contrast-agent 4.4.0 → 4.8.0

data/lib/contrast/agent/assess/policy/rewriter_patch.rb

@@ -1,6 +1,8 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+return unless RUBY_VERSION < '2.6.0' # TODO: RUBY-714 remove guard w/ EOL of 2.5
+
 require 'contrast/agent/patching/policy/patch_status'
 require 'contrast/agent/module_data'
 require 'contrast/agent/rewriter'
@@ -41,7 +43,9 @@ module Contrast
               module_name = mod.cs__name
               return unless module_name
 
-              if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START, Contrast::Utils::ObjectShare::ANONYMOUS_CLASS_MARKER)
+              if module_name.start_with?(Contrast::Utils::ObjectShare::CONTRAST_MODULE_START,
+                                         Contrast::Utils::ObjectShare::ANONYMOUS_CLASS_MARKER)
+
                 status.no_rewrite!
                 return
 
@@ -64,8 +68,7 @@ module Contrast
             # To get around this, we have those methods tell us the class
             # isn't ready
             def mid_defining? mod
-              mod.instance_variable_defined?(:@cs__defining_class) &&
-                  mod.instance_variable_get(:@cs__defining_class)
+              mod.instance_variable_defined?(:@cs__defining_class) && mod.instance_variable_get(:@cs__defining_class)
             end
 
             def agent_should_rewrite?

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'set'
@@ -11,10 +11,9 @@ module Contrast
   module Agent
     module Assess
       module Policy
-        # This class controls the actions we take on Sources, as determined by
-        # our Assess policy. It indicates what actions we should take in order
-        # to mark data as User Input and treat it as untrusted, starting the
-        # dataflows used in Assess vulnerability detection.
+        # This class controls the actions we take on Sources, as determined by our Assess policy. It indicates what
+        # actions we should take in order to mark data as User Input and treat it as untrusted, starting the dataflows
+        # used in Assess vulnerability detection.
         module SourceMethod
           include Contrast::Components::Interface
           access_component :analysis, :logging
@@ -27,22 +26,17 @@ module Contrast
           COOKIE_KEY_TYPE    = 'COOKIE_KEY'
 
           class << self
-            # This is called from within our woven proc. It will be called as if it
-            # were inline in the Rack application.
+            # This is called from within our woven proc. It will be called as if it were inline in the Rack
+            # application.
             #
-            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy]
-            #   the policy that applies to the method being called
+            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
+            #   method being called
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            # @return [Object, nil] the tracked Return or nil if no changes
-            #   were made
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [Object, nil] the tracked Return or nil if no changes were made
             def source_patchers method_policy, object, ret, args
-              return if method_policy.source_node.nil?
-
-              current_context = Contrast::Agent::REQUEST_TRACKER.current
-              return unless current_context&.analyze_request? && ASSESS.enabled?
+              return unless analyze?(method_policy, object, ret, args)
 
               source_node = method_policy.source_node
               target = determine_target(source_node, object, ret, args)
@@ -62,29 +56,26 @@ module Contrast
                 # double check that we were able to finalize the replaced return
                 return unless Contrast::Agent::Assess::Tracker.trackable?(target)
               end
-              apply_source(current_context, source_node, target, object, ret, source_node.type, nil, *args)
+              apply_source(Contrast::Agent::REQUEST_TRACKER.current, source_node, target, object, ret,
+                           source_node.type, nil, *args)
               restore_frozen_state ? ret : nil
             end
 
             private
 
-            # This is our method that actually taints the object our
-            # source_node targets.
+            # This is our method that actually taints the object our source_node targets.
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
-            #   the node to direct applying this source event
+            # @param context [Contrast::Utils::ThreadTracker] the current request context
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+            #   event
             # @param target [Object] the target of the Source Event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param source_type [String] the type of this source, from the
-            #   source_node, or a KEY_TYPE if invoked for a map
-            # @param source_name [String, nil] the name of this source, i.e.
-            #   the key used to accessed if from a map or nil if a type like
-            #   BODY
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
+            #   map
+            # @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a map or
+            #   nil if a type like BODY
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             def apply_source context, source_node, target, object, ret, source_type, source_name = nil, *args
               return unless context && source_node && target
 
