contrast-agent 4.9.1 → 4.13.0

data/lib/contrast/framework/rails/support.rb

@@ -13,6 +13,8 @@ module Contrast
       class Support
         extend Contrast::Framework::BaseSupport
         extend Contrast::Framework::Rails::Patch::Support
+        include Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Logger::InstanceMethods
 
         class << self
           RAILS_MODULE_NAME_VERSION = Gem::Version.new('6.0.0')
@@ -49,31 +51,36 @@ module Contrast
           # Find the current route, based on the provided Request wrapper
           #
           # @param request[Contrast::Agent::Request]
-          # @return [Contrast::Api::Dtm::RouteCoverage]
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil]
           def current_route request
             return unless ::Rails.cs__respond_to?(:application)
 
+            # ActionDispatch::Journey::Path::Pattern::MatchData, Hash, ActionDispatch::Journey::Route, Array<String>
             match, _params, route, path = get_full_route(request.rack_request)
+            unless route
+              logger.warn('Unable to determine the current route of this request')
+              return
+            end
 
             original_url = request.rack_request.path_info
-
+            mounted_app = route&.app&.app
             # Route is either the final rails route, or a router that points to a Sinatra controller.
-            if Contrast::Framework::Sinatra::Support.sinatra_controller?(route.app.app)
-              # Create a request copied from current request, but with the base path removed from path_info.
-              new_req = ::ActionDispatch::Request.new(request.env)
-              new_req.path_info = new_req.path_info.gsub((path << match).join, '')
-
-              return Contrast::Framework::Sinatra::Support.current_route(new_req, route.app.app, original_url)
+            if mounted_app && Contrast::Framework::Sinatra::Support.sinatra_controller?(mounted_app)
+              return mounted_sinatra_route(request, match, path, route, original_url)
+            end
+            if mounted_app && Contrast::Framework::Grape::Support.grape_controller?(mounted_app)
+              return mounted_grape_route(request, match, path, route, original_url)
             end
 
             Contrast::Api::Dtm::RouteCoverage.from_action_dispatch_journey(route, original_url)
-          rescue StandardError => _e
+          rescue StandardError => e
+            logger.warn('Unable to determine the current route of this request', e)
             nil
           end
 
           # Copy a request for modification.
           #
-          # @param [::ActionDispatch::Request] original env.
+          # @param env [::ActionDispatch::Request] original env.
           # @return [::ActionDispatch::Request] a copy of original env with rails env merged.
           def retrieve_request env
             rails_env = ::Rails.application.env_config.merge(env)
@@ -91,18 +98,21 @@ module Contrast
 
           # Determine if route is a Rails engine route.
           #
-          # @param [Object] app or route that points to a ::Rails::Engine
+          # @param route [Object] app or route that points to a ::Rails::Engine
           # @return [bool] whether the router is an engine or not.
           def engine_route? route
+            return false unless route&.app&.app
+
             route.app.is_a?(::ActionDispatch::Routing::Mapper::Constraints) && route.app.app < ::Rails::Engine
           end
 
           # Recursively get final route traversing engines as required.
           #
           # @param request [::Rack::Request] the rack request as will be handed to rails controller.
-          # @param top_router [::ActionDispatch::Journer::Router] the current router relative to the previous.
+          # @param top_router [::ActionDispatch::Journey::Router] the current router relative to the previous.
           # @param path [Array<String>] the chunks of path that have been seen.
-          # @return [Array<array>] the final set of rails route classes.
+          # @return [Array<Object>] the final set of rails route classes.
+          #   ActionDispatch::Journey::Path::Pattern::MatchData, Hash, ActionDispatch::Journey::Route, Array<String>
           def get_full_route request, top_router = ::Rails.application.routes.router, path = []
             return if (route_matches = top_router.send(:find_routes, request)).empty?
 
