
+        return unless connection_verified? net_http_client
+
+        net_http_client
+      rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, OpenSSL::SSL::SSLError => e
+        logger.warn("#{ service_name } connection failed", e.message)
+        nil
+      end
+
+      # Validates connection with assigned domain.
+      # If connection is running, SSL certificate of the endpoint is valid, Ip address is resolvable
+      # and response is received without peer's reset or refuse of connection,
+      # then validation returns true. Error handling is in place so that the work of the agent will continue as
+      # normal without Telemetry.
+      #
+      # @param client [Net::HTTP]
+      # @return [Boolean] true | false
+      def connection_verified? client
+        return @_connection_verified unless @_connection_verified.nil?
+        return false if client.nil?
+
+        # Before RUBY 2.7 there is no #ipaddr
+        ipaddr = if RUBY_VERSION < '2.7.0'
+                   socket = TCPSocket.open(client.address, client.port)
+                   ipaddr = socket.peeraddr[3]
+                   socket.close
+                   ipaddr
+                 else
+                   client.ipaddr
+                 end
+        response = client.request(Net::HTTP::Get.new(client.address))
+        verify_cert = OpenSSL::SSL.verify_certificate_identity(client.peer_cert, client.address)
+        resolved = resolved? client.address, ipaddr
+        @_connection_verified = if resolved && response && verify_cert
+                                  true
+                                else
+                                  false
+                                end
+      rescue OpenSSL::SSL::SSLError, Resolv::ResolvError, Errno::ECONNRESET, Errno::ECONNREFUSED,
+             Errno::ETIMEDOUT, Errno::ESHUTDOWN, Errno::EHOSTDOWN, Errno::EHOSTUNREACH, Errno::EISCONN,
+             Errno::ECONNABORTED, Errno::ENETRESET, Errno::ENETUNREACH => e
+
+        logger.warn("#{ service_name } connection failed", e.message)
+        false
+      end
+
+      private
+
+      # Resolves the address of the assigned domain to array of corresponding IPs (if more than one)
+      # and runs a matcher to see if current connection IP is in the list.
+      # This is called within #verify_connection, if called on it's own there will be no
+      # error handling.
+      #
+      # @param address [String] Human friendly address of assigned domain
+      # @param ipaddr [String] Machine friendly IP address of the assigned domain
+      # @return[Boolean] true if both addresses are resolved | false if one of the addresses
+      # is non-resolvable
+      def resolved? address, ipaddr
+        return @_resolved unless @_resolved.nil?
+
+        @_resolved = if (addresses = Resolv.getaddresses address)
+                       addresses.any? { |addr| addr.include?(ipaddr) }
+                     else
+                       false
+                     end
+      end
+
+      # if the configuration for the use of self-signed certificates is enabled
+      # and required for this client then assign the files and keys to the client
+      #
+      # @param client [Net::HTTP]
+      def assign_cert client
+        if Contrast::API.certification_ca_file
+          client.ca_file = OpenSSL::X509::Certificate.new(File.read(Contrast::API.certification_ca_file)).to_s
+        elsif Contrast::API.certification_cert_file
+          client.cert = OpenSSL::X509::Certificate.new(File.read(Contrast::API.certification_cert_file)).to_s
+        elsif Contrast::API.certification_key_file
+          client.key = OpenSSL::PKey::RSA.new(File.read(Contrast::API.certification_key_file)).to_s
+        end
+      rescue Errno::ENOENT => e
+        logger.error('Custom certificates failed', e.message)
+      end
+
+      # sets default setting for client validation of certificates and
+      # timeout options
+      #
+      # @param addr [URI::Generic] uri of assigned domain
+      # @param proxy_addr [URI::Generic | nil] uri of proxy
+      # @param use_proxy [Boolean] flag used to indicate proxy connections [default = false]
+      # @param use_custom_cert [Boolean] flag used to indicate whether the client is to use
+      # self signed certificates provided by config [default = false]
+      # @return [Net::HTTP]
+      def initialize_client addr, proxy_addr, use_proxy, use_custom_cert
+        initialize_client = if proxy_enabled? && use_proxy
+                              Net::HTTP.new(addr.host, nil, proxy_addr&.host, proxy_addr&.port)
+                            else
+                              Net::HTTP.new(addr.host, addr.port)
+                            end
+        assign_cert(initialize_client) if use_custom_cert && Contrast::API.certification_enabled?
