contrast-agent 5.1.0 → 6.0.0

data/lib/contrast/config/ruby_configuration.rb

@@ -6,9 +6,6 @@ module Contrast
     # Common Configuration settings. Those in this section pertain to the
     # specific settings that apply to Ruby
     class RubyConfiguration < BaseConfiguration
-      # These commands being detected will result the agent disabling instrumentation, generally any command
-      # that doesn't result in the application listening on a port can be added here, this normally includes tasks
-      # that are ran pre-startup(like migrations) or to show information about the application(such as routes)
       DISABLED_RAKE_TASK_LIST = %w[
         about assets:clean assets:clobber assets:environment
         assets:precompile assets:precompile:all db:create db:drop db:fixtures:load db:migrate
@@ -22,25 +19,66 @@ module Contrast
 
       DEFAULT_UNINSTRUMENTED_NAMESPACES = %w[FactoryGirl FactoryBot].cs__freeze
 
-      KEYS = {
-          disabled_agent_rake_tasks: DISABLED_RAKE_TASK_LIST,
-          exceptions: Contrast::Config::ExceptionConfiguration,
-          # controls whether or not we patch interpolation, either by rewrite or by funchook
-          interpolate: Contrast::Utils::ObjectShare::TRUE,
-          # controls whether or not we patch the rb_yield block to track split propagation
-          propagate_yield: Contrast::Utils::ObjectShare::TRUE,
-          # control whether or not we run file scanning rules on require
-          require_scan: Contrast::Utils::ObjectShare::TRUE,
-          # controls whether or not we track frozen Strings by replacing them
-          track_frozen_sources: Contrast::Utils::ObjectShare::TRUE,
-          # controls tracking outside of request
-          non_request_tracking: Contrast::Utils::ObjectShare::FALSE,
-          uninstrument_namespace: DEFAULT_UNINSTRUMENTED_NAMESPACES
-
-      }.cs__freeze
-
-      def initialize hsh
-        super(hsh, KEYS)
+      attr_writer :disabled_agent_rake_tasks, :exceptions, :interpolate, :propagate_yield, :require_scan,
+                  :track_frozen_sources, :non_request_tracking, :uninstrument_namespace
+
+      def initialize hsh = {}
+        @disabled_agent_rake_tasks = traverse_config(hsh, :disabled_agent_rake_tasks)
+        @exceptions = Contrast::Config::ExceptionConfiguration.new(traverse_config(hsh, :exceptions))
+        @interpolate = traverse_config(hsh, :interpolate)
+        @propagate_yield = traverse_config(hsh, :propagate_yield)
+        @require_scan = traverse_config(hsh, :require_scan)
+        @track_frozen_sources = traverse_config(hsh, :track_frozen_sources)
+        @non_request_tracking = traverse_config(hsh, :non_request_tracking)
+        @uninstrument_namespace = traverse_config(hsh, :uninstrument_namespace)
+      end
+
+      # These commands being detected will result the agent disabling instrumentation, generally any command
+      # that doesn't result in the application listening on a port can be added here, this normally includes tasks
+      # that are ran pre-startup(like migrations) or to show information about the application(such as routes)
+      # @return [Array, DISABLED_RAKE_TASK_LIST]
+      def disabled_agent_rake_tasks
+        @disabled_agent_rake_tasks.nil? ? DISABLED_RAKE_TASK_LIST : @disabled_agent_rake_tasks
+      end
+
+      # @return [Contrast::Config::ExceptionConfiguration]
+      def exceptions
+        @exceptions ||= Contrast::Config::ExceptionConfiguration.new
+      end
+
+      # controls whether or not we patch interpolation, either by rewrite or by funchook
+      # @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
+      def interpolate
+        @interpolate.nil? ? Contrast::Utils::ObjectShare::TRUE : @interpolate
+      end
+
+      # controls whether or not we patch the rb_yield block to track split propagation
+      # @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
+      def propagate_yield
+        @propagate_yield.nil? ? Contrast::Utils::ObjectShare::TRUE : @propagate_yield
+      end
+
+      # control whether or not we run file scanning rules on require
+      # @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
+      def require_scan
+        @require_scan.nil? ?  Contrast::Utils::ObjectShare::TRUE  : @require_scan
+      end
+
+      # controls whether or not we track frozen Strings by replacing them
+      # @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
+      def track_frozen_sources
+        @track_frozen_sources.nil? ?  Contrast::Utils::ObjectShare::TRUE : @track_frozen_sources
+      end
+
+      # controls tracking outside of request
+      # @return [Boolean, Contrast::Utils::ObjectShare::FALSE]
+      def non_request_tracking
+        @non_request_tracking.nil? ?  Contrast::Utils::ObjectShare::FALSE : @non_request_tracking
+      end
+
+      # @return [Array, DEFAULT_UNINSTRUMENTED_NAMESPACES]
+      def uninstrument_namespace
+        @uninstrument_namespace.nil? ? DEFAULT_UNINSTRUMENTED_NAMESPACES : @uninstrument_namespace
       end
     end
   end

