contrast-agent 4.12.0 → 4.14.1

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -6,6 +6,7 @@ require 'contrast/agent/assess/policy/source_validation/source_validation'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/source_method_utils'
 
 module Contrast
   module Agent
@@ -16,6 +17,7 @@ module Contrast
         # used in Assess vulnerability detection.
         module SourceMethod
           extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Utils::Assess::SourceMethodUtils
 
           PARAMETER_TYPE     = 'PARAMETER'
           PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
@@ -133,15 +135,6 @@ module Contrast
                   !Contrast::Agent::Assess::Tracker.trackable?(key)
             end
 
-            # Safely duplicate the target, or return nil
-            #
-            # @param target [Object] the thing to check for duplication
-            def safe_dup target
-              target.dup
-            rescue StandardError => _e
-              nil
-            end
-
             # Hash is designed to keep one instance of the string key in it. We need to remove the existing one and
             # replace it with our new tracked one.
             def handle_hash_key target, to_replace
@@ -174,68 +167,6 @@ module Contrast
               properties.build_event(source_node, target, object, ret, args, source_type, source_name)
             end
 
-            # Find the name of the source
-            #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
-            #   event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [String, nil] the human readable name of the target to which this source event applies, or nil if
-            #   none provided by the node
-            def determine_source_name source_node, object, ret, *args
-              return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
-
-              source_node_source = source_node.sources[0]
-              case source_node_source
-              when nil
-                nil
-              when Contrast::Utils::ObjectShare::RETURN_KEY
-                ret
-              when Contrast::Utils::ObjectShare::OBJECT_KEY
-                object
-              else
-                args[source_node_source]
-              end
-            end
-
-            # Determine if we should analyze this method invocation for a Source or not. We should if we have enough
-            # information to build the context of this invocation, we're not disabled, and we can't immediately
-            # determine the invocation was done safely.
-            #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
-            #   method being called
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [boolean] if the invocation of this method should be analyzed
-            def analyze? method_policy, object, ret, args
-              return false unless method_policy&.source_node
-              return false unless ::Contrast::ASSESS.enabled?
-              return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
-
-              !safe_invocation?(method_policy.source_node, object, ret, args)
-            end
-
-            # Determine if the method was invoked safely.
-            #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
-            #   event
-            # @param _object [Object] the Object on which the method was invoked
-            # @param _ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            # @return [boolean] if the invocation of this method was safe
-            def safe_invocation? source_node, _object, _ret, args
-              # According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
-              # from the Request will start with HTTP_. As such, only Headers with that key should be considered for
-              # tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
-              # instance, uses action_dispatch. to store several values. Technically, you can't call
-              # Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
-              source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
-                  args&.any? &&
-                  !args[0].to_s.start_with?('HTTP_')
-            end
-
             # Find the literal target of the propagation
             #
             # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -6,6 +6,8 @@ require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/trigger_method_utils'
+require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
 
 module Contrast
   module Agent
@@ -15,8 +17,9 @@ module Contrast
         # Contrast::Agent::Assess::Policy::TriggerNode class. Each such method will call to this module just after
         # invocation in order to determine if the call was done safely. In those cases where it was not, a Finding
         # report is issued to the Service.
-        module TriggerMethod
+        module TriggerMethod # rubocop:disable Metrics/ModuleLength
           extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Utils::Assess::TriggerMethodUtils
 
           # The level of TeamServer compliance our traces meet when in the abnormal condition of being dataflow rules
           # without routes.
@@ -50,6 +53,14 @@ module Contrast
               apply_trigger(trigger_node, source, object, ret, *args)
             end
 
+            def append_to_finding finding, trigger_node, source, object, ret, request, *args
+              finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
+              finding.version = determine_compliance_version(finding)
+              append_events(finding, trigger_node, source, object, ret, args)
+              append_route(finding, request)
+              append_hash(finding, source, request)
+            end
+
             # This converts the source of the finding, and the events leading up to it into a Finding
             #
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
@@ -61,18 +72,21 @@ module Contrast
             # @return [Contrast::Api::Dtm::Finding, nil] the Contrast::Api::Dtm::Finding to send to TeamServer or
             #   nil if conditions were not met
             def build_finding trigger_node, source, object, ret, *args
+              content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
+
+              if content_type.nil? && trigger_node.collectable?
+                Contrast::Agent::FINDINGS.collect_finding trigger_node, source, object, ret, *args
+                return
+              end
+
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
 
               request = find_request(source)
               return unless reportable?(request&.env)
 
+              handle_new_finding trigger_node, source, object, ret, request, *args
               finding = Contrast::Api::Dtm::Finding.new
-              finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
-
-              append_events(finding, trigger_node, source, object, ret, args)
-              append_route(finding, request)
-              append_hash(finding, source, request)
-              finding.version = determine_compliance_version(finding)
+              append_to_finding finding, trigger_node, source, object, ret, request, *args
               logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
                                               rule: trigger_node.rule_id)
               report_finding(finding, request)
@@ -84,6 +98,8 @@ module Contrast
             # activity message does not exist, b/c we're invoked outside of a request context, build an activity and
             # immediately report it with the finding.
             #
+            # TODO: RUBY-1351
+            #
             # @param finding [Contrast::Api::Dtm::Finding] the Finding to report.
             # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
             def report_finding finding, request = nil
@@ -106,66 +122,37 @@ module Contrast
               Contrast::Agent.messaging_queue.send_event_eventually(activity)
             end
 
-            private
+            def handle_new_finding trigger_node, source, object, ret, request, *args
+              return unless Contrast::Agent::Reporter.enabled?
 
-            # A request is reportable if it is not from ActionController::Live
-            #
-            # @param env [Hash] the env of the Request
-            # @return [Boolean]
-            def reportable? env
-              !(defined?(ActionController::Live) &&
-                env &&
-                env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
+              new_finding_and_reporting trigger_node, source, object, ret, request, *args
             end
 
-            # Find the request for this finding. This assumes, for now, that if there is an active request, then that
-            # is the request to report. Otherwise, we'll use the first request found in the events of the
-            # source_object.
-            #
-            # @param source [Object,nil] some Object used as the source of a trigger event
-            # @return [Contrast::Agent::Request,nil] the request from which the dataflow on the request originated.
-            def find_request source
-              return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
-              return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
-
-              properties.events.each do |event|
-                next unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
-
-                return event.request if event.request
-              end
-              nil
+            def new_finding_and_reporting trigger_node, source, object, ret, request, *args
+              # sent to reporter
+              # here we will generate new type of finding
+              ruby_finding = Contrast::Agent::Reporting::Finding.new trigger_node.rule_id
+              ruby_finding.attach_data trigger_node, source, object, ret, request, *args
+              hash_code = Contrast::Utils::HashDigest.generate_event_hash(ruby_finding, source, request)
+              ruby_finding.hash_code = hash_code
+              # save the current finding
+              Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
+
+              new_preflight = Contrast::Agent::Reporting::Preflight.new
+              new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
+              new_preflight_message.routes << request
+              new_preflight_message.hash_code = hash_code
+              new_preflight_message.data = "#{ trigger_node.rule_id },#{ hash_code }"
+              new_preflight.messages << new_preflight_message
+              Contrast::Agent.reporter_queue.send_event_immediately(new_preflight)
             end
 
+            private
+
             def settings
               Contrast::Agent::FeatureState.instance
             end
 
-            # This is our method that actually checks the taint on the object our trigger_node targets.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
-            #   trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_trigger trigger_node, source, object, ret, *args
-              return unless trigger_node
-              return if trigger_node.rule_disabled?
-              return if trigger_node.dataflow? && source.nil?
-
-              if trigger_node.regexp_rule?
-                apply_regexp_rule(trigger_node, source, object, ret, *args)
-              elsif trigger_node.custom_trigger?
-                trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
-              elsif trigger_node.dataflow?
-                apply_dataflow_rule(trigger_node, source, object, ret, *args)
-              else # trigger rule - just calling the method is dangerous
-                build_finding(trigger_node, source, object, ret, *args)
-              end
-            rescue StandardError => e
-              logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
-            end
-
             # Given the marker from the trigger_node (the pointer indicating the entity from which the taint
             # originated), return the entity on which this trigger needs to operate.
             #
@@ -199,58 +186,6 @@ module Contrast
               end
             end
 