@@ -132,6 +142,43 @@ module Contrast
             end
             route_list
           end
+
+          # @param request[Contrast::Agent::Request]
+          # @param match [ActionDispatch::Journey::Path::Pattern::MatchData]
+          # @param path [Array<String>] the path of this request, built out from each nested
+          #   ActionDispatch::Journey::Path::Pattern::MatchData
+          # @param route [::ActionDispatch::Journey::Route]
+          # @param original_url [String] the full url of this request, including the mount
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil]
+          def mounted_sinatra_route request, match, path, route, original_url
+            new_req = unmounted_route(request, match, path)
+            Contrast::Framework::Sinatra::Support.current_route(new_req, route.app.app, original_url)
+          end
+
+          # @param request[Contrast::Agent::Request]
+          # @param match [ActionDispatch::Journey::Path::Pattern::MatchData]
+          # @param path [Array<String>] the path of this request, built out from each nested
+          #   ActionDispatch::Journey::Path::Pattern::MatchData
+          # @param route [::ActionDispatch::Journey::Route]
+          # @param original_url [String] the full url of this request, including the mount
+          # @return [Contrast::Api::Dtm::RouteCoverage, nil]
+          def mounted_grape_route request, match, path, route, original_url
+            new_req = unmounted_route(request, match, path)
+            Contrast::Framework::Grape::Support.current_route(new_req, route.app.app, original_url)
+          end
+
+          # Create a request copied from current request, but with the base path removed from path_info, as that's
+          # the mount.
+          #
+          # @param request[Contrast::Agent::Request]
+          # @param match []
+          # @param path [String] the path of this request
+          # @return [::ActionDispatch::Request]
+          def unmounted_route request, match, path
+            new_req = ::ActionDispatch::Request.new(request.env)
+            new_req.path_info = new_req.path_info.gsub((path << match).join, '')
+            new_req
+          end
         end
       end
     end

data/lib/contrast/framework/sinatra/support.rb

@@ -106,7 +106,7 @@ module Contrast
           def _route_recurse controller, method, route
             return if controller.nil? || controller.cs__class == NilClass
 
-            route_patterns = controller.routes.fetch(method, []).map(&:first)
+            route_patterns = controller.routes.fetch(method) { [] }.map(&:first)
             route_pattern = route_patterns&.find do |matcher|
               matcher.params(route) # ::Mustermann::Sinatra match.
             end

data/lib/contrast/logger/application.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/utils/exclude_key'
+
 module Contrast
   module Logger
     # Our decorator for the Ougai logger allowing for the logging of the
@@ -29,6 +31,8 @@ module Contrast
         loggable = ::Contrast::CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select do |env_key|
+          next if Contrast::Utils::ExcludeKey.excludable? env_key.to_s
+
           env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
         end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }

data/lib/contrast/logger/log.rb

@@ -13,6 +13,75 @@ require 'contrast/logger/time'
 require 'contrast/components/config'
 
