contrast-agent 4.14.0 → 5.2.0

data/lib/contrast/agent/reporting/reporting_events/finding.rb

@@ -1,68 +1,172 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'json'
 require 'contrast/components/logger'
+require 'contrast/agent/reporting/reporting_events/finding_event'
+require 'contrast/agent/reporting/reporting_events/finding_request'
 require 'contrast/agent/reporting/reporting_events/reporting_event'
+require 'contrast/agent/assess/events/event_data'
+require 'contrast/utils/timer'
 
 module Contrast
   module Agent
     module Reporting
-      # This is the new Findings class which will include all the needed information
-      # for the new reporting system
+      # This is the new Finding class which will include all the needed information for the new reporting system to
+      # relay this information in the Finding/Trace messages. These findings are used by TeamServer to construct the
+      # vulnerability information for the assess feature. They represent those parts of the application, either through
+      # configuration, method invocation, or dataflow, which are determined to be insecure.
       class Finding < Contrast::Agent::Reporting::ReportingEvent
-        attr_accessor :events, :properties, :request, :hash_code
+        include Contrast::Components::Logger::InstanceMethods
+
+        # @return [Integer] the time, in ms, that this object was initialized
+        attr_reader :created
+        # @return [String] the ID of the rule associated with this finding
         attr_reader :rule_id
+        # @return [Array<Contrast::Agent::Reporting::RouteDiscovery>] the routes associated with this finding, if the
+        #   finding is request based.
+        attr_reader :routes
+        # @return [Array<Contrast::Agent::Reporting::FindingEvent>] the events associated with this finding, if the
+        #   finding is event (dataflow) based.
+        attr_reader :events
+        # @return [String] the evidence associated with this finding, if the finding is event based. deprecated in
+        #   favor of properties
+        # attr_reader :evidence
+        # @return [Hash<String,String>] properties that prove the violation of the rule for this finding
+        attr_reader :properties
+        # @return [Contrast::Agent::Reporting::FindingRequest] the request associated with this finding, if the finding
+        #   is request based
+        attr_reader :request
+        # @return [String] the uniquely identifying hash of this finding
+        attr_accessor :hash_code
+
+        CONFIGURATION_RULES = %w[rails-http-only-disabled secure-flag-missing session-timeout].cs__freeze
+        HARDCODED_RULES = %w[hardcoded-key hardcoded-password].cs__freeze
+        PROPERTIES_RULES = %w[
+          autocomplete-missing
+          cache-controls-missing
+          clickjacking-control-missing
+          csp-header-missing
+          csp-header-insecure
+          hsts-header-missing
+          parameter-pollution
+          xcontenttype-header-missing
+          xxssprotection-header-disabled
+        ].cs__freeze
+
+        class << self
+          # @param finding_dtm [Contrast::Api::Dtm::Finding]
+          # @return [Contrast::Agent::Reporting::Finding]
+          def convert finding_dtm
+            report = new(finding_dtm.rule_id)
+            report.attach_property_data(finding_dtm)
+            report
+          end
+        end
 
         def initialize rule_id
-          super
-          @event_type = :report_vulnerability
+          @event_method = :PUT
+          @event_endpoint = "#{ Contrast::API.api_url }/api/ng/traces"
           @events = []
-          @platform = Contrast::Utils::ObjectShare::RUBY
+          @routes = []
           @rule_id = Contrast::Utils::StringUtils.truncate(rule_id)
           @properties = {}
+          @created = Contrast::Utils::Timer.now_ms
+          super()
+        end
+
+        # Some reports require specific additional headers to be used. To that end, we'll attach them here, letting
+        # each handle their own.
+        #
+        # @param request [Net::HTTPRequest]
+        def attach_headers request
+          request['Report-Hash'] = hash_code
         end
 
+        # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+        #   trigger event
+        # @param source [Object] the source of the Trigger Event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param request [Contrast::Agent::Request]
+        # @param args [Array<Object>] the Arguments with which the method was invoked
         def attach_data trigger_node, source, object, ret, request, *args
-          @events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args)
-          @request = request
-          from_properties source, @events
-          attach_routes request
+          event_messages = Contrast::Agent::Reporting::FindingEvent.from_source(source)
+          events.concat(event_messages) if event_messages&.any?
+          event_data = Contrast::Agent::Assess::Events::EventData.new(trigger_node, source, object, ret, args)
+          contrast_event = Contrast::Agent::Assess::ContrastEvent.new(event_data)
+          events << Contrast::Agent::Reporting::FindingEvent.convert(contrast_event)
+          attach_properties
+          return unless request
+
+          @request = Contrast::Agent::Reporting::FindingRequest.convert(request)
+          @routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route)
         end
 
