contrast-agent 4.12.0 → 4.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6a0a50913c5c680462f9afd79070ca1f3d46d09d66ffdb943b1dc778f84830d6
-  data.tar.gz: bb3254c6a2cdc2b4add4e09b4bf1ed63c6a640f0dd82824db2769b911aacf96b
+  metadata.gz: 469e09f0e64dcdb68643154ca601b20b8f61d634789dec642a374d6a51671fec
+  data.tar.gz: e4053b76ef09eaf13ee1cf09418d5ae50cd5e518b5e69f611c0a22d15a9bcd4d
 SHA512:
-  metadata.gz: 78d5e66ee3ab7408e94348f6c2998e73cd78227a8b75cffa7add261b771092d470431ce8e44357dfb7d1a178e03e5033efc9f7a4c974a979f9dea88b2c55a3ec
-  data.tar.gz: d20f41b563778d84e63e4db7a9399e666a85fe1a2343772258f5248cd139f02e6a6bea33e51d9e5a0f954b1e2b4683ec08f3db7a52ab5a6990f7d725d2bc3dea
+  metadata.gz: 311a76a16c063b1d3afe09921e82efa59ea6367165d78fb26c833ab1dcf1e0daba2c3a0bf3597651cd86d146f4480004e916bb78842c6d8185f824dc768c204d
+  data.tar.gz: 3a4c0db4f013ccd0c7427ef01e451fa2d57b9458de7ce2c23df3444f3fcc4c824a7b841d81bf2aa25ecfd378be2afcea3ea57cded948bd350f4c6516a509477e

data/ext/cs__assess_module/cs__assess_module.c

@@ -57,6 +57,45 @@ contrast_assess_module_module_eval(const int argc, const VALUE *argv,
     return ret;
 }
 
+VALUE
+contrast_assess_module_prepend(const int argc, const VALUE *argv,
+                               const VALUE self) {
+
+    rb_prepend_module(self, argv[0]);
+
+    VALUE module_at;
+    VALUE rb_incl_in_mod_ary = rb_funcall(self, rb_intern("included_in"), 0);
+
+    if (RB_TYPE_P(rb_incl_in_mod_ary, T_ARRAY)) {
+       int i = 0;
+       int size = rb_funcall(rb_incl_in_mod_ary, rb_intern("length"), 0);
+       for (i = 0; i < size; ++i) {
+           module_at = rb_ary_entry(rb_incl_in_mod_ary, i);
+           if (RB_TYPE_P(module_at, T_MODULE)) {
+              rb_include_module(module_at, argv[0]);
+           }
+       }
+    }
+    return self;
+}
+
+VALUE
+contrast_assess_module_included(const int argc, const VALUE *argv,
+                               const VALUE self) {
+   VALUE frozen;
+   if (RB_TYPE_P(self, T_MODULE)) {
+       // check if frozen
+       frozen = rb_funcall(self, rb_intern("cs__frozen?"), 0);
+       if (frozen == Qfalse) {
+           VALUE ary = rb_funcall(self, rb_intern("included_in"), 0);
+           if (RB_TYPE_P(ary, T_ARRAY)) {
+              rb_ary_push(ary, argv[0]);
+           }
+       }
+   }
+   return self;
+}
+
 void Init_cs__assess_module(void) {
     module_eval_trigger =
         rb_define_class_under(core_assess, "EvalTrigger", rb_cObject);
@@ -76,4 +115,13 @@ void Init_cs__assess_module(void) {
 
     contrast_register_patch("Module", "module_eval",
                             contrast_assess_module_module_eval);
+   /*
+    * We patch these for better ancestors handling, and only for older ruby versions.
+    */
+  if (rb_ver_below_three()) {
+     contrast_register_patch("Module", "included",
+                             contrast_assess_module_included);
+     contrast_register_patch("Module", "prepend",
+                             contrast_assess_module_prepend);
+     }
 }

data/ext/cs__assess_module/cs__assess_module.h

@@ -24,5 +24,12 @@ contrast_assess_module_class_eval(const int argc, const VALUE *argv,
 VALUE
 contrast_assess_module_module_eval(const int argc, const VALUE *argv,
                                    const VALUE mod);
+VALUE
+contrast_assess_module_prepend(const int argc, const VALUE *argv,
+                               const VALUE self);
+
+VALUE
+contrast_assess_module_included(const int argc, const VALUE *argv,
+                               const VALUE mod);
 
 void Init_cs__assess_module(void);

data/ext/cs__common/cs__common.c

@@ -144,6 +144,11 @@ _contrast_register_patch(const char *module_name, const char *method_name,
     return SYM2ID(underlying_method_name);
 }
 