 module Contrast
+  # This module allows us to dynamically weave timing into our code, so that only when the time is actually needed do
+  # we pay the penalty for that timing block
+  module TraceTiming
+    def methods_to_time
+      @_methods_to_time ||= []
+    end
+
+    # Store info about methods for later patching.
+    METHOD_INFO = Struct.new(:clazz, :method_name, :custom_msg, :aliased)
+
+    # Add a method to the list of methods to be trace timed if logger set to TRACE. Enables trace timing after if
+    # logger set to TRACE.
+    #
+    # @params: clazz [Class] the class of the method to time.
+    # @params: method [Symbol] the method to time.
+    # @params: method [String] optional custom logging message.
+    def add_method_to_trace_timing clazz, method, msg = nil
+      methods_to_time.append(METHOD_INFO.new(clazz, method, msg, false))
+      enable_trace_timing if logger.level == ::Ougai::Logging::TRACE
+    end
+
+    # Add a method to the list of methods to be trace timed if logger set to TRACE. Enables trace timing after if
+    # logger set to TRACE.
+    #
+    # @params: method_spec [METHOD_INFO] specs about the method to be timed.
+    # @params: class_method [Boolean] whether this is or isn't a class/module method.
+    def trace_time_class_method meth_spec, class_method
+      untimed_func_symbol = "untimed_#{ meth_spec.method_name }".to_sym
+      send_to = class_method ? meth_spec.clazz.cs__singleton_class : meth_spec.clazz
+      meth_spec.clazz.class_eval do
+        include Contrast::Components::Logger::InstanceMethods
+        extend Contrast::Components::Logger::InstanceMethods
+
+        send_to.send(:alias_method, untimed_func_symbol, meth_spec.method_name)
+        meth_spec.aliased = true
+
+        log_message = "Elapsed time for #{ meth_spec.method_name }."
+        log_message = meth_spec.custom_message if meth_spec.custom_msg
+
+        send_to.send(:define_method, meth_spec.method_name) do |*args, **kwargs, &block| # rubocop:disable Performance/Kernel/DefineMethod
+          start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+          rv = if kwargs.empty?
+                 send(untimed_func_symbol, *args, &block)
+               else
+                 send(untimed_func_symbol, *args, **kwargs, &block)
+               end
+          delta = Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
+          logger.trace(log_message, elapsed: delta * 1000)
+          rv
+        end
+      end
+    end
+
+    # Enable trace timing of methods specified in @_methods_to_time via aliasing.
+    def enable_trace_timing
+      methods_to_time.each do |meth_spec|
+        next if meth_spec.aliased
+
+        is_class_method = meth_spec.clazz.singleton_methods(false).include?(meth_spec.method_name)
+        trace_time_class_method meth_spec, is_class_method
+      end
+    end
+  end
+end
+
+module Contrast
+  # Used as a wrapper around our logging. The module option specifically adds in a new method for error that raises the
+  # logged exception, used in testing so that we can see if anything unexpected happens without it being swallowed
+  # while still providing safe options for customers.
   module Logger
     # For development set following env var to raise logged exceptions instead of just logging.
     if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
@@ -20,22 +89,22 @@ module Contrast
         alias_method :cs__error, :error
         alias_method :cs__warn, :warn
 
-        def error msg, exc, **kwargs
-          cs__error(msg, exc, **kwargs)
-          raise exc if exc && exc.cs__class < Exception
-        end
-
-        def warn msg, exc, **kwargs
-          cs__warn(msg, exc, **kwargs)
-          raise exc if exc && exc.cs__class < Exception
+        def error *args, **kwargs
+          if kwargs.empty?
+            cs__error(*args)
+          else
+            cs__error(*args, **kwargs)
+          end
+          args.each { |arg| raise arg if arg && arg.cs__class < Exception }
         end
       end
     end
 
-    # This class functions to serve as a wrapper around our logging, as we need
-    # to be able to dynamically update level based on updates to TeamServer.
+    # This class functions to serve as a wrapper around our logging, as we need to be able to dynamically update
+    # level based on updates to TeamServer.
     class Log
       include Singleton
+      include ::Contrast::TraceTiming
 
       DEFAULT_NAME     = 'contrast.log'
       DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
@@ -49,8 +118,8 @@ module Contrast
         update
       end
 
-      # Given new settings from TeamServer, update our logging to use the new
-      # file and level, assuming they weren't set by local configuration.
+      # Given new settings from TeamServer, update our logging to use the new file and level, assuming they weren't
+      # set by local configuration.
       #
       # @param log_file [String] the file to which to log, as provided by TeamServer settings
       # @param log_level [String] the level at which to log, as provided by TeamServer settings
@@ -67,6 +136,8 @@ module Contrast
         @previous_path  = current_path
         @previous_level = current_level_const
 
+        enable_trace_timing if current_level_const == ::Ougai::Logging::TRACE
+
         @_logger = build(path: current_path, level_const: current_level_const)
         # If we're logging to a new path, then let's start it w/ our helpful
         # data gathering messages
@@ -76,6 +147,9 @@ module Contrast
           logger.error('Unable to process update to LoggerManager.', e)
         else
           puts 'Unable to process update to LoggerManager.'
+          raise e if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
+
+          puts e.message
           puts e.backtrace.join("\n")
         end
       end
@@ -158,7 +232,8 @@ module Contrast
       # @return [::Ougai::Logging::Severity] the level at which to log
       def find_valid_level log_level
         config = ::Contrast::CONFIG.root.agent.logger
-        config_level = config.level&.length&.positive? ? config.level : nil
+        config_level = config&.level&.length&.positive? ? config.level : nil
+
         valid_level(config_level || log_level)
       end
 
