contrast-agent 5.2.0 → 6.1.0

data/lib/contrast/tasks/config.rb

@@ -2,10 +2,12 @@
 # frozen_string_literal: true
 
 require 'yaml'
+require 'contrast/configuration'
+require 'contrast/agent/reporting/reporter'
 
 module Contrast
   # A Rake task to generate a contrast_security.yaml file with some basic settings
-  module Config
+  module Config # rubocop:disable Metrics/ModuleLength
     extend Rake::DSL
     DEFAULT_CONFIG = {
         'api' => {
@@ -29,6 +31,9 @@ module Contrast
         }
     }.cs__freeze
 
+    SKIP_LOG = %w[service_key api_key].cs__freeze
+    REQUIRED = %i[url api_key service_key user_name].cs__freeze
+
     namespace :contrast do
       namespace :config do
         desc 'Create a contrast_security.yaml in the applications root directory'
@@ -38,9 +43,7 @@ module Contrast
           if File.exist?(target_path)
             puts 'WARNING: contrast_security.yaml already exists'
           else
-            File.open(target_path, 'w') do |f|
-              f.write(YAML.dump(DEFAULT_CONFIG))
-            end
+            File.write(target_path, YAML.dump(DEFAULT_CONFIG))
 
             puts "Created contrast_security.yaml at #{ target_path }"
             puts 'Open the file and enter your Contrast Security api keys or set them via environment variables'
@@ -49,5 +52,98 @@ module Contrast
         end
       end
     end
+
+    namespace :contrast do
+      namespace :config do
+        desc 'Validate the provided Contrast configuration and confirm connectivity'
+        task validate: :environment do
+          puts 'Validating Agent Configuration...'
+          Contrast::Config.validate_config
+          puts '...done!'
+          puts 'Validating Contrast Reporter Headers...'
+          reporter = Contrast::Config.validate_headers
+          puts '...done!'
+          puts 'Testing Reporter Client Connection...'
+          Contrast::Config.test_connection(reporter) if reporter
+          puts '...done!'
+        end
+      end
+
+      def self.validate_config
+        config = Contrast::Configuration.new
+        abort('Unable to Build Config') unless config
+        missing = []
+        api_hash = config.root.api.to_hash
+        api_hash.each_key do |key|
+          value = mask_keys api_hash, key
+          if value.is_a?(Contrast::Config::ApiProxyConfiguration)
+            Contrast::Config.validate_proxy(value)
+          elsif value.is_a?(Contrast::Config::CertificationConfiguration)
+            Contrast::Config.validate_cert(value)
+            next
+          elsif value.is_a?(Contrast::Config::RequestAuditConfiguration)
+            Contrast::Config.validate_audit(value)
+            next
+          elsif value.nil? && REQUIRED.includes?(key.to_sym)
+            missing << key
+          end
+        end
+        abort("Missing required API configuration values: #{ missing.join(', ') }") unless missing.empty?
+      end
+
+      def self.validate_proxy config
+        puts "Proxy Enabled: #{ config.enable }"
+        return unless config.enable
+
+        puts "Proxy URL: #{ config.url }"
+        abort('Proxy Enabled but no Proxy URL given') unless config.url
+      end
+
+      def self.validate_cert config
+        puts "Certification Enabled: #{ config.enable }"
+        return unless config.enable
+
+        puts "CA File: #{ config.ca_file }"
+        abort('CA file path not provided') unless config.ca_file
+        puts "Cert File: #{ config.cert_file }"
+        abort('Cert file path not provided') unless config.cert_file
+        puts "Key File: #{ config.key_file }"
+        abort('Key file path not provided') unless config.key_file
+      end
+
+      def self.validate_audit config
+        puts "Request Audit Enabled: #{ config.enable }"
+        return unless config.enable
+
+        config.each do |k, v|
+          puts "#{ k }::#{ v }"
+        end
+      end
+
+      def self.validate_headers
+        missing = []
+        reporter = Contrast::Agent::Reporter.new
+        reporter_headers = reporter.client.headers.to_hash
+        reporter_headers.each_key do |key|
+          value = mask_keys reporter_headers, key
+          missing << key if value.nil?
+        end
+        abort("Missing required header values: #{ missing.join(', ') }") unless missing.empty?
+        reporter
+      end
+
+      def self.test_connection reporter
+        connection = reporter.connection
+        abort('Failed to Initialize Connection please check error logs for details') unless connection
+        abort('Failed to Start Client please check error logs for details') unless reporter.client.startup! connection
+      end
+
+      def self.mask_keys hash, key
+        value = hash[key]
+        redacted_value = Contrast::Configuration::REDACTED if SKIP_LOG.include?(key.to_s)
+        puts "#{ key }::#{ redacted_value || value }" unless value.is_a?(Contrast::Config::BaseConfiguration)
+        value
+      end
+    end
   end
 end