+        initialize_client.use_ssl = true
+        initialize_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        initialize_client.verify_depth = 5
+        # open connection timeout in ms
+        # if connection reaches timeout this will produce Net::OpenTimeout error
+        initialize_client.open_timeout = 10
+        # if we can't read the response or a chunk within time this will cause a
+        # Net::ReadTimeout error when the request is made
+        initialize_client.read_timeout = 10
+        initialize_client
+      end
+
+      # Check if proxy is enabled
+      #
+      # @return @_proxy_enabled [Boolean] True if proxy is enabled and url is present else false
+      def proxy_enabled?
+        @_proxy_enabled ||= Contrast::API.proxy_enabled? && !Contrast::API.proxy_url.nil? if @_proxy_enabled.nil?
+      end
+    end
+  end
+end

data/lib/contrast/utils/object_share.rb

@@ -30,6 +30,7 @@ module Contrast
       SEMICOLON =     ';'
       SINGLE_QUOTE =  '\''
       SLASH =         '/'
+      SPACE =         ' '
       UNDERSCORE =    '_'
       DOUBLE_UNDERSCORE = '__'
       AT =            '@'

data/lib/contrast/utils/os.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/scope'
+require 'cs__os_information/cs__os_information'
 
 module Contrast
   module Utils
@@ -31,6 +32,28 @@ module Contrast
             zombie_pid_list.split("\n")
           end
         end
+
+        # Check current OS type
+        # returns true if check is correct or false if not
+        def windows?
+          (/cygwin|mswin|mingw|bccwin|wince|emx/ =~ RUBY_PLATFORM) != nil
+        end
+
+        def mac?
+          RUBY_PLATFORM.include? 'darwin'
+        end
+
+        def unix?
+          !windows?
+        end
+
+        def linux?
+          unix? and !mac?
+        end
+
+        def jruby?
+          RUBY_ENGINE == 'jruby'
+        end
       end
     end
   end

data/lib/contrast/utils/patching/policy/patch_utils.rb

@@ -0,0 +1,232 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Patching
+      # This module will include all methods for different patch applies from Patch module
+      # and some other module methods from the same place, so we can ease the main module
+      module PatchUtils
+        # Method to choose which replaced return from the post_patch to
+        # actually return
+        #
+        # @param propagated_ret [Object, nil] The replaced return from the
+        #   propagation patch.
+        # @param source_ret [Object, nil] The replaced return from the
+        #   source patch.
+        # @param ret [Object, nil] The original return of the patched
+        #   method.
+        # @return [Object, nil] The thing to return from the post patch.
+        def handle_return propagated_ret, source_ret, ret
+          safe_return = propagated_ret || source_ret || ret
+          safe_return.rewind if Contrast::Utils::IOUtil.should_rewind?(safe_return)
+          safe_return
+        end
+
+        # Given a module and method, construct an expected name for the
+        # alias by which Contrast will reference the original.
+        #
+        # @param patched_class [Module] the module being patched
+        # @param patched_method [Symbol] the method being patched
+        # @return [Symbol]
+        def build_method_name patched_class, patched_method
+          (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
+            patched_class.cs__name.gsub('::', '_').downcase +
+            Contrast::Utils::ObjectShare::UNDERSCORE +
+            patched_method.to_s).to_sym
+        end
+
+        # Given a method, return a symbol in the format
+        # <method_start>_unbound_<method_name>
+        def build_unbound_method_name patcher_method
+          (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
+            'unbound' +
+            Contrast::Utils::ObjectShare::UNDERSCORE +
+            patcher_method.to_s).to_sym
+        end
+
+        # ===== PATCH APPLIERS =====
+        # THIS IS CALLED FROM C. Do not change the signature lightly.