+int rb_ver_below_three() {
+  int ruby_version = FIX2INT(rb_funcall(rb_const_get(rb_cObject, rb_intern("RUBY_VERSION")), rb_intern("to_i"), 0));
+  return ruby_version < 3;
+}
+
 void Init_cs__common(void) {
     cs__send_method = rb_intern("send");
     cs__alias_method_sym = ID2SYM(rb_intern("alias_method"));

data/ext/cs__common/cs__common.h

@@ -34,6 +34,14 @@ static VALUE rb_sym_alias_singleton;
 static VALUE rb_sym_prepend_instance;
 static VALUE rb_sym_prepend_singleton;
 
+/*
+ * Check if ruby version is < 3.0.0.
+ * We are using this for handling ancestors of included modules.
+ * Since this is fixed after Ruby 3.0.0 we should remove this after
+ * dropping support for older versions, as no longer needed.
+ */
+int rb_ver_below_three();
+
 void patch_via_funchook(void *original_function, void *hook_function);
 
 void contrast_alias_method(const VALUE target, const char *to,

data/ext/cs__contrast_patch/cs__contrast_patch.c

@@ -43,7 +43,7 @@ VALUE contrast_patch_call_original(const VALUE *args) {
         if (rb_block_given_p()) {
             return rb_funcall_with_block_kw(object, method_id, argc, params, rb_block_proc(), RB_PASS_CALLED_KEYWORDS);
         } else {
-            return rb_funcallv_kw(object, method_id, argc, params, RB_PASS_CALLED_KEYWORDS); 
+            return rb_funcallv_kw(object, method_id, argc, params, RB_PASS_CALLED_KEYWORDS);
         }
     /* Ruby < 2.7 */
     #else
@@ -448,6 +448,21 @@ VALUE contrast_patch_prepend(const VALUE self, const VALUE originalModule,
                                    -1);
     }
     rb_prepend_module(originalModule, module);
+
+    if (rb_ver_below_three()) {
+        VALUE module_at;
+        VALUE rb_incl_in_mod_ary = rb_funcall(originalModule, rb_intern("included_in"), 0);
+        if (RB_TYPE_P(rb_incl_in_mod_ary, T_ARRAY)) {
+            int i = 0;
+            int size = rb_funcall(rb_incl_in_mod_ary, rb_intern("length"), 0);
+            for (i = 0; i < size; ++i) {
+                module_at = rb_ary_entry(rb_incl_in_mod_ary, i);
+                if (RB_TYPE_P(module_at, T_MODULE)) {
+                    rb_include_module(module_at, module);
+                }
+            }
+        }
+   }
     return Qtrue;
 }
 

data/ext/cs__os_information/cs__os_information.c

@@ -0,0 +1,31 @@
+/* Copyright (c) 2021 Contrast Security, Inc.  See
+ * https://www.contrastsecurity.com/enduser-terms-0317a for more details. */
+
+#include "cs__os_information.h"
+#include <dlfcn.h>
+#include <ruby.h>
+#include <sys/utsname.h>
+
+VALUE contrast, utils, os;
+
+VALUE contrast_get_system_information()
+{
+    struct utsname uname_pointer;
+
+    uname (&uname_pointer);
+
+    VALUE rb_data_hash = rb_hash_new();
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_type"), rb_str_new2(uname_pointer.sysname));
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_version"), rb_str_new2(uname_pointer.release));
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_complete_version"), rb_str_new2(uname_pointer.version));
+    rb_hash_aset(rb_data_hash, rb_str_new2("os_arch"), rb_str_new2(uname_pointer.machine));
+    return rb_data_hash;
+}
+
+void Init_cs__os_information(void)
+{
+    contrast = rb_define_module("Contrast");
+    utils = rb_define_module_under(contrast, "Utils");
+    os = rb_define_module_under(utils, "OS");
+    rb_define_module_function(os, "get_system_information", contrast_get_system_information, 0);
+}

data/ext/cs__os_information/cs__os_information.h

@@ -0,0 +1,7 @@
+#include <ruby.h>
+
+extern VALUE contrast, utils, os;
+
+VALUE contrast_get_system_information();
+
+void Init_cs__os_information(void);

