contrast-agent 4.9.0 → 4.12.0

data/lib/contrast/agent/assess/policy/propagator/database_write.rb

@@ -11,10 +11,10 @@ module Contrast
           # results in new source nodes to track which columns in the database
           # have been tainted.
           class DatabaseWrite < Contrast::Agent::Assess::Policy::Propagator::Base
-
-
             class << self
               def propagate propagation_node, preshift, target
+                return unless Contrast::ASSESS.require_dynamic_sources?
+
                 class_type = preshift.object.cs__class
                 class_name = class_type.cs__name
                 tainted_columns = {}

data/lib/contrast/agent/assess/policy/propagator/match_data.rb

@@ -14,16 +14,15 @@ module Contrast
               def square_bracket_tagger propagation_node, preshift, ret, _block
                 case ret
                 when Array
-                  ret.each_with_index do |return_value, index|
+                  idx = 0
+                  while idx < ret.length
+                    return_value = ret[idx]
+                    index = idx
+                    idx += 1
                     next unless return_value
 
-                    target_matchdata_index = if preshift.args[0].is_a?(Range)
-                                               arg_range = preshift.args[0]
-                                               arg_range.to_a.empty? ? index + 1 : arg_range.to_a[index]
-                                             else
-                                               preshift.args[index]
-                                             end
-                    square_bracket_single(target_matchdata_index, preshift, return_value, propagation_node)
+                    square_bracket_single(target_matchdata_index(preshift, index), preshift, return_value,
+                                          propagation_node)
                   end
                 when String
                   target_matchdata_index = preshift.args[0]
@@ -34,7 +33,11 @@ module Contrast
               end
 
               def captures_tagger propagation_node, preshift, ret, _block
-                ret.each_with_index do |return_value, index|
+                idx = 0
+                while idx < ret.length
+                  return_value = ret[idx]
+                  index = idx
+                  idx += 1
                   next unless return_value
 
                   targetted_index = index + 1
@@ -44,7 +47,11 @@ module Contrast
               end
 
               def to_a_tagger propagation_node, preshift, ret, _block
-                ret.each_with_index do |return_value, index|
+                idx = 0
+                while idx < ret.length
+                  return_value = ret[idx]
+                  index = idx
+                  idx += 1
                   next unless return_value
 
                   square_bracket_single(index, preshift, return_value, propagation_node)
@@ -53,7 +60,11 @@ module Contrast
               end
 
               def values_at_tagger propagation_node, preshift, ret, _block
-                ret.each_with_index do |return_value, return_index|
+                idx = 0
+                while idx < ret.length
+                  return_value = ret[idx]
+                  return_index = idx
+                  idx += 1
                   next unless return_value
 
                   original_group_arg_index = preshift.args[return_index]
@@ -64,6 +75,15 @@ module Contrast
 
               private
 
+              def target_matchdata_index preshift, index
+                if preshift.args[0].is_a?(Range)
+                  arg_range = preshift.args[0]
+                  arg_range.to_a.empty? ? index + 1 : arg_range.to_a[index]
+                else
+                  preshift.args[index]
+                end
+              end
+
               def square_bracket_single argument_index, preshift, return_value, propagation_node
                 original_start_index = preshift.object.begin(argument_index)
                 original_end_index = preshift.object.end(argument_index)

data/lib/contrast/agent/assess/policy/propagator/remove.rb

@@ -26,7 +26,6 @@ module Contrast
                 return unless (properties = Contrast::Agent::Assess::Tracker.properties!(target))
 
                 source_string = source.is_a?(String) ? source : source.to_s
-
                 # If the lengths are the same, we should just copy the tags because nothing was removed, but a new
                 # instance could have been created. copy_from will handle the case where the source is the target.
                 if source_string.length == target.length
@@ -34,10 +33,7 @@ module Contrast
                   return
                 end
 
