contrast-agent 5.2.0 → 6.1.0

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -36,7 +36,7 @@ module Contrast
             # @param ret [Object] the Return of the invoked method
             # @param args [Array<Object>] the Arguments with which the method was invoked
             # @return [Object, nil] the tracked Return or nil if no changes were made
-            def source_patchers method_policy, object, ret, args
+            def apply_source method_policy, object, ret, args
               return unless analyze?(method_policy, object, ret, args)
               return unless (source_node = method_policy.source_node)
 
@@ -56,11 +56,11 @@ module Contrast
                 target = dup
               end
 
-              apply_source(source_node, target, source_data, source_node.type, nil, *args)
+              process_source(source_node, target, source_data, source_node.type, nil, *args)
 
               return_val
             end
-            Contrast::Components::Logger.add_trace_log_timing_for(SourceMethod, :source_patchers)
+            Contrast::Components::Logger.add_trace_log_timing_for(SourceMethod, :apply_source)
 
             private
 
@@ -75,7 +75,7 @@ module Contrast
             # @param source_name [String, nil] the name of this source, i.e. the key used to accessed if from a map or
             #   nil if a type like BODY
             # @param args [Array<Object>] the Arguments with which the method was invoked
-            def apply_source source_node, target, source_data, source_type, source_name = nil, *args
+            def process_source source_node, target, source_data, source_type, source_name = nil, *args
               context = Contrast::Agent::REQUEST_TRACKER.current
               return unless context && source_node && target
 
@@ -90,7 +90,7 @@ module Contrast
                 # values back to ourselves and try again
               elsif Contrast::Utils::DuckUtils.iterable_enumerable?(target)
                 target.each do |value|
-                  apply_source(source_node, value, source_data, source_type, source_name, *args)
+                  process_source(source_node, value, source_data, source_type, source_name, *args)
                 end
               end
             rescue StandardError => e
@@ -116,8 +116,8 @@ module Contrast
                   key = key.dup
                   to_replace << key
                 end
-                apply_source(source_node, key, source_data, key_type(source_type), key, *args)
-                apply_source(source_node, value, source_data, source_type, key, *args)
+                process_source(source_node, key, source_data, key_type(source_type), key, *args)
+                process_source(source_node, value, source_data, source_type, key, *args)
               end
               handle_hash_key(target, to_replace)
             end

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -12,6 +12,7 @@ require 'contrast/agent/reporting/reporting_events/preflight'
 require 'contrast/agent/reporting/reporting_events/preflight_message'
 require 'contrast/agent/reporting/reporting_events/route_discovery'
 require 'contrast/agent/reporting/reporting_utilities/reporting_storage'
+require 'contrast/agent/reporting/reporting_utilities/build_preflight'
 
 module Contrast
   module Agent
@@ -152,16 +153,9 @@ module Contrast
               ruby_finding.attach_data trigger_node, source, object, ret, request, *args
               hash_code = Contrast::Utils::HashDigest.generate_event_hash(ruby_finding, source, request)
               ruby_finding.hash_code = hash_code
-              # save the current finding
-              Contrast::Agent::Reporting::ReportingStorage[hash_code] = ruby_finding
-
-              new_preflight = Contrast::Agent::Reporting::Preflight.new
-              new_preflight_message = Contrast::Agent::Reporting::PreflightMessage.new
-              new_preflight_message.routes << Contrast::Agent::Reporting::RouteDiscovery.convert(request.route)
-              new_preflight_message.hash_code = hash_code
-              new_preflight_message.data = "#{ trigger_node.rule_id },#{ hash_code }"
-              new_preflight.messages << new_preflight_message
-              Contrast::Agent.reporter&.send_event_immediately(new_preflight)
+
+              new_preflight = Contrast::Agent::Reporting::BuildPreflight.build(ruby_finding, request)
+              Contrast::Agent.reporter&.send_event(new_preflight)
             end
 
             private

data/lib/contrast/agent/assess/property/tagged.rb

@@ -40,7 +40,7 @@ module Contrast
           # @param ranges [Array<Range>] the ranges to delete
           # @param shift [Boolean] move remaining tags to the left to account
           #   for the deletion
-          def delete_tags_at_ranges ranges, shift = true
+          def delete_tags_at_ranges ranges, shift: true
             return unless tracked?
 