-        def to_controlled_hash **_args
+        # Attach the data from a Contrast::Api::Dtm::Finding required for property based findings generated during
+        # response analysis.
+        #
+        # @param finding_dtm [Contrast::Api::Dtm::Finding]
+        def attach_property_data finding_dtm
+          @hash_code = finding_dtm.hash_code
+          @rule_id = finding_dtm.rule_id
+          finding_dtm.properties.each_pair do |key, value|
+            @properties[key] = value
+          end
+          finding_dtm.routes.each do |route|
+            @routes << Contrast::Agent::Reporting::RouteDiscovery.convert(route)
+          end
+          request = Contrast::Agent::REQUEST_TRACKER.current&.request
+          @request = Contrast::Agent::Reporting::FindingRequest.convert(request) if request
+        end
+
+        # Convert the instance variables on the class, and other information, into the identifiers required for
+        # TeamServer to process the JSON form of this message.
+        #
+        # @return [Hash]
+        # @raise [ArgumentError]
+        def to_controlled_hash
           validate
-          {
-              platform: @platform,
-              ruleId: @rule_id,
-              request: request,
-              properties: properties,
-              events: events,
-              routes: routes
+          hsh = {
+              created: created,
+              hash: hash_code.to_s,
+              ruleId: rule_id,
+              session_id: @agent_session_id_value.to_s,
+              version: 4
           }
+          hsh[:events] = events.map(&:to_controlled_hash) if event_based?
+          # hsh[:evidence] = evidence unless event_based? || property_based?
+          hsh[:properties] = properties if property_based?
+          hsh[:tags] = Contrast::ASSESS.tags if Contrast::ASSESS.tags
+          return hsh unless request_based?
+
+          hsh[:request] = request.to_controlled_hash
+          hsh[:routes] = routes.map(&:to_controlled_hash)
+          hsh
         end
 
+        # @raise [ArgumentError]
         def validate
-          raise(ArgumentError, "#{ self } did not have a proper platform. Unable to continue.") unless @platform
           raise(ArgumentError, "#{ self } did not have a proper rule. Unable to continue.") unless @rule_id
-          raise(ArgumentError, "#{ self } did not have proper events. Unable to continue.") if events.empty?
-          raise(ArgumentError, "#{ self } did not have proper properties. Unable to continue.") if properties.empty?
-          raise(ArgumentError, "#{ self } did not have a proper request. Unable to continue.") unless request
 
-          nil
+          if event_based? && events.empty?
+            raise(ArgumentError, "#{ self } did not have proper events for #{ @rule_id }. Unable to continue.")
+          end
+          if property_based? && properties.empty?
+            raise(ArgumentError, "#{ self } did not have proper properties for #{ @rule_id }. Unable to continue.")
+          end
+          return unless request_based? && request.nil?
+
+          raise(ArgumentError, "#{ self } did not have a proper request for #{ @rule_id }. Unable to continue.")
         end
 
         private
 
-        def from_properties source, events
-          return unless source
-          return unless Contrast::Agent::Assess::Tracker.trackable?(source)
-
-          properties = Contrast::Agent::Assess::Tracker.properties(source)
-
-          build_events events, properties.event if properties.event
-          @properties = properties if properties
-        end
+        # Our events have properties on them. To report them to TeamServer, we need to pull them from our object up to
+        # the Contrast::Agent::Reporting::Finding level.
+        #
+        # TODO: RUBY-99999 put properties on events, not just on DTM
+        def attach_properties; end
 
         def build_events events, event
           return unless event
@@ -70,19 +174,53 @@ module Contrast
           event.parent_events&.each do |parent_event|
             build_events(events, parent_event)
           end
-
           events << event
         end
 