data/lib/contrast/utils/assess/object_store.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Utils
+    module Assess
+      # keep track of object properties and events data
+      class ObjectStore
+        def initialize capacity = 500
+          @capacity = capacity
+          @cache = {}
+        end
+
+        def get
+          @cache
+        end
+
+        def [] key
+          @cache[key]
+        end
+
+        def delete key
+          @cache.delete(key)
+        end
+
+        # We would keep object ids with capacity.
+        # If a reference is kept to an object only by it's id,
+        # It would be CG-ted safely.
+        def []= key, value
+          @cache[key] = value
+          @cache.shift if @cache.length > @capacity
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/assess/propagation_method_utils.rb

@@ -10,6 +10,7 @@ module Contrast
         APPEND_ACTION = 'APPEND'
         CENTER_ACTION = 'CENTER'
         INSERT_ACTION = 'INSERT'
+        BUFFER_ACTION = 'BUFFER'
         KEEP_ACTION = 'KEEP'
         NEXT_ACTION = 'NEXT'
         NOOP_ACTION = 'NOOP'
@@ -30,6 +31,7 @@ module Contrast
             INSERT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Insert,
             KEEP_ACTION => Contrast::Agent::Assess::Policy::Propagator::Keep,
             NEXT_ACTION => Contrast::Agent::Assess::Policy::Propagator::Next,
+            BUFFER_ACTION => Contrast::Agent::Assess::Policy::Propagator::Buffer,
             NOOP_ACTION => nil,
             PREPEND_ACTION => Contrast::Agent::Assess::Policy::Propagator::Prepend,
             REPLACE_ACTION => Contrast::Agent::Assess::Policy::Propagator::Replace,
@@ -94,6 +96,10 @@ module Contrast
         def can_propagate? propagation_node, preshift, target
           return false unless appropriate_target?(propagation_node, target)
           return true if Contrast::Utils::Assess::TrackingUtil.tracked?(target)
+          if propagation_node.use_original_object?
+            # return true since we don't have preshift while using the original object.
+            return true
+          end
           return false unless preshift
 
           propagation_node.sources.each do |source|

data/lib/contrast/utils/class_util.rb

@@ -50,8 +50,8 @@ module Contrast
         # After implementing the LRU Cache, we firstly need to check if already had that object cached and if we have
         # it - we can return it directly; otherwise we'll calculate and store the result before returning.
         #
-        # TODO: RUBY-1327
-        # Once we move to 2.7+, we can combine the caches using ID b/c the memory location stops being the id
+        # Combining of the caches have close performance, but keeping the two with current implementation has
+        # a slight advantage in performance. For now we can keep the things the way they are.
         #
         # @param object [Object, nil] the entity to convert to a String
         # @return [String, Object] the human readable form of the String, as defined by
@@ -86,28 +86,15 @@ module Contrast
           end
         end
 
-        # The method const_defined? can cause autoload, which is bad for us. The method autoload? doesn't traverse
-        # namespaces. This method lets us provide a constant, as a String, and parse it to determine if it has been
-        # truly truly defined, meaning it existed before this method was invoked, not as a result of it.
+        # The method Module.const_defined? can raise an exception if the constant is poorly named. As such, we need to
+        # handle the case where that exception is raised.
         #
-        # TODO: RUBY-1326
-        # This is required to handle a bug in Ruby prior to 2.7.0. When we drop support for 2.6.X, we should remove
-        # this code. https://bugs.ruby-lang.org/issues/10741
         # @param name [String] the name of the constant to look up
         # @return [Boolean]
         def truly_defined? name
           return false unless name
 