             # Stage one - delete the tags w/o changing their

data/lib/contrast/agent/assess/rule/provider/hardcoded_value_rule.rb

@@ -113,12 +113,17 @@ module Contrast
               class_name = clazz.cs__name
 
               finding = assign_finding class_name, constant_string
-              Contrast::Agent::Assess::Policy::TriggerMethod.report_finding(finding)
+              activity = Contrast::Api::Dtm::Activity.new
+              activity.findings << finding
+              Contrast::Agent.messaging_queue.send_event_eventually(activity, force: true)
             rescue StandardError => e
               logger.error('Unable to build a finding for Hardcoded Rule', e)
               nil
             end
 
+            # @param class_name [String] the name of the class in which the hardcoded value is present
+            # @param constant_string [String] the name of the constant
+            # @return [Contrast::Api::Dtm::Finding]
             def assign_finding class_name, constant_string
               finding = Contrast::Api::Dtm::Finding.new
               finding.rule_id = Contrast::Utils::StringUtils.protobuf_safe_string(rule_id)
@@ -158,7 +163,7 @@ module Contrast
 
             def save_and_report_finding ruby_finding, new_preflight
               Contrast::Agent::Reporting::ReportingStorage[hash] = ruby_finding
-              Contrast::Agent.reporter&.send_event_immediately(new_preflight)
+              Contrast::Agent.reporter&.send_event(new_preflight)
             end
           end
         end

data/lib/contrast/agent/assess/rule/response/auto_complete_rule.rb

@@ -32,7 +32,7 @@ module Contrast
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? response
               body = response.body
-              forms = html_elements(body, FORM_START_REGEXP, true)
+              forms = html_elements(body, FORM_START_REGEXP, capture_overflow: true)
               forms.each do |form|
                 # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
                 # skip out on the first violation.

data/lib/contrast/agent/assess/rule/response/base_rule.rb

@@ -4,6 +4,7 @@
 require 'rack'
 require 'json'
 require 'contrast/agent/reporting/reporting_utilities/dtm_message'
+require 'contrast/agent/reporting/reporting_utilities/build_preflight'
 require 'contrast/utils/hash_digest'
 require 'contrast/utils/preflight_util'
 require 'contrast/utils/string_utils'
@@ -32,8 +33,13 @@ module Contrast
 
               if Contrast::Agent::Reporter.enabled?
                 report = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(finding)
-                # TODO: RUBY-99999 preflight
-                Contrast::Agent.reporter.send_event(report)
+                if report.is_a?(Contrast::Agent::Reporting::Finding)
+                  request = Contrast::Agent::REQUEST_TRACKER.current&.request
+                  preflight = Contrast::Agent::Reporting::BuildPreflight.build(report, request)
+                  Contrast::Agent.reporter&.send_event(preflight)
+                else
+                  Contrast::Agent.reporter&.send_event(report)
+                end
               else
                 Contrast::Agent::REQUEST_TRACKER.current.activity.findings << finding
               end
@@ -58,7 +64,7 @@ module Contrast
 
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
-            # @param response [Contrast::Agent::Response] the response of the application
+            # @param _response [Contrast::Agent::Response] the response of the application
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? _response; end
 
@@ -92,6 +98,8 @@ module Contrast
               evidence.each_pair do |key, value|
                 finding.properties[key] = if value.cs__is_a?(Hash)
                                             Contrast::Utils::StringUtils.protobuf_format(value.to_json)
+                                          elsif value.cs__is_a?(Array)
+                                            value.map { Contrast::Utils::StringUtils.protobuf_format(_1) }.to_s
                                           else
                                             Contrast::Utils::StringUtils.protobuf_format(value)
                                           end

data/lib/contrast/agent/assess/rule/response/body_rule.rb

@@ -45,7 +45,7 @@ module Contrast
             # @param section [String,nil] html section to find element
             # @param element_start_str [String] element to find in html section
             # @return [Array<Hash>] the found elements of this section, as well as their start and end indexes.
-            def html_elements section, element_start_str = '', capture_overflow = false
+            def html_elements section, element_start_str = '', capture_overflow: false
               elements = []
               section_start = 0
               return [] unless section
@@ -61,7 +61,7 @@ module Contrast
                 next unless element_stop
 