@@ -95,37 +86,34 @@ module Contrast
                 apply_tags(source_node, target, object, ret, source_type, source_name, *args)
               elsif Contrast::Utils::DuckUtils.iterable_hash?(target)
                 apply_hash_tags(context, source_node, target, object, ret, source_type, *args)
-                # While we don't taint arrays themselves, we may taint the things
-                # they hold. Let's pass their keys and values back to ourselves and
-                # try again
+                # While we don't taint arrays themselves, we may taint the things they hold. Let's pass their keys and
+                # values back to ourselves and try again
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
-                target.each { |value| apply_source(context, source_node, value, object, ret, source_type, source_name, *args) }
+                target.each do |value|
+                  apply_source(context, source_node, value, object, ret, source_type, source_name, *args)
+                end
               end
             rescue StandardError => e
               logger.warn('Unable to apply source', e, node_id: source_node.id)
             end
 
-            # While we don't taint hashes themselves, we may taint the things
-            # they hold. Let's pass their keys and values back to ourselves and
-            # try again
+            # While we don't taint hashes themselves, we may taint the things they hold. Let's pass their keys and
+            # values back to ourselves and try again
             #
-            # @param context [Contrast::Utils::ThreadTracker] the current request
-            #   context
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
-            #   the node to direct applying this source event
+            # @param context [Contrast::Utils::ThreadTracker] the current request context
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+            #   event
             # @param target [Object] the target of the Source Event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param source_type [String] the type of this source, from the
-            #   source_node, or a KEY_TYPE if invoked for a map
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param source_type [String] the type of this source, from the source_node, or a KEY_TYPE if invoked for a
+            #   map
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             def apply_hash_tags context, source_node, target, object, ret, source_type, *args
               to_replace = []
               target.each_pair do |key, value|
-                # We only do this for Strings b/c of the way Hash lookup works.
-                # To replace another object would break hash lookup and,
-                # therefore, the application
+                # We only do this for Strings b/c of the way Hash lookup works. To replace another object would break
+                # hash lookup and, therefore, the application
                 if replace_hash_key?(key, target)
                   key = key.dup
                   to_replace << key
@@ -136,10 +124,8 @@ module Contrast
               handle_hash_key(target, to_replace)
             end
 
-            # Given an unfrozen hash, if the key is a String, we should replace
-            # it with one that we can finalize, allowing us to track that key.
-            # This method handles checking if that replace can and should
-            # occur.
+            # Given an unfrozen hash, if the key is a String, we should replace it with one that we can finalize,
+            # allowing us to track that key. This method handles checking if that replace can and should occur.
             #
             # @param key [Object] the key in the hash that may need replacing.
             # @param hash [Hash] the hash to which the key belongs.
@@ -160,9 +146,8 @@ module Contrast
               nil
             end
 
-            # Hash is designed to keep one instance of the string key in it.
-            # We need to remove the existing one and replace it with our new
-            # tracked one.
+            # Hash is designed to keep one instance of the string key in it. We need to remove the existing one and
+            # replace it with our new tracked one.
             def handle_hash_key target, to_replace
               to_replace.each do |key|
                 Contrast::Agent::Assess::Tracker.pre_freeze(key)
@@ -175,25 +160,19 @@ module Contrast
             def apply_tags source_node, target, object, ret, source_type, source_name, *args
               # don't apply tags if we can't track the thing
               return unless Contrast::Agent::Assess::Tracker.trackable?(target)
-              # don't apply second source -- probably needs tuning later if we
-              # use more than 'UNTRUSTED' in our sources
+              # don't apply second source -- probably needs tuning later if we use more than 'UNTRUSTED' in our sources
               return if Contrast::Agent::Assess::Tracker.tracked?(target)
               return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
-              # otherwise for each tag this source_node applies, create a tag range
-              # on the target object
-              # I realize this looping is counter-intuitive from the above
-              # message, that's why we're revisiting.
+              # otherwise for each tag this source_node applies, create a tag range on the target object. I realize
+              # this looping is counter-intuitive from the above message, that's why we're revisiting.
               source_node.tags.each do |tag|
                 next unless Contrast::Agent::Assess::Policy::SourceValidation.valid?(tag, source_type, source_name)
 