-          segments = name.split(Contrast::Utils::ObjectShare::DOUBLE_COLON)
-          previous_module = Module
-          segments.each do |segment|
-            return false if previous_module.cs__autoload?(segment)
-            return false unless previous_module.cs__const_defined?(segment)
-
-            previous_module = previous_module.cs__const_get(segment)
-          end
-
-          true
+          Module.cs__const_defined?(name)
         rescue NameError # account for nonsense / poorly formatted constants
           false
         end

data/lib/contrast/utils/input_classification.rb

@@ -0,0 +1,73 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will include all the similar information for all input classifications
+        # between different rules
+        module InputClassificationBase
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+
+          # Input Classification stage is done to determine if an user input is
+          # WORTHWATCHING or to be ignored.
+          #
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #                                                       agent analysis from the current
+          #                                                       Request.
+          # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+          def classify input_type, value, input_analysis # rubocop:disable Lint/UnusedMethodArgument
+            return false unless input_analysis.request
+
+            true
+          end
+
+          # Creates new isntance of InputAnalysisResult with basic info.
+          #
+          # @param rule_id [String] The name of the Protect Rule.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          # @param path [String] the path of the current request context.
+          #
+          # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+          def new_ia_result rule_id, input_type, path, value = nil
+            res = Contrast::Agent::Reporting::InputAnalysisResult.new
+            res.rule_id = rule_id
+            res.input_type = input_type
+            res.path = path
+            res.value = value
+            res
+          end
+
+          # This methods checks if input is value that matches a key in the input.
+          #
+          # @param request [Contrast::Agent::Request] the current request context.
+          # @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [String, Array<String>] the value of the input.
+          #
+          # @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
+          def add_needed_key request, result, input_type, value
+            case input_type
+            when COOKIE_VALUE
+              result.key = request.cookies.key(value)
+            when PARAMETER_VALUE
+              result.key = request.parameters.key(value)
+            else
+              result.key
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/utils/invalid_configuration_util.rb

@@ -53,7 +53,7 @@ module Contrast
         ruby_finding = Contrast::Agent::Reporting::Finding.new rule_id
         ruby_finding.hash_code = hash_code
         set_new_finding_properties(ruby_finding, user_provided_options, call_location)
-        Contrast::Agent.reporter&.send_event_immediately(new_preflight)
+        Contrast::Agent.reporter&.send_event(new_preflight)
         Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
       end
 

data/lib/contrast/utils/log_utils.rb

@@ -3,6 +3,7 @@
 
 require 'socket'
 require 'contrast/agent/version'
+require 'contrast/logger/aliased_logging'
 
 module Contrast
   module Utils
@@ -37,6 +38,7 @@ module Contrast
         logger.extend(Contrast::Logger::Application)
         logger.extend(Contrast::Logger::Request)
         logger.extend(Contrast::Logger::Time)
+        logger.extend(Contrast::Logger::AliasedLogging) if Contrast::Utils::Telemetry.exceptions_enabled?
       end
 
       # Determine the valid path to which to log, given the precedence of config > settings > default.
@@ -160,7 +162,7 @@ module Contrast
           message << msg[0]
           message << severity
           message << extract_metadata(msg[1], msg[2])
-          message.join('|') + "\n"
+          "#{ message.join('|') }\n"
         end
       end
 

data/lib/contrast/utils/middleware_utils.rb

@@ -8,6 +8,13 @@ module Contrast
     module MiddlewareUtils
       private
 
+      # TODO: RUBY-1609 update this part of the method for Ruby Version and Year
+      LANGUAGE_DEPRECATION_VERSION = '2.7'
+      LANGUAGE_DEPRECATION_YEAR = '2023'
+      LANGUAGE_DEPRECATION_WARNING =
+        "[Contrast Security] [DEPRECATION] Support for Ruby #{ LANGUAGE_DEPRECATION_VERSION } will be removed in "\
+        "April #{ LANGUAGE_DEPRECATION_YEAR }. Please contact Customer Support prior if you require continued support."
+
       def setup_agent
         ::Contrast::SETTINGS.reset_state
 
