contrast-agent 4.9.1 → 4.13.0

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -6,35 +6,35 @@ require 'contrast/agent/assess/policy/trigger_validation/trigger_validation'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/sha256_builder'
+require 'contrast/utils/assess/trigger_method_utils'
 
 module Contrast
   module Agent
     module Assess
       module Policy
-        # A trigger method is one which can perform a dangerous action, as
-        # described by the Contrast::Agent::Assess::Policy::TriggerNode class.
-        # Each such method will call to this module just after invocation in
-        # order to determine if the call was done safely. In those cases where
-        # it was not, a Finding report is issued to the Service
+        # A trigger method is one which can perform a dangerous action, as described by the
+        # Contrast::Agent::Assess::Policy::TriggerNode class. Each such method will call to this module just after
+        # invocation in order to determine if the call was done safely. In those cases where it was not, a Finding
+        # report is issued to the Service.
         module TriggerMethod
           extend Contrast::Components::Logger::InstanceMethods
+          extend Contrast::Utils::Assess::TriggerMethodUtils
 
-          # The level of TeamServer compliance our traces meet when in the
-          # abnormal condition of being dataflow rules without routes
+          # The level of TeamServer compliance our traces meet when in the abnormal condition of being dataflow rules
+          # without routes.
           MINIMUM_FINDING_VERSION = 3
-          # The level of TeamServer compliance our traces meet
+          # The level of TeamServer compliance our traces meet.
           CURRENT_FINDING_VERSION = 4
 
           class << self
-            # This is called from within our woven proc. It will be called as if it
-            # were inline in the Rack application.
+            # This is called from within our woven proc. It will be called as if it were inline in the Rack
+            # application.
             #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
-            #   the node that applies to the method being called
+            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node that applies to the method
+            #   being called
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
+            # @param args [Array<Object>] the Arguments with which the method was invoked
             def apply_trigger_rule trigger_node, object, ret, args
               return if trigger_node.nil?
 
@@ -52,19 +52,16 @@ module Contrast
               apply_trigger(trigger_node, source, object, ret, *args)
             end
 
-            # This converts the source of the finding, and the events leading
-            # up to it into a Finding
+            # This converts the source of the finding, and the events leading up to it into a Finding
             #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
-            #   the node to direct applying this trigger event
+            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode] the node to direct applying this
+            #   trigger event
             # @param source [Object] the source of the Trigger Event
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            # @return [Contrast::Api::Dtm::Finding, nil] the
-            #   Contrast::Api::Dtm::Finding to send to TeamServer or nil if
-            #   conditions were not met
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [Contrast::Api::Dtm::Finding, nil] the Contrast::Api::Dtm::Finding to send to TeamServer or
+            #   nil if conditions were not met
             def build_finding trigger_node, source, object, ret, *args
               return unless Contrast::Agent::Assess::Policy::TriggerValidation.valid?(trigger_node, object, ret, args)
 
@@ -85,13 +82,14 @@ module Contrast
               logger.error('Unable to build a finding', e, rule: trigger_node.rule_id, node_id: trigger_node.id)
             end
 
-            # Given a finding, append it to an activity message and send it to
-            # the Service for processing.
+            # Given a finding, append it to an activity message and send it to the Service for processing. If an
+            # activity message does not exist, b/c we're invoked outside of a request context, build an activity and
+            # immediately report it with the finding.
+            #
+            # TODO: RUBY-1351
             #
-            # @param finding [Contrast::Api::Dtm::Finding] the Finding to
-            #    report.
-            # @param request [Contrast::Agent::Request] our wrapper around the
-            #   Rack::Request.
+            # @param finding [Contrast::Api::Dtm::Finding] the Finding to report.
+            # @param request [Contrast::Agent::Request] our wrapper around the Rack::Request.
             def report_finding finding, request = nil
               context = Contrast::Agent::REQUEST_TRACKER.current
               if context
@@ -107,94 +105,28 @@ module Contrast
                 logger.debug('Attempted to report finding without request', finding: finding)
               end
 