data/lib/contrast/config/sampling_configuration.rb

@@ -6,16 +6,26 @@ module Contrast
     # Common Configuration settings. Those in this section pertain to the
     # sampling functionality of the Agent.
     class SamplingConfiguration < BaseConfiguration
-      KEYS = {
-          enable: EMPTY_VALUE,
-          baseline: EMPTY_VALUE,
-          request_frequency: EMPTY_VALUE,
-          response_frequency: EMPTY_VALUE,
-          window_ms: EMPTY_VALUE
-      }.cs__freeze
+      # @return [Integer, nil]
+      attr_reader :baseline
+      # @return [Integer, nil]
+      attr_reader :request_frequency
+      # @return [Integer, nil]
+      attr_reader :response_frequency
+      # @return [Integer, nil]
+      attr_reader :window_ms
 
-      def initialize hsh
-        super(hsh, KEYS)
+      def initialize hsh = {}
+        @enable = traverse_config(hsh, :enable)
+        @baseline = traverse_config(hsh, :baseline)
+        @request_frequency = traverse_config(hsh, :request_frequency)
+        @response_frequency = traverse_config(hsh, :response_frequency)
+        @window_ms = traverse_config(hsh, :window_ms)
+      end
+
+      # @return [Boolean, false]
+      def enable
+        !!@enable
       end
     end
   end

data/lib/contrast/config/server_configuration.rb

@@ -6,17 +6,26 @@ module Contrast
     # Common Configuration settings. Those in this section pertain to the
     # server identification functionality of the Agent.
     class ServerConfiguration < BaseConfiguration
-      KEYS = {
-          name: EMPTY_VALUE,
-          path: EMPTY_VALUE,
-          type: EMPTY_VALUE,
-          tags: EMPTY_VALUE,
-          environment: EMPTY_VALUE,
-          version: EMPTY_VALUE
-      }.cs__freeze
+      # @return [String, nil]
+      attr_accessor :name
+      # @return [String, nil]
+      attr_accessor :path
+      # @return [String, nil]
+      attr_accessor :type
+      # @return [Array, nil]
+      attr_accessor :tags
+      # @return [String, nil]
+      attr_accessor :environment
+      # @return [String, nil]
+      attr_accessor :version
 
-      def initialize hsh
-        super(hsh, KEYS)
+      def initialize hsh = {}
+        @path = traverse_config(hsh, :path)
+        @name = traverse_config(hsh, :name)
+        @type = traverse_config(hsh, :type)
+        @tags = traverse_config(hsh, :tags)
+        @environment = traverse_config(hsh, :environment)
+        @version = traverse_config(hsh, :version)
       end
     end
   end

data/lib/contrast/config/service_configuration.rb

@@ -10,20 +10,36 @@ module Contrast
     class ServiceConfiguration < BaseConfiguration
       # We don't set these b/c we've been asked to handle the default values of
       # these settings differently, logging when we have to use them.
-      DEFAULT_HOST       = '127.0.0.1'
+      DEFAULT_HOST       = '127.0.0.1' # rubocop:disable Style/IpAddresses
       DEFAULT_PORT       = '30555'
 
-      KEYS = {
-          enable: EMPTY_VALUE,
-          host: EMPTY_VALUE,
-          port: EMPTY_VALUE,
-          socket: EMPTY_VALUE,
-          logger: Contrast::Config::LoggerConfiguration,
-          bypass: false
-      }.cs__freeze
+      attr_writer :logger, :bypass
+      # @return [String, nil]
+      attr_accessor :socket
+      # @return [String, nil]
+      attr_accessor :port
+      # @return [String, nil]
+      attr_accessor :host
+      # @return [Boolean, nil]
+      attr_accessor :enable
 