-                source_chars = source_string.chars
                 source_idx = 0
-
-                target_chars = target.chars
                 target_idx = 0
 
                 remove_ranges = []
@@ -45,10 +41,9 @@ module Contrast
 
                 # loop over the target, the result of the delete every range of characters that it differs from the
                 # source represents a section that was deleted. these sections need to have their tags updated
-                target_len = target_chars.length
-                while target_idx < target_len
-                  target_char = target_chars[target_idx]
-                  source_char = source_chars[source_idx]
+                while target_idx < target.length
+                  target_char = target[target_idx]
+                  source_char = source_string[source_idx]
                   if target_char == source_char
                     target_idx += 1
                     if start
@@ -63,7 +58,7 @@ module Contrast
 
                 # once we're done looping over the target, anything left over is extra from the source that was
                 # deleted. tags applying to it need to be removed.
-                remove_ranges << (source_idx...source_chars.length) if source_idx != source_chars.length
+                remove_ranges << (source_idx...source_string.length) if source_idx != source_string.length
 
                 # handle deleting the removed ranges
                 properties.delete_tags_at_ranges(remove_ranges)

data/lib/contrast/agent/assess/policy/propagator/split.rb

@@ -17,7 +17,6 @@ module Contrast
           class Split < Contrast::Agent::Assess::Policy::Propagator::Base
             extend Contrast::Components::Scope::InstanceMethods
             extend Contrast::Components::Logger::InstanceMethods
-            #cs__const_set('AGENT', Contrast::AGENT)
 
             SPLIT_TRACKER = Contrast::Utils::ThreadTracker.new
 
@@ -111,7 +110,9 @@ module Contrast
               # Load patch.
               def instrument_string_split
                 @_instrument_string_split ||= begin
-                  require 'cs__assess_yield_track/cs__assess_yield_track' if ::Contrast::AGENT.patch_yield? && Funchook.available?
+                  if ::Contrast::AGENT.patch_yield? && Funchook.available?
+                    require 'cs__assess_yield_track/cs__assess_yield_track'
+                  end
                   true
                 rescue StandardError => e
                   logger.error('Error loading split rb_yield patch', e)

data/lib/contrast/agent/assess/policy/propagator/substitution.rb

@@ -16,6 +16,7 @@ module Contrast
           # a 'get it right' state soon.
           class Substitution
             include Contrast::Components::Logger::InstanceMethods
+            extend Contrast::Components::Logger::InstanceMethods
 
             CAPTURE_GROUP_REGEXP = /\\[[:digit:]]/.cs__freeze
             CAPTURE_NAME_REGEXP = /\\k<[[:alpha:]]/.cs__freeze

data/lib/contrast/agent/assess/policy/rewriter_patch.rb

@@ -22,7 +22,6 @@ module Contrast
         module RewriterPatch
           extend Contrast::Components::Logger::InstanceMethods
 
-
           class << self
             def rewrite_interpolations
               return unless agent_should_rewrite?

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -17,7 +17,6 @@ module Contrast
         module SourceMethod
           extend Contrast::Components::Logger::InstanceMethods
 
-
           PARAMETER_TYPE     = 'PARAMETER'
           PARAMETER_KEY_TYPE = 'PARAMETER_KEY'
           HEADER_TYPE        = 'HEADER'
@@ -26,8 +25,7 @@ module Contrast
           COOKIE_KEY_TYPE    = 'COOKIE_KEY'
 
           class << self
-            # This is called from within our woven proc. It will be called as if it were inline in the Rack
-            # application.
+            # This is called from within our woven proc. It will be called as if it were inline in the Rack application.
             #
             # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
             #   method being called
@@ -37,29 +35,27 @@ module Contrast
             # @return [Object, nil] the tracked Return or nil if no changes were made
             def source_patchers method_policy, object, ret, args
               return unless analyze?(method_policy, object, ret, args)
+              return unless (source_node = method_policy.source_node)
+              return unless (target = determine_target(source_node, object, ret, args))
 