+        #
+        # This method functions to call the infilter methods from our
+        # patches, allowing for analysis and reporting at the point just
+        # before the patched code is invoked.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   Mapping of the triggers on the given method.
+        # @param method [Symbol] The method into which we're patching
+        # @param exception [StandardError] Any exception raised during the
+        #   call of the patched method.
+        # @param object [Object] The object on which the method is invoked,
+        #   typically what would be returned by self.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        def apply_pre_patch method_policy, method, exception, object, args
+          apply_protect(method_policy, method, exception, object, args)
+          apply_inventory(method_policy, method, exception, object, args)
+        rescue Contrast::SecurityException => e
+          # We were told to block something, so we gotta. Don't catch this
+          # one, let it get back to our Middleware or even all the way out to
+          # the framework
+          raise e
+        rescue StandardError => e
+          # Anything else was our bad and we gotta catch that to allow for
+          # normal application flow
+          logger.error('Unable to apply pre patch to method.', e)
+        rescue Exception => e # rubocop:disable Lint/RescueException
+          # This is something like NoMemoryError that we can't
+          # hope to handle.  Nonetheless, shouldn't leak scope.
+          exit_contrast_scope!
+          raise e
+        end
+
+        # THIS IS CALLED FROM C. Do not change the signature lightly.
+        #
+        # This method functions to call the infilter methods from our
+        # patches, allowing for analysis and reporting at the point just
+        # after the patched code is invoked
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   Mapping of the triggers on the given method.
+        # @param preshift [Contrast::Agent::Assess::PreShift] The capture
+        #   of the state of the code just prior to the invocation of the
+        #   patched method.
+        # @param object [Object] The object on which the method was
+        #   invoked, typically what would be returned by self.
+        # @param ret [Object] The return of the method that was invoked.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        # @param block [Proc] The block passed to the method that was
+        #   invoked.
+        def apply_post_patch method_policy, preshift, object, ret, args, block
+          apply_assess(method_policy, preshift, object, ret, args, block)
+        rescue StandardError => e
+          logger.error('Unable to apply post patch to method.', e)
+        end
+
+        # Apply the Protect patch which applies to the given method.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   Mapping of the triggers on the given method.
+        # @param method [Symbol] The method into which we're patching
+        # @param exception [StandardError] Any exception raised during the
+        #   call of the patched method.
+        # @param object [Object] The object on which the method is invoked,
+        #   typically what would be returned by self.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        def apply_protect method_policy, method, exception, object, args
+          return unless ::Contrast::AGENT.enabled?
+          return unless ::Contrast::PROTECT.enabled?
+
+          apply_trigger_only(method_policy&.protect_node, method, exception, object, args)
+        end
+
+        # Apply the Inventory patch which applies to the given method.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   Mapping of the triggers on the given method.
+        # @param method [Symbol] The method into which we're patching
+        # @param exception [StandardError] Any exception raised during the
+        #   call of the patched method.
+        # @param object [Object] The object on which the method is invoked,
+        #   typically what would be returned by self.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        def apply_inventory method_policy, method, exception, object, args
+          return unless ::Contrast::INVENTORY.enabled?
+
+          apply_trigger_only(method_policy&.inventory_node, method, exception, object, args)
+        end
+
+        # Apply the Assess patches which apply to the given method.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   Mapping of the triggers on the given method.
+        # @param preshift [Contrast::Agent::Assess::PreShift] The capture
+        #   of the state of the code just prior to the invocation of the
+        #   patched method.
+        # @param object [Object] The object on which the method was
+        #   invoked, typically what would be returned by self.
+        # @param ret [Object] The return of the method that was invoked.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        # @param block [Proc] The block passed to the method that was
+        #   invoked.
