contrast-agent 5.3.0 → 6.1.1

data/lib/contrast/api/decorators/address.rb

@@ -28,7 +28,7 @@ module Contrast
             @_build_receiver ||= begin
               address = new
               address.host = 'localhost'
-              address.ip = '127.0.0.1'
+              address.ip = '127.0.0.1' # rubocop:disable Style/IpAddresses
               begin
                 Timeout.timeout(1) do
                   address.host = Contrast::Utils::StringUtils.force_utf8(Socket.gethostname)

data/lib/contrast/api/decorators/agent_startup.rb

@@ -27,11 +27,11 @@ module Contrast
           def build name, path, type
             msg = new
             msg.server_version   = Contrast::Agent::VERSION
-            msg.server_name      = Contrast::Utils::StringUtils.protobuf_format name
-            msg.server_path      = Contrast::Utils::StringUtils.protobuf_format path
-            msg.server_type      = Contrast::Utils::StringUtils.protobuf_format type
+            msg.server_name      = Contrast::Utils::StringUtils.protobuf_format(name)
+            msg.server_path      = Contrast::Utils::StringUtils.protobuf_format(path)
+            msg.server_type      = Contrast::Utils::StringUtils.protobuf_format(type)
             config!(msg)
-            msg.finding_tags = Contrast::Utils::StringUtils.protobuf_format ::Contrast::ASSESS.tags
+            msg.finding_tags = Contrast::Utils::StringUtils.protobuf_format(::Contrast::ASSESS.tags)
             msg
           end
 
@@ -41,11 +41,12 @@ module Contrast
           #
           # @param msg [Contrast::Api::Dtm::AgentStartup]
           def config! msg
-            msg.version      = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.server.version
-            msg.server_tags  = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.server.tags
-            msg.library_tags = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.inventory.tags
-            msg.environment  = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.server.environment
-            msg.application_tags = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.tags
+            msg.version      = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.server.version)
+            msg.server_tags  = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.server.tags)
+            msg.library_tags = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.inventory.tags)
+            msg.environment  = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.server.environment)
+            msg.application_tags =
+              Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.application.tags)
           end
         end
       end

data/lib/contrast/api/decorators/application_settings.rb

@@ -23,7 +23,7 @@ module Contrast
         # Convert protobuf protect rule settings into a hash that settings state understands
         def translated_protection_mode_by_id
           protection_rules = self.protection_rules.map { |pr, _hash| [pr.id, pr.mode] } # [[RULE_ID, MODE]]
-          protection_rules.select! { |(_id, mode)| MODE_ALLOWLIST.include? mode } # [REMOVE IF MODE INVALID]
+          protection_rules.select! { |(_id, mode)| MODE_ALLOWLIST.include?(mode) } # [REMOVE IF MODE INVALID]
           protection_rules.to_h # {RULE_ID => MODE}
         end
 

data/lib/contrast/api/decorators/application_startup.rb

@@ -24,12 +24,12 @@ module Contrast
           # @return [Contrast::Api::Dtm::ApplicationCreate]
           def build
             msg = new
-            msg.code     = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.code
-            msg.group    = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.group
-            msg.metadata = Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.metadata
+            msg.code     = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.application.code)
+            msg.group    = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.application.group)
+            msg.metadata = Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.application.metadata)
             msg.mode     = Contrast::Api::Dtm::InstrumentationMode.build
             msg.app_version =
-                Contrast::Utils::StringUtils.protobuf_format ::Contrast::CONFIG.root.application.version.to_s # rubocop:disable Layout/AssignmentIndentation Layout/FirstArgumentIndentation:
+                Contrast::Utils::StringUtils.protobuf_format(::Contrast::CONFIG.root.application.version.to_s) # rubocop:disable Layout/AssignmentIndentation Layout/FirstArgumentIndentation:
             session!(msg)
             msg
           end

data/lib/contrast/api/decorators/http_request.rb

@@ -94,7 +94,7 @@ module Contrast
           return true if ::Contrast::AGENT.omit_body?
           return false if request.document_type != :NORMAL
 
