contrast-agent 4.11.0 → 4.14.0

data/lib/contrast/agent/assess/policy/propagator/center.rb

@@ -24,7 +24,7 @@ module Contrast
                 end
 
                 # find original in the target, copy tags to the new position in target
-                original_start_index = target[0..target.length / 2 + 1].rindex(source1)
+                original_start_index = target[0..(target.length / 2) + 1].rindex(source1)
                 original_start_index ||= 1
                 properties.copy_from(source1, target, original_start_index, propagation_node.untags)
 

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -13,6 +13,8 @@ module Contrast
           class DatabaseWrite < Contrast::Agent::Assess::Policy::Propagator::Base
             class << self
               def propagate propagation_node, preshift, target
+                return unless Contrast::ASSESS.require_dynamic_sources?
+
                 class_type = preshift.object.cs__class
                 class_name = class_type.cs__name
                 tainted_columns = {}

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/components/logger'
 require 'contrast/utils/duck_utils'
+require 'contrast/utils/substitution_utils'
 
 module Contrast
   module Agent
@@ -17,9 +18,7 @@ module Contrast
           class Substitution
             include Contrast::Components::Logger::InstanceMethods
             extend Contrast::Components::Logger::InstanceMethods
-
-            CAPTURE_GROUP_REGEXP = /\\[[:digit:]]/.cs__freeze
-            CAPTURE_NAME_REGEXP = /\\k<[[:alpha:]]/.cs__freeze
+            extend Contrast::Utils::SubstitutionUtils
 
             class << self
               # gsub is hard. there are four versions of this method
@@ -38,157 +37,6 @@ module Contrast
               def sub_tagger patcher, preshift, ret, block
                 substitution_tagger(patcher, preshift, ret, !block.nil?, false)
               end
-
-              private
-
-              def substitution_tagger patcher, preshift, ret, block, global = true
-                return ret unless ret
-
-                begin
-                  source = preshift.object
-                  self_tracked = Contrast::Agent::Assess::Tracker.tracked?(source)
-                  args = preshift.args[1]
-                  incoming_tracked = args && determine_tracked(args)
-                  return ret unless self_tracked || incoming_tracked
-
-                  parent_events = []
-                  if block
-                    block_sub(self_tracked, source, ret)
-                  elsif args.is_a?(String)
-                    string_sub(parent_events, self_tracked, preshift, ret, args, incoming_tracked, global)
-                  elsif args.is_a?(Hash)
-                    hash_sub(self_tracked, source, ret)
-                  else # Enumerator, only for gsub
-                    pattern_gsub(parent_events, preshift, ret)
-                  end
-
-                  if self_tracked
-                    source_properties = Contrast::Agent::Assess::Tracker.properties(source)
-                    parent_event = source_properties&.event
-                    parent_events.prepend(parent_event) if parent_event
-                  end
-                  string_build_event(parent_events, patcher, preshift, ret)
-                rescue StandardError => e
-                  logger.error('Unable to apply gsub propagator', e)
-                end
-                ret
-              end
-
-              def determine_tracked args
-                # if there's no arg, it can't be tracked
-                return false unless args
-
-                # if it's a string, just ask if it's tracked
-                case args
-                when String
-                  Contrast::Agent::Assess::Tracker.tracked?(args)
-                  # if it's a hash, ask if it has a tracked string
-                when Hash
-                  args.values.any? { |value| value.is_a?(String) && Contrast::Agent::Assess::Tracker.tracked?(value) }
-                  # this should never happen
-                else
-                  false
-                end
-              end
-
-              def string_sub parent_events, self_tracked, preshift, ret, incoming, incoming_tracked, global
-                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
-