                 length = Contrast::Utils::StringUtils.ret_length(target)
                 properties.add_tag(tag, 0...length)
                 properties.add_properties(source_node.properties)
-                logger.trace('Source detected',
-                             node_id: source_node.id,
-                             target_id: target.__id__,
-                             tag: tag)
+                logger.trace('Source detected', node_id: source_node.id, target_id: target.__id__, tag: tag)
               end
               # make a representation of this method that TeamServer can render
               properties.build_event(source_node, target, object, ret, args, source_type, source_name)
@@ -201,15 +180,13 @@ module Contrast
 
             # Find the name of the source
             #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
-            #   the node to direct applying this source event
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+            #   event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            # @return [String, nil] the human readable name of the target to
-            #   which this source event applies, or nil if none provided by the
-            #   node
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [String, nil] the human readable name of the target to which this source event applies, or nil if
+            #   none provided by the node
             def determine_source_name source_node, object, ret, *args
               return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
 
@@ -226,14 +203,50 @@ module Contrast
               end
             end
 
+            # Determine if we should analyze this method invocation for a Source or not. We should if we have enough
+            # information to build the context of this invocation, we're not disabled, and we can't immediately
+            # determine the invocation was done safely.
+            #
+            # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
+            #   method being called
+            # @param object [Object] the Object on which the method was invoked
+            # @param ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [boolean] if the invocation of this method should be analyzed
+            def analyze? method_policy, object, ret, args
+              return false unless method_policy&.source_node
+              return false unless ASSESS.enabled?
+              return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
+
+              !safe_invocation?(method_policy.source_node, object, ret, args)
+            end
+
+            # Determine if the method was invoked safely.
+            #
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+            #   event
+            # @param _object [Object] the Object on which the method was invoked
+            # @param _ret [Object] the Return of the invoked method
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [boolean] if the invocation of this method was safe
+            def safe_invocation? source_node, _object, _ret, args
+              # According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
+              # from the Request will start with HTTP_. As such, only Headers with that key should be considered for
+              # tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
+              # instance, uses action_dispatch. to store several values. Technically, you can't call
+              # Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
+              source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
+                  args&.any? &&
+                  !args[0].to_s.start_with?('HTTP_')
+            end
+
             # Find the literal target of the propagation
             #
-            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode]
-            #   the node to direct applying this source event
+            # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+            #   event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             # @return [Object] the target to which this source event applies
             def determine_target source_node, object, ret, args
               source_target = source_node.targets[0]
@@ -247,12 +260,10 @@ module Contrast
               end
             end
 
-            # Simple helper method to flip the type from value to key when the
-            # source is the key of a Hash
+            # Simple helper method to flip the type from value to key when the source is the key of a Hash
             #
             # @param source_type [String] the original value source type
-            # @return [String] the key form of the source type, if one exists,
-            #   else the original source type
+            # @return [String] the key form of the source type, if one exists, else the original source type
             def key_type source_type
               case source_type
               when PARAMETER_TYPE

data/lib/contrast/agent/assess/policy/source_node.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/assess/policy/source_validation/cross_site_validator.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/source_method'
@@ -8,11 +8,13 @@ module Contrast
     module Assess
       module Policy
         module SourceValidation
-          # Validator used to assert a CROSS_SITE tag is actually applicable to
-          # the given method before applying the tag to its target
+          # Validator used to assert a CROSS_SITE tag is actually applicable to the given method before applying the
+          # tag to its target
           module CrossSiteValidator
-            # prevent the application of a tag if it is from a source known to
-            # not apply a tag in a provided context.
+            # Prevent the application of a tag if it is from a source known to not apply a tag in a provided context.
+            # Note that for Rack, the Header will be HTTP_REFERER. Rails does some help in
+            # ActionDispatch::Http::Headers to convert keys like `referer` to `HTTP_REFERER` before they get to the
+            # Rack::Request#get_header method
             # https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
             def self.valid? tag, source_type, source_name
               return true unless tag == 'CROSS_SITE'
@@ -20,7 +22,7 @@ module Contrast
               return true unless source_type == Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE
               return false unless source_name
 