-          request.content_type&.include?('multipart/form-data')
+          request.media_type&.include?('multipart/form-data')
         end
 
         def append_pair map, key, value

data/lib/contrast/api/decorators/response_type.rb

@@ -0,0 +1,17 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/api/dtm.pb'
+require 'protobuf/message'
+
+module Contrast
+  module Api
+    module Dtm
+      class AttackResult < ::Protobuf::Message
+        class ResponseType < ::Protobuf::Enum
+          define :SUSPICIOUS, 6
+        end
+      end
+    end
+  end
+end

data/lib/contrast/api/decorators.rb

@@ -28,3 +28,4 @@ require 'contrast/api/decorators/rasp_rule_sample'
 require 'contrast/api/decorators/user_input'
 require 'contrast/api/decorators/address'
 require 'contrast/api/decorators/http_request'
+require 'contrast/api/decorators/response_type'

data/lib/contrast/components/agent.rb

@@ -75,7 +75,7 @@ module Contrast
 
         # Insert ourselves into the application, keeping our middleware at the outermost layer of the onion
         def insert_middleware app
-          app.middleware.insert_before 0, Contrast::Agent::Middleware
+          app.middleware.insert_before(0, Contrast::Agent::Middleware)
         end
 
         def enable_tracepoint

data/lib/contrast/components/app_context.rb

@@ -48,10 +48,6 @@ module Contrast
           end
         end
 
-        def session_id
-          @_session_id ||= build_app_startup_message.session_id
-        end
-
         def app_version
           @_app_version ||= Contrast::CONFIG.root.application.version
         end

data/lib/contrast/components/assess.rb

@@ -110,6 +110,20 @@ module Contrast
               []
         end
 
+        def track_original_object?
+          if @_track_original_object.nil?
+            @_track_original_object = !false?(::Contrast::CONFIG.root.assess.enable_original_object)
+          end
+
+          @_track_original_object
+        end
+
+        # The id for this process, based on the session metadata or id provided by the user, as indicated in
+        # application startup.
+        def session_id
+          ::Contrast::SETTINGS.assess_state.session_id
+        end
+
         private
 
         def forcibly_enabled?

data/lib/contrast/components/base.rb

@@ -56,7 +56,7 @@ module Contrast
       def file_exists? path
         return false unless path
 
-        File.exist? path
+        File.exist?(path)
       end
     end
   end

data/lib/contrast/components/config.rb

@@ -28,6 +28,12 @@ module Contrast
       CONTRAST_NAME = 'Contrast Agent'
 
       class Interface # :nodoc:
+        SESSION_VARIABLES = 'Invalid configuration. '\
+                            "Setting both application.session_id and application.session_metadata is not allowed.\n"
+        API_URL = "Invalid configuration. Missing a required connection value 'url' is not set."
+        API_KEY = "Invalid configuration. Missing a required connection value 'api_key' is not set."
+        API_SERVICE_KEY = "Invalid configuration. Missing a required connection value 'service_tag' is not set."
+        API_USERNAME = "Invalid configuration. Missing a required connection value 'user_name' is not set."
         def initialize
           build
         end
@@ -72,14 +78,21 @@ module Contrast
           @config.loggable
         end
 
+        # Typically, this would be accessed through Contrast::SETTINGS, but we're specifically checking for the user
+        # provided value here rather than that echoed back by TeamServer.
+        #
+        # @return [String,nil] the value of the session id set in the configuration, or nil if unset
+        def session_id
+          root.application.session_id
+        end
+
+        # @return [String,nil] the value of the session metadata set in the configuration, or nil if unset
+        def session_metadata
+          root.application.session_metadata
+        end
+
         private
 
-        SESSION_VARIABLES = 'Invalid configuration. '\
-                            "Setting both application.session_id and application.session_metadata is not allowed.\n"
-        API_URL = "Invalid configuration. Missing a required connection value 'url' is not set."
-        API_KEY = "Invalid configuration. Missing a required connection value 'api_key' is not set."
-        API_SERVICE_KEY = "Invalid configuration. Missing a required connection value 'service_tag' is not set."
-        API_USERNAME = "Invalid configuration. Missing a required connection value 'user_name' is not set."
         # The config has information about how to construct the logger. If the config is invalid, and you want to know
         # about it, then you have a circular dependency if you try to log it, so we use basic proto_logger to do this
         # job.
@@ -127,28 +140,6 @@ module Contrast
           end
         end
 