-                incoming_properties = Contrast::Agent::Assess::Tracker.properties(incoming)
-                parent_events << incoming_properties&.event if incoming_properties&.event
-
-                source = preshift.object
-
-                # We can't efficiently find the places that things were
-                # copied from regexp / captures. Trading accuracy for
-                # performance
-                if incoming.match?(CAPTURE_GROUP_REGEXP) || incoming.match?(CAPTURE_NAME_REGEXP)
-                  properties.splat_from(source, ret) if self_tracked
-                  return
-                end
-
-                # if it's just a straight insert, that we can do
-                # Copy the tags from us to the return
-                ranges = find_string_sub_insert(properties, preshift, incoming, ret, global)
-
-                properties.delete_tags_at_ranges(ranges)
-                properties.shift_tags(ranges)
-                return unless incoming_tracked
-                return unless incoming_properties
-
-                tags = incoming_properties.tag_keys
-                ranges.each do |range|
-                  tags.each do |tag|
-                    properties.add_tag(tag, range)
-                  end
-                end
-              end
-
-              # Find the points at which the new String was placed into the original
-              #
-              # @param properties [Contrast::Agent::Assess::Properties] the Properties of the ret
-              # @param preshift [Contrast::Agent::Assess::PreShift] the capture of the state of the code just prior to
-              #   the invocation of the patched method
-              # @param incoming [String] the new String going into the substitution
-              # @param ret [String] the result of the substitution
-              # @param global [Boolean] if this was a global or single substitution
-              # @return [Array<Range>] the Ranges where substitution occurred
-              def find_string_sub_insert properties, preshift, incoming, ret, global
-                pattern = preshift.args[0]
-                source = preshift.object
-
-                properties.copy_from(source, ret)
-                # Figure out where inserts occurred
-                last_idx = 0
-                ranges = []
-                # For each insert, move the tag ranges
-                while last_idx
-                  idx = source.index(pattern, last_idx)
-                  break unless idx
-
-                  last_idx = idx ? idx + 1 : nil
-                  start_index = idx
-                  end_index = idx + incoming.length
-                  ranges << (start_index...end_index)
-                  break unless global
-                end
-                ranges
-              end
-
-              def block_sub self_tracked, source, ret
-                return unless self_tracked
-
-                properties = Contrast::Agent::Assess::Tracker.properties!(ret)
-                properties&.splat_from(source, ret)
-              end
-
-              def hash_sub self_tracked, source, ret
-                return unless self_tracked
-
-                properties = Contrast::Agent::Assess::Tracker.properties!(ret)
-                properties&.splat_from(source, ret)
-              end
-
-              def pattern_gsub parent_events, preshift, ret
-                source = preshift.object
-                return unless (source_properties = Contrast::Agent::Assess::Tracker.properties(source))
-                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
-
-                source_properties.tag_keys.each do |key|
-                  properties.add_tag(key, 0...1)
-                end
-                parent_event = source_properties.event
-                parent_events << parent_event if parent_event
-              end
-
-              def string_build_event parent_events, patcher, preshift, ret
-                return unless Contrast::Agent::Assess::Tracker.tracked?(ret)
-
-                properties = Contrast::Agent::Assess::Tracker.properties(ret)
-                args = preshift.args
-                properties.build_event(patcher, ret, preshift.object, ret, args, 2)
-                properties.event.instance_variable_set(:@_parent_events, parent_events)
-              end
             end
           end
         end