-              source_name.casecmp?('referer')
+              source_name == 'HTTP_REFERER'
             end
           end
         end

data/lib/contrast/agent/assess/policy/source_validation/source_validation.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/policy/source_validation/cross_site_validator'
@@ -11,9 +11,7 @@ module Contrast
         # certain tags in a given context. This provides a single place from
         # which those validations can be called.
         module SourceValidation
-          VALIDATORS = [
-            Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator
-          ].cs__freeze
+          VALIDATORS = [Contrast::Agent::Assess::Policy::SourceValidation::CrossSiteValidator].cs__freeze
 
           # Determines if the conditions in which this source was called are
           # valid and should result in the application of a tag

data/lib/contrast/agent/assess/policy/trigger/reflected_xss.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -24,7 +24,7 @@ module Contrast
               }.cs__freeze
               TEMPLATE_PROPAGATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
-              def xss_tilt_trigger context, trigger_node, _source, object, ret, *args
+              def xss_tilt_trigger trigger_node, _source, object, ret, *args
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret))
 
                 scope = args[0]
@@ -44,7 +44,11 @@ module Contrast
                 end
 
                 if Contrast::Agent::Assess::Tracker.tracked?(ret)
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, ret, erb_template_prerender, ret, interpolated_inputs)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node,
+                                                                               ret,
+                                                                               erb_template_prerender,
+                                                                               ret,
+                                                                               interpolated_inputs)
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/interface'
@@ -19,31 +19,30 @@ module Contrast
             include Contrast::Components::Interface
 
             class << self
-              def xpath_expression_trigger context, trigger_node, _source, object, ret, *args
+              def xpath_expression_trigger trigger_node, _source, object, ret, *args
                 return ret unless args
 
-                process(context, trigger_node, object, ret, *args)
+                process(trigger_node, object, ret, *args)
               end
 
-              def xpath_oga_trigger context, trigger_node, _source, object, ret, *args
+              def xpath_oga_trigger trigger_node, _source, object, ret, *args
                 return ret unless args
 
                 # convert the options arg in Oga::XML::CharacterNode#initialize into an
                 # array of its values so we can check if any are unsafe
                 args = args.first.values if args.first.cs__is_a?(Hash)
-                process(context, trigger_node, object, ret, *args)
+                process(trigger_node, object, ret, *args)
               end
 
               private
 
-              def process context, trigger_node, object, ret, *args
+              def process trigger_node, object, ret, *args
                 args.each do |arg|
                   next unless arg.cs__is_a?(String) || arg.cs__is_a?(Symbol)
                   next unless Contrast::Agent::Assess::Tracker.tracked?(arg)
                   next unless trigger_node.violated?(arg)
 
-                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(
-                      context, trigger_node, arg, object, ret, *args)
+                  Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(trigger_node, arg, object, ret, *args)
                 end
 
                 ret

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/events/event_factory'
@@ -27,24 +27,6 @@ module Contrast
           CURRENT_FINDING_VERSION = 4
 
           class << self
-            # Append the given finding to the given context to be reported when
-            # the Context's activity is sent to the Service or, in the absence
-            # of that Context, generate an Activity and queue it manually
-            # @param finding [Contrast::Api::Dtm::Finding]
-            def report_finding finding
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              if context
-                context.activity.findings << finding
-              else
-                activity = Contrast::Api::Dtm::Activity.new
-                activity.findings << finding
-
-                Contrast::Agent.messaging_queue.send_event_eventually(activity)
-              end
-              logger.debug('Finding reported',
-                           rule: finding.rule_id)
-            end
-
             # This is called from within our woven proc. It will be called as if it
             # were inline in the Rack application.
             #
@@ -57,38 +39,23 @@ module Contrast
             def apply_trigger_rule trigger_node, object, ret, args
               return if trigger_node.nil?
 