@@ -174,8 +249,7 @@ module Contrast
         DEFAULT_LEVEL
       end
 
-      # Log that the Agent log has changed and include some default information
-      # at the start of the log.
+      # Log that the Agent log has changed and include some default information at the start of the log.
       def log_update
         logger.debug('Initialized new contrast agent logger')
         logger.debug_with_time('middleware: log environment') do

data/lib/contrast/utils/assess/propagation_method_utils.rb

@@ -0,0 +1,129 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the PropagationMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module PropagationMethodUtils
+        APPEND_ACTION = 'APPEND'
+        CENTER_ACTION = 'CENTER'
+        INSERT_ACTION = 'INSERT'
+        KEEP_ACTION = 'KEEP'
+        NEXT_ACTION = 'NEXT'
+        NOOP_ACTION = 'NOOP'
+        PREPEND_ACTION = 'PREPEND'
+        REPLACE_ACTION = 'REPLACE'
+        REMOVE_ACTION = 'REMOVE'
+        REVERSE_ACTION = 'REVERSE'
+        SPLAT_ACTION = 'SPLAT'
+        SPLIT_ACTION = 'SPLIT'
+        DB_WRITE_ACTION = 'DB_WRITE'
+        CUSTOM_ACTION = 'CUSTOM'
+
+        ZERO_LENGTH_ACTIONS = [DB_WRITE_ACTION, CUSTOM_ACTION, KEEP_ACTION, REPLACE_ACTION, SPLAT_ACTION].cs__freeze
+
+        PROPAGATION_ACTIONS = {
+            APPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Append,
+            CENTER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Center,
+            INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
+            KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
+            NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
+            NOOP_ACTION => nil,
+            PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
+            REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
+            REMOVE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Remove,
+            REVERSE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Reverse,
+            SPLAT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Splat,
+            SPLIT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Split
+        }.cs__freeze
+
+        def determine_target propagation_node, ret, object, args
+          target = propagation_node.targets[0]
+          case target
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          else
+            args[target]
+          end
+        end
+
+        # Custom actions tend to be the more complex of our propagations. Often, the method has to make decisions
+        # about the target based on the context with which the method was called. As such, defer determining if the
+        # target is valid to that method.
+        #
+        # In all other cases, a target is valid for propagation if it is not nil
+        #
+        # @param target [Object] the thing to which to propagate
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @return [Boolean]
+        def valid_target? target, propagation_node
+          return true if propagation_node.action == CUSTOM_ACTION
+
+          !!target
+        end
+
+        # If the action required needs a length and the target does not have one, the length is not valid
+        #
+        # @param target [Object] the thing to which to propagate
+        # @param action [String] the name of the action taken during this propagation
+        # @return [Boolean]
+        def valid_length? target, action
+          return true if ZERO_LENGTH_ACTIONS.include?(action)
+
+          if Contrast::Utils::DuckUtils.quacks_to?(target, :length)
+            target.length != 0 # rubocop:disable Style/ZeroLengthPredicate
+          else
+            !target.to_s.empty?
+          end
+        end
+
+        # Before we do any work, we should check if we even need to. If the source and target of this patcher are
+        # not tracked, there's no need to do anything. A copy of nothing is still nothing.
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param preshift [Contrast::Agent::Assess::PreShift] The capture of the state of the code just prior to
+        #   the invocation of the patched method.
+        # @param target [Object] the thing to which to propagate
+        # @return [Boolean]
+        def can_propagate? propagation_node, preshift, target
+          return false unless appropriate_target?(propagation_node, target)
+          return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
+          return false unless preshift
+
+          propagation_node.sources.each do |source|
+            case source
+            when Contrast::Utils::ObjectShare::OBJECT_KEY
+              return true if Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.object)
+            else
+              # has to be P, there's no ret source type (yet? ever?)
+              return true if preshift.args && Contrast::Utils::Assess::TrackingUtil.tracked?(preshift.args[source])
+            end
+          end
+          false
+        end
+
+        # We cannot propagate to frozen things that have not been updated to work with our property tracking,
+        # unless they're duplicable and the return. We probably shouldn't propagate to frozen things at all, as
+        # they're supposed to be immutable, but third parties do jenky things, so allow it as long as it is safe to
+        # do.
+        #
+        # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode] the node that governs this
+        #   propagation event.
+        # @param target [Object] the Target to which to propagate.
+        # @return [Boolean] if the target can be propagated to
+        def appropriate_target? propagation_node, target
+          # special handle Returns b/c we can do unfreezing magic during propagation
+          return true if propagation_node.targets[0] == Contrast::Utils::ObjectShare::RETURN_KEY
+
+          Contrast::Agent::Assess::Tracker.trackable?(target)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/property/tagged_utils.rb