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -6,6 +6,7 @@ require 'contrast/agent/assess/policy/source_validation/source_validation'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/source_method_utils'
 
 module Contrast
   module Agent
@@ -16,6 +17,7 @@ module Contrast
         # used in Assess vulnerability detection.
         module SourceMethod
           extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Utils::Assess::SourceMethodUtils
 
           PARAMETER_TYPE     = 'PARAMETER'
           PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
@@ -133,15 +135,6 @@ module Contrast
                   !Contrast::Agent::Assess::Tracker.trackable?(key)
             end
 
-            # Safely duplicate the target, or return nil
-            #
-            # @param target [Object] the thing to check for duplication
-            def safe_dup target
-              target.dup
-            rescue StandardError => _e
-              nil
-            end
-
             # Hash is designed to keep one instance of the string key in it. We need to remove the existing one and
             # replace it with our new tracked one.
             def handle_hash_key target, to_replace
@@ -174,68 +167,6 @@ module Contrast
               properties.build_event(source_node, target, object, ret, args, source_type, source_name)
             end
 
-            # Find the name of the source
-            #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
-            #   event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [String, nil] the human readable name of the target to which this source event applies, or nil if
-            #   none provided by the node
-            def determine_source_name source_node, object, ret, *args
-              return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
-
-              source_node_source = source_node.sources[0]
-              case source_node_source
-              when nil
-                nil
-              when Contrast::Utils::ObjectShare::RETURN_KEY
-                ret
-              when Contrast::Utils::ObjectShare::OBJECT_KEY
-                object
-              else
-                args[source_node_source]
-              end
-            end
-
-            # Determine if we should analyze this method invocation for a Source or not. We should if we have enough
-            # information to build the context of this invocation, we're not disabled, and we can't immediately
-            # determine the invocation was done safely.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
-            #   method being called
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [boolean] if the invocation of this method should be analyzed
-            def analyze? method_policy, object, ret, args
-              return false unless method_policy&.source_node
-              return false unless ::Contrast::ASSESS.enabled?
-              return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
-
-              !safe_invocation?(method_policy.source_node, object, ret, args)
-            end
-
-            # Determine if the method was invoked safely.
-            #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
-            #   event
-            # @param _object [Object] the Object on which the method was invoked
-            # @param _ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [boolean] if the invocation of this method was safe
-            def safe_invocation? source_node, _object, _ret, args
-              # According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
-              # from the Request will start with HTTP_. As such, only Headers with that key should be considered for
-              # tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
-              # instance, uses action_dispatch. to store several values. Technically, you can't call
-              # Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
-              source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
-                  args&.any? &&
-                  !args[0].to_s.start_with?('HTTP_')
-            end
-
             # Find the literal target of the propagation
             #
             # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -6,6 +6,8 @@ require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/trigger_method_utils'
+require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
 
 module Contrast
   module Agent
@@ -15,8 +17,9 @@ module Contrast
         # Contrast::Agent::Assess::Policy::TriggerNode class. Each such method will call to this module just after
         # invocation in order to determine if the call was done safely. In those cases where it was not, a Finding
         # report is issued to the Service.
-        module TriggerMethod
+        module TriggerMethod # rubocop:disable Metrics/ModuleLength
           extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Utils::Assess::TriggerMethodUtils
 
           # The level of TeamServer compliance our traces meet when in the abnormal condition of being dataflow rules
           # without routes.
@@ -50,6 +53,14 @@ module Contrast
               apply_trigger(trigger_node, source, object, ret, *args)
             end
 
+            def append_to_finding finding, trigger_node, source, object, ret, request, *args
+              finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
+              finding.version = determine_compliance_version(finding)
+              append_events(finding, trigger_node, source, object, ret, args)
+              append_route(finding, request)
+              append_hash(finding, source, request)
+            end
+
             # This converts the source of the finding, and the events leading up to it into a Finding
             #
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
@@ -61,18 +72,21 @@ module Contrast
             # @return [Contrast::Api::Dtm::Finding, nil] the Contrast::Api::Dtm::Finding to send to TeamServer or
             #   nil if conditions were not met
             def build_finding trigger_node, source, object, ret, *args
+              content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
+
+              if content_type.nil? && trigger_node.collectable?
+                Contrast::Agent::FINDINGS.collect_finding trigger_node, source, object, ret, *args
+                return
+              end
+
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
 
               request = find_request(source)
               return unless reportable?(request&.env)
 
+              handle_new_finding trigger_node, source, object, ret, request, *args
               finding = Contrast::Api::Dtm::Finding.new
-              finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
-
-              append_events(finding, trigger_node, source, object, ret, args)
-              append_route(finding, request)
-              append_hash(finding, source, request)
-              finding.version = determine_compliance_version(finding)
+              append_to_finding finding, trigger_node, source, object, ret, request, *args
               logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
                                               rule: trigger_node.rule_id)
               report_finding(finding, request)
@@ -84,6 +98,8 @@ module Contrast
             # activity message does not exist, b/c we're invoked outside of a request context, build an activity and
             # immediately report it with the finding.
             #
+            # TODO: RUBY-1351
+            #
             # @param finding [Contrast::Api::Dtm::Finding] the Finding to report.
             # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
             def report_finding finding, request = nil
@@ -106,66 +122,37 @@ module Contrast
               Contrast::Agent.messaging_queue.send_event_eventually(activity)
             end
 
-            private
+            def handle_new_finding trigger_node, source, object, ret, request, *args
+              return unless Contrast::Agent::Reporter.enabled?
 
-            # A request is reportable if it is not from ActionController::Live
-            #
-            # @param env [Hash] the env of the Request
-            # @return [Boolean]
-            def reportable? env
-              !(defined?(ActionController::Live) &&
-                env &&
-                env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
+              new_finding_and_reporting trigger_node, source, object, ret, request, *args
             end
 