-              current_context = Contrast::Agent::REQUEST_TRACKER.current
-              return unless current_context&.analyze_request? && ASSESS.enabled?
-
               if trigger_node.sources&.any?
                 trigger_node.sources.each do |marker|
                   source = determine_source(marker, object, ret, args)
-                  apply_trigger(current_context,
-                                trigger_node,
-                                source,
-                                object,
-                                ret,
-                                *args)
+                  apply_trigger(trigger_node, source, object, ret, *args)
                 end
               else
-                apply_trigger(current_context,
-                              trigger_node,
-                              nil,
-                              object,
-                              ret,
-                              *args)
+                apply_trigger(trigger_node, nil, object, ret, *args)
               end
             end
 
-            def apply_eval_trigger context, trigger_node, source, object, ret, *args
-              apply_trigger(context, trigger_node, source, object, ret, *args)
+            def apply_eval_trigger trigger_node, source, object, ret, *args
+              apply_trigger(trigger_node, source, object, ret, *args)
             end
 
             # This converts the source of the finding, and the events leading
             # up to it into a Finding
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -99,44 +66,94 @@ module Contrast
             # @return [Contrast::Api::Dtm::Finding, nil] the
             #   Contrast::Api::Dtm::Finding to send to TeamServer or nil if
             #   conditions were not met
-            def build_finding context, trigger_node, source, object, ret, *args
+            def build_finding trigger_node, source, object, ret, *args
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
-              return unless reportable?(context)
+
+              request = find_request(source)
+              return unless reportable?(request&.env)
 
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(trigger_node.rule_id)
-              build_from_source(finding, source)
-              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret, args).to_dtm_event
-              build_hash(finding, source)
-              finding.routes << context.route if context.route
+
+              append_events(finding, trigger_node, source, object, ret, args)
+              append_route(finding, request)
+              append_hash(finding, source, request)
               finding.version = determine_compliance_version(finding)
-              logger.trace('Finding created',
-                           node_id: trigger_node.id,
-                           source_id: source.__id__,
-                           rule: trigger_node.rule_id)
-              report_finding(finding)
+              logger.trace('Finding created', node_id: trigger_node.id, source_id: source.__id__,
+                                              rule: trigger_node.rule_id)
+              report_finding(finding, request)
             rescue StandardError => e
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
             end
 
+            # Given a finding, append it to an activity message and send it to
+            # the Service for processing.
+            #
+            # @param finding [Contrast::Api::Dtm::Finding] the Finding to
+            #    report.
+            # @param request [Contrast::Agent::Request] our wrapper around the
+            #   Rack::Request.
+            def report_finding finding, request = nil
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                context.activity.findings << finding
+                return
+              end
+
+              activity = Contrast::Api::Dtm::Activity.new
+              activity.findings << finding
+              if request
+                activity.http_request = request.dtm
+              else
+                logger.debug('Attempted to report finding without request', finding: finding)
+              end
+
+              # If we're out of request context, then we need to report this
+              # finding ourselves, so we'll send it in the one-off activity we
+              # created.
+              Contrast::Agent.messaging_queue.send_event_eventually(activity)
+            end
+
             private
 
             # A request is reportable if it is not from ActionController::Live
             #
-            # @param context [Contrast::Agent::RequestContext] the current request context
+            # @param env [Hash] the env of the Request
             # @return [Boolean]
-            def reportable? context
-              env = context.request.env
+            def reportable? env
               !(defined?(ActionController::Live) &&
                 env &&
                 env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
             end
 