-      def initialize hsh
-        super(hsh, KEYS)
+      def initialize hsh = {}
+        @enable = traverse_config(hsh, :enable)
+        @host = traverse_config(hsh, :host)
+        @port = traverse_config(hsh, :port)
+        @socket = traverse_config(hsh, :socket)
+        @logger = Contrast::Config::LoggerConfiguration.new(traverse_config(hsh, :logger))
+        @bypass = traverse_config(hsh, :bypass)
+      end
+
+      # @return [Contrast::Config::LoggerConfiguration]
+      def logger
+        @logger ||= Contrast::Config::LoggerConfiguration.new
+      end
+
+      # @return [Boolean, false]
+      def bypass
+        @bypass.nil? ? false : @bypass
       end
     end
   end

data/lib/contrast/configuration.rb

@@ -217,10 +217,12 @@ module Contrast
     def convert_to_hash convert = root, hash = {}
       case convert
       when Contrast::Config::BaseConfiguration
-        convert.cs__class::KEYS.each_key do |key|
-          next if Contrast::Utils::ExcludeKey.excludable? key.to_s
+        # to_hash returns @configuration_map
+        convert.to_hash.each_key do |key|
+          next if Contrast::Utils::ExcludeKey.excludable?(key.to_s)
 
-          hash[key] = convert_to_hash(convert.send(key), {})
+          # change '-' to '_' for ProtectRulesConfiguration
+          hash[key] = convert_to_hash(convert.send(key.tr('-', '_').to_sym), {})
         end
         hash
       else

data/lib/contrast/extension/assess/string.rb

@@ -13,7 +13,7 @@ module Contrast
       # methods which are too complex to fit into one of the standard
       # Contrast::Agent::Assess::Policy::Propagator molds without cluttering up the
       # String Class or exposing our methods there.
-      class StringPropagator # rubocop:disable Style/StaticClass
+      class StringPropagator
         extend Contrast::Components::Logger::InstanceMethods
         extend Contrast::Components::Scope::InstanceMethods
 
@@ -43,6 +43,7 @@ module Contrast
               offset = 0
               inputs.each do |input|
                 properties.copy_from(input, result, offset)
+                add_dynamic_sources_info input, result
                 offset += input.length
                 parent_event = Contrast::Agent::Assess::Tracker.properties(input)&.event
                 parent_events << parent_event if parent_event
@@ -58,6 +59,24 @@ module Contrast
           rescue StandardError => e
             logger.error('Unable to track interpolation', e)
           end
+
+          private
+
+          # When there is a string interpolation on input coming from tainted database,
+          # the Contrast::Agent::Assess::Properties::Updated.copy_from method won't copy
+          # the dynamic source properties needed in the build findings from TS to display
+          # the column and Table information as database source information.
+          #
+          # @param source [Object] the source object with the required properties.
+          # @param target [Object] the result form the interpolation and the object
+          # that needs to keep the source properties, in order to be reporter on
+          # trigger event.
+          # @return updated_properties [Hash<DynamicSourceInfo>, nil]
+          def add_dynamic_sources_info source, target
+            return unless (dynamic_props = Contrast::Agent::Assess::Tracker.properties(source)&.properties)
+
+            Contrast::Agent::Assess::Tracker.properties(target)&.add_properties(dynamic_props)
+          end
         end
       end
     end

data/lib/contrast/extension/module.rb

@@ -13,5 +13,4 @@ class Module
   alias_method :cs__const_defined?, :const_defined?
   alias_method :cs__const_get, :const_get
   alias_method :cs__const_set, :const_set
-  alias_method :cs__autoload?, :autoload?
 end

data/lib/contrast/framework/manager.rb

@@ -125,7 +125,7 @@ module Contrast
       # @return [Contrast::Api::Dtm::RouteCoverage] the current route as a Dtm.
       def get_route_dtm request
         @_frameworks.lazy.map { |framework_support| framework_support.current_route(request) }.
-            reject(&:nil?).first
+            reject(&:nil?).first # rubocop:disable Style/CollectionCompact
       end
 