                 section_close = section_start + 6 + element_stop
-                elements << capture(section, section_start, section_close, element_stop, capture_overflow)
+                elements << capture(section, section_start, section_close, element_stop, overflow: capture_overflow)
                 section_start = section_close
               end
               elements
@@ -82,7 +82,7 @@ module Contrast
             # @param body_close [Integer] the end of the range to take from the body
             # @param tag_stop [Integer] the index of the end of the html tag from its start
             # @return [Hash]
-            def capture body, body_start, body_close, tag_stop, overflow = false
+            def capture body, body_start, body_close, tag_stop, overflow: false
               tag = {}
               # Capture the 50 characters in front of the form, or up to the start if the form starts before 50.
               if overflow

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb

@@ -36,50 +36,64 @@ module Contrast
             # @param response [Contrast::Agent::Response] the response of the application
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? response
-              has_header, evidence = process_header(response)
-              return evidence unless evidence.nil?
+              return unless header?(response) && meta_tag?(response)
 
-              has_tag, evidence = process_body(response)
-              return evidence unless evidence.nil?
-              return {} if !has_header && !has_tag
+              header_evidence = header_evidence(response)
+              return if header_evidence.nil?
 
-              nil
+              tag_evidence = tag_evidence(response)
+              return if tag_evidence.nil?
+
+              { DATA => [header_evidence, tag_evidence] }
             end
 
-            # Process Header value to determine if it violates rule
+            # Is a cache-control header available?
             # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Array[Boolean, Hash]] whether the header exists and the evidence hash or nil
-            def process_header response
-              # Rails 7 adds support for the cache_control header directly in the
-              # rack response, we should use that value
-              if framework_supported?
-                cache_control = response.rack_response.cache_control
-                has_header = !cache_control.empty?
-                not_valid = has_header && !((cache_control[:no_cache]) || (cache_control[:no_store]))
-                # evidence requires header value string, pull directly instead of rebuilding from hash
-                return has_header, evidence(HEADER_TYPE, NAME, cache_control_to_s(cache_control)) if not_valid
-              else
-                # This rule is violated if the header is not there is there,
-                # but the value is not 'no-store' or 'no-cache'
-                cache_control = get_header_value(response)
-                has_header = !!cache_control
-                not_valid = has_header && !valid_header?(cache_control)
-                return has_header, evidence(HEADER_TYPE, NAME, cache_control) if not_valid
+            # @return [Boolean]
+            def header? response
+              cache_control = cache_control_from(response)
+              framework_supported? ? !cache_control.blank? : !!cache_control
+            end
+
+            # Is a cache-control meta tag available?
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def meta_tag? response
+              return false if meta_tags(response).empty?
+
+              meta_tags(response).each do |tag|
+                return true if meta_cache_tag? tag[HTML_PROP]
               end
-              [has_header, nil]
+
+              false
             end
 
-            # Process Body to determine cache control exists as meta tag and if it violates rule
+            def meta_tags response
+              return @_meta_tags if defined? @meta_tags
+
+              @_meta_tags = html_elements(response.body&.split(HEAD_TAG)&.last, META_START_STR)
+            end
+
+            # Process Header value to determine if it violates rule
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence hash or nil
+            def header_evidence response
+              cache_control = cache_control_from(response)
+              value = framework_supported? ? cache_control : cache_control_to_s(cache_control)
+              # If header is valid, then this portion of the rule isn't violated.
+              return if valid_header?(value)
+
+              # evidence requires header value string, pull directly instead of rebuilding from hash
+              evidence(HEADER_TYPE, NAME, value)
+            end
+
+            # Process Body to determine if cache control meta tag violates rule
             # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Array[Boolean, Hash]] whether the meta tags exists and the evidence hash or nil
-            def process_body response
-              body = response.body
-              # check if the meta tag is include it
-              meta_tags = html_elements(body&.split(HEAD_TAG)&.last, META_START_STR)
-              meta_tags.each do |tag|
-                return true, evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
+            # @return [Hash, nil] the evidence hash or nil
+            def tag_evidence response
+              meta_tags(response).each do |tag|
+                return evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
               end
-              [!meta_tags.empty?, nil]
             end
 
             def potential_elements section, element_start
@@ -121,13 +135,23 @@ module Contrast
             end
 