+            # Find the request for this finding. This assumes, for now, that if
+            # there is an active request, then that is the request to report.
+            # Otherwise, we'll use the first request found in the events of the
+            # source_object.
+            #
+            # @param source [Object,nil] some Object used as the source of a
+            #   trigger event
+            # @return [Contrast::Agent::Request,nil] the request from which the
+            #   dataflow on the request originated.
+            def find_request source
+              return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
+              return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
+
+              properties.events.each do |event|
+                next unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
+
+                return event.request if event.request
+              end
+              nil
+            end
+
+            def settings
+              Contrast::Agent::FeatureState.instance
+            end
+
             # This is our method that actually checks the taint on the object
             # our trigger_node targets.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -144,19 +161,19 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_trigger context, trigger_node, source, object, ret, *args
-              return unless context && trigger_node
+            def apply_trigger trigger_node, source, object, ret, *args
+              return unless trigger_node
               return if trigger_node.rule_disabled?
               return if trigger_node.dataflow? && source.nil?
 
               if trigger_node.regexp_rule?
-                apply_regexp_rule(context, trigger_node, source, object, ret, *args)
+                apply_regexp_rule(trigger_node, source, object, ret, *args)
               elsif trigger_node.custom_trigger?
-                trigger_node.apply_custom_trigger(context, trigger_node, source, object, ret, *args)
+                trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
               elsif trigger_node.dataflow?
-                apply_dataflow_rule(context, trigger_node, source, object, ret, *args)
+                apply_dataflow_rule(trigger_node, source, object, ret, *args)
               else # trigger rule - just calling the method is dangerous
-                build_finding(context, trigger_node, source, object, ret, *args)
+                build_finding(trigger_node, source, object, ret, *args)
               end
             rescue StandardError => e
               logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
@@ -204,8 +221,6 @@ module Contrast
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Regexp based rules.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -213,19 +228,17 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_regexp_rule context, trigger_node, source, object, ret, *args
+            def apply_regexp_rule trigger_node, source, object, ret, *args
               return unless source.is_a?(String)
               return if trigger_node.good_value && source.match?(trigger_node.good_value)
               return if trigger_node.bad_value && source !~ trigger_node.bad_value
 
-              build_finding(context, trigger_node, source, object, ret, *args)
+              build_finding(trigger_node, source, object, ret, *args)
             end
 
             # This is our method that actually checks the taint on the object
             # our trigger_node targets for our Dataflow based rules.
             #
-            # @param context [Contrast::Agent::RequestContext] the current
-            #   request context
             # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
             #   the node to direct applying this trigger event
             # @param source [Object] the source of the Trigger Event
@@ -233,22 +246,22 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method
             #   was invoked
-            def apply_dataflow_rule context, trigger_node, source, object, ret, *args
+            def apply_dataflow_rule trigger_node, source, object, ret, *args
               return unless source
 
               if Contrast::Agent::Assess::Tracker.trackable?(source)
                 return unless Contrast::Agent::Assess::Tracker.tracked?(source)
                 return unless trigger_node.violated?(source)
 
-                build_finding(context, trigger_node, source, object, ret, *args)
+                build_finding(trigger_node, source, object, ret, *args)
               elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
                 source.each_pair do |key, value|
-                  apply_dataflow_rule(context, trigger_node, key, object, ret, *args)
-                  apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, key, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
                 end
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
                 source.each do |value|
-                  apply_dataflow_rule(context, trigger_node, value, object, ret, *args)
+                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
                 end
               else
                 logger.debug('Trigger source is untrackable. Unable to inspect.',
@@ -260,7 +273,13 @@ module Contrast
               end
             end
 
-            def build_from_source finding, source
+            def append_events finding, trigger_node, source, object, ret, args
+              append_from_source(finding, source)
+              finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret,
+                                                                                    args).to_dtm_event
+            end
+
+            def append_from_source finding, source
               return unless source
               return unless Contrast::Agent::Assess::Tracker.trackable?(source)
 
@@ -291,8 +310,17 @@ module Contrast
               finding.events << event.to_dtm_event
             end
 
-            def build_hash finding, source
-              hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source)
+            def append_route finding, request
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              if context
+                finding.routes << context.route if context.route
+              elsif request&.route
+                finding.routes << request.route
+              end
+            end
+
+            def append_hash finding, source, request
+              hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
               finding.hash_code = Contrast::Utils::StringUtils.force_utf8(hash_code)
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
             end