+        def apply_assess method_policy, preshift, object, ret, args, block
+          source_ret = nil
+          propagated_ret = nil
+          return ret unless method_policy && ::Contrast::ASSESS.enabled?
+
+          current_context = Contrast::Agent::REQUEST_TRACKER.current
+          return ret if current_context && !current_context.analyze_request?
+
+          trigger_node = method_policy.trigger_node
+          if trigger_node
+            Contrast::Agent::Assess::Policy::TriggerMethod.apply_trigger_rule(trigger_node, object, ret, args)
+          end
+          if method_policy.source_node
+            # If we were given a frozen return, and it was the target of a
+            # source, and we have frozen sources enabled, we'll need to
+            # replace the return. Note, this is not the default case.
+            source_ret = Contrast::Agent::Assess::Policy::SourceMethod.source_patchers(method_policy, object, ret, args)
+          end
+          if method_policy.propagation_node
+            propagated_ret = Contrast::Agent::Assess::Policy::PropagationMethod.apply_propagation(
+                method_policy,
+                preshift,
+                object,
+                source_ret || ret,
+                args,
+                block)
+          end
+          handle_return(propagated_ret, source_ret, ret)
+        rescue StandardError => e
+          logger.error('Unable to assess method call.', e)
+          handle_return(propagated_ret, source_ret, ret)
+        rescue Exception => e # rubocop:disable Lint/RescueException
+          logger.error('Unable to assess method call.', e)
+          handle_return(propagated_ret, source_ret, ret)
+          raise e
+        end
+
+        # Generic invocation of the Inventory or Protect patch which apply
+        # to the given method.
+        #
+        # @param trigger_node [Contrast::Agent::Inventory::Policy::TriggerNode]
+        #   Mapping of the specific trigger on the given method.
+        # @param method [Symbol] The method into which we're patching
+        # @param exception [StandardError] Any exception raised during the
+        #   call of the patched method.
+        # @param object [Object] The object on which the method is invoked,
+        #   typically what would be returned by self.
+        # @param args [Array<Object>] The arguments passed to the method
+        #   being invoked.
+        def apply_trigger_only trigger_node, method, exception, object, args
+          return unless trigger_node
+
+          # If that rule only applies in the case of an exception being
+          # thrown and there's no exception here, move along, or vice versa
+          return if trigger_node.on_exception && !exception
+          return if !trigger_node.on_exception && exception
+
+          # Each patch has an applicator that handles logic for it. Think
+          # of this as being similar to propagator actions, most closely
+          # resembling CUSTOM - they all have a common interface but their
+          # own logic based on what's in the method(s) they've been patched
+          # into.
+          # Each patch also knows the method of its applicator. Some
+          # things, like AppliesXxeRule, have different methods depending
+          # on the library patched. This lets us handle the boilerplate of
+          # patching while still allowing for custom handling of the
+          # methods.
+          applicator_method = trigger_node.applicator_method
+          # By calling send like this, we can reuse all the patching.
+          # We `send` to the given method of the given class
+          # (applicator) since they all accept the same inputs
+          trigger_node.applicator.send(applicator_method, method, exception, trigger_node.properties, object, args)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/patching/policy/patcher_utils.rb

@@ -0,0 +1,54 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Patching
+      # This module will include patch methods from Patcher module
+      # in case of need to add new logic to the Patcher
+      # please do it here
+      module PatcherUtils
+        # This method is called by TracePointHook to instrument a specific class during a require
+        # or eval of dynamic class definition
+        def patch_specific_module mod
+          with_contrast_scope do
+            mod_name = mod.cs__name
+            return unless Contrast::Utils::ClassUtil.truly_defined?(mod_name)
+            return if ::Contrast::AGENT.skip_instrumentation?(mod_name)
+
+            load_patches_for_module(mod_name)
+
+            return if all_module_names.none?(mod_name)
+
+            module_data = Contrast::Agent::ModuleData.new(mod, mod_name)
+            patch_into_module(module_data)
+            all_module_names.delete(mod_name) if status_type.get_status(mod).patched?