             # This method accepts the violation and transforms it to the proper hash
-            # before return in as violation
+            # before returning a violation
             #
             # @param type [String] String of Header or META of the type
             # @param name [String] String of either cache-control or pragma
             # @param value [String] String of the violated value
             def evidence type, name, value
-              { DATA => { type: type, name: name, value: value }.to_s }
+              { type: type, name: name, value: value }.to_json
+            end
+
+            def cache_control_from response
+              # Rails 7 adds support for the cache_control header directly in the
+              # rack response, we should use that value
+              if framework_supported? && response.rack_response.cs__is_a?(Rack::Response)
+                response.rack_response.cache_control
+              else
+                get_header_value(response)
+              end
             end
 
             # Rebuilds the String value of the Cache-Control Header

data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb

@@ -1,8 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'rails'
-
 module Contrast
   module Agent
     module Assess
@@ -10,11 +8,13 @@ module Contrast
         module Response
           module Framework
             # Rails 7 supports managing potential unsafe Headers
-            # this module contains methods for checking if Rails 7 supercedes our rules
+            # this module contains methods for checking if Rails 7 supersedes our rules
             module RailsSupport
               RAILS_VERSION = Gem::Version.new('7.0.0')
 
               def framework_supported?
+                return false unless defined?(::Rails)
+
                 rails_version = ::Rails.version
                 return false unless !!rails_version
 

data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb

@@ -32,7 +32,7 @@ module Contrast
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? response
               body = response.body
-              forms = html_elements(body, FORM_START_REGEXP, true)
+              forms = html_elements(body, FORM_START_REGEXP, capture_overflow: true)
               forms.each do |form|
                 # Because TeamServer will reject any subsequent form on the same page due to deduplication, we can
                 # skip out on the first violation.

data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb

@@ -1,10 +1,9 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/assess/rule/response/framework/rails_support'
 require 'contrast/agent/assess/rule/response/header_rule'
 require 'contrast/utils/string_utils'
-require 'contrast/agent/assess/rule/response/framework/rails_support'
-require 'rails'
 
 module Contrast
   module Agent

data/lib/contrast/agent/at_exit_hook.rb

@@ -31,7 +31,7 @@ module Contrast
         context = Contrast::Agent::REQUEST_TRACKER.current
         return unless context
 
-        Contrast::Agent.messaging_queue.send_event_immediately(context.activity)
+        Contrast::Agent.messaging_queue&.send_event_immediately(context.activity)
       end
     end
   end

data/lib/contrast/agent/deadzone/policy/deadzone_node.rb

@@ -24,13 +24,6 @@ module Contrast
           def method_scope
             :contrast
           end
-
-          # TODO: RUBY-99999 remove, used to clean up logs while debugging
-          # def validate
-          #   return if class_name
-          #
-          #   raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")
-          # end
         end
       end
     end

data/lib/contrast/agent/deadzone/policy/policy.rb

@@ -35,12 +35,6 @@ module Contrast
             end
           end
 
-          def validate
-            return if class_name
-
-            raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")
-          end
-
           def module_names
             @_module_names ||= Set.new(deadzones.map(&:class_name))
           end

data/lib/contrast/agent/exclusion_matcher.rb

@@ -51,7 +51,7 @@ module Contrast
 
         @urls = []
         @exclusion.urls.each do |url|
-          url_pattern = build_regexp(url, true, true)
+          url_pattern = build_regexp(url, start_anchor: true, end_anchor: true)
           @urls << url_pattern if url_pattern
         end
       end
@@ -66,7 +66,7 @@ module Contrast
         @wildcard_exclusions = []
         @exclusion.denylist.each do |code|
           class_name, method_name = code.split(Contrast::Utils::ObjectShare::COLON)
-          class_pattern = build_regexp(class_name, false, true)
+          class_pattern = build_regexp(class_name, start_anchor: false, end_anchor: true)
           method_pattern = build_regexp(method_name)
           next unless class_pattern && method_pattern
 