-            # This is our method that actually checks the taint on the object our trigger_node targets for our Regexp
-            # based rules.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
-            #   trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_regexp_rule trigger_node, source, object, ret, *args
-              return unless source.is_a?(String)
-              return if trigger_node.good_value && source.match?(trigger_node.good_value)
-              return if trigger_node.bad_value && source !~ trigger_node.bad_value
-
-              build_finding(trigger_node, source, object, ret, *args)
-            end
-
-            # This is our method that actually checks the taint on the object our trigger_node targets for our Dataflow
-            # based rules.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
-            #   trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_dataflow_rule trigger_node, source, object, ret, *args
-              return unless source
-
-              if Contrast::Agent::Assess::Tracker.trackable?(source)
-                return unless Contrast::Agent::Assess::Tracker.tracked?(source)
-                return unless trigger_node.violated?(source)
-
-                build_finding(trigger_node, source, object, ret, *args)
-              elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
-                source.each_pair do |key, value|
-                  apply_dataflow_rule(trigger_node, key, object, ret, *args)
-                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
-                end
-              elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
-                source.each do |value|
-                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
-                end
-              else
-                logger.debug('Trigger source is untrackable. Unable to inspect.',
-                             node_id: trigger_node.id,
-                             source_id: source.__id__,
-                             source_type: source.cs__class.cs__name,
-                             frozen: source.cs__frozen?)
-              end
-            end
-
             def append_events finding, trigger_node, source, object, ret, args
               append_from_source(finding, source)
               finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret,

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -22,6 +22,10 @@ module Contrast
           JSON_RULE_NAME = 'name'
           JSON_CUSTOM_PATCH = 'custom_patch'
 
+          # Our list with rules to be collected and reported back when we have response
+          # from the application. Some rules rely on Content-Type validation.
+          COLLECTABLE_RULES = %w[reflected-xss].cs__freeze
+
           attr_reader :rule_id, :required_tags, :disallowed_tags, :good_value, :bad_value
 
           def initialize trigger_hash = {}, rule_hash = {}
@@ -67,6 +71,10 @@ module Contrast
             :TYPE_METHOD
           end
 
+          def collectable?
+            COLLECTABLE_RULES.include?(rule_id)
+          end
+
           def rule_disabled?
             ::Contrast::ASSESS.rule_disabled?(rule_id)
           end
@@ -160,8 +168,8 @@ module Contrast
             @disallowed_tags << LIMITED_CHARS
             @disallowed_tags << CUSTOM_ENCODED
             @disallowed_tags << CUSTOM_VALIDATED
-            @disallowed_tags << ENCODER_START + loud_name
-            @disallowed_tags << VALIDATOR_START + loud_name
+            @disallowed_tags << (ENCODER_START + loud_name)
+            @disallowed_tags << (VALIDATOR_START + loud_name)
           end
 
           def validate_rule_tags tags
@@ -200,14 +208,14 @@ module Contrast
               satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
               # if this range matches all the required tags and we're already
               # chunking, meaning the previous range matched, do nothing
-              if satisfied && chunking
-                start_range += 1
-                next
-              end
 
               # if we are satisfied and we were not chunking, this represents
               # the start of the next range, so create a new entry.
               if satisfied
+                if chunking
+                  start_range += 1
+                  next
+                end
                 ranges << Contrast::Agent::Assess::Tag.new('required', 0, start_range)
                 chunking = true
                 # if we are chunking and not satisfied, this represents the end

data/lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb

@@ -18,7 +18,7 @@ module Contrast
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
             def self.valid? _patcher, _object, _ret, _args
               content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
-              return true unless content_type
+              return false unless content_type
 
               content_type = content_type.downcase
               SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }

data/lib/contrast/agent/assess/property/tagged.rb

@@ -5,6 +5,7 @@ require 'contrast/agent/assess/tag'
 require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/tag_util'
+require 'contrast/utils/assess/property/tagged_utils'
 
 module Contrast
   module Agent
@@ -13,6 +14,7 @@ module Contrast
         # This module serves to hold the functionality required for the
         # management of our dataflow tags.
         module Tagged
+          include Contrast::Utils::Assess::TaggedUtils
           # Is any tag present?
           # Creating Tags is expensive and we check for Tags all the time on
           # untracked things. ALWAYS!!! call this method before checking if an
@@ -22,157 +24,6 @@ module Contrast
             instance_variable_defined?(:@_tags) && tags.any?
           end
 