@@ -51,21 +58,15 @@ module Contrast
       # deprecated and soon to be removed functionality. This method handles doing that by leveraging the standard
       # Kernel#warn approach
       def inform_deprecations
-        # Ruby 2.6 will be dropped in april of 2022. We'll begin the deprecation warnings
-        # now so that customers have time to reach out if they'll be impacted.
-        # TODO: RUBY-1188 remove this part of the method, leaving it empty if there are no other deprecations, when we
-        #   drop 2.6 support.
-        return unless RUBY_VERSION < '2.7.0'
-
-        Kernel.warn('[Contrast Security] [DEPRECATION] Support for Ruby 2.6 will be removed in April 2022. '\
-                    'Please contact Customer Support prior if you require continued support.')
+        # Warn customers that they're on a version that's losing support in the next year.
+        Kernel.warn(LANGUAGE_DEPRECATION_WARNING) if RUBY_VERSION.start_with?(LANGUAGE_DEPRECATION_VERSION)
       end
 
       # Displays Telemetry disclaimer if Telemetry is enabled.
       # if .telemetry file doesn't exist we create one and then show the disclaimer.
       # if the file already exists we do nothing.
       def telemetry_disclaimer
-        return unless Contrast::Agent::Telemetry.enabled?
+        return unless Contrast::Agent::Telemetry::Base.enabled?
         return unless Contrast::Utils::Telemetry.create_telemetry_file
 
         logger.info Contrast::Utils::Telemetry.disclaimer

data/lib/contrast/utils/net_http_base.rb

@@ -22,7 +22,7 @@ module Contrast
       # @param use_custom_cert [Boolean] flag used to indicate whether the client is to use
       # self signed certificates provided by config [default = false]
       # @return [Net::HTTP, nil] Return open connection or nil
-      def initialize_connection service_name, url, use_proxy = false, use_custom_cert = false
+      def initialize_connection service_name, url, use_proxy: false, use_custom_cert: false
         return unless url
 
         addr = URI(url)

data/lib/contrast/utils/object_share.rb

@@ -23,6 +23,7 @@ module Contrast
       HTTPS_START =   'https:'
       NEW_LINE =      "\n"
       NIL_STRING =    'nil'
+      NIL_64_STRING = 'bmls'
       PERIOD =        '.'
       POUND_SIGN =    '#'
       QUESTION_MARK = '?'
@@ -38,6 +39,7 @@ module Contrast
       COLON_SLASH_SLASH = '://'
       DOLLAR_SIGN =    '$'
       CARROT =         '^'
+      BANG =           '!'
 
       WRITE_FLAG =    'w'
 
@@ -47,7 +49,6 @@ module Contrast
       CACHE = 'cache'
 
       CONTRAST_PATCHED_METHOD_START = 'cs__patched_'
-      DOUBLE_COLON = '::'
 
       EMPTY_ARRAY = [].freeze
       EMPTY_HASH = {}.freeze

data/lib/contrast/utils/os.rb

@@ -53,11 +53,6 @@ module Contrast
         def linux?
           (unix? and !mac?)
         end
-
-        def jruby?
-          @_jruby = RUBY_ENGINE == 'jruby' if @_jruby.nil?
-          @_jruby
-        end
       end
     end
   end

data/lib/contrast/utils/patching/policy/patch_utils.rb

@@ -35,10 +35,9 @@ module Contrast
         # Given a method, return a symbol in the format
         # <method_start>_unbound_<method_name>
         def build_unbound_method_name patcher_method
-          (Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START +
-            'unbound' +
-            Contrast::Utils::ObjectShare::UNDERSCORE +
-            patcher_method.to_s).to_sym
+          "#{ Contrast::Utils::ObjectShare::CONTRAST_PATCHED_METHOD_START }unbound"\
+          "#{ Contrast::Utils::ObjectShare::UNDERSCORE }"\
+          "#{ patcher_method }".to_sym
         end
 
         # ===== PATCH APPLIERS =====
@@ -138,7 +137,7 @@ module Contrast
           if method_policy.source_node
             # If we were given a frozen return, and it was the target of a source, and we have frozen sources enabled,
             # we'll need to replace the return. Note, this is not the default case.
-            source_ret = Contrast::Agent::Assess::Policy::SourceMethod.source_patchers(method_policy, object, ret, args)
+            source_ret = Contrast::Agent::Assess::Policy::SourceMethod.apply_source(method_policy, object, ret, args)
           end
           if method_policy.propagation_node
             propagated_ret = Contrast::Agent::Assess::Policy::PropagationMethod.apply_propagation(

data/lib/contrast/utils/response_utils.rb

@@ -36,39 +36,24 @@ module Contrast
         return unless body
         return if defined?(Rack::File) && body.is_a?(Rack::File)
 