data/ext/cs__os_information/extconf.rb

@@ -0,0 +1,5 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+$TO_MAKE = File.basename(__dir__)
+require_relative '../extconf_common'

data/lib/contrast/agent/assess/policy/propagation_method.rb

@@ -7,6 +7,7 @@ require 'contrast/agent/assess/policy/propagator'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/propagation_method_utils'
 
 module Contrast
   module Agent
@@ -16,35 +17,9 @@ module Contrast
         # untrusted value. In general, these methods work on the String class or a holder of Strings.
         module PropagationMethod
           extend Contrast::Components::Logger::InstanceMethods
-
-          APPEND_ACTION = 'APPEND'
-          CENTER_ACTION = 'CENTER'
-          INSERT_ACTION = 'INSERT'
-          KEEP_ACTION = 'KEEP'
-          NEXT_ACTION = 'NEXT'
-          NOOP_ACTION = 'NOOP'
-          PREPEND_ACTION = 'PREPEND'
-          REPLACE_ACTION = 'REPLACE'
-          REMOVE_ACTION = 'REMOVE'
-          REVERSE_ACTION = 'REVERSE'
-          SPLAT_ACTION = 'SPLAT'
-          SPLIT_ACTION = 'SPLIT'
-          DB_WRITE_ACTION = 'DB_WRITE'
-          CUSTOM_ACTION = 'CUSTOM'
+          extend Contrast::Utils::Assess::PropagationMethodUtils
 
           class << self
-            def determine_target propagation_node, ret, object, args
-              target = propagation_node.targets[0]
-              case target
-              when Contrast::Utils::ObjectShare::OBJECT_KEY
-                object
-              when Contrast::Utils::ObjectShare::RETURN_KEY
-                ret
-              else
-                args[target]
-              end
-            end
-
             # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that governs the
             #   patches to this method
             # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
@@ -65,21 +40,6 @@ module Contrast
               PropagationMethod.apply_propagator(propagation_node, preshift, target, object, ret, args, block)
             end
 
-            PROPAGATION_ACTIONS = {
-                APPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Append,
-                CENTER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Center,
-                INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
-                KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
-                NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
-                NOOP_ACTION => nil,
-                PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
-                REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
-                REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
-                REVERSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Reverse,
-                SPLAT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Splat,
-                SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
-            }.cs__freeze
-
             # I lied above. We had to figure out what the target of the propagation was. Now that we know, we'll
             # actually do things to it. Note that the return of this method will replace the original return of the
             # patched function unless it is nil, so be sure you're returning what you intend.
@@ -116,80 +76,6 @@ module Contrast
               nil
             end
 
-            # Custom actions tend to be the more complex of our propagations. Often, the method has to make decisions
-            # about the target based on the context with which the method was called. As such, defer determining if the
-            # target is valid to that method.
-            #
-            # In all other cases, a target is valid for propagation if it is not nil
-            #
-            # @param target [Object] the thing to which to propagate
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
-            #   propagation event.
-            # @return [Boolean]
-            def valid_target? target, propagation_node
-              return true if propagation_node.action == CUSTOM_ACTION
-
-              !!target
-            end
-
-            ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
-            # If the action required needs a length and the target does not have one, the length is not valid
-            #
-            # @param target [Object] the thing to which to propagate
-            # @param action [String] the name of the action taken during this propagation
-            # @return [Boolean]
-            def valid_length? target, action
-              return true if ZERO_LENGTH_ACTIONS.include?(action)
-
-              if Contrast::Utils::DuckUtils.quacks_to?(target, :length)
-                target.length != 0 # rubocop:disable Style/ZeroLengthPredicate
-              else
-                !target.to_s.empty?
-              end
-            end
-
-            # Before we do any work, we should check if we even need to. If the source and target of this patcher are
-            # not tracked, there's no need to do anything. A copy of nothing is still nothing.
-            #
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
-            #   propagation event.
-            # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
-            #   the invocation of the patched method.
-            # @param target [Object] the thing to which to propagate
-            # @return [Boolean]
-            def can_propagate? propagation_node, preshift, target
-              return false unless appropriate_target?(propagation_node, target)
-              return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
-              return false unless preshift
-
-              propagation_node.sources.each do |source|
-                case source
-                when Contrast::Utils::ObjectShare::OBJECT_KEY
-                  return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
-                else
-                  # has to be P, there's no ret source type (yet? ever?)
-                  return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
-                end
-              end
-              false
-            end
-
-            # We cannot propagate to frozen things that have not been updated to work with our property tracking,
-            # unless they're duplicable and the return. We probably shouldn't propagate to frozen things at all, as
-            # they're supposed to be immutable, but third parties do jenky things, so allow it as long as it is safe to
-            # do.
-            #
-            # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
-            #   propagation event.
-            # @param target [Object] the Target to which to propagate.
-            # @return [Boolean] if the target can be propagated to
-            def appropriate_target? propagation_node, target
-              # special handle Returns b/c we can do unfreezing magic during propagation
-              return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
-
-              Contrast::Agent::Assess::Tracker.trackable?(target)
-            end
-
             # If this patcher has tags, apply them to the entire target
             # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
             #   propagation event.