-          # Is the given tag present?
-          # Used in testing, so found by `be_tagged`, if you're grepping for it
-          #
-          # @param label [Symbol] the tag to check for
-          # @return [Boolean]
-          def tagged? label
-            tracked? && tags.key?(label)
-          end
-
-          # Similar to #tracked?, but limited to a given range.
-          #
-          # @param start [Integer] the inclusive start index to check.
-          # @param finish [Integer] the exclusive end index to check.
-          # @return [Boolean]
-          def any_tags_between? start, finish
-            return false unless tracked?
-
-            tags.each_value do |tag_array|
-              return true if tag_array.any? { |tag| tag.overlaps?(start, finish) }
-            end
-            false
-          end
-
-          # Find all of the ranges that span a given index. This is used
-          # in propagation when we need to shift tags about. For instance, in
-          # the append method when we need to see if any tag at the end needs
-          # to be expanded out to the size of the new String.
-          #
-          # Note: Tags do not know their key, so this is only the range covered
-          #
-          # @param idx [Integer] the index to check for tags
-          # @return [Array<Contrast::Agent::Assess::Tag>] a set of all the Tags
-          #   covering the given index. This is only the ranges, not the names.
-          def tags_at idx
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
-
-            at = []
-            tags.each_value do |tag_array|
-              tag_array.each do |tag|
-                if tag.covers?(idx)
-                  at << tag
-                elsif tag.above?(idx)
-                  break
-                end
-              end
-            end
-            at
-          end
-
-          # given a range, select all tags in that range the selected tags are
-          # shifted such that the start index of the new tag (0) aligns with
-          # the given start index in the range
-          #
-          # current tags: 5-15
-          # range       : 5-10
-          # result      : 0-05
-          #
-          # Note that we disable Lint/DuplicateBranch in this branch in order
-          # list out all tag range cases in the proper order to make this
-          # easier to understand
-          #
-          # @param range [Range] the span to check, inclusive to exclusive
-          # @return [Hash{String => Contrast::Agent::Assess::Tag}] the hash of
-          #   key to tags
-          def tags_at_range range
-            return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
-
-            at = Hash.new { |h, k| h[k] = [] }
-            tags.each_pair do |key, value|
-              add = nil
-              value.each do |tag|
-                within_range = resize_to_range(tag, range)
-                if within_range
-                  add ||= []
-                  add << within_range
-                end
-              end
-              next unless add&.any?
-
-              at[key] = add
-            end
-            at
-          end
-
-          # Given a tag name and range object, add a new tag to this
-          # collection. If the given range touches an existing tag,
-          # we'll combine the two, adjusting the existing one and
-          # dropping this new one.
-          #
-          # @param label [String] the name of the tag
-          # @param range [Range] the Range that the tag covers, inclusive to
-          #   exclusive
-          def add_tag label, range
-            length = range.end - range.begin
-            tag = Contrast::Agent::Assess::Tag.new(label, length, range.begin)
-            existing = fetch_tag(label)
-            tags[label] = Contrast::Utils::TagUtil.ordered_merge(existing, tag)
-          end
-
-          def set_tags label, tag_ranges
-            tags[label] = tag_ranges
-          end
-
-          # Returns a list of all current tags.
-          #
-          # @return [Hash<Contrast::Agent::Assess::Tag>]
-          def get_tags # rubocop:disable Naming/AccessorMethodName
-            return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
-
-            tags
-          end
-
-          # We'll use this as a helper method to retrieve tags from the hash.
-          # Because the hash auto-populates an empty array when we try to
-          # access a tag in it, we cannot use the [] method without side
-          # effect. To get around this, we'll use a fetch work around.
-          #
-          # @param label [Symbol] the label to look up
-          # @return [Array<Contrast::Agent::Assess::Tag>] all the tags with
-          #   that label
-          def fetch_tag label
-            get_tags.fetch(label, nil) if tracked?
-          end
-
-          # Remove all tags with a given label
-          def delete_tags label
-            tags.delete(label) if tracked?
-          end
-
-          # Reset the tag hash
-          def clear_tags
-            tags.clear if tracked?
-          end
-
-          # Returns a list of all current tag labels, most likely to be used for
-          # a splat operation
-          def tag_keys
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
-
-            tags.keys
-          end
-
-          # Calls merge to combine touching or overlapping tags
-          # Deletes empty tags
-          def cleanup_tags
-            return unless tracked?
-
-            Contrast::Utils::TagUtil.merge_tags(tags)
-            tags.delete_if { |_, value| value.empty? }
-          end
-
           # Remove all tags within the given ranges.
           # This does not delete an entire tag if part of that tag is
           # outside this range, meaning we may reduce sizes of tags
@@ -228,6 +79,8 @@ module Contrast
           end
 
           # Remove the tag ranges covering the given range
+          # and appends any trailing value that might
+          # exist after removal of range
           def remove_tags range
             return unless tracked?
 