-              source_node = method_policy.source_node
-              target = determine_target(source_node, object, ret, args)
-              restore_frozen_state = false
+              return_val = nil
               if target.cs__frozen? && !Contrast::Agent::Assess::Tracker.trackable?(target)
                 return unless ::Contrast::ASSESS.track_frozen_sources?
                 return unless source_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+                return unless (dup = safe_dup(ret))
+                return unless Contrast::Agent::Assess::Tracker.trackable?(dup)
 
-                dup = safe_dup(ret)
-                return unless dup
-
-                restore_frozen_state = true
-                ret = dup
-                target = ret
-                Contrast::Agent::Assess::Tracker.pre_freeze(ret)
-                ret.cs__freeze
-                # double check that we were able to finalize the replaced return
-                return unless Contrast::Agent::Assess::Tracker.trackable?(target)
+                Contrast::Agent::Assess::Tracker.pre_freeze(dup)
+                return_val = dup.cs__freeze
+                target = dup
               end
+
               apply_source(Contrast::Agent::REQUEST_TRACKER.current, source_node, target, object, ret,
                            source_node.type, nil, *args)
-              restore_frozen_state ? ret : nil
+
+              return_val
             end
+            Contrast::Components::Logger.add_trace_log_timing_for(SourceMethod, :source_patchers)
 
             private
 

data/lib/contrast/agent/assess/policy/trigger/xpath.rb

@@ -1,7 +1,6 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-
 module Contrast
   module Agent
     module Assess

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -11,30 +11,28 @@ module Contrast
   module Agent
     module Assess
       module Policy
-        # A trigger method is one which can perform a dangerous action, as
-        # described by the Contrast::Agent::Assess::Policy::TriggerNode class.
-        # Each such method will call to this module just after invocation in
-        # order to determine if the call was done safely. In those cases where
-        # it was not, a Finding report is issued to the Service
+        # A trigger method is one which can perform a dangerous action, as described by the
+        # Contrast::Agent::Assess::Policy::TriggerNode class. Each such method will call to this module just after
+        # invocation in order to determine if the call was done safely. In those cases where it was not, a Finding
+        # report is issued to the Service.
         module TriggerMethod
           extend Contrast::Components::Logger::InstanceMethods
 
-          # The level of TeamServer compliance our traces meet when in the
-          # abnormal condition of being dataflow rules without routes
+          # The level of TeamServer compliance our traces meet when in the abnormal condition of being dataflow rules
+          # without routes.
           MINIMUM_FINDING_VERSION = 3
-          # The level of TeamServer compliance our traces meet
+          # The level of TeamServer compliance our traces meet.
           CURRENT_FINDING_VERSION = 4
 
           class << self
-            # This is called from within our woven proc. It will be called as if it
-            # were inline in the Rack application.
+            # This is called from within our woven proc. It will be called as if it were inline in the Rack
+            # application.
             #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
-            #   the node that applies to the method being called
+            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node that applies to the method
+            #   being called
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             def apply_trigger_rule trigger_node, object, ret, args
               return if trigger_node.nil?
 
@@ -52,19 +50,16 @@ module Contrast
               apply_trigger(trigger_node, source, object, ret, *args)
             end
 
-            # This converts the source of the finding, and the events leading
-            # up to it into a Finding
+            # This converts the source of the finding, and the events leading up to it into a Finding
             #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
-            #   the node to direct applying this trigger event
+            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+            #   trigger event
             # @param source [Object] the source of the Trigger Event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            # @return [Contrast::Api::Dtm::Finding, nil] the
-            #   Contrast::Api::Dtm::Finding to send to TeamServer or nil if
-            #   conditions were not met
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [Contrast::Api::Dtm::Finding, nil] the Contrast::Api::Dtm::Finding to send to TeamServer or
+            #   nil if conditions were not met
             def build_finding trigger_node, source, object, ret, *args
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
 