       # Iterate through current frameworks and return the current request's route. This will be the first non-nil
@@ -135,7 +135,7 @@ module Contrast
       # @return [Contrast::Agent::Reporting::RouteCoverage] the current route as a Dtm.
       def get_route_information request
         @_frameworks.lazy.map { |framework_support| framework_support.current_route_coverage(request) }.
-            reject(&:nil?).first
+            reject(&:nil?).first # rubocop:disable Style/CollectionCompact
       end
 
       # Sometimes the framework we want to instrument is loaded after our agent code. To catch that case, we'll detect

data/lib/contrast/logger/application.rb

@@ -19,7 +19,7 @@ module Contrast
           env_key = env_key.to_s
           next unless ENV_KEYS.include?(env_key) ||
               (env_key.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) &&
-                  !env_key.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER + 'API'))
+                  !env_key.start_with?("#{ Contrast::Components::Config::CONTRAST_ENV_MARKER }API"))
 
           info('Environment settings', key: env_key, value: env_value)
         end

data/lib/contrast/logger/cef_log.rb

@@ -0,0 +1,151 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'logger'
+require 'singleton'
+
+require 'contrast/extension/module'
+require 'contrast/logger/application'
+require 'contrast/logger/format'
+require 'contrast/logger/request'
+require 'contrast/logger/time'
+require 'contrast/logger/log'
+require 'contrast/components/config'
+require 'contrast/utils/log_utils'
+
+module Contrast
+  # Used as a wrapper around our logging. The module option specifically adds in a new method for error that raises the
+  # logged exception, used in testing so that we can see if anything unexpected happens without it being swallowed
+  # while still providing safe options for customers.
+  module Logger
+    # For development set following env var to raise logged exceptions instead of just logging.
+    if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
+      ::Logger.class_eval do
+        alias_method :cs__error, :error
+        alias_method :cs__warn, :warn
+
+        def error *args, **kwargs
+          if kwargs.empty?
+            cs__error(*args)
+          else
+            cs__error(*args, **kwargs)
+          end
+          args.each { |arg| raise arg if arg && arg.cs__class < Exception }
+        end
+      end
+    end
+
+    # This is the CEF Logger implementation. It uses the default ::Logger.
+    class CEFLog
+      include Singleton
+      include ::Contrast::Utils::LogUtils
+      include ::Contrast::Utils::CEFLogUtils
+
+      attr_reader :previous_path, :previous_level
+
+      def initialize
+        build_logger
+      end
+
+      # Given new settings from TeamServer, update our logging to use the new file and level, assuming they weren't
+      # set by local configuration.
+      #
+      # @param log_level [String] the level at which to log, as provided by TeamServer settings
+      def build_logger log_level = nil
+        current_level_const = find_valid_level(log_level)
+        level_change = current_level_const != previous_level
+
+        # don't needlessly recreate logger
+        return if @cef_logger && !level_change
+
+        @previous_level = current_level_const
+
+        @_cef_logger = build(path: DEFAULT_CEF_NAME, level_const: current_level_const)
+        # If we're logging to a new path, then let's start it w/ our helpful
+        # data gathering messages
+        # log_update if path_change
+      rescue StandardError => e
+        # rubocop:disable Rails/Output
+        if @_cef_logger