data/lib/contrast/agent/assess/policy/propagation_node.rb

@@ -95,8 +95,8 @@ module Contrast
 
           def needs_object?
             if @_needs_object.nil?
-              @_needs_object = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
-                  action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
+              @_needs_object = action == Contrast::Utils::Assess::PropagationMethodUtils::CUSTOM_ACTION ||
+                  action == Contrast::Utils::Assess::PropagationMethodUtils::DB_WRITE_ACTION ||
                   sources.any?(Contrast::Utils::ObjectShare::OBJECT_KEY) ||
                   targets.any?(Contrast::Utils::ObjectShare::OBJECT_KEY)
             end
@@ -105,8 +105,8 @@ module Contrast
 
           def needs_args?
             if @_needs_args.nil?
-              @_needs_args = action == Contrast::Agent::Assess::Policy::PropagationMethod::CUSTOM_ACTION ||
-                  action == Contrast::Agent::Assess::Policy::PropagationMethod::DB_WRITE_ACTION ||
+              @_needs_args = action == Contrast::Utils::Assess::PropagationMethodUtils::CUSTOM_ACTION ||
+                  action == Contrast::Utils::Assess::PropagationMethodUtils::DB_WRITE_ACTION ||
                   sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) } ||
                   targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
             end

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -6,6 +6,7 @@ require 'contrast/agent/assess/policy/source_validation/source_validation'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/source_method_utils'
 
 module Contrast
   module Agent
@@ -16,6 +17,7 @@ module Contrast
         # used in Assess vulnerability detection.
         module SourceMethod
           extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Utils::Assess::SourceMethodUtils
 
           PARAMETER_TYPE     = 'PARAMETER'
           PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
@@ -133,15 +135,6 @@ module Contrast
                   !Contrast::Agent::Assess::Tracker.trackable?(key)
             end
 
-            # Safely duplicate the target, or return nil
-            #
-            # @param target [Object] the thing to check for duplication
-            def safe_dup target
-              target.dup
-            rescue StandardError => _e
-              nil
-            end
-
             # Hash is designed to keep one instance of the string key in it. We need to remove the existing one and
             # replace it with our new tracked one.
             def handle_hash_key target, to_replace
@@ -174,68 +167,6 @@ module Contrast
               properties.build_event(source_node, target, object, ret, args, source_type, source_name)
             end
 
-            # Find the name of the source
-            #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
-            #   event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [String, nil] the human readable name of the target to which this source event applies, or nil if
-            #   none provided by the node
-            def determine_source_name source_node, object, ret, *args
-              return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
-
-              source_node_source = source_node.sources[0]
-              case source_node_source
-              when nil
-                nil
-              when Contrast::Utils::ObjectShare::RETURN_KEY
-                ret
-              when Contrast::Utils::ObjectShare::OBJECT_KEY
-                object
-              else
-                args[source_node_source]
-              end
-            end
-
-            # Determine if we should analyze this method invocation for a Source or not. We should if we have enough
-            # information to build the context of this invocation, we're not disabled, and we can't immediately
-            # determine the invocation was done safely.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
-            #   method being called
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [boolean] if the invocation of this method should be analyzed
-            def analyze? method_policy, object, ret, args
-              return false unless method_policy&.source_node
-              return false unless ::Contrast::ASSESS.enabled?
-              return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
-
-              !safe_invocation?(method_policy.source_node, object, ret, args)
-            end
-
-            # Determine if the method was invoked safely.
-            #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
-            #   event
-            # @param _object [Object] the Object on which the method was invoked
-            # @param _ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [boolean] if the invocation of this method was safe
-            def safe_invocation? source_node, _object, _ret, args
-              # According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
-              # from the Request will start with HTTP_. As such, only Headers with that key should be considered for
-              # tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
-              # instance, uses action_dispatch. to store several values. Technically, you can't call
-              # Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
-              source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
-                  args&.any? &&
-                  !args[0].to_s.start_with?('HTTP_')
-            end
-
             # Find the literal target of the propagation
             #
             # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -6,6 +6,7 @@ require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/trigger_method_utils'
 
 module Contrast
   module Agent
@@ -17,6 +18,7 @@ module Contrast
         # report is issued to the Service.
         module TriggerMethod
           extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Utils::Assess::TriggerMethodUtils
 