@@ -85,13 +80,12 @@ module Contrast
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
             end
 
-            # Given a finding, append it to an activity message and send it to
-            # the Service for processing.
+            # Given a finding, append it to an activity message and send it to the Service for processing. If an
+            # activity message does not exist, b/c we're invoked outside of a request context, build an activity and
+            # immediately report it with the finding.
             #
-            # @param finding [Contrast::Api::Dtm::Finding] the Finding to
-            #    report.
-            # @param request [Contrast::Agent::Request] our wrapper around the
-            #   Rack::Request.
+            # @param finding [Contrast::Api::Dtm::Finding] the Finding to report.
+            # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
             def report_finding finding, request = nil
               context = Contrast::Agent::REQUEST_TRACKER.current
               if context
@@ -107,9 +101,8 @@ module Contrast
                 logger.debug('Attempted to report finding without request', finding: finding)
               end
 
-              # If we're out of request context, then we need to report this
-              # finding ourselves, so we'll send it in the one-off activity we
-              # created.
+              # If we're out of request context, then we need to report this finding ourselves, so we'll send it in the
+              # one-off activity we created.
               Contrast::Agent.messaging_queue.send_event_eventually(activity)
             end
 
@@ -125,15 +118,12 @@ module Contrast
                 env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
             end
 
-            # Find the request for this finding. This assumes, for now, that if
-            # there is an active request, then that is the request to report.
-            # Otherwise, we'll use the first request found in the events of the
+            # Find the request for this finding. This assumes, for now, that if there is an active request, then that
+            # is the request to report. Otherwise, we'll use the first request found in the events of the
             # source_object.
             #
-            # @param source [Object,nil] some Object used as the source of a
-            #   trigger event
-            # @return [Contrast::Agent::Request,nil] the request from which the
-            #   dataflow on the request originated.
+            # @param source [Object,nil] some Object used as the source of a trigger event
+            # @return [Contrast::Agent::Request,nil] the request from which the dataflow on the request originated.
             def find_request source
               return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
               return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
@@ -150,16 +140,14 @@ module Contrast
               Contrast::Agent::FeatureState.instance
             end
 
-            # This is our method that actually checks the taint on the object
-            # our trigger_node targets.
+            # This is our method that actually checks the taint on the object our trigger_node targets.
             #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
-            #   the node to direct applying this trigger event
+            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+            #   trigger event
             # @param source [Object] the source of the Trigger Event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             def apply_trigger trigger_node, source, object, ret, *args
               return unless trigger_node
               return if trigger_node.rule_disabled?
@@ -178,23 +166,17 @@ module Contrast
               logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
             end
 
-            # Given the marker from the trigger_node (the pointer indicating
-            # the entity from which the taint originated), return the entity on
-            # which this trigger needs to operate.
+            # Given the marker from the trigger_node (the pointer indicating the entity from which the taint
+            # originated), return the entity on which this trigger needs to operate.
             #
-            # In an effort to speed up this lookup, we've changed the marker
-            # for parameters to be implicit - if it is not a return or an
-            # object, it must be a parameter, which we can reference either by
-            # index or by name.
+            # In an effort to speed up this lookup, we've changed the marker for parameters to be implicit - if it is
+            # not a return or an object, it must be a parameter, which we can reference by index.
             #
-            # @param marker [String] the source marker that indicates which
-            #   Object
+            # @param marker [String] the source marker that indicates which Object
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            # @return [Object] the literal object that this Trigger Event
-            #   verifies
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [Object] the literal object that this Trigger Event verifies
             def determine_source marker, object, ret, args
               case marker
               when Contrast::Utils::ObjectShare::RETURN_KEY
@@ -217,16 +199,15 @@ module Contrast
               end
             end
 