-        # Typically, this would be accessed through
-        # Contrast::Components::AppContext, but we're too early in the
-        # initialization of the Agent to use that mechanism, so we look it up
-        # directly for ourselves
-        #
-        # @return [String,nil] the value of the session id set in the
-        #   configuration, or nil if unset
-        def session_id
-          root.application.session_id
-        end
-
-        # Typically, this would be accessed through
-        # Contrast::Components::AppContext, but we're too early in the
-        # initialization of the Agent to use that mechanism, so we look it up
-        # directly for ourselves
-        #
-        # @return [String,nil] the value of the session metadata set in the
-        #   configuration, or nil if unset
-        def session_metadata
-          root.application.session_metadata
-        end
-
         # Typically, the following values would be accessed through Contrast::Components::AppContext
         # and Contrast::Components::API, but we're too early in the initialization of the Agent to use
         # that mechanism, so we look it up directly for ourselves.

data/lib/contrast/components/contrast_service.rb

@@ -18,7 +18,10 @@ module Contrast
         DEFAULT_SERVICE_LEVEL = :TRACE
         # The Rails ActionDispatch regexp for localhost IP + literal localhost
         # https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/http/request.rb#L32
-        LOCALHOST = Regexp.union [/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/, /^localhost$/]
+        LOCALHOST = Regexp.union([
+                                   /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/,
+                                   /^localhost$/
+                                 ])
 
         def use_bundled_service?
           # Validates the config to decide if it's suitable for starting
@@ -38,6 +41,15 @@ module Contrast
           @_use_agent_communication = true?(::Contrast::CONFIG.root.agent.service.bypass)
         end
 
+        # If we're using the agent directly and not using protect, then there is no need to start the service. Because
+        # we only know this at startup when hardcoded as such (b/c TS could turn protect on otherwise), we can only do
+        # so when bypass is on and protect is off in local config
+        #
+        # @return [Boolean]
+        def unnecessary?
+          ::Contrast::CONTRAST_SERVICE.use_agent_communication? && ::Contrast::PROTECT.forcibly_disabled?
+        end
+
         def host
           @_host ||=
             (::Contrast::CONFIG.root.agent.service.host || Contrast::Config::ServiceConfiguration::DEFAULT_HOST).to_s

data/lib/contrast/components/protect.rb

@@ -41,7 +41,7 @@ module Contrast
         def report_any_command_execution?
           if @_report_any_command_execution.nil?
             ctrl = rule_config[Contrast::Agent::Protect::Rule::CmdInjection::NAME]
-            @_report_any_command_execution = true?(ctrl.disable_system_commands)
+            @_report_any_command_execution = ctrl && true?(ctrl.disable_system_commands)
           end
           @_report_any_command_execution
         end
@@ -50,7 +50,7 @@ module Contrast
           if @_report_custom_code_sysfile_access.nil?
             name_changed = Contrast::Agent::Protect::Rule::PathTraversal::NAME.tr('-', '_')
             ctrl = rule_config[name_changed]
-            @_report_custom_code_sysfile_access = true?(ctrl.detect_custom_code_accessing_system_files)
+            @_report_custom_code_sysfile_access = ctrl && true?(ctrl.detect_custom_code_accessing_system_files)
           end
           @_report_custom_code_sysfile_access
         end

data/lib/contrast/components/sampling.rb

@@ -25,7 +25,7 @@ module Contrast
         def sampling_control
           @_sampling_control ||= begin
             config_settings = ::Contrast::CONFIG.root.assess&.sampling
-            settings = ::Contrast::SETTINGS&.assess_state&.[](:sampling_settings)
+            settings = ::Contrast::SETTINGS&.assess_state&.sampling_settings
             {
                 enabled: enabled?(config_settings, settings),
                 baseline: baseline(config_settings, settings),
@@ -48,7 +48,7 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Boolean] the resolution of the config_settings, settings, and default value
         def enabled? config_settings, settings
-          true?([config_settings&.enable, settings&.enabled, DEFAULT_SAMPLING_ENABLED].reject(&:nil?)[0])
+          true?([config_settings&.enable, settings&.enabled, DEFAULT_SAMPLING_ENABLED].compact[0])
         end
 
         # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
@@ -56,7 +56,7 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Integer] the resolution of the config_settings, settings, and default value
         def baseline config_settings, settings
-          [config_settings&.baseline, settings&.baseline, DEFAULT_SAMPLING_BASELINE].map(&:to_i).find(&:positive?)
+          [config_settings&.baseline, settings&.baseline].map(&:to_i).find(&:positive?) || DEFAULT_SAMPLING_BASELINE
         end
 
         # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
@@ -64,10 +64,8 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Integer] the resolution of the config_settings, settings, and default value
         def request_frequency config_settings, settings
-          [
-            config_settings&.request_frequency, settings&.request_frequency,
-            DEFAULT_SAMPLING_REQUEST_FREQUENCY
-          ].map(&:to_i).find(&:positive?)
+          [config_settings&.request_frequency, settings&.request_frequency].map(&:to_i).find(&:positive?) ||
+              DEFAULT_SAMPLING_REQUEST_FREQUENCY
         end
 
         # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
@@ -75,10 +73,8 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Integer] the resolution of the config_settings, settings, and default value
         def response_frequency config_settings, settings
-          [
-            config_settings&.response_frequency, settings&.response_frequency,
-            DEFAULT_SAMPLING_RESPONSE_FREQUENCY
-          ].map(&:to_i).find(&:positive?)
+          [config_settings&.response_frequency, settings&.response_frequency].map(&:to_i).find(&:positive?) ||
+              DEFAULT_SAMPLING_RESPONSE_FREQUENCY
         end
 
         # @param config_settings [Contrast::Config::SamplingConfiguration] the Sampling configuration as provided by
@@ -86,7 +82,7 @@ module Contrast
         # @param settings [Contrast::Api::Settings::Sampling] the Sampling settings as provided by TeamServer
         # @return [Integer] the resolution of the config_settings, settings, and default value
         def window config_settings, settings
-          [config_settings&.window_ms, settings&.window_ms, DEFAULT_SAMPLING_WINDOW_MS].map(&:to_i).find(&:positive?)
+          [config_settings&.window_ms, settings&.window_ms].map(&:to_i).find(&:positive?) || DEFAULT_SAMPLING_WINDOW_MS
         end
       end
 

data/lib/contrast/components/settings.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/api/settings.pb'
+require 'contrast/agent/reporting/settings/sensitive_data_masking'
 
 module Contrast
   module Components
@@ -13,12 +14,14 @@ module Contrast
       APPLICATION_STATE_BASE = Struct.new(:modes_by_id, :exclusion_matchers).
           new(Hash.new(Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION), [])
       PROTECT_STATE_BASE = Struct.new(:enabled, :rules).new(false, {})
-      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules).new(false, nil, []) do
+      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules, :session_id).new(false, nil,
+                                                                                                            [], nil) do
         def sampling_settings= new_val
           @sampling_settings = new_val
           Contrast::Utils::Assess::SamplingUtil.instance.update
         end
       end
+      SENSITIVE_DATA_MASKING_BASE = Contrast::Agent::Reporting::Settings::SensitiveDataMasking.new
 