-              # If we're out of request context, then we need to report this
-              # finding ourselves, so we'll send it in the one-off activity we
-              # created.
+              # If we're out of request context, then we need to report this finding ourselves, so we'll send it in the
+              # one-off activity we created.
               Contrast::Agent.messaging_queue.send_event_eventually(activity)
             end
 
             private
 
-            # A request is reportable if it is not from ActionController::Live
-            #
-            # @param env [Hash] the env of the Request
-            # @return [Boolean]
-            def reportable? env
-              !(defined?(ActionController::Live) &&
-                env &&
-                env['action_controller.instance'].cs__class.included_modules.include?(ActionController::Live))
-            end
-
-            # Find the request for this finding. This assumes, for now, that if
-            # there is an active request, then that is the request to report.
-            # Otherwise, we'll use the first request found in the events of the
-            # source_object.
-            #
-            # @param source [Object,nil] some Object used as the source of a
-            #   trigger event
-            # @return [Contrast::Agent::Request,nil] the request from which the
-            #   dataflow on the request originated.
-            def find_request source
-              return Contrast::Agent::REQUEST_TRACKER.current.request if Contrast::Agent::REQUEST_TRACKER.current
-              return unless (properties = Contrast::Agent::Assess::Tracker.properties(source))
-
-              properties.events.each do |event|
-                next unless event.cs__is_a?(Contrast::Agent::Assess::Events::SourceEvent)
-
-                return event.request if event.request
-              end
-              nil
-            end
-
             def settings
               Contrast::Agent::FeatureState.instance
             end
 
-            # This is our method that actually checks the taint on the object
-            # our trigger_node targets.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
-            #   the node to direct applying this trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            def apply_trigger trigger_node, source, object, ret, *args
-              return unless trigger_node
-              return if trigger_node.rule_disabled?
-              return if trigger_node.dataflow? && source.nil?
-
-              if trigger_node.regexp_rule?
-                apply_regexp_rule(trigger_node, source, object, ret, *args)
-              elsif trigger_node.custom_trigger?
-                trigger_node.apply_custom_trigger(trigger_node, source, object, ret, *args)
-              elsif trigger_node.dataflow?
-                apply_dataflow_rule(trigger_node, source, object, ret, *args)
-              else # trigger rule - just calling the method is dangerous
-                build_finding(trigger_node, source, object, ret, *args)
-              end
-            rescue StandardError => e
-              logger.warn('Unable to apply trigger', e, node_id: trigger_node.id)
-            end
-
-            # Given the marker from the trigger_node (the pointer indicating
-            # the entity from which the taint originated), return the entity on
-            # which this trigger needs to operate.
+            # Given the marker from the trigger_node (the pointer indicating the entity from which the taint
+            # originated), return the entity on which this trigger needs to operate.
             #
-            # In an effort to speed up this lookup, we've changed the marker
-            # for parameters to be implicit - if it is not a return or an
-            # object, it must be a parameter, which we can reference either by
-            # index or by name.
+            # In an effort to speed up this lookup, we've changed the marker for parameters to be implicit - if it is
+            # not a return or an object, it must be a parameter, which we can reference by index.
             #
-            # @param marker [String] the source marker that indicates which
-            #   Object
+            # @param marker [String] the source marker that indicates which Object
             # @param object [Object] the Object on which the method was invoked
             # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            # @return [Object] the literal object that this Trigger Event
-            #   verifies
+            # @param args [Array<Object>] the Arguments with which the method was invoked
+            # @return [Object] the literal object that this Trigger Event verifies
             def determine_source marker, object, ret, args
               case marker
               when Contrast::Utils::ObjectShare::RETURN_KEY
@@ -217,61 +149,6 @@ module Contrast
               end
             end
 