           # The level of TeamServer compliance our traces meet when in the abnormal condition of being dataflow rules
           # without routes.
@@ -84,6 +86,8 @@ module Contrast
             # activity message does not exist, b/c we're invoked outside of a request context, build an activity and
             # immediately report it with the finding.
             #
+            # TODO: RUBY-1351
+            #
             # @param finding [Contrast::Api::Dtm::Finding] the Finding to report.
             # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
             def report_finding finding, request = nil
@@ -108,64 +112,10 @@ module Contrast
 
             private
 
-            # A request is reportable if it is not from ActionController::Live
-            #
-            # @param env [Hash] the env of the Request
-            # @return [Boolean]
-            def reportable? env
-              !(defined?(ActionController::Live) &&
-                env &&
-                env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
-            end
-
-            # Find the request for this finding. This assumes, for now, that if there is an active request, then that
-            # is the request to report. Otherwise, we'll use the first request found in the events of the
-            # source_object.
-            #
-            # @param source [Object,nil] some Object used as the source of a trigger event
-            # @return [Contrast::Agent::Request,nil] the request from which the dataflow on the request originated.
-            def find_request source
-              return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
-              return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
-
-              properties.events.each do |event|
-                next unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
-
-                return event.request if event.request
-              end
-              nil
-            end
-
             def settings
               Contrast::Agent::FeatureState.instance
             end
 
-            # This is our method that actually checks the taint on the object our trigger_node targets.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
-            #   trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_trigger trigger_node, source, object, ret, *args
-              return unless trigger_node
-              return if trigger_node.rule_disabled?
-              return if trigger_node.dataflow? && source.nil?
-
-              if trigger_node.regexp_rule?
-                apply_regexp_rule(trigger_node, source, object, ret, *args)
-              elsif trigger_node.custom_trigger?
-                trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
-              elsif trigger_node.dataflow?
-                apply_dataflow_rule(trigger_node, source, object, ret, *args)
-              else # trigger rule - just calling the method is dangerous
-                build_finding(trigger_node, source, object, ret, *args)
-              end
-            rescue StandardError => e
-              logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
-            end
-
             # Given the marker from the trigger_node (the pointer indicating the entity from which the taint
             # originated), return the entity on which this trigger needs to operate.
             #
@@ -199,58 +149,6 @@ module Contrast
               end
             end
 
-            # This is our method that actually checks the taint on the object our trigger_node targets for our Regexp
-            # based rules.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
-            #   trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_regexp_rule trigger_node, source, object, ret, *args
-              return unless source.is_a?(String)
-              return if trigger_node.good_value && source.match?(trigger_node.good_value)
-              return if trigger_node.bad_value && source !~ trigger_node.bad_value
-
-              build_finding(trigger_node, source, object, ret, *args)
-            end
-
-            # This is our method that actually checks the taint on the object our trigger_node targets for our Dataflow
-            # based rules.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
-            #   trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_dataflow_rule trigger_node, source, object, ret, *args
-              return unless source
-
-              if Contrast::Agent::Assess::Tracker.trackable?(source)
-                return unless Contrast::Agent::Assess::Tracker.tracked?(source)
-                return unless trigger_node.violated?(source)
-
-                build_finding(trigger_node, source, object, ret, *args)
-              elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
-                source.each_pair do |key, value|
-                  apply_dataflow_rule(trigger_node, key, object, ret, *args)
-                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
-                end
-              elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
-                source.each do |value|
-                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
-                end
-              else
-                logger.debug('Trigger source is untrackable. Unable to inspect.',
-                             node_id: trigger_node.id,
-                             source_id: source.__id__,
-                             source_type: source.cs__class.cs__name,
-                             frozen: source.cs__frozen?)
-              end
-            end
-
             def append_events finding, trigger_node, source, object, ret, args
               append_from_source(finding, source)
               finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret,