contrast-agent 4.13.1 → 4.14.0

data/lib/contrast/utils/hash_digest_extend.rb

@@ -0,0 +1,86 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'digest'
+require 'contrast/utils/hash_digest'
+
+module Contrast
+  module Utils
+    # We use this class to provide hashes for our Request and Finding objects
+    # based upon our definitions of uniqueness.
+    # While the uniqueness of the request object is something internal to the
+    # Ruby agent, the uniqueness of the Finding hash is defined by a
+    # specification shared across all agent teams. The spec can be found here:
+    # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/vulnerability/preflight.md
+    module HashDigestExtend
+      def generate_request_hash request
+        hash = new
+        hash.update(request.request_method)
+        hash.update(request.normalized_uri)
+        request.parameters.each_key do |name|
+          hash.update(name)
+        end
+        cl = request.headers[Contrast::Utils::HashDigest::CONTENT_LENGTH_HEADER]
+        hash.update_on_content_length(cl) if cl
+        hash.finish
+      end
+
+      def generate_event_hash finding, source, request
+        return generate_dataflow_hash(finding, request) if finding.events.length.to_i > 1
+
+        id = finding.rule_id
+        return generate_crypto_hash(finding, source, request) if Contrast::Utils::HashDigest::CRYPTO_RULES.include?(id)
+
+        generate_trigger_hash(finding, request)
+      end
+
+      def generate_config_hash finding
+        hash = new
+        hash.update(finding.rule_id)
+        path = finding.properties[Contrast::Utils::HashDigest::CONFIG_PATH_KEY]
+        hash.update(path)
+        method = finding.properties[Contrast::Utils::HashDigest::CONFIG_SESSION_ID_KEY]
+        hash.update(method)
+        hash.finish
+      end
+
+      def generate_class_scanning_hash finding
+        hash = new
+        hash.update(finding.rule_id)
+        module_name = finding.properties[Contrast::Utils::HashDigest::CLASS_SOURCE_KEY]
+        hash.update(module_name)
+        # We're not currently collecting this. 30/7/19 HM
+        line_no = finding.properties[Contrast::Utils::HashDigest::CLASS_LINE_NO_KEY]
+        hash.update(line_no)
+        field = finding.properties[Contrast::Utils::HashDigest::CLASS_CONSTANT_NAME_KEY]
+        hash.update(field)
+        hash.finish
+      end
+
+      private
+
+      def generate_crypto_hash finding, algorithm, request
+        hash = new
+        hash.update(finding.rule_id)
+        hash.update(algorithm)
+        hash.update_on_request(finding, request)
+        hash.finish
+      end
+
+      def generate_dataflow_hash finding, request
+        hash = new
+        hash.update(finding.rule_id)
+        hash.update_on_sources(finding.events)
+        hash.update_on_request(finding, request)
+        hash.finish
+      end
+
+      def generate_trigger_hash finding, request
+        hash = new
+        hash.update(finding.rule_id)
+        hash.update_on_request(finding, request)
+        hash.finish
+      end
+    end
+  end
+end

data/lib/contrast/utils/head_dump_utils_extend.rb

@@ -0,0 +1,74 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # this module extends HeadDumpUtil
+    module HeadDumpExtend
+      def log_enabled_warning
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        delay  = control[:delay]
+        clean  = control[:clean]
+
+        logger.info <<~WARNING
+          *****************************************************
+          ********      HEAP DUMP HAS BEEN ENABLED     ********
+          *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
+          *****************************************************
+
+          Heap dump is a debugging tool that snapshots the entire
+          state of the Ruby VM. It is an exceptionally expensive
+          process, and should only be used to debug especially
+          pernicious errors.
+
+          It will write multiple memory snaphots, which are liable
+          to be multiple gigabytes in size.
+          They will be named "[unix timestamp]-heap.dump",
+          e.g.: 1020304050-heap.dump
+
+          It will then call Ruby `exit()`.
+
+          If this is not your specific intent, you can (and should)
+          disable this option in your Contrast config file.
+
+          HEAP DUMP PARAMETERS:
+          \t[write files to this directory]             dir:     #{ dir    }
+          \t[wait this many seconds in between dumps]   window:  #{ window }
+          \t[heap dump this many times]                 count:   #{ count  }
+          \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
+          \t[perform gc pass before dump]               clean:   #{ clean  }
+
+          *****************************************************
+          ********        YOU HAVE BEEN WARNED         ********
+          *****************************************************
+        WARNING
+      end
+
+      def capture_heap_dump
+        control = Contrast::Utils::HeapDumpUtil.control
+        dir    = control[:path]
+        window = control[:window]
+        count  = control[:count]
+        clean  = control[:clean]
+        logger.info('HEAP DUMP MAIN LOOP')
+        ObjectSpace.trace_object_allocations_start
+        count.times do |i|
+          logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
+          snapshot_heap(dir, clean)
+          logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
+          sleep(window)
+        end
+      ensure
+        ObjectSpace.trace_object_allocations_stop
+        logger.info('*****************************************************')
+        logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
+        logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
+        logger.info('*****************************************************')
+        exit # rubocop:disable Rails/Exit We weren't kidding!
+      end
+    end
+  end
+end

data/lib/contrast/utils/heap_dump_util.rb

@@ -5,6 +5,7 @@ require 'objspace'
 require 'singleton'
 require 'contrast/components/heap_dump'
 require 'contrast/components/logger'
+require 'contrast/utils/head_dump_utils_extend'
 
 module Contrast
   module Utils
@@ -13,6 +14,7 @@ module Contrast
       extend Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Logger::InstanceMethods
       extend Contrast::Components::HeapDump::InstanceMethods
+      include Contrast::Utils::HeadDumpExtend
 
       LOG_ERROR_DUMPS = 'Unable to generate heap dumps'
       FILE_WRITE_FLAGS = 'w'
@@ -47,71 +49,6 @@ module Contrast
         nil
       end
 
-      def log_enabled_warning
-        control = Contrast::Utils::HeapDumpUtil.control
-        dir    = control[:path]
-        window = control[:window]
-        count  = control[:count]
-        delay  = control[:delay]
-        clean  = control[:clean]
-
-        logger.info <<~WARNING
-          *****************************************************
-          ********      HEAP DUMP HAS BEEN ENABLED     ********
-          *** APPLICATION PROCESS WILL EXIT UPON COMPLETION ***
-          *****************************************************
-
-          Heap dump is a debugging tool that snapshots the entire
-          state of the Ruby VM. It is an exceptionally expensive
-          process, and should only be used to debug especially
-          pernicious errors.
-
-          It will write multiple memory snaphots, which are liable
-          to be multiple gigabytes in size.
-          They will be named "[unix timestamp]-heap.dump",
-          e.g.: 1020304050-heap.dump
-
-          It will then call Ruby `exit()`.
-
-          If this is not your specific intent, you can (and should)
-          disable this option in your Contrast config file.
-
-          HEAP DUMP PARAMETERS:
-          \t[write files to this directory]             dir:     #{ dir    }
-          \t[wait this many seconds in between dumps]   window:  #{ window }
-          \t[heap dump this many times]                 count:   #{ count  }
-          \t[wait this many seconds into app lifetime]  delay:   #{ delay  }
-          \t[perform gc pass before dump]               clean:   #{ clean  }
-
-          *****************************************************
-          ********        YOU HAVE BEEN WARNED         ********
-          *****************************************************
-        WARNING
-      end
-
-      def capture_heap_dump
-        control = Contrast::Utils::HeapDumpUtil.control
-        dir    = control[:path]
-        window = control[:window]
-        count  = control[:count]
-        clean  = control[:clean]
-        logger.info('HEAP DUMP MAIN LOOP')
-        ObjectSpace.trace_object_allocations_start
-        count.times do |i|
-          logger.info('STARTING HEAP DUMP PASS', current_pass: i, max: count)
-          snapshot_heap(dir, clean)
-          logger.info('FINISHING HEAP DUMP PASS', current_pass: i, max: count)
-          sleep(window)
-        end
-      ensure
-        ObjectSpace.trace_object_allocations_stop
-        logger.info('*****************************************************')
-        logger.info('********        HEAP DUMP HAS CONCLUDED      ********')
-        logger.info('***     APPLICATION PROCESS WILL EXIT SHORTLY     ***')
-        logger.info('*****************************************************')
-        exit # rubocop:disable Rails/Exit We weren't kidding!
-      end
-
       def snapshot_heap dir, clean
         output = "#{ Time.now.to_f }-heap.dump"
         output = File.join(dir, output)

data/lib/contrast/utils/invalid_configuration_util.rb

@@ -34,11 +34,28 @@ module Contrast
           finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash)
           finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
           Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
+          if Contrast::Agent::Reporter.enabled?
+            cs__report_new_finding hash, rule_id, user_provided_options, call_location
+          end
         end
       rescue StandardError => e
         logger.error('Unable to build a finding', e, rule: rule_id)
       end
 
+      def cs__report_new_finding hash_code, rule_id, user_provided_options, call_location
+        new_preflight = Contrast::Agent::Reporting::Preflight.new
+        new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
+        new_preflight_message.hash_code = hash_code
+        new_preflight_message.data = "#{ rule_id },#{ hash_code }"
+        new_preflight.messages << new_preflight_message
+
+        ruby_finding = Contrast::Agent::Reporting::Finding.new rule_id
+        ruby_finding.hash_code = hash_code
+        set_new_finding_properties(ruby_finding, user_provided_options, call_location)
+        Contrast::Agent.reporter_queue.send_event_immediately(new_preflight)
+        Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
+      end
+
       private
 
       # Set the properties needed to report and subsequently render this finding on the finding given.
@@ -76,6 +93,18 @@ module Contrast
         end
         call_location&.label&.dup
       end
+
+      def set_new_finding_properties finding, user_provided_options, call_location
+        path = call_location.path
+        # just get the file name, not the full path
+        path = path.split(Contrast::Utils::ObjectShare::SLASH).last
+        session_id = user_provided_options[:key].to_s if user_provided_options
+        finding.properties[CS__SESSION_ID] = session_id
+        finding.properties[CS__PATH] = path
+        file_path = call_location.absolute_path
+        snippet = file_snippet(file_path, call_location)
+        finding.properties[CS__SNIPPET] = snippet
+      end
     end
   end
 end

data/lib/contrast/utils/io_util.rb

@@ -11,7 +11,7 @@ module Contrast
 
       class << self
         # We're only going to call rewind on things that we believe are safe to
-        # call it on. This method white lists those cases and returns false in
+        # call it on. This method allow lists those cases and returns false in
         # all others.
         def should_rewind? potential_io
           return true if potential_io.is_a?(StringIO)

data/lib/contrast/utils/log_utils.rb

@@ -0,0 +1,108 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # Method utility used by Contrast::Logger::log
+    module LogUtils
+      DEFAULT_NAME     = 'contrast.log'
+      DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
+      VALID_LEVELS     = ::Ougai::Logging::Severity::SEV_LABEL
+      STDOUT_STR       = 'STDOUT'
+      STDERR_STR       = 'STDERR'
+      PROGNAME         = 'Contrast Agent'
+      DATE_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%L%z'
+
+      private
+
+      def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
+        logger = case path
+                 when STDOUT_STR, STDERR_STR
+                   ::Ougai::Logger.new(Object.cs__const_get(path))
+                 else
+                   ::Ougai::Logger.new(path)
+                 end
+        add_contrast_loggers(logger)
+        logger.progname = PROGNAME
+        logger.level = level_const
+        logger.formatter = Contrast::Logger::Format.new
+        logger.formatter.datetime_format = DATE_TIME_FORMAT
+        logger
+      end
+
+      def add_contrast_loggers logger
+        logger.extend(Contrast::Logger::Application)
+        logger.extend(Contrast::Logger::Request)
+        logger.extend(Contrast::Logger::Time)
+      end
+
+      # Determine the valid path to which to log, given the precedence of config > settings > default.
+      #
+      # @param log_file [String, nil] the file to which to log as provided by the settings retrieved from the
+      #   TeamServer.
+      # @return [String] the path to which to log or STDOUT / STDERR if one of those values provided.
+      def find_valid_path log_file
+        config = ::Contrast::CONFIG.root.agent.logger
+        config_path = config&.path&.length.to_i.positive? ? config.path : nil
+        valid_path(config_path || log_file)
+      end
+
+      def valid_path path
+        path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
+        return path if path == STDOUT_STR
+        return path if path == STDERR_STR
+
+        path = DEFAULT_NAME if path.empty?
+        if write_permission?(path)
+          path
+        elsif write_permission?(DEFAULT_NAME)
+          # Log once when the path is invalid. We'll change to this path, so no
+          # need to log again.
+          if previous_path != DEFAULT_NAME
+            $stdout.puts "[!] Unable to write to '#{ path }'. Writing to default log '#{ DEFAULT_NAME }' instead."
+          end
+          DEFAULT_NAME
+        else
+          # Log once when the path is invalid. We'll change to this path, so no
+          # need to log again.
+          $stdout.puts "[!] Unable to write to '#{ path }'. Writing to standard out instead."
+          STDOUT_STR
+        end
+      end
+
+      # Determine the valid level to which to log, given the precedence of config > settings > default.
+      #
+      # @param log_level [String, nil] the level at which to log as provided by the settings retrieved from the
+      #   TeamServer.
+      # @return [::Ougai::Logging::Severity] the level at which to log
+      def find_valid_level log_level
+        config = ::Contrast::CONFIG.root.agent.logger
+        config_level = config&.level&.length&.positive? ? config.level : nil
+
+        valid_level(config_level || log_level)
+      end
+
+      def valid_level level
+        level ||= DEFAULT_LEVEL
+        level = level.upcase
+        if VALID_LEVELS.include?(level)
+          Object.cs__const_get("::Ougai::Logging::Severity::#{ level }")
+        else
+          DEFAULT_LEVEL
+        end
+      rescue StandardError
+        DEFAULT_LEVEL
+      end
+
+      # Log that the Agent log has changed and include some default information at the start of the log.
+      def log_update
+        logger.debug('Initialized new contrast agent logger')
+        logger.debug_with_time('middleware: log environment') do
+          logger.application_environment
+          logger.application_configuration
+          logger.application_libraries
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/middleware_utils.rb

@@ -0,0 +1,87 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    # helper methods for Contrast::Agent::Middleware
+    # including disclaimers, deprecation notices, error handling, setup
+    module MiddlewareUtils
+      private
+
+      def setup_agent
+        ::Contrast::SETTINGS.reset_state
+
+        inform_deprecations
+        telemetry_disclaimer
+
+        if ::Contrast::CONFIG.invalid?
+          ::Contrast::AGENT.disable!
+          logger.error('!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!')
+        elsif ::Contrast::AGENT.disabled?
+          logger.warn('Contrast disabled by configuration. Continuing without instrumentation.')
+        else
+          ::Contrast::AGENT.enable!
+        end
+      end
+
+      SECURITY_EXCEPTION_MARKER = 'Contrast::SecurityException'
+      # We're only going to suppress SecurityExceptions indicating a blocked attack. And, only if the
+      # config.agent.ruby.exceptions.capture? is set
+      def handle_exception exception
+        if security_exception?(exception)
+          exception_control = ::Contrast::AGENT.exception_control
+          raise exception unless exception_control[:enable]
+
+          [exception_control[:status], {}, [exception_control[:message]]]
+        else
+          logger.debug('Re-throwing original error', exception)
+          raise exception
+        end
+      end
+
+      # Is the given exception one raised by our Protect code?
+      #
+      # @param exception [Exception]
+      # @return [Boolean]
+      def security_exception? exception
+        exception.is_a?(Contrast::SecurityException) || exception.message&.include?(SECURITY_EXCEPTION_MARKER)
+      end
+
+      # As we deprecate support to prepare to remove dead code, we need to inform our users still relying on the now
+      # deprecated and soon to be removed functionality. This method handles doing that by leveraging the standard
+      # Kernel#warn approach
+      def inform_deprecations
+        # Ruby 2.5 is currently in security maintenance, meaning int is only receiving updates for security issues. It
+        # will move to eol on 31 March 2021. As such, we can remove support for it in Q3. We'll begin the deprecation
+        # warnings now so that customers have time to reach out if they'll be impacted.
+        # TODO: RUBY-715 remove this part of the method, leaving it empty if there are no other deprecations, when we
+        #   drop 2.5 support.
+        return unless RUBY_VERSION < '2.6.0'
+
+        Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.5 will be removed in April 2021. '\
+                    'Please contact Customer Support prior if you require continued support.')
+      end
+
+      # Displays Telemetry disclaimer if Telemetry is enabled.
+      # if .telemetry file doesn't exist we create one and then show the disclaimer.
+      # if the file already exists we do nothing.
+      def telemetry_disclaimer
+        return unless Contrast::Agent::Telemetry.enabled?
+        return unless Contrast::Utils::Telemetry.create_telemetry_file
+
+        logger.info Contrast::Utils::Telemetry.disclaimer
+        $stdout.print Contrast::Utils::Telemetry.disclaimer
+        true
+      end
+
+      def application_code env
+        logger.trace_with_time('application') do
+          app.call(env)
+        end
+      rescue Contrast::SecurityException => e
+        logger.trace('Security Exception raised during application lifecycle to prevent an attack', e)
+        raise e
+      end
+    end
+  end
+end

data/lib/contrast/utils/net_http_base.rb

@@ -0,0 +1,158 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'net/http'
+require 'contrast/components/logger'
+require 'contrast/utils/object_share'
+require 'socket'
+
+module Contrast
+  module Utils
+    # This module creates a Net::HTTP client base to be used by different services
+    # All HTTP clients reporting to Telemetry or TS should inherit from this
+    class NetHttpBase
+      include Contrast::Components::Logger::InstanceMethods
+      # This method initializes the Net::HTTP client we'll need. it will validate
+      # the connection and make the first request. If connection is valid and response
+      # is available then the open connection is returned.
+      #
+      # @param service_name [String] Name of service used in logging messages
+      # @param url [String]
+      # @param use_proxy [Boolean] flag used to indicate proxy connections [default = false]
+      # @param use_custom_cert [Boolean] flag used to indicate whether the client is to use
+      # self signed certificates provided by config [default = false]
+      # @return [Net::HTTP, nil] Return open connection or nil
+      def initialize_connection service_name, url, use_proxy = false, use_custom_cert = false
+        return unless url
+
+        addr = URI(url)
+        # the proxy is enabled only if there is provided url even if the enable is set to true
+        return if addr.host.nil? || addr.port.nil? || addr.scheme != 'https'
+
+        proxy_addr = URI(Contrast::API.proxy_url) if proxy_enabled?
+        net_http_client = initialize_client addr, proxy_addr, use_proxy, use_custom_cert
+        return if net_http_client.nil?
+
+        net_http_client.start
+        return unless net_http_client.started?
+
+        logger.warn("Starting #{ service_name } connection test")
+        return unless connection_verified? net_http_client
+
+        net_http_client
+      rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, OpenSSL::SSL::SSLError => e
+        logger.warn("#{ service_name } connection failed", e.message)
+        nil
+      end
+
+      # Validates connection with assigned domain.
+      # If connection is running, SSL certificate of the endpoint is valid, Ip address is resolvable
+      # and response is received without peer's reset or refuse of connection,
+      # then validation returns true. Error handling is in place so that the work of the agent will continue as
+      # normal without Telemetry.
+      #
+      # @param client [Net::HTTP]
+      # @return [Boolean] true | false
+      def connection_verified? client
+        return @_connection_verified unless @_connection_verified.nil?
+        return false if client.nil?
+
+        # Before RUBY 2.7 there is no #ipaddr
+        ipaddr = if RUBY_VERSION < '2.7.0'
+                   socket = TCPSocket.open(client.address, client.port)
+                   ipaddr = socket.peeraddr[3]
+                   socket.close
+                   ipaddr
+                 else
+                   client.ipaddr
+                 end
+        response = client.request(Net::HTTP::Get.new(client.address))
+        verify_cert = OpenSSL::SSL.verify_certificate_identity(client.peer_cert, client.address)
+        resolved = resolved? client.address, ipaddr
+        @_connection_verified = if resolved && response && verify_cert
+                                  true
+                                else
+                                  false
+                                end
+      rescue OpenSSL::SSL::SSLError, Resolv::ResolvError, Errno::ECONNRESET, Errno::ECONNREFUSED,
+             Errno::ETIMEDOUT, Errno::ESHUTDOWN, Errno::EHOSTDOWN, Errno::EHOSTUNREACH, Errno::EISCONN,
+             Errno::ECONNABORTED, Errno::ENETRESET, Errno::ENETUNREACH => e
+
+        logger.warn("#{ service_name } connection failed", e.message)
+        false