-        case body
-        when Rack::BodyProxy
-          handle_rack_body_proxy(body)
-        when ActionDispatch::Response::RackBody
-          extract_body(body.body) if defined?(ActionDispatch::Response::RackBody)
-        when Rack::Response
-          extract_body(body.body)
-        when Contrast::Utils::DuckUtils.quacks_to?(body, :each)
-          acc = []
-          body.each { |tmp| acc << read_or_string(tmp) }
-          acc.compact.join(Contrast::Utils::ObjectShare::NEW_LINE)
-        when ActionView::OutputBuffer
-          # https://stackoverflow.com/questions/15654676/how-to-convert-activesupportsafebuffer-to-string
-          body.to_str
-        else
-          read_or_string(body)
-        end
-        # if body.is_a?(Rack::BodyProxy)
-        #   handle_rack_body_proxy(body)
-        # elsif (defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)) ||
-        #       body.is_a?(Rack::Response)
-        #
-        #   extract_body(body.body)
-        # elsif Contrast::Utils::DuckUtils.quacks_to?(body, :each)
-        #   acc = []
-        #   body.each { |tmp| acc << read_or_string(tmp) }
-        #   acc.compact.join(Contrast::Utils::ObjectShare::NEW_LINE)
-        # elsif ActionView::OutputBuffer
-        #   # https://stackoverflow.com/questions/15654676/how-to-convert-activesupportsafebuffer-to-string
-        #   body.to_str
-        # else
-        #   read_or_string(body)
-        # end
+        return handle_rack_body_proxy(body) if body.is_a?(Rack::BodyProxy)
+        return extract_body(body.body) if sub_extractable?(body)
+        return enumerable_text_from(body) if Contrast::Utils::DuckUtils.quacks_to?(body, :each)
+        # https://stackoverflow.com/questions/15654676/how-to-convert-activesupportsafebuffer-to-string
+        return body.to_str if body.is_a?(ActionView::OutputBuffer)
+
+        read_or_string(body)
+      end
+
+      def sub_extractable? body
+        (defined?(ActionDispatch::Response::RackBody) && body.is_a?(ActionDispatch::Response::RackBody)) ||
+            body.is_a?(Rack::Response)
+      end
+
+      def enumerable_text_from body
+        entries = body.map { |entry| read_or_string(entry) }
+        entries.compact!
+        entries.join(Contrast::Utils::ObjectShare::NEW_LINE)
       end
 
       def handle_rack_body_proxy body

data/lib/contrast/utils/telemetry.rb

@@ -1,8 +1,9 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/telemetry'
+require 'contrast/agent/telemetry/base'
 require 'contrast/utils/telemetry_identifier'
+require 'contrast/config/env_variables'
 
 module Contrast
   module Utils
@@ -37,7 +38,17 @@ module Contrast
         @_disclaimer = MESSAGE[:disclaimer]
       end
 
+      def self.exceptions_enabled?
+        # TODO: RUBY-1643 Obfuscate path
+        # Enabled this once the masking of stack frames is done.
+        # @_exceptions_enabled = telemetry_exceptions_enabled? if @_exceptions_enabled.nil?
+        @_exceptions_enabled = false if @_exceptions_enabled.nil?
+        @_exceptions_enabled
+      end
+
       class << self
+        include Contrast::Config::EnvVariables
+
         private
 
         # Create the mark file
@@ -48,7 +59,7 @@ module Contrast
         # @return[Boolean, nil] true if file is created, false if file already exist
         # and nil if Telemetry is disabled or on unsupported OS.
         def write_mark_file dir, file, config_dir
-          return unless Contrast::Agent::Telemetry.enabled?
+          return unless Contrast::Agent::Telemetry::Base.enabled?
           return if Contrast::Utils::OS.windows?
 