@@ -238,19 +91,7 @@ module Contrast
               value.each do |tag|
                 comparison = tag.compare_range(range.begin, range.end)
                 # ABOVE and BELOW are not affected by this check
-                case comparison
-                when Contrast::Agent::Assess::Tag::LOW_SPAN
-                  tag.update_end(range.begin)
-                when Contrast::Agent::Assess::Tag::WITHIN
-                  remove << tag
-                when Contrast::Agent::Assess::Tag::WITHOUT
-                  new_tag = tag.clone
-                  new_tag.update_start(range.end)
-                  add << new_tag
-                  tag.update_end(range.begin)
-                when Contrast::Agent::Assess::Tag::HIGH_SPAN
-                  tag.update_start(range.end)
-                end
+                tags_remove_comparison comparison, tag, remove, add, range
               end
               value.delete_if { |tag| remove.include?(tag) }
               Contrast::Utils::TagUtil.ordered_merge(value, add)
@@ -259,6 +100,29 @@ module Contrast
             full_delete.each { |key| tags.delete(key) }
           end
 
+          # This method is for the tags comparison
+          # the idea is to move the whole case here
+          # @param comparison [String] indicates type of removal is to occur
+          # @param tag Contrast::Agent::Assess::Tag
+          # @param remove [String] holds removed Tag if exists
+          # @param add [String] holds trailing Tag if exists
+          # @param range [Range] start and stop for idx for removal
+          def tags_remove_comparison comparison, tag, remove, add, range
+            case comparison
+            when Contrast::Agent::Assess::Tag::LOW_SPAN
+              tag.update_end(range.begin)
+            when Contrast::Agent::Assess::Tag::WITHIN
+              remove << tag
+            when Contrast::Agent::Assess::Tag::WITHOUT
+              new_tag = tag.clone
+              new_tag.update_start(range.end)
+              add << new_tag
+              tag.update_end(range.begin)
+            when Contrast::Agent::Assess::Tag::HIGH_SPAN
+              tag.update_start(range.end)
+            end
+          end
+
           # Shift the tag ranges covering the given range
           # We assume this is for a deletion, meaning we
           # have to move tags to the left
@@ -302,32 +166,36 @@ module Contrast
                 comparison = tag.compare_range(range.begin, range.end)
                 length = range.end - range.begin
                 # BELOW is not affected by this check
-                case comparison
-                  # part of the tag is being inserted on
-                when Contrast::Agent::Assess::Tag::LOW_SPAN
-                  new_tag = tag.clone
-                  new_tag.update_start(range.begin)
-                  new_tag.shift(length)
-                  add << new_tag
-                  tag.update_end(range.begin)
-                  # the tag exists in the inserted range. it is partially shifted
-                when Contrast::Agent::Assess::Tag::WITHIN
-                  tag.shift(length)
-                  # the tag spans the range. leave the part below alone
-                when Contrast::Agent::Assess::Tag::WITHOUT # rubocop:disable Lint/DuplicateBranch
-                  new_tag = tag.clone
-                  new_tag.update_start(range.begin)
-                  new_tag.shift(length)
-                  add << new_tag
-                  tag.update_end(range.begin)
-                when Contrast::Agent::Assess::Tag::HIGH_SPAN, Contrast::Agent::Assess::Tag::ABOVE # rubocop:disable Lint/DuplicateBranch
-                  tag.shift(length)
-                end
+                shift_tags_comparison comparison, add, tag, length, range
               end
               Contrast::Utils::TagUtil.ordered_merge(value, add)
             end
           end
 
+          def shift_tags_comparison comparison, add, tag, length, range
+            case comparison
+              # part of the tag is being inserted on
+            when Contrast::Agent::Assess::Tag::LOW_SPAN
+              new_tag = tag.clone
+              new_tag.update_start(range.begin)
+              new_tag.shift(length)
+              add << new_tag
+              tag.update_end(range.begin)
+              # the tag exists in the inserted range. it is partially shifted
+            when Contrast::Agent::Assess::Tag::WITHIN
+              tag.shift(length)
+              # the tag spans the range. leave the part below alone
+            when Contrast::Agent::Assess::Tag::WITHOUT # rubocop:disable Lint/DuplicateBranch
+              new_tag = tag.clone
+              new_tag.update_start(range.begin)
+              new_tag.shift(length)
+              add << new_tag
+              tag.update_end(range.begin)
+            when Contrast::Agent::Assess::Tag::HIGH_SPAN, Contrast::Agent::Assess::Tag::ABOVE # rubocop:disable Lint/DuplicateBranch
+              tag.shift(length)
+            end
+          end
+
           private
 
           # Because of the auto-fill thing, we should not allow direct access to