@@ -0,0 +1,142 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the Tagged property module
+      # and some other module methods from the same place, so we can ease the main module
+      # This module includes simple methods for the tags like
+      # adding tags, getting tags, deleting tags and similar
+      module TaggedUtils
+        # Given a tag name and range object, add a new tag to this
+        # collection. If the given range touches an existing tag,
+        # we'll combine the two, adjusting the existing one and
+        # dropping this new one.
+        #
+        # @param label [String] the name of the tag
+        # @param range [Range] the Range that the tag covers, inclusive to
+        #   exclusive
+        def add_tag label, range
+          length = range.end - range.begin
+          tag = Contrast::Agent::Assess::Tag.new(label, length, range.begin)
+          existing = fetch_tag(label)
+          tags[label] = Contrast::Utils::TagUtil.ordered_merge(existing, tag)
+        end
+
+        def set_tags label, tag_ranges
+          tags[label] = tag_ranges
+        end
+
+        # Returns a list of all current tags.
+        #
+        # @return [Hash<Contrast::Agent::Assess::Tag>]
+        def get_tags # rubocop:disable Naming/AccessorMethodName
+          return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
+
+          tags
+        end
+
+        # We'll use this as a helper method to retrieve tags from the hash.
+        # Because the hash auto-populates an empty array when we try to
+        # access a tag in it, we cannot use the [] method without side
+        # effect. To get around this, we'll use a fetch work around.
+        #
+        # @param label [Symbol] the label to look up
+        # @return [Array<Contrast::Agent::Assess::Tag>] all the tags with
+        #   that label
+        def fetch_tag label
+          get_tags.fetch(label, nil) if tracked?
+        end
+
+        # Remove all tags with a given label
+        def delete_tags label
+          tags.delete(label) if tracked?
+        end
+
+        # Reset the tag hash
+        def clear_tags
+          tags.clear if tracked?
+        end
+
+        # Returns a list of all current tag labels, most likely to be used for
+        # a splat operation
+        def tag_keys
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
+
+          tags.keys
+        end
+
+        # Calls merge to combine touching or overlapping tags
+        # Deletes empty tags
+        def cleanup_tags
+          return unless tracked?
+
+          Contrast::Utils::TagUtil.merge_tags(tags)
+          tags.delete_if { |_, value| value.empty? }
+        end
+
+        # Find all of the ranges that span a given index. This is used
+        # in propagation when we need to shift tags about. For instance, in
+        # the append method when we need to see if any tag at the end needs
+        # to be expanded out to the size of the new String.
+        #
+        # Note: Tags do not know their key, so this is only the range covered
+        #
+        # @param idx [Integer] the index to check for tags
+        # @return [Array<Contrast::Agent::Assess::Tag>] a set of all the Tags
+        #   covering the given index. This is only the ranges, not the names.
+        def tags_at idx
+          return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
+
+          at = []
+          tags.each_value do |tag_array|
+            tag_array.each do |tag|
+              if tag.covers?(idx)
+                at << tag
+              elsif tag.above?(idx)
+                break
+              end
+            end
+          end
+          at
+        end
+
+        # given a range, select all tags in that range the selected tags are
+        # shifted such that the start index of the new tag (0) aligns with
+        # the given start index in the range
+        #
+        # current tags: 5-15
+        # range       : 5-10
+        # result      : 0-05
+        #
+        # Note that we disable Lint/DuplicateBranch in this branch in order
+        # list out all tag range cases in the proper order to make this
+        # easier to understand
+        #
+        # @param range [Range] the span to check, inclusive to exclusive
+        # @return [Hash{String => Contrast::Agent::Assess::Tag}] the hash of
+        #   key to tags
+        def tags_at_range range
+          return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
+
+          at = Hash.new { |h, k| h[k] = [] }
+          tags.each_pair do |key, value|
+            add = nil
+            value.each do |tag|
+              within_range = resize_to_range(tag, range)
+              if within_range
+                add ||= []
+                add << within_range
+              end
+            end
+            next unless add&.any?
+
+            at[key] = add
+          end
+          at
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/source_method_utils.rb