-            # This is our method that actually checks the taint on the object
-            # our trigger_node targets for our Regexp based rules.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
-            #   the node to direct applying this trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            def apply_regexp_rule trigger_node, source, object, ret, *args
-              return unless source.is_a?(String)
-              return if trigger_node.good_value && source.match?(trigger_node.good_value)
-              return if trigger_node.bad_value && source !~ trigger_node.bad_value
-
-              build_finding(trigger_node, source, object, ret, *args)
-            end
-
-            # This is our method that actually checks the taint on the object
-            # our trigger_node targets for our Dataflow based rules.
-            #
-            # @param trigger_node [Contrast::Agent::Assess::Policy::TriggerNode]
-            #   the node to direct applying this trigger event
-            # @param source [Object] the source of the Trigger Event
-            # @param object [Object] the Object on which the method was invoked
-            # @param ret [Object] the Return of the invoked method
-            # @param args [Array<Object>] the Arguments with which the method
-            #   was invoked
-            def apply_dataflow_rule trigger_node, source, object, ret, *args
-              return unless source
-
-              if Contrast::Agent::Assess::Tracker.trackable?(source)
-                return unless Contrast::Agent::Assess::Tracker.tracked?(source)
-                return unless trigger_node.violated?(source)
-
-                build_finding(trigger_node, source, object, ret, *args)
-              elsif Contrast::Utils::DuckUtils.iterable_hash?(source)
-                source.each_pair do |key, value|
-                  apply_dataflow_rule(trigger_node, key, object, ret, *args)
-                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
-                end
-              elsif Contrast::Utils::DuckUtils.iterable_enumerable?(source)
-                source.each do |value|
-                  apply_dataflow_rule(trigger_node, value, object, ret, *args)
-                end
-              else
-                logger.debug('Trigger source is untrackable. Unable to inspect.',
-                             node_id: trigger_node.id,
-                             source_id: source.__id__,
-                             source_type: source.cs__class.to_s,
-                             frozen: source.cs__frozen?)
-                logger.trace(source.to_s[0..99])
-              end
-            end
-
             def append_events finding, trigger_node, source, object, ret, args
               append_from_source(finding, source)
               finding.events << Contrast::Agent::Assess::Events::EventFactory.build(trigger_node, source, object, ret,
@@ -287,8 +164,7 @@ module Contrast
 
               build_events finding, properties.event if properties.event
 
-              # Google::Protobuf::Map doesn't support merge!, so we have to do this
-              # long form
+              # Google::Protobuf::Map doesn't support merge!, so we have to do this long form
               source_props = properties.properties
               return unless source_props
 
@@ -304,8 +180,8 @@ module Contrast
               event.parent_events&.each do |parent_event|
                 build_events(finding, parent_event)
               end
-              # events could technically be nil, but we would have failed
-              # the rule check before getting here. not worth the nil check
+              # events could technically be nil, but we would have failed the rule check before getting here. not
+              # worth the nil check
               finding.events << event.to_dtm_event
             end
 
@@ -324,21 +200,18 @@ module Contrast
               finding.preflight = Contrast::Utils::PreflightUtil.create_preflight(finding)
             end
 
-            # Because our APIs are not versioned, TeamServer relies on a field,
-            # version, to tell it what, if any, validation it can preform on
-            # the findings we send it. Examine the finding and determine the
-            # level to which it conforms.
+            # Because our APIs are not versioned, TeamServer relies on a field, version, to tell it what, if any,
+            # validation it can preform on the findings we send it. Examine the finding and determine the level to
+            # which it conforms.
             #
             # @param finding [Contrast::Api::Dtm::Finding]
             # @return [int] the version of compliance
             def determine_compliance_version finding
               return MINIMUM_FINDING_VERSION unless finding
-              # as routes are the only variable between findings, in the case
-              # where we couldn't determine one, any finding with a route is at
-              # maximum compliance
+              # as routes are the only variable between findings, in the case where we couldn't determine one, any
+              # finding with a route is at maximum compliance
               return CURRENT_FINDING_VERSION if finding.routes.any?
-              # any finding without events is not of a dataflow type and
-              # therefore at maximum compliance
+              # any finding without events is not of a dataflow type and therefore at maximum compliance
               return CURRENT_FINDING_VERSION unless finding.events.any?
 