-        def attach_routes request
-          context = Contrast::Agent::REQUEST_TRACKER.current
-          if context
-            @routes << context.route if context.route
-          elsif request&.route
-            @routes << request.route
-          elsif request&.path
-            @routes << request.path
-          end
+        # Rules which are event based must have an event to be sent to TeamServer. They include the Trigger, Regexp,
+        # and Data flow type Rules, meaning all those which are not Properties based. Eventually, we may have
+        # validation for each of those types; however, that's a refactor for after we've translated all rules from the
+        # Service and have had time to build proper child structure.
+        #
+        # @return [Boolean]
+        def event_based?
+          !property_based? && !config_based?
+        end
+
+        # Rules which are property based must have a property to be sent to TeamServer. Eventually, each rule may own
+        # its own validation, as the properties each needs are different; however, that's a refactor for after we've
+        # translated all rules from the Service and have had time to build proper child structure.
+        #
+        # @return [Boolean]
+        def property_based?
+          PROPERTIES_RULES.include?(@rule_id)
+        end
+
+        # Rules which are config based must have a configuration to be sent to TeamServer. Eventually, each rule may own
+        # its own validation, as the properties each needs are different; however, that's a refactor for after we've
+        # translated all rules from the Service and have had time to build proper child structure.
+        #
+        # @return [Boolean]
+        def config_based?
+          CONFIGURATION_RULES.include?(@rule_id)
+        end
+
+        # Rules which are hardcode based send properties to TeamServer. Eventually, each rule may own its own
+        # validation, as the properties each needs are different; however, that's a refactor for after we've
+        # translated all rules from the Service and have had time to build proper child structure.
+        #
+        # @return [Boolean]
+        def hardcoded?
+          HARDCODED_RULES.include?(@rule_id)
+        end
+
+        # Rules which are request based must have a request to be sent to TeamServer. Most rules fit this category, so
+        # we'll default to true for now. Eventually, this will be split out for those rules, like Hardcoded, which do
+        # not need requests.
+        #
+        # @return [Boolean]
+        def request_based?
+          !config_based? && !hardcoded?
         end
       end
     end