+          rescue StandardError => e
+            logger.error('Unable to patch module', e, module: mod_name)
+          end
+        end
+
+        # We did it, team. We found a patcher(s) that applies to the given
+        # class (or module) and the given method. Time to do some tracking.
+        #
+        # @param mod [Module] the module in which the patch should be
+        #   placed.
+        # @param methods [Array(Symbol)] all the instance or singleton
+        #   methods in this mod.
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
+        #   the policy that applies to the given method_name.
+        # @return [Boolean] if patched, either by this invocation or a
+        #   previous, or not
+        def patch_method mod, methods, method_policy
+          return false unless methods&.any? # don't even build the name if there are no methods
+
+          if Contrast::Utils::ClassUtil.prepended_method?(mod, method_policy)
+            Contrast::Agent::Patching::Policy::Patch.instrument_with_prepend(mod, method_policy)
+          else
+            Contrast::Agent::Patching::Policy::Patch.instrument_with_alias(mod, methods, method_policy)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/request_utils.rb

@@ -0,0 +1,88 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # used in Contrast::Agent::Request
+    module RequestUtils
+      # Return a flattened hash of params with realized paths for keys, in
+      # addition to a separate, valueless, entry for each nest key.
+      # See RUBY-621 for more details.
+      # { key : { nested_key : ['x','y','z' ] } }
+      # becomes
+      # {
+      #   key[nested_key][0] : 'x'
+      #   key[nested_key][1] : 'y'
+      #   key[nested_key][2] : 'z'
+      #   key :                ''
+      #   nested_key :         ''
+      # }
+      def normalize_params val, prefix: nil
+        # In non-recursive invocations, val should always be a Hash
+        # (rather than breaking this out into two methods)
+        case val
+        when Tempfile
+          # Skip if it's the auto-generated value from rails when it handles
+          # file uploads. The file name will still be sent to SR for analysis.
+          {}
+        when Hash
+          res = val.each_with_object({}) do |(k, v), hash|
+            k = Contrast::Utils::StringUtils.force_utf8(k)
+            nested_prefix = prefix.nil? ? k : "#{ prefix }[#{ k }]"
+            hash[k] = Contrast::Utils::ObjectShare::EMPTY_STRING
+            hash.merge! normalize_params(v, prefix: nested_prefix)
+          end
+          res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
+          res
+        when Enumerable
+          idx = 0
+          res = {}
+          while idx < val.length
+            res.merge! normalize_params(val[idx], prefix: "#{ prefix }[#{ idx }]")
+            idx += 1
+          end
+          res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
+          res
+        else
+          { prefix => Contrast::Utils::StringUtils.force_utf8(val) }
+        end
+      end
+
+      def read_body body
+        return body if body.is_a?(String)
+
+        begin
+          can_rewind = Contrast::Utils::DuckUtils.quacks_to?(body, :rewind)
+          # if we are after a middleware that failed to rewind
+          body.rewind if can_rewind
+          body.read
+        rescue StandardError => e
+          logger.error('Error in attempt to read body', message: e.message)
+          logger.trace('With Stack', e)
+          body.to_s
+        ensure
+          # be a good citizen and rewind
+          body.rewind if can_rewind
+        end
+      end
+
+      def traverse_parsed_multipart multipart_data, current_names
+        return current_names unless multipart_data
+
+        multipart_data.each_value do |data_value|
+          next unless data_value.is_a?(Hash)
+
+          tempfile = data_value[:tempfile]
+          if tempfile.nil?
+            traverse_parsed_multipart(data_value, current_names)
+          else
+            name = data_value[:name].to_s
+            file_name = data_value[:filename].to_s
+            current_names[name] = file_name
+          end
+        end
+        current_names
+      end
+    end
+  end
+end