               MINIMUM_FINDING_VERSION

data/lib/contrast/agent/assess/policy/trigger_node.rb

@@ -14,7 +14,7 @@ module Contrast
         # specifically for those methods which result in the trigger of a
         # vulnerability (indicate points in the application where uncontrolled
         # user input can do damage).
-        class TriggerNode < PolicyNode
+        class TriggerNode < PolicyNode # rubocop:disable Metrics/ClassLength
           JSON_BAD_VALUE = 'bad_value'
           JSON_GOOD_VALUE = 'good_value'
           JSON_DISALLOWED_TAGS = 'disallowed_tags'
@@ -104,8 +104,7 @@ module Contrast
 
             properties = Contrast::Agent::Assess::Tracker.properties(source)
             # find the ranges that violate the rule (untrusted, etc)
-            vulnerable_ranges = ranges_with_all_tags(Contrast::Utils::StringUtils.ret_length(source), properties,
-                                                     required_tags)
+            vulnerable_ranges = ranges_with_all_tags(properties, required_tags)
             # if there aren't any vulnerable ranges, nope out
             return false if vulnerable_ranges.empty?
 
@@ -170,49 +169,56 @@ module Contrast
 
             tags.each do |tag|
               raise(ArgumentError, "Rule #{ rule_id } had an invalid tag. #{ tag } is not a known value.") unless
-                  Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
-                      Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
+                Contrast::Api::Decorators::TraceTaintRangeTags::VALID_TAGS.include?(tag) ||
+                    Contrast::Api::Decorators::TraceTaintRangeTags::VALID_SOURCE_TAGS.include?(tag)
             end
           end
 
           # Find the ranges that satisfy all of the given tags.
           #
-          # @param length [Integer] the length of the object which may have the
-          #   given tags -- used as the maximum index to search for all of the
-          #   tags.
           # @param properties [Contrast::Agent::Assess::Properties] the
           #   properties to check for the tags
           # @param required_tags [Set<String>] the list of tags on which to match
           # @return [Array<Contrast::Agent::Assess::Tag>] the ranges satisfied
           #   by the given conditions
-          def ranges_with_all_tags length, properties, required_tags
+          def ranges_with_all_tags properties, required_tags
             return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless matches_tags?(properties, required_tags)
 
-            ranges = []
             chunking = false
+            ranges = []
+            # find the start and end range of required tags:
+            search_ranges = find_required_ranges properties, required_tags
+            start_range = search_ranges.first
+            end_range = search_ranges.last + 1
+
             # find all the indicies on the source that have all the given tags
-            (0..length).each do |idx|
-              tags_at = properties.tags_at(idx).to_a
+            while start_range < end_range
+
+              tags_at = properties.tags_at(start_range).to_a
               # only those that have all the required tags in the tags_at
               # satisfy the requirement
               satisfied = tags_at.any? && required_tags.all? { |tag| tags_at.any? { |found| found.label == tag } }
               # if this range matches all the required tags and we're already
               # chunking, meaning the previous range matched, do nothing
-              next if satisfied && chunking
+              if satisfied && chunking
+                start_range += 1
+                next
+              end
 
               # if we are satisfied and we were not chunking, this represents
               # the start of the next range, so create a new entry.
               if satisfied
-                ranges << Contrast::Agent::Assess::Tag.new('required', 0, idx)
+                ranges << Contrast::Agent::Assess::Tag.new('required', 0, start_range)
                 chunking = true
-              # if we are chunking and not satisfied, this represents the end
-              # of the range, meaning the last index is what satisfied the
-              # range. Because the range is exclusive end, we can just use this
-              # index.
+                # if we are chunking and not satisfied, this represents the end
+                # of the range, meaning the last index is what satisfied the
+                # range. Because the range is exclusive end, we can just use this
+                # index.
               elsif chunking
-                ranges[-1]&.update_end(idx)
+                ranges[-1]&.update_end(start_range)
                 chunking = false
               end
+              start_range += 1
             end
             ranges
           end
@@ -265,6 +271,33 @@ module Contrast
 