@@ -0,0 +1,83 @@
+# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # This module will include all methods for some internal validations in the SourceMethod module
+      # and some other module methods from the same place, so we can ease the main module
+      module SourceMethodUtils
+        # Safely duplicate the target, or return nil
+        #
+        # @param target [Object] the thing to check for duplication
+        def safe_dup target
+          target.dup
+        rescue StandardError => _e
+          nil
+        end
+
+        # Find the name of the source
+        #
+        # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+        #   event
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [String, nil] the human readable name of the target to which this source event applies, or nil if
+        #   none provided by the node
+        def determine_source_name source_node, object, ret, *args
+          return source_node.get_property('dynamic_source_name') if source_node.type == 'UNTRUSTED_DATABASE'
+
+          source_node_source = source_node.sources[0]
+          case source_node_source
+          when nil
+            nil
+          when Contrast::Utils::ObjectShare::RETURN_KEY
+            ret
+          when Contrast::Utils::ObjectShare::OBJECT_KEY
+            object
+          else
+            args[source_node_source]
+          end
+        end
+
+        # Determine if we should analyze this method invocation for a Source or not. We should if we have enough
+        # information to build the context of this invocation, we're not disabled, and we can't immediately
+        # determine the invocation was done safely.
+        #
+        # @param method_policy [Contrast::Agent::Patching::Policy::MethodPolicy] the policy that applies to the
+        #   method being called
+        # @param object [Object] the Object on which the method was invoked
+        # @param ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [boolean] if the invocation of this method should be analyzed
+        def analyze? method_policy, object, ret, args
+          return false unless method_policy&.source_node
+          return false unless ::Contrast::ASSESS.enabled?
+          return false unless Contrast::Agent::REQUEST_TRACKER.current&.analyze_request?
+
+          !safe_invocation?(method_policy.source_node, object, ret, args)
+        end
+
+        # Determine if the method was invoked safely.
+        #
+        # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source
+        #   event
+        # @param _object [Object] the Object on which the method was invoked
+        # @param _ret [Object] the Return of the invoked method
+        # @param args [Array<Object>] the Arguments with which the method was invoked
+        # @return [boolean] if the invocation of this method was safe
+        def safe_invocation? source_node, _object, _ret, args
+          # According the the Rack Specification https://github.com/rack/rack/blob/master/SPEC.rdoc, any header
+          # from the Request will start with HTTP_. As such, only Headers with that key should be considered for
+          # tracking, as the others have come from the Framework or Middleware stashing in the ENV. Rails, for
+          # instance, uses action_dispatch. to store several values. Technically, you can't call
+          # Rack::Request#get_header without a parameter, and that parameter should be a String, but trust no one.
+          source_node.id == 'Assess:Source:Rack::Request::Env#get_header' &&
+              args&.any? &&
+              !args[0].to_s.start_with?('HTTP_')
+        end
+      end
+    end
+  end
+end