           @dir = dir
@@ -73,6 +84,13 @@ module Contrast
         rescue StandardError => _e
           false
         end
+
+        def telemetry_exceptions_enabled?
+          opts_out_telemetry = return_value(:telemetry_opt_outs).to_s
+          return false if opts_out_telemetry.casecmp?('true') || opts_out_telemetry == '1'
+
+          true
+        end
       end
     end
   end

data/lib/contrast/utils/telemetry_client.rb

@@ -13,6 +13,7 @@ module Contrast
     # This module creates a Net::HTTP client and initiates a connection to the provided result
     class TelemetryClient < NetHttpBase
       ENDPOINT = 'api/v1/telemetry/metrics' # /TelemetryEvent.path
+      EXCEPTIONS = 'api/v1/telemetry/exceptions' # /TelemetryExceptions::Event.path
       SERVICE_NAME = 'Telemetry'
       include Contrast::Components::Logger::InstanceMethods
       # This method initializes the Net::HTTP client we'll need. it will validate
@@ -22,29 +23,34 @@ module Contrast
       # @param url [String]
       # @return [Net::HTTP, nil] Return open connection or nil
       def initialize_connection url
-        super(SERVICE_NAME, url, false, false)
+        super(SERVICE_NAME, url, use_proxy: false, use_custom_cert: false)
       end
 
       # This method will be responsible for building the request. Because the telemetry collector expects to receive
       # multiple events in a single request, we must always wrap the event in an array, even if there is only one.
       #
-      # @param event [Contrast::Agent::TelemetryEvent,Contrast::Agent::StartupMetricsTelemetryEvent]
+      # @param event [Contrast::Agent::Telemetry::Event, Array<Contrast::Agent::Telemetry::TelemetryException::Event>]
       # @return [Net::HTTP::Post]
       def build_request event
         return unless valid_event? event
 
-        string_body = [event.to_hash].to_json
+        string_body = if Array(event).all?(Contrast::Agent::Telemetry::TelemetryException::Event)
+                        event.map(&:to_controlled_hash).flatten!
+                      else
+                        [event.to_hash]
+                      end
+
         header = {
             'User-Agent' => "<#{ Contrast::Utils::ObjectShare::RUBY }>-<#{ Contrast::Agent::VERSION }>",
             'Content-Type' => 'application/json'
         }
-        request = Net::HTTP::Post.new(build_path(event.path), header)
-        request.body = string_body
+        request = Net::HTTP::Post.new(build_path(event), header)
+        request.body = string_body.to_json
         request
       end
 
       # This method will create the actual request and send it
-      # @param event[Contrast::Agent::TelemetryEvent]
+      # @param event[Contrast::Agent::Telemetry::Event]
       # @param connection[Net::HTTP]
       def send_request event, connection
         return if connection.nil? || event.nil?
@@ -68,10 +74,13 @@ module Contrast
       end
 
       # This method will be responsible for validating the event
-      # @param event[Contrast::Agent::TelemetryEvent,Contrast::Agent::StartupMetricsTelemetryEvent]
+      # @param event[Contrast::Agent::Telemetry::Event,Contrast::Agent::Telemetry::StartupMetricsEvent,
+      # array<Contrast::Agent::Telemetry::TelemetryException::Event>]
       def valid_event? event
-        return true if event.cs__is_a?(Contrast::Agent::TelemetryEvent)
-        return true if event.cs__is_a?(Contrast::Agent::StartupMetricsTelemetryEvent)
+        return true if event.cs__is_a?(Contrast::Agent::Telemetry::Event)
+        return true if event.cs__is_a?(Contrast::Agent::Telemetry::StartupMetricsEvent)
+        # Batch
+        return true if Array(event).all?(Contrast::Agent::Telemetry::TelemetryException::Event)
 
         false
       end
@@ -81,9 +90,12 @@ module Contrast
       # The telemetry instance accepts any path to #{ Contrast::Agent::Telemetry::URL }#{ ENDPOINT }, using the
       # remainder of the path to segregate messages.
       #
+      # @param event [Contrast::Agent::Telemetry::Event, Contrast::Agent::Telemetry::TelemetryException::Event]
       # @return [String] the fully qualified path to send the request
-      def build_path event_path
-        "#{ Contrast::Agent::Telemetry::URL }#{ ENDPOINT }#{ event_path }"
+      def build_path event
+        endpoint = Array(event).all?(Contrast::Agent::Telemetry::TelemetryException::Event) ? EXCEPTIONS : ENDPOINT
+        path = endpoint == EXCEPTIONS ? Contrast::Agent::Telemetry::TelemetryException::Event.path : event.path
+        "#{ Contrast::Agent::Telemetry::Base::URL }#{ endpoint }#{ path }"
       end
     end
   end