             true
           end
+
+          # Range finder helper for #ranges_with_all_tags
+          #
+          # @param properties [Contrast::Agent::Assess::Properties] the properties to check for the tags
+          # @param required_tags [Set<String>] the list of tags on which to match
+          # @return [Array] of required tags ranges to search
+          def find_required_ranges properties, required_tags
+            start_range = 0
+            end_range = 0
+            required_tags_arr = required_tags.to_a
+            idx = 0
+
+            while idx < required_tags_arr.length
+              # find the start and end range of required tags:
+              start_temp = properties.fetch_tag(required_tags_arr[idx])[0].start_idx
+              end_temp = properties.fetch_tag(required_tags_arr[idx])[0].end_idx
+              # first iteration only
+              start_range = start_temp if idx.zero?
+              end_range = end_temp if idx.zero?
+
+              # find the tag with smallest ranges
+              start_range = start_temp if start_range < start_temp
+              end_range = end_temp if end_range > end_temp
+              idx += 1
+            end
+            [start_range, end_range]
+          end
         end
       end
     end

data/lib/contrast/agent/assess/property/evented.rb

@@ -50,7 +50,8 @@ module Contrast
             return unless (current_request = Contrast::Agent::REQUEST_TRACKER.current)
 
             if current_request.observed_route.sources.any? do |source|
-                 source.type == event.forced_source_type && source.name == event.forced_source_name
+                 source.type == event.forced_source_type &&
+                       source.name == event.forced_source_name # rubocop:disable Security/Module/Name
                end
 
               return

data/lib/contrast/agent/assess/property/tagged.rb

@@ -5,6 +5,7 @@ require 'contrast/agent/assess/tag'
 require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
 require 'contrast/utils/tag_util'
+require 'contrast/utils/assess/property/tagged_utils'
 
 module Contrast
   module Agent
@@ -13,6 +14,7 @@ module Contrast
         # This module serves to hold the functionality required for the
         # management of our dataflow tags.
         module Tagged
+          include Contrast::Utils::Assess::TaggedUtils
           # Is any tag present?
           # Creating Tags is expensive and we check for Tags all the time on
           # untracked things. ALWAYS!!! call this method before checking if an
@@ -45,125 +47,6 @@ module Contrast
             false
           end
 
-          # Find all of the ranges that span a given index. This is used
-          # in propagation when we need to shift tags about. For instance, in
-          # the append method when we need to see if any tag at the end needs
-          # to be expanded out to the size of the new String.
-          #
-          # Note: Tags do not know their key, so this is only the range covered
-          #
-          # @param idx [Integer] the index to check for tags
-          # @return [Array<Contrast::Agent::Assess::Tag>] a set of all the Tags
-          #   covering the given index. This is only the ranges, not the names.
-          def tags_at idx
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
-
-            at = []
-            tags.each_value do |tag_array|
-              tag_array.each do |tag|
-                if tag.covers?(idx)
-                  at << tag
-                elsif tag.above?(idx)
-                  break
-                end
-              end
-            end
-            at
-          end
-
-          # given a range, select all tags in that range the selected tags are
-          # shifted such that the start index of the new tag (0) aligns with
-          # the given start index in the range
-          #
-          # current tags: 5-15
-          # range       : 5-10
-          # result      : 0-05
-          #
-          # Note that we disable Lint/DuplicateBranch in this branch in order
-          # list out all tag range cases in the proper order to make this
-          # easier to understand
-          #
-          # @param range [Range] the span to check, inclusive to exclusive
-          # @return [Hash{String => Contrast::Agent::Assess::Tag}] the hash of
-          #   key to tags
-          def tags_at_range range
-            return Contrast::Utils::ObjectShare::EMPTY_HASH unless tracked?
-
-            at = Hash.new { |h, k| h[k] = [] }
-            tags.each_pair do |key, value|
-              add = nil
-              value.each do |tag|
-                within_range = resize_to_range(tag, range)
-                if within_range
-                  add ||= []
-                  add << within_range
-                end
-              end
-              next unless add&.any?
-
-              at[key] = add
-            end
-            at
-          end
-
-          # Given a tag name and range object, add a new tag to this
-          # collection. If the given range touches an existing tag,
-          # we'll combine the two, adjusting the existing one and
-          # dropping this new one.
-          #
-          # @param label [String] the name of the tag
-          # @param range [Range] the Range that the tag covers, inclusive to
-          #   exclusive
-          def add_tag label, range
-            length = range.end - range.begin
-            tag = Contrast::Agent::Assess::Tag.new(label, length, range.begin)
-            existing = fetch_tag(label)
-            tags[label] = Contrast::Utils::TagUtil.ordered_merge(existing, tag)
-          end
-
-          def set_tags label, tag_ranges
-            tags[label] = tag_ranges
-          end
-
-          # Remove all tags with a given label
-          def delete_tags label
-            tags.delete(label) if tracked?
-          end
-
-          # Reset the tag hash
-          def clear_tags
-            tags.clear if tracked?
-          end
-
-          # Returns a list of all current tag labels, most likely to be used for
-          # a splat operation
-          def tag_keys
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless tracked?
-
-            tags.keys
-          end
-
-          # Calls merge to combine touching or overlapping tags
-          # Deletes empty tags
-          def cleanup_tags
-            return unless tracked?
-
-            Contrast::Utils::TagUtil.merge_tags(tags)
-            tags.delete_if { |_, value| value.empty? }
-          end
-
-          # We'll use this as a helper method to retrieve tags from the hash.
-          # Because the hash auto-populates an empty array when we try to
-          # access a tag in it, we cannot use the [] method without side
-          # effect. To get around this, we'll use a fetch work around.
-          #
-          # @param label [Symbol] the label to look up
-          # @return [Array<Contrast::Agent::Assess::Tag>] all the tags with
-          #   that label
-          def fetch_tag label
-            tags.fetch(label, nil) if tracked?
-          end
-
           # Remove all tags within the given ranges.
           # This does not delete an entire tag if part of that tag is
           # outside this range, meaning we may reduce sizes of tags
@@ -218,19 +101,6 @@ module Contrast
             end
           end
 