-            # Find the request for this finding. This assumes, for now, that if there is an active request, then that
-            # is the request to report. Otherwise, we'll use the first request found in the events of the
-            # source_object.
-            #
-            # @param source [Object,nil] some Object used as the source of a trigger event
-            # @return [Contrast::Agent::Request,nil] the request from which the dataflow on the request originated.
-            def find_request source
-              return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
-              return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
-
-              properties.events.each do |event|
-                next unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
-
-                return event.request if event.request
-              end
-              nil
+            def new_finding_and_reporting trigger_node, source, object, ret, request, *args
+              # sent to reporter
+              # here we will generate new type of finding
+              ruby_finding = Contrast::Agent::Reporting::Finding.new trigger_node.rule_id
+              ruby_finding.attach_data trigger_node, source, object, ret, request, *args
+              hash_code = Contrast::Utils::HashDigest.generate_event_hash(ruby_finding, source, request)
+              ruby_finding.hash_code = hash_code
+              # save the current finding
+              Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
+
+              new_preflight = Contrast::Agent::Reporting::Preflight.new
+              new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
+              new_preflight_message.routes << request
+              new_preflight_message.hash_code = hash_code
+              new_preflight_message.data = "#{ trigger_node.rule_id },#{ hash_code }"
+              new_preflight.messages << new_preflight_message
+              Contrast::Agent.reporter_queue.send_event_immediately(new_preflight)
             end
 
+            private
+
             def settings
               Contrast::Agent::FeatureState.instance
             end
 
-            # This is our method that actually checks the taint on the object our trigger_node targets.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
-            #   trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_trigger trigger_node, source, object, ret, *args
-              return unless trigger_node
-              return if trigger_node.rule_disabled?
-              return if trigger_node.dataflow? && source.nil?
-
-              if trigger_node.regexp_rule?
-                apply_regexp_rule(trigger_node, source, object, ret, *args)
-              elsif trigger_node.custom_trigger?
-                trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
-              elsif trigger_node.dataflow?
-                apply_dataflow_rule(trigger_node, source, object, ret, *args)
-              else # trigger rule - just calling the method is dangerous
-                build_finding(trigger_node, source, object, ret, *args)
-              end
-            rescue StandardError => e
-              logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
-            end
-
             # Given the marker from the trigger_node (the pointer indicating the entity from which the taint
             # originated), return the entity on which this trigger needs to operate.
             #
@@ -199,58 +186,6 @@ module Contrast
               end
             end
 
-            # This is our method that actually checks the taint on the object our trigger_node targets for our Regexp
-            # based rules.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
-            #   trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_regexp_rule trigger_node, source, object, ret, *args
-              return unless source.is_a?(String)
-              return if trigger_node.good_value && source.match?(trigger_node.good_value)
-              return if trigger_node.bad_value && source !~ trigger_node.bad_value
-
-              build_finding(trigger_node, source, object, ret, *args)
-            end
-
-            # This is our method that actually checks the taint on the object our trigger_node targets for our Dataflow
-            # based rules.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
-            #   trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_dataflow_rule trigger_node, source, object, ret, *args
-              return unless source
-
-              if Contrast::Agent::Assess::Tracker.trackable?(source)
-                return unless Contrast::Agent::Assess::Tracker.tracked?(source)
-                return unless trigger_node.violated?(source)
-
-                build_finding(trigger_node, source, object, ret, *args)
-              elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
-                source.each_pair do |key, value|
-                  apply_dataflow_rule(trigger_node, key, object, ret, *args)
-                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
-                end
-              elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
-                source.each do |value|
-                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
-                end
-              else
-                logger.debug('Trigger source is untrackable. Unable to inspect.',
-                             node_id: trigger_node.id,
-                             source_id: source.__id__,
-                             source_type: source.cs__class.cs__name,
-                             frozen: source.cs__frozen?)
-              end
-            end
-
             def append_events finding, trigger_node, source, object, ret, args
               append_from_source(finding, source)
               finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret,

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -14,7 +14,7 @@ module Contrast
         # specifically for those methods which result in the trigger of a
         # vulnerability (indicate points in the application where uncontrolled
         # user input can do damage).
-        class TriggerNode < PolicyNode
+        class TriggerNode < PolicyNode # rubocop:disable Metrics/ClassLength
           JSON_BAD_VALUE = 'bad_value'
           JSON_GOOD_VALUE = 'good_value'
           JSON_DISALLOWED_TAGS = 'disallowed_tags'
@@ -22,6 +22,10 @@ module Contrast
           JSON_RULE_NAME = 'name'
           JSON_CUSTOM_PATCH = 'custom_patch'
 
+          # Our list with rules to be collected and reported back when we have response
+          # from the application. Some rules rely on Content-Type validation.
+          COLLECTABLE_RULES = %w[reflected-xss].cs__freeze
+
           attr_reader :rule_id, :required_tags, :disallowed_tags, :good_value, :bad_value
 
           def initialize trigger_hash = {}, rule_hash = {}
@@ -67,6 +71,10 @@ module Contrast
             :TYPE_METHOD
           end
 
+          def collectable?
+            COLLECTABLE_RULES.include?(rule_id)
+          end
+
           def rule_disabled?
             ::Contrast::ASSESS.rule_disabled?(rule_id)
           end
@@ -104,8 +112,7 @@ module Contrast
 
             properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties,
-                                                     required_tags)
+            vulnerable_ranges = ranges_with_all_tags(properties, required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 
@@ -161,8 +168,8 @@ module Contrast
             @disallowed_tags << LIMITED_CHARS
             @disallowed_tags << CUSTOM_ENCODED
             @disallowed_tags << CUSTOM_VALIDATED
-            @disallowed_tags << ENCODER_START + loud_name
-            @disallowed_tags << VALIDATOR_START + loud_name
+            @disallowed_tags << (ENCODER_START + loud_name)
+            @disallowed_tags << (VALIDATOR_START + loud_name)
           end
 
           def validate_rule_tags tags
@@ -170,49 +177,56 @@ module Contrast
 
             tags.each do |tag|
               raise(ArgumentError, "Rule #{ rule_id } had an invalid tag. #{ tag } is not a known value.") unless
-                  Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
-                      Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
+                Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
+                    Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
             end
           end
 
           # Find the ranges that satisfy all of the given tags.
           #
-          # @param length [Integer] the length of the object which may have the
-          #   given tags -- used as the maximum index to search for all of the
-          #   tags.
           # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
           # @param required_tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def ranges_with_all_tags length, properties, required_tags
+          def ranges_with_all_tags properties, required_tags
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless matches_tags?(properties, required_tags)
 
-            ranges = []
             chunking = false
+            ranges = []
+            # find the start and end range of required tags:
+            search_ranges = find_required_ranges properties, required_tags
+            start_range = search_ranges.first
+            end_range = search_ranges.last + 1
+
             # find all the indicies on the source that have all the given tags
-            (0..length).each do |idx|
-              tags_at = properties.tags_at(idx).to_a
+            while start_range < end_range
+
+              tags_at = properties.tags_at(start_range).to_a
               # only those that have all the required tags in the tags_at
               # satisfy the requirement
               satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
               # if this range matches all the required tags and we're already
               # chunking, meaning the previous range matched, do nothing
-              next if satisfied && chunking
 
               # if we are satisfied and we were not chunking, this represents
               # the start of the next range, so create a new entry.
               if satisfied
-                ranges << Contrast::Agent::Assess::Tag.new('required', 0, idx)
+                if chunking
+                  start_range += 1
+                  next
+                end
+                ranges << Contrast::Agent::Assess::Tag.new('required', 0, start_range)
                 chunking = true
-              # if we are chunking and not satisfied, this represents the end
-              # of the range, meaning the last index is what satisfied the
-              # range. Because the range is exclusive end, we can just use this
-              # index.
+                # if we are chunking and not satisfied, this represents the end
+                # of the range, meaning the last index is what satisfied the
+                # range. Because the range is exclusive end, we can just use this
+                # index.
               elsif chunking
-                ranges[-1]&.update_end(idx)
+                ranges[-1]&.update_end(start_range)
                 chunking = false
               end
+              start_range += 1
             end
             ranges
           end
@@ -265,6 +279,33 @@ module Contrast
 
             true
           end
+
+          # Range finder helper for #ranges_with_all_tags
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param required_tags [Set<String>] the list of tags on which to match
+          # @return [Array] of required tags ranges to search
+          def find_required_ranges properties, required_tags
+            start_range = 0
+            end_range = 0
+            required_tags_arr = required_tags.to_a
+            idx = 0
+
+            while idx < required_tags_arr.length
+              # find the start and end range of required tags:
+              start_temp = properties.fetch_tag(required_tags_arr[idx])[0].start_idx
+              end_temp = properties.fetch_tag(required_tags_arr[idx])[0].end_idx
+              # first iteration only
+              start_range = start_temp if idx.zero?
+              end_range = end_temp if idx.zero?
+
+              # find the tag with smallest ranges
+              start_range = start_temp if start_range < start_temp
+              end_range = end_temp if end_range > end_temp
+              idx += 1
+            end
+            [start_range, end_range]
+          end
         end
       end
     end