+          @_cef_logger.error('Unable to process update to LoggerManager.', e)
+        else
+          puts 'Unable to process update to LoggerManager.'
+          raise e if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
+
+          puts e.message
+          puts e.backtrace.join("\n")
+        end
+        # rubocop:enable Rails/Output
+      end
+
+      def cef_logger
+        @_cef_logger
+      end
+
+      def log msg, level = @_cef_logger.level
+        case level
+        when ::Logger::Severity::INFO
+          @_cef_logger.info(msg)
+        when ::Logger::Severity::ERROR
+          @_cef_logger.error(msg)
+        when ::Logger::Severity::WARN
+          @_cef_logger.warn(msg)
+        when ::Logger::Severity::FATAL
+          @_cef_logger.fatal(msg)
+        else
+          @_cef_logger.debug(msg)
+        end
+      end
+
+      def virtual_patch_message patch, outcome
+        message = "Virtual Patch #{ patch.fetch(:name, '') } - #{ patch[:uuid] } was triggered by this request."
+        log [message, patch, outcome], ::Logger::Severity::DEBUG
+      end
+
+      def bot_blocking_message matching_bot, outcome
+        message = "User agent #{ matching_bot[:user_agent] } matched the disallowed value #{ matching_bot[:bot] }"
+        log [message, matching_bot, outcome], ::Logger::Severity::DEBUG
+      end
+
+      def ip_denylisted_message remote_ip, block_entry, outcome
+        message = "IP Address #{ remote_ip } matched the disallowed value" \
+                  "#{ block_entry[:ip] } in the IP Blacklist #{ block_entry[:uuid] }"
+        log [message, block_entry, outcome], ::Logger::Severity::DEBUG
+      end
+
+      def successful_attack rule_id, outcome, input_type = nil, input_value = nil
+        if input_type.present? && input_value.present?
+          successful_attack_with_input = "#{ input_type } had a value that successfully exploited" \
+                                         "#{ rule_id } - #{ input_value }"
+          log [successful_attack_with_input, rule_id, outcome], ::Logger::Severity::WARN
+        else
+          successful_attack_wo_input = "An effective attack was detected against #{ rule_id }"
+          log [successful_attack_wo_input, rule_id, outcome], ::Logger::Severity::WARN
+        end
+      end
+
+      def ineffective_attack rule_id, outcome, input_type = nil, input_value = nil
+        if input_type.present? && input_value.present?
+          ineffective_attack_with_input = "#{ input_type } had a value that matched a signature for, " \
+                                          "but did not successfully exploit #{ rule_id } - #{ input_value }"
+          log [ineffective_attack_with_input, rule_id, outcome], ::Logger::Severity::WARN
+        else
+          ineffective_attack_wo_input = "An unsuccessful attack was detected against #{ rule_id }"
+          log [ineffective_attack_wo_input, rule_id, outcome], ::Logger::Severity::WARN
+        end
+      end
+
+      # newer - currently not in the agent, currently is a probe for us
+      def suspicious_attack rule_id, outcome, input_type = nil, input_value = nil
+        if input_type.present? && input_value.present?
+          suspicious_attack_with = "#{ input_type } included a potential attack value that was detected" \
+                                   "as suspicious using #{ rule_id } - #{ input_value }"
+          log [suspicious_attack_with, rule_id, outcome], ::Logger::WARN
+        elsif input_value.present?
+          suspicious_attack_without = "Suspicious activity indicates a potential attack using #{ rule_id }"
+          log [suspicious_attack_without, rule_id, outcome], ::Logger::WARN
+        end
+      end
+    end
+  end
+end