-          # Because of the auto-fill thing, we should not allow direct access to
-          # the tags hash. Instead, the methods above should be used to do
-          # operations like add, delete, and fetch.
-          #
-          # CONTRAST-22914
-          # please do NOT expose this w/ an attr_reader / accessor. there are
-          # helper methods in this class that safely access the hash. the tags
-          # method is private to avoid the side effect of a direct lookup with
-          # `[]` adding an empty array to the hash.
-          def tags
-            @_tags ||= Hash.new { |h, k| h[k] = [] }
-          end
-
           # Remove the tag ranges covering the given range
           def remove_tags range
             return unless tracked?
@@ -334,6 +204,19 @@ module Contrast
 
           private
 
+          # Because of the auto-fill thing, we should not allow direct access to
+          # the tags hash. Instead, the methods above should be used to do
+          # operations like add, delete, and fetch.
+          #
+          # CONTRAST-22914
+          # please do NOT expose this w/ an attr_reader / accessor. there are
+          # helper methods in this class that safely access the hash. the tags
+          # method is private to avoid the side effect of a direct lookup with
+          # `[]` adding an empty array to the hash.
+          def tags
+            @_tags ||= Hash.new { |h, k| h[k] = [] }
+          end
+
           # Given a tag, compare it to a given range and, if any part of that tag is within the range, return a new tag
           # covering the union of the original tag and the range. This new tag will start at the
           # max(tag.start, range.start) and end at min(tag.end, range.end)

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -20,7 +20,6 @@ module Contrast
           module HardcodedValueRule
             include Contrast::Components::Logger::InstanceMethods
 
-
             def disabled?
               !::Contrast::ASSESS.enabled? || ::Contrast::ASSESS.rule_disabled?(rule_id)
             end

data/lib/contrast/agent/deadzone/policy/policy.rb

@@ -35,6 +35,12 @@ module Contrast
             end
           end
 
+          def validate
+            return if class_name
+
+            raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")
+          end
+
           def module_names
             @_module_names ||= Set.new(deadzones.map(&:class_name))
           end

data/lib/contrast/agent/disable_reaction.rb

@@ -8,7 +8,7 @@ module Contrast
     # A Reaction from TeamServer which indicates the Agent should be disabled,
     # typically because some configuration setting did not satisfy requirements
     # set by the Organization's Administrator
-    class DisableReaction
+    module DisableReaction
       extend Contrast::Components::Logger::InstanceMethods
 
       def self.run _reaction, level