+      end
+
+      private
+
+      # Resolves the address of the assigned domain to array of corresponding IPs (if more than one)
+      # and runs a matcher to see if current connection IP is in the list.
+      # This is called within #verify_connection, if called on it's own there will be no
+      # error handling.
+      #
+      # @param address [String] Human friendly address of assigned domain
+      # @param ipaddr [String] Machine friendly IP address of the assigned domain
+      # @return[Boolean] true if both addresses are resolved | false if one of the addresses
+      # is non-resolvable
+      def resolved? address, ipaddr
+        return @_resolved unless @_resolved.nil?
+
+        @_resolved = if (addresses = Resolv.getaddresses address)
+                       addresses.any? { |addr| addr.include?(ipaddr) }
+                     else
+                       false
+                     end
+      end
+
+      # if the configuration for the use of self-signed certificates is enabled
+      # and required for this client then assign the files and keys to the client
+      #
+      # @param client [Net::HTTP]
+      def assign_cert client
+        if Contrast::API.certification_ca_file
+          client.ca_file = OpenSSL::X509::Certificate.new(File.read(Contrast::API.certification_ca_file)).to_s
+        elsif Contrast::API.certification_cert_file
+          client.cert = OpenSSL::X509::Certificate.new(File.read(Contrast::API.certification_cert_file)).to_s
+        elsif Contrast::API.certification_key_file
+          client.key = OpenSSL::PKey::RSA.new(File.read(Contrast::API.certification_key_file)).to_s
+        end
+      rescue Errno::ENOENT => e
+        logger.error('Custom certificates failed', e.message)
+      end
+
+      # sets default setting for client validation of certificates and
+      # timeout options
+      #
+      # @param addr [URI::Generic] uri of assigned domain
+      # @param proxy_addr [URI::Generic | nil] uri of proxy
+      # @param use_proxy [Boolean] flag used to indicate proxy connections [default = false]
+      # @param use_custom_cert [Boolean] flag used to indicate whether the client is to use
+      # self signed certificates provided by config [default = false]
+      # @return [Net::HTTP]
+      def initialize_client addr, proxy_addr, use_proxy, use_custom_cert
+        initialize_client = if proxy_enabled? && use_proxy
+                              Net::HTTP.new(addr.host, nil, proxy_addr&.host, proxy_addr&.port)
+                            else
+                              Net::HTTP.new(addr.host, addr.port)
+                            end
+        assign_cert(initialize_client) if use_custom_cert && Contrast::API.certification_enabled?
+        initialize_client.use_ssl = true
+        initialize_client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        initialize_client.verify_depth = 5
+        # open connection timeout in ms
+        # if connection reaches timeout this will produce Net::OpenTimeout error
+        initialize_client.open_timeout = 10
+        # if we can't read the response or a chunk within time this will cause a
+        # Net::ReadTimeout error when the request is made
+        initialize_client.read_timeout = 10
+        initialize_client
+      end
+
+      # Check if proxy is enabled
+      #
+      # @return @_proxy_enabled [Boolean] True if proxy is enabled and url is present else false
+      def proxy_enabled?
+        @_proxy_enabled ||= Contrast::API.proxy_enabled? && !Contrast::API.proxy_url.nil? if @_proxy_enabled.nil?
+      end
+    end
+  end
+end

data/lib/contrast/utils/object_share.rb

@@ -30,6 +30,7 @@ module Contrast
       SEMICOLON =     ';'
       SINGLE_QUOTE =  '\''
       SLASH =         '/'
+      SPACE =         ' '
       UNDERSCORE =    '_'
       DOUBLE_UNDERSCORE = '__'
       AT =            '@'