data/lib/contrast/agent/reporting/reporting_events/finding_event.rb

@@ -0,0 +1,293 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/reporting_events/finding_event_object'
+require 'contrast/agent/reporting/reporting_events/finding_event_parent_object'
+require 'contrast/agent/reporting/reporting_events/finding_event_property'
+require 'contrast/agent/reporting/reporting_events/finding_event_signature'
+require 'contrast/agent/reporting/reporting_events/finding_event_source'
+require 'contrast/agent/reporting/reporting_events/finding_event_stack'
+require 'contrast/agent/reporting/reporting_events/finding_event_taint_range'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new FindingEvent class which will include all the needed information for the new reporting system
+      # to relay this information in the Finding/Trace messages. These FindingEvents are used by TeamServer to
+      # construct the vulnerability information for the assess feature. They represent the operation the application
+      # underwent that transformed data during the dataflow.
+      class FindingEvent
+        # @return [Symbol] what the event did; CREATION, A2O, A2P, A2A, A2R, O2A, O2O, O2P, O2R, P2A, P2O, P2P, P2R,
+        #   TAG, TRIGGER.
+        attr_reader :action
+        # @return [Array<Contrast::Agent::Reporting::FindingEventObject>] the arguments passed to the method.
+        attr_reader :args
+        # @return [nil] unused.
+        attr_reader :code
+        # @return [Integer] the id of this event.
+        attr_reader :event_id
+        # @return [Array<Contrast::Agent::Reporting::FindingEventSource>] the source of taint
+        attr_reader :event_sources
+        # @return [nil] unused.
+        attr_reader :field_name
+        # @return [Contrast::Agent::Reporting::FindingEventObject] the object this method was invoked on.
+        attr_reader :object
+        # @@return [Array<Contrast::Agent::Reporting::FindingEventParentObject>] the ids of all the events directly
+        #   preceding this
+        attr_reader :parent_object_ids
+        # @return [Array<Contrast::Agent::Reporting::FindingEventProperty>]
+        attr_reader :properties
+        # @return  [Contrast::Agent::Reporting::FindingEventObject] the return of the method.
+        attr_reader :ret
+        # @return [Contrast::Agent::Reporting::FindingEventSignature] the signature of the method.
+        attr_reader :signature
+        # @return [String] the source of the taint from the method; ^(O|R|P\d+)$
+        attr_reader :source
+        # @return [Array<Contrast::Agent::Reporting::FindingEventStack>]
+        attr_reader :stack
+        # @return [String] comma separated list of descriptions of what's happened to the data
+        attr_reader :tags
+        # @return [Array<Contrast::Agent::Reporting::FindingEventTaintRange>] the tags and spans of the source that are
+        #   tracked
+        attr_reader :taint_ranges
+        # @return [String] the target of the taint from the method; ^(O|R|P\d+)$
+        attr_reader :target
+        # @return [String] the id of the thread on which the method was invoked
+        attr_reader :thread
+        # @return [Integer] the time, in ms, when the event was generated
+        attr_reader :time
+        # @return [String] the type of event; METHOD, PROPAGATION, TAG
+        attr_reader :type
+
+        class << self
+          # Find all the events leading up to the given source and return an array of FindingEvents
+          #
+          # @param source [Object] something that may have been tracked
+          # @return [Array<Contrast::Agent::Reporting::FindingEvent>]
+          def from_source source
+            return unless source && (props = Contrast::Agent::Assess::Tracker.properties(source))
+
+            build_events([], props.event) if props.event
+          end
+
+          # @param event [Contrast::Agent::Assess::ContrastEvent]
+          # @return [Contrast::Agent::Reporting::FindingEvent]
+          def convert event
+            report = new
+            report.attach_data(event)
+            report
+          end
+
+          private
+
+          # Pull the parent events from the given event, generating an array of FindingEvents, passing back the given
+          # array of events after populating it.
+          #
+          # @param events [Array<Contrast::Agent::Reporting::FindingEvent>]
+          # @param event [Contrast::Agent::Assess::ContrastEvent]
+          # @return [Array<Contrast::Agent::Reporting::FindingEvent>]
+          def build_events events, event
+            return unless event
+
+            event.parent_events&.each do |parent_event|
+              build_events(events, parent_event)
+            end
+            events << convert(event)
+            events
+          end
+        end
+
+        # Parse the data from a Contrast::Agent::Assess::ContrastEvent to attach what is required for reporting to
+        # TeamServer to this Contrast::Agent::Reporting::FindingEvent
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent]
+        def attach_data event
+          @event_id = event.event_id
+          @time = event.time.to_i
+          @thread = event.thread.to_s
+          display_params!(event)
+          dataflow!(event)
+          event_sources!(event)
+          @signature = Contrast::Agent::Reporting::FindingEventSignature.convert(event)
+          stack!(event)
+          parent_ids!(event)
+          properties!(event)
+        end
+
+        # Convert the instance variables on the class, and other information, into the identifiers required for
+        # TeamServer to process the JSON form of this message.
+        #
+        # @return [Hash]
+        # @raise [ArgumentError]
+        def to_controlled_hash # rubocop:disable Metrics/AbcSize
+          validate
+          {
+              action: action,
+              args: args.map(&:to_controlled_hash),
+              # code: code, # Unused by our agent
+              objectId: event_id,
+              eventSources: event_sources.map(&:to_controlled_hash),
+              # fieldName: field_name, # Unused by our agent
+              object: object.to_controlled_hash,
+              parentObjectIds: parent_object_ids.map(&:to_controlled_hash),
+              properties: properties.map(&:to_controlled_hash),
+              ret: ret&.to_controlled_hash,
+              signature: signature.to_controlled_hash,
+              source: source || '',
+              stack: stack.map(&:to_controlled_hash),
+              tags: tags.join(','),