@@ -74,7 +74,7 @@ module Contrast
         end
       end
 
-      def build_regexp pattern, start_anchor = false, end_anchor = false
+      def build_regexp pattern, start_anchor: false, end_anchor: false
         pattern = Contrast::Utils::ObjectShare::CARROT + pattern if start_anchor
         pattern += Contrast::Utils::ObjectShare::DOLLAR_SIGN if end_anchor
         Regexp.compile(pattern)

data/lib/contrast/agent/inventory/database_config.rb

@@ -44,20 +44,27 @@ module Contrast
               end
             end
           rescue StandardError => e
-            logger.error('Unable to append db config', e)
+            logger.warn('Unable to append db config', e)
             nil
           end
 
           private
 
           # We capture the active record configuration used by this application, as reported by
-          # ActiveRecord::Base.connection_config, so that we can record it once and report it as needed.
+          # ActiveRecord::Base.connection_db_config, so that we can record it once and report it as needed.
           #
           # @return [Hash]
           def active_record_config
             return @_active_record_config if instance_variable_defined?(:@_active_record_config)
 
-            @_active_record_config = ActiveRecord::Base.connection_config rescue nil # rubocop:disable Style/RescueModifier
+            @_active_record_config = if ActiveRecord::Base.cs__respond_to?(:connection_db_config)
+                                       ActiveRecord::Base.connection_db_config
+                                     else
+                                       # TODO: RUBY-99999 - Remove when Rails 6.0 is not supported
+                                       ActiveRecord::Base.connection_config
+                                     end
+          rescue StandardError
+            nil
           end
 
           # The classes we instrument in order to determine which, if any, database(s) an application connects to take

data/lib/contrast/agent/middleware.rb

@@ -13,7 +13,7 @@ require 'contrast/utils/heap_dump_util'
 require 'contrast/utils/telemetry'
 require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
-require 'contrast/agent/startup_metrics_telemetry_event'
+require 'contrast/agent/telemetry/events/startup_metrics_event'
 require 'contrast/utils/middleware_utils'
 
 require 'contrast/utils/timer'
@@ -78,9 +78,9 @@ module Contrast
           Contrast::Agent.thread_watcher.ensure_running?
         end
 
-        if Contrast::Agent::Telemetry.enabled?
+        if Contrast::Agent::Telemetry::Base.enabled?
           logger.debug_with_time('middleware: sending startup metrics telemetry event') do
-            event = Contrast::Agent::StartupMetricsTelemetryEvent.new
+            event = Contrast::Agent::Telemetry::StartupMetricsEvent.new
             Contrast::Agent.thread_watcher.telemetry_queue.send_event(event)
           end
         end
@@ -163,6 +163,8 @@ module Contrast
 
           # Build and report all collected findings prior response
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
+          # All protect rules, which are trigger but require response to be reported
+          Contrast::Agent::EXPLOITS.report_recorded_exploits context unless Contrast::Agent::EXPLOITS.collection.empty?
 
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity

data/lib/contrast/agent/patching/policy/after_load_patch.rb

@@ -59,8 +59,6 @@ module Contrast
           end
 
           def instrument!
-            return if instrumenting_module == :'Contrast::Framework::Rails::Rewrite' && RAILS_VER >= '2.6.0'
-
             require instrumentation_file_path
 
             if instrumenting_module

data/lib/contrast/agent/patching/policy/patch.rb

@@ -114,16 +114,15 @@ module Contrast
             #                          (equivalent to :alias, where `module = module.singleton class`)
             #                          (this is a.k.a. "class-method patch")
             #   :prepend            -> prepend instance method of module
-            #   [prepending singleton is easily supported too, just not implemented yet.]
+            #   :prepending singleton -> prepend singleton method of module
             # @return [Symbol] new alias for the underlying method (presumably, so the patched method can call it)
             def register_c_patch target_module_name, unbound_method, impl = :alias_instance
               # These could be set as AfterLoadPatches.
               method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
-              underlying_method_name = build_unbound_method_name(method_name).to_sym
+              underlying_method_name = underlying_method_name(method_name, impl)
 
               target_module = Module.cs__const_get(target_module_name)
-              target_module = target_module.cs__singleton_class if %i[prepend_singleton prepend].include? impl
-              target_module = target_module.cs__singleton_class if %i[alias_singleton prepend].include? impl
+              target_module = target_module.cs__singleton_class if %i[prepend_singleton alias_singleton].include? impl
 
               visibility = if target_module.private_instance_methods(false).include?(method_name)
                              :private
@@ -161,7 +160,7 @@ module Contrast
             # @param visibility [Symbol] method visibility
             def reflect_implementation impl, target_module, unbound_method, visibility
               method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
-              underlying_method_name = build_unbound_method_name(method_name).to_sym
+              underlying_method_name = underlying_method_name(method_name, impl)
 
               case impl
               when :alias_instance, :alias_singleton
@@ -174,14 +173,10 @@ module Contrast
                 end
                 target_module.send(visibility, method_name) # e.g., module.private(:my_method)
               when :prepend_instance, :prepend_singleton
+                prepending_module = Module.new
+                prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
+                prepending_module.send(visibility, method_name)
 
-                unless target_module.instance_methods(false).include? underlying_method_name
-
-                  prepending_module = Module.new
-                  prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                  prepending_module.send(visibility, method_name)
-
-                end
                 # This prepends to the singleton class (it patches a class method)
                 target_module.prepend prepending_module
                 # rubocop:enable Performance/Kernel/DefineMethod
@@ -207,6 +202,12 @@ module Contrast
 
               !ASSESS&.enabled?
             end
+
+            def underlying_method_name method_name, impl
+              return method_name.to_sym if %i[prepend_instance prepend_singleton].include? impl
+
+              build_unbound_method_name(method_name).to_sym
+            end
           end
         end
       end

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -133,7 +133,7 @@ module Contrast
             # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
             # @param redo_patch [Boolean] a trigger to force patching regardless of the state of the
             #   Contrast::Agent::Patching::Policy::PatchStatus status on the Module
-            def patch_into_module module_data, redo_patch = false
+            def patch_into_module module_data, redo_patch: false
               status = Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod)
               return if (status&.patched? || status&.patching?) && !redo_patch
 
@@ -179,7 +179,7 @@ module Contrast
             # @param private [Boolean] Indicate if the query should include
             #   private, as well as public, instance methods
             # @return [Array<Symbol>]
-            def all_instance_methods mod, private = false
+            def all_instance_methods mod, private: false
               instance_methods = mod.instance_methods(false)
               # C magic rb_define_global_function creates private instance
               # methods. We need to instrument those dudes
@@ -206,8 +206,8 @@ module Contrast
             #   this module, sorted by type.
             def patch_into_instance_methods module_data, module_policy
               mod = module_data.mod
-              methods = all_instance_methods(mod, true)
-              methods.delete(:initialize) if mod.to_s.starts_with?('RSpec') && mod.to_s.include?('Matchers')
+              methods = all_instance_methods(mod, private: true)
+              methods.delete(:initialize) if mod.to_s.start_with?('RSpec') && mod.to_s.include?('Matchers')
               patch_into_methods(mod, methods, module_policy, true)
             end
 

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/scope'
+require 'contrast/utils/object_share'
 
 module Contrast
   module Agent
@@ -14,8 +15,20 @@ module Contrast
         class PolicyNode
           include Contrast::Components::Scope::InstanceMethods
 
-          attr_accessor :class_name, :instance_method, :method_name, :method_visibility
-          attr_reader :properties, :method_scope
+          # Name of the class in which the method is being invoked.
+          attr_accessor :class_name
+          # Check for instance method.
+          #
+          # @return true | false
+          attr_accessor :instance_method
+          # The symbol representation of the invoked method.
+          attr_accessor :method_name
+          # Visibility of the invoked method [Private, Public, Protected]
+          attr_accessor :method_visibility
+          # Properties parsed from our JSON policy.
+          attr_reader :properties
+          # Scope of the method parsed from our JSON policy.
+          attr_reader :method_scope
 
           def node_class
             raise NoMethodError, 'specify the type of the feature for which this node patches'