-            # This is our method that actually checks the taint on the object
-            # our trigger_node targets for our Regexp based rules.
+            # This is our method that actually checks the taint on the object our trigger_node targets for our Regexp
+            # based rules.
             #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
-            #   the node to direct applying this trigger event
+            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+            #   trigger event
             # @param source [Object] the source of the Trigger Event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             def apply_regexp_rule trigger_node, source, object, ret, *args
               return unless source.is_a?(String)
               return if trigger_node.good_value && source.match?(trigger_node.good_value)
@@ -235,16 +216,15 @@ module Contrast
               build_finding(trigger_node, source, object, ret, *args)
             end
 
-            # This is our method that actually checks the taint on the object
-            # our trigger_node targets for our Dataflow based rules.
+            # This is our method that actually checks the taint on the object our trigger_node targets for our Dataflow
+            # based rules.
             #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
-            #   the node to direct applying this trigger event
+            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+            #   trigger event
             # @param source [Object] the source of the Trigger Event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             def apply_dataflow_rule trigger_node, source, object, ret, *args
               return unless source
 
@@ -266,9 +246,8 @@ module Contrast
                 logger.debug('Trigger source is untrackable. Unable to inspect.',
                              node_id: trigger_node.id,
                              source_id: source.__id__,
-                             source_type: source.cs__class.to_s,
+                             source_type: source.cs__class.cs__name,
                              frozen: source.cs__frozen?)
-                logger.trace(source.to_s[0..99])
               end
             end
 
@@ -287,8 +266,7 @@ module Contrast
 
               build_events finding, properties.event if properties.event
 
-              # Google::Protobuf::Map doesn't support merge!, so we have to do this
-              # long form
+              # Google::Protobuf::Map doesn't support merge!, so we have to do this long form
               source_props = properties.properties
               return unless source_props
 
@@ -304,8 +282,8 @@ module Contrast
               event.parent_events&.each do |parent_event|
                 build_events(finding, parent_event)
               end
-              # events could technically be nil, but we would have failed
-              # the rule check before getting here. not worth the nil check
+              # events could technically be nil, but we would have failed the rule check before getting here. not
+              # worth the nil check
               finding.events << event.to_dtm_event
             end
 
@@ -324,21 +302,18 @@ module Contrast
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
             end
 
-            # Because our APIs are not versioned, TeamServer relies on a field,
-            # version, to tell it what, if any, validation it can preform on
-            # the findings we send it. Examine the finding and determine the
-            # level to which it conforms.
+            # Because our APIs are not versioned, TeamServer relies on a field, version, to tell it what, if any,
+            # validation it can preform on the findings we send it. Examine the finding and determine the level to
+            # which it conforms.
             #
             # @param finding [Contrast::Api::Dtm::Finding]
             # @return [int] the version of compliance
             def determine_compliance_version finding
               return MINIMUM_FINDING_VERSION unless finding
-              # as routes are the only variable between findings, in the case
-              # where we couldn't determine one, any finding with a route is at
-              # maximum compliance
+              # as routes are the only variable between findings, in the case where we couldn't determine one, any
+              # finding with a route is at maximum compliance
               return CURRENT_FINDING_VERSION if finding.routes.any?
-              # any finding without events is not of a dataflow type and
-              # therefore at maximum compliance
+              # any finding without events is not of a dataflow type and therefore at maximum compliance
               return CURRENT_FINDING_VERSION unless finding.events.any?
 
               MINIMUM_FINDING_VERSION

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -14,7 +14,7 @@ module Contrast
         # specifically for those methods which result in the trigger of a
         # vulnerability (indicate points in the application where uncontrolled
         # user input can do damage).
-        class TriggerNode < PolicyNode
+        class TriggerNode < PolicyNode # rubocop:disable Metrics/ClassLength
           JSON_BAD_VALUE = 'bad_value'
           JSON_GOOD_VALUE = 'good_value'
           JSON_DISALLOWED_TAGS = 'disallowed_tags'
@@ -104,8 +104,7 @@ module Contrast
 
             properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties,
-                                                     required_tags)
+            vulnerable_ranges = ranges_with_all_tags(properties, required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 
@@ -170,49 +169,56 @@ module Contrast
 
             tags.each do |tag|
               raise(ArgumentError, "Rule #{ rule_id } had an invalid tag. #{ tag } is not a known value.") unless
-                  Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
-                      Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
+                Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
+                    Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
             end
           end
 
           # Find the ranges that satisfy all of the given tags.
           #
-          # @param length [Integer] the length of the object which may have the
-          #   given tags -- used as the maximum index to search for all of the
-          #   tags.
           # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
           # @param required_tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def ranges_with_all_tags length, properties, required_tags
+          def ranges_with_all_tags properties, required_tags
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless matches_tags?(properties, required_tags)
 
-            ranges = []
             chunking = false
+            ranges = []
+            # find the start and end range of required tags:
+            search_ranges = find_required_ranges properties, required_tags
+            start_range = search_ranges.first
+            end_range = search_ranges.last + 1
+
             # find all the indicies on the source that have all the given tags
-            (0..length).each do |idx|
-              tags_at = properties.tags_at(idx).to_a
+            while start_range < end_range
+
+              tags_at = properties.tags_at(start_range).to_a
               # only those that have all the required tags in the tags_at
               # satisfy the requirement
               satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
               # if this range matches all the required tags and we're already
               # chunking, meaning the previous range matched, do nothing
-              next if satisfied && chunking
+              if satisfied && chunking
+                start_range += 1
+                next
+              end
 
               # if we are satisfied and we were not chunking, this represents
               # the start of the next range, so create a new entry.
               if satisfied
-                ranges << Contrast::Agent::Assess::Tag.new('required', 0, idx)
+                ranges << Contrast::Agent::Assess::Tag.new('required', 0, start_range)
                 chunking = true
-              # if we are chunking and not satisfied, this represents the end
-              # of the range, meaning the last index is what satisfied the
-              # range. Because the range is exclusive end, we can just use this
-              # index.
+                # if we are chunking and not satisfied, this represents the end
+                # of the range, meaning the last index is what satisfied the
+                # range. Because the range is exclusive end, we can just use this
+                # index.
               elsif chunking
-                ranges[-1]&.update_end(idx)
+                ranges[-1]&.update_end(start_range)
                 chunking = false
               end
+              start_range += 1
             end
             ranges
           end
@@ -265,6 +271,33 @@ module Contrast
 
             true
           end
+
+          # Range finder helper for #ranges_with_all_tags
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param required_tags [Set<String>] the list of tags on which to match
+          # @return [Array] of required tags ranges to search
+          def find_required_ranges properties, required_tags
+            start_range = 0
+            end_range = 0
+            required_tags_arr = required_tags.to_a
+            idx = 0
+
+            while idx < required_tags_arr.length
+              # find the start and end range of required tags:
+              start_temp = properties.fetch_tag(required_tags_arr[idx])[0].start_idx
+              end_temp = properties.fetch_tag(required_tags_arr[idx])[0].end_idx
+              # first iteration only
+              start_range = start_temp if idx.zero?
+              end_range = end_temp if idx.zero?
+
+              # find the tag with smallest ranges
+              start_range = start_temp if start_range < start_temp
+              end_range = end_temp if end_range > end_temp
+              idx += 1
+            end
+            [start_range, end_range]
+          end
         end
       end
     end

data/lib/contrast/agent/assess/property/evented.rb

@@ -50,7 +50,8 @@ module Contrast
             return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
 
             if current_request.observed_route.sources.any? do |source|
-                 source.type == event.forced_source_type && source.name == event.forced_source_name
+                 source.type == event.forced_source_type &&
+                       source.name == event.forced_source_name # rubocop:disable Security/Module/Name
                end
 
               return