+              taintRanges: taint_ranges.map(&:to_controlled_hash),
+              target: target || '',
+              thread: thread,
+              time: time,
+              type: type
+          }
+        end
+
+        # @raise [ArgumentError]
+        def validate
+          validate_base
+          validate_dataflow
+        end
+
+        private
+
+        # Find the action and type of this event, used by TeamServer to display type of the event and the
+        # transformation if made.
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent]
+        def display_params! event
+          @action = event.policy_node.build_action
+          @type = case event.policy_node.node_type
+                  when :TYPE_TAG
+                    'TAG'
+                  when :TYPE_PROPAGATION
+                    'PROPAGATION'
+                  else # :TYPE_METHOD
+                    'METHOD'
+                  end
+        end
+
+        # Build the dataflow components of this FindingEvent.
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent]
+        def dataflow! event
+          taint_target = taint_target!(event)
+          truncate_obj = Contrast::Utils::ObjectShare::OBJECT_KEY != taint_target
+          @object = Contrast::Agent::Reporting::FindingEventObject.convert(event.object, truncate_obj)
+          truncate_ret = Contrast::Utils::ObjectShare::RETURN_KEY != taint_target
+          @ret = Contrast::Agent::Reporting::FindingEventObject.convert(event.ret, truncate_ret)
+          event_args!(event, taint_target)
+          taint_ranges!(event)
+        end
+
+        # Convert the arguments of the given ContrastEvent to the reportable form for this FindingEvent. We'll
+        # truncate any argument that isn't the taint target of this event.
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent]
+        # @param taint_target [String,nil] the target of the taint in this event.
+        def event_args! event, taint_target
+          @args = []
+          idx = 0
+          while idx < event.args.length
+            @args << Contrast::Agent::Reporting::FindingEventObject.convert(event.args[idx], taint_target != idx)
+            idx += 1
+          end
+        end
+
+        # Convert the sources of the event to sources here
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent]
+        def event_sources! event
+          @event_sources = []
+          return unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+
+          source = Contrast::Agent::Reporting::FindingEventSource.convert(event)
+          event_sources << source if source
+        end
+
+        # Convert the parent id's of the given ContrastEvent to the reportable form for this FindingEvent.
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent]
+        def parent_ids! event
+          @parent_object_ids = []
+          event.parent_events&.each do |parent_event|
+            parent_object_ids << Contrast::Agent::Reporting::FindingEventParentObject.new(parent_event.event_id.to_i)
+          end
+        end
+
+        # Convert the properties of the given ContrastEvent to the reportable form for this FindingEvent.
+        # TODO: RUBY-99999 How do properties get to events? Do they? I thought Stored-XSS needed it.
+        #
+        # @param _event [Contrast::Agent::Assess::ContrastEvent]
+        def properties! _event
+          @properties = []
+        end
+
+        # Convert the stack of the given ContrastEvent to the reportable form for this FindingEvent.
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent]
+        def stack! event
+          @stack = []
+          event.stack_trace.each do |stack_event|
+            if (report = Contrast::Agent::Reporting::FindingEventStack.convert(stack_event))
+              stack << report
+            end
+          end
+        end
+
+        # Convert the taint ranges of the given ContrastEvent to the reportable form for this FindingEvent.
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent]
+        def taint_ranges! event
+          @tags = []
+          @taint_ranges = []
+          event&.tags&.each_pair do |tag_key, tag_ranges|
+            tags << tag_key
+            tag_ranges.each do |range|
+              taint_ranges << Contrast::Agent::Reporting::FindingEventTaintRange.convert(range)
+            end
+          end
+        end
+
+        # Find the source and target for this FindingEvent based on the provided event.
+        #
+        # @param event [Contrast::Agent::Assess::ContrastEvent]
+        # @return [String,nil] the target of the taint in this event.
+        def taint_target! event
+          return unless (node = event.policy_node)
+
+          @source = node.source_string if node.source_string
+          @target = node.target_string if node.target_string
+          return node.targets[0] if node.targets&.any?
+
+          node.sources[0] if node.sources&.any?
+        end
+
+        # @raise [ArgumentError]
+        def validate_base
+          raise(ArgumentError, "#{ self } did not have a proper action. Unable to continue.") unless action
+          raise(ArgumentError, "#{ self } did not have a proper eventId. Unable to continue.") unless event_id
+          raise(ArgumentError, "#{ self } did not have a proper thread. Unable to continue.") unless thread
+          raise(ArgumentError, "#{ self } did not have a proper time. Unable to continue.") unless time
+          raise(ArgumentError, "#{ self } did not have a proper type. Unable to continue.") unless type
+        end
+
+        # @raise [ArgumentError]
+        def validate_dataflow
+          unless parent_object_ids
+            raise(ArgumentError, "#{ self } did not have a proper parentObjectIds. Unable to continue.")
+          end
+          unless taint_ranges && !taint_ranges.empty?
+            raise(ArgumentError, "#{ self } did not have a proper taintRanges. Unable to continue.")
+          end
+          raise(ArgumentError, "#{ self } did not have a proper args. Unable to continue.") unless args
+          raise(ArgumentError, "#{ self } did not have a proper object. Unable to continue.") unless object
+          raise(ArgumentError, "#{ self } did not have a proper signature. Unable to continue.") unless signature
+          raise(ArgumentError, "#{ self } did not have a proper stack. Unable to continue.") unless stack
+          raise(ArgumentError, "#{ self } did not have a proper tags. Unable to continue.") unless tags && !tags.empty?
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb

@@ -0,0 +1,94 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'base64'
+require 'contrast/agent/assess/contrast_object'
+
+module Contrast
+  module Agent
+    module Reporting
+      # This is the new FindingEventObject class which will include all the needed information for the new reporting
+      # system to relay this information in the Finding/Trace messages. These FindingEventObjects are used by
+      # TeamServer to construct the vulnerability information for the assess feature. They represent those parts of the
+      # objects that were acted on in a Dataflow Finding.
+      class FindingEventObject
+        # @return [Integer] the id of the Object this represents.
+        attr_reader :hash
+        # @return [Boolean] if the Object is tracked or not
+        attr_reader :tracked
+        # @return [String] the base64 of the human readable representation of the Object this represents.
+        attr_reader :value
+
+        # We'll truncate any object that isn't important to the taint ranges of this event, so that we don't murder
+        # TeamServer by, for instance, hypothetically sending the entire rendered HTML page >_>  <_<  >_>
+        ELLIPSIS = '...'
+        UNTRUNCATED_PORTION_LENGTH = 25
+        TRUNCATION_LENGTH = (UNTRUNCATED_PORTION_LENGTH * 2) + ELLIPSIS.length
+
+        class << self
+          # @param object [Contrast::Agent::Assess::ContrastObject] the object to translate
+          # @param truncate [Boolean] if the value of this FindingEventObject should be truncated or not
+          # @return [Contrast::Agent::Reporting::FindingEventObject]
+          def convert object, truncate
+            report = new
+            report.attach_data(object, truncate)
+            report
+          end
+        end
+
+        # Parse the data from a Contrast::Agent::Assess::ContrastObject to attach what is required for reporting to
+        # TeamServer to this Contrast::Agent::Reporting::FindingEventObject
+        #
+        # @param object [Contrast::Agent::Assess::ContrastObject, nil]
+        def attach_data object, truncate
+          @hash = object&.object.__id__
+          @tracked = !!object&.tracked?
+          @value = reportable_value(object&.object, truncate)
+        end
+
+        # Convert the instance variables on the class, and other information, into the identifiers required for
+        # TeamServer to process the JSON form of this message.
+        #
+        # @return [Hash]
+        # @raise [ArgumentError]
+        def to_controlled_hash
+          validate
+          {
+              hash: hash,
+              tracked: tracked,
+              value: value
+          }
+        end
+
+        def validate
+          raise(ArgumentError, "#{ self } did not have a proper hash. Unable to continue.") unless hash
+          raise(ArgumentError, "#{ self } did not have a proper tracked. Unable to continue.") if tracked.nil?
+          return if value
+
+          raise(ArgumentError, "#{ self } did not have a proper value. Unable to continue.")
+        end
+
+        private
+
+        # Parse, truncate, and translate the given value to be reported to TeamServer. The field is expected to be
+        # base64 encoded.
+        #
+        # @param value [String, nil] the contrast_string of the object this represents.
+        # @param truncate [Boolean] if the string should be truncated or not.
+        # @return [String]
+        def reportable_value value, truncate
+          return Contrast::Utils::ObjectShare::NIL_STRING unless value
+
+          if truncate && value.length > TRUNCATION_LENGTH
+            tmp = []
+            tmp << value[0, UNTRUNCATED_PORTION_LENGTH]
+            tmp << ELLIPSIS
+            tmp << value[value.length - UNTRUNCATED_PORTION_LENGTH, UNTRUNCATED_PORTION_LENGTH]
+            value = tmp.join
+          end
+          Base64.strict_encode64(value)
+        end
+      end
+    end
+  end
+end