data/lib/contrast/tasks/config.rb

@@ -2,6 +2,8 @@
 # frozen_string_literal: true
 
 require 'yaml'
+require 'contrast/configuration'
+require 'contrast/agent/reporting/reporter'
 
 module Contrast
   # A Rake task to generate a contrast_security.yaml file with some basic settings
@@ -29,6 +31,8 @@ module Contrast
         }
     }.cs__freeze
 
+    SKIP_LOG = %w[service_key api_key].cs__freeze
+
     namespace :contrast do
       namespace :config do
         desc 'Create a contrast_security.yaml in the applications root directory'
@@ -38,9 +42,7 @@ module Contrast
           if File.exist?(target_path)
             puts 'WARNING: contrast_security.yaml already exists'
           else
-            File.open(target_path, 'w') do |f|
-              f.write(YAML.dump(DEFAULT_CONFIG))
-            end
+            File.write(target_path, YAML.dump(DEFAULT_CONFIG))
 
             puts "Created contrast_security.yaml at #{ target_path }"
             puts 'Open the file and enter your Contrast Security api keys or set them via environment variables'
@@ -49,5 +51,90 @@ module Contrast
         end
       end
     end
+
+    namespace :contrast do
+      namespace :config do
+        desc 'Validate the provided Contrast configuration and confirm connectivity'
+        task validate: :environment do
+          puts 'Validating Agent Configuration...'
+          Contrast::Config.validate_config
+          puts '...done!'
+          puts 'Validating Contrast Reporter Headers...'
+          reporter = Contrast::Config.validate_headers
+          puts '...done!'
+          puts 'Testing Client Connection...'
+          Contrast::Config.test_connection(reporter) if reporter
+          puts '...done!'
+        end
+      end
+      def self.validate_config # rubocop:disable Metrics/PerceivedComplexity
+        config = Contrast::Configuration.new
+        abort('Unable to Build Config') unless config
+
+        required = %i[url api_key service_key user_name]
+
+        missing = []
+        config.root.api.each do |key, value|
+          puts "#{ key }::#{ value }" unless value.is_a?(Contrast::Config::BaseConfiguration) || SKIP_LOG.includes?(key)
+          if value.is_a?(Contrast::Config::ApiProxyConfiguration)
+            Contrast::Config.validate_proxy(value)
+          elsif value.is_a?(Contrast::Config::CertificationConfiguration)
+            Contrast::Config.validate_cert(value)
+            next
+          elsif value.is_a?(Contrast::Config::RequestAuditConfiguration)
+            Contrast::Config.validate_audit(value)
+            next
+          elsif value == Contrast::Config::BaseConfiguration::EMPTY_VALUE && required.includes?(key.to_sym)
+            missing << key
+          end
+        end
+        abort("Missing required API configuration values: #{ missing.join(', ') }") unless missing.empty?
+      end
+
+      def self.validate_proxy config
+        puts "Proxy Enabled: #{ config.enable }"
+        return unless config.enable
+
+        puts "Proxy URL: #{ config.url }"
+        abort('Proxy Enabled but no Proxy URL given') unless config.url
+      end
+
+      def self.validate_cert config
+        puts "Certification Enabled: #{ config.enable }"
+        return unless config.enable
+
+        puts "CA File: #{ config.ca_file }"
+        abort('CA file path not provided') unless config.ca_file
+        puts "Cert File: #{ config.cert_file }"
+        abort('Cert file path not provided') unless config.cert_file
+        puts "Key File: #{ config.key_file }"
+        abort('Key file path not provided') unless config.key_file
+      end
+
+      def self.validate_audit config
+        puts "Request Audit Enabled: #{ config.enable }"
+        return unless config.enable
+
+        config.each do |k, v|
+          puts "#{ k }::#{ v }"
+        end
+      end
+
+      def self.validate_headers
+        missing = []
+        reporter = Contrast::Agent::Reporter.new
+        reporter.client.headers.to_hash.each_pair do |key, value|
+          puts "#{ key }::#{ value }"
+          missing << key if value.nil?
+        end
+        abort("Missing required header values: #{ missing.join(', ') }") unless missing.empty?
+        reporter
+      end
+
+      def self.test_connection reporter
+        abort('Failed to Initialize Connection please check error logs for details') unless reporter.connection
+        abort('Failed to Start Client please check error logs for details') unless reporter.client.startup!
+      end
+    end
   end
 end

data/lib/contrast/utils/assess/object_store.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # keep track of object properties and events data
+      class ObjectStore
+        def initialize capacity = 500
+          @capacity = capacity
+          @cache = {}
+        end
+
+        def get
+          @cache
+        end
+
+        def [] key
+          @cache[key]
+        end
+
+        def delete key
+          @cache.delete(key)
+        end
+
+        # We would keep object ids with capacity.
+        # If a reference is kept to an object only by it's id,
+        # It would be CG-ted safely.
+        def []= key, value
+          @cache[key] = value
+          @cache.shift if @cache.length > @capacity
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/propagation_method_utils.rb

@@ -10,6 +10,7 @@ module Contrast
         APPEND_ACTION = 'APPEND'
         CENTER_ACTION = 'CENTER'
         INSERT_ACTION = 'INSERT'
+        BUFFER_ACTION = 'BUFFER'
         KEEP_ACTION = 'KEEP'
         NEXT_ACTION = 'NEXT'
         NOOP_ACTION = 'NOOP'
@@ -30,6 +31,7 @@ module Contrast
             INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
             KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
             NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
+            BUFFER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Buffer,
             NOOP_ACTION => nil,
             PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
             REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
@@ -94,6 +96,10 @@ module Contrast
         def can_propagate? propagation_node, preshift, target
           return false unless appropriate_target?(propagation_node, target)
           return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
+          if propagation_node.use_original_object?
+            # return true since we don't have preshift while using the original object.
+            return true
+          end
           return false unless preshift
 
           propagation_node.sources.each do |source|