       # This is a class.
       class Interface
@@ -26,7 +29,67 @@ module Contrast
 
         # tainted_columns are database columns that receive unsanitized input.
         attr_reader :tainted_columns # This can probably go into assess_state?
-        attr_reader :assess_state, :protect_state, :application_state
+        # Current state for Assess.
+        # enabled [Boolean] Indicate if the assess feature set is enabled for this server or not.
+        #
+        # sampling [Hash<AssessSampling>] Hash of AssessSampling Used to control the sampling feature in the agent: {
+        #  baseline          [Integer] The number of baseline requests to take before switching to sampling
+        #                               for the window.
+        #  enabled           [Boolean] If the sampling feature should be used or not.
+        #  frequency         [Integer] The number of requests to skip before observing during the sampling
+        #                               window after the baseline.
+        #  responseFrequency [Integer]
+        #  window            [Integer]
+        # }
+        #
+        # disabled_assess_rules [array<AssessRuleID(String)>] Assess rules to disable for this application.
+        attr_reader :assess_state
+        # Current State for Protect.
+        # enabled [Boolean] Indicate if the protect feature set is enabled for this server or not.
+        #
+        # Protection rules are returned as:
+        # rules [Hash<RULE_ID => MODE>, nil] Hash with rule_id as key and mode as value
+        attr_reader :protect_state
+        # Current Application State.
+        #
+        # modes_by_id [Hash<Rule_id => Mode] Returns Hash with rules and their current mode.
+        # exclusion_matchers [Array] Array of all the exclusions.
+        # code_exclusions [Array<CodeExclusion>] Array of CodeExclusion: {
+        #   name         [String] The name of the exclusion as defined by the user in TS.
+        #   modes        [String] If this exclusion applies to assess or protect. [assess, defend]
+        #   assess_rules [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
+        #   denylist     [String] The call, if in the stack, should result in the agent not taking action.
+        # input_exclusions [Array<InputExclusions>] Array of InputExclusions: {
+        #   name           [String] The name of the input.
+        #   modes          [String] If this exclusion applies to assess or protect. [assess, defend]
+        #   assess_rules   [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
+        #   protect_rules  [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
+        #   urls           [Array] Array of URLs to which the exclusions apply. URL [String]
+        #   match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
+        #   type           [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
+        # }
+        # url_exclusions [Array<UrlExclusions>] Array of UrlExclusions: {
+        #   name           [String] The name of the input.
+        #   modes          [String] If this exclusion applies to assess or protect. [assess, defend]
+        #   assess_rules   [Array] Array of assess rules to which this exclusion applies. AssessRuleID [String]
+        #   protect_rules  [Array] Array of ProtectRuleID [String] The protect rules to which this exclusion applies.
+        #   urls           [Array] Array of URLs to which the exclusions apply. URL [String]
+        #   match_strategy [String] If this exclusion applies to all URLs or only those specified. [ALL, ONLY]
+        #   type           [String] The type of the input [COOKIE, PARAMETER, HEADER, BODY, QUERYSTRING]
+        # }
+        attr_reader :application_state
+        # This the structure that will hold the masking rules send from TS.
+        #
+        # @return [Contrast::Agent::Reporting::Settings::SensitiveDataMasking]:
+        #           mask_http_body [Boolean] Policy flag to enable the use of masking on request body.
+        #           rules          [Array<Contrast::Agent::Reporting::Settings::SensitiveDataMaskingRule>]
+        #                          Rules to follow when using the masking. Each rules contains Id [String]
+        #                          and Keywords [Array<String>].
+        attr_reader :sensitive_data_masking
+        # @return [Integer] the time, in ms, that application settings last changed
+        attr_reader :last_app_update_ms
+        # @return [Integer] the time, in ms, that server settings last changed
+        attr_reader :last_server_update_ms
 
         def initialize
           reset_state
@@ -36,32 +99,31 @@ module Contrast
           @application_state.exclusion_matchers.select(&:code?)
         end
 
-        # @param features [Contrast::Api::Settings::ServerFeatures, Contrast::Agent::Reporting::Response]
-        def update_from_server_features features
-          if features&.class == Contrast::Agent::Reporting::Response
-            @protect_state.enabled = features.server_features.protect.enabled?
-            @assess_state.enabled = features.server_features.assess.enabled?
-            @assess_state.sampling_settings = features.server_features.assess.sampling
+        # @param features_response [Contrast::Api::Settings::ServerFeatures, Contrast::Agent::Reporting::Response]
+        def update_from_server_features features_response
+          if features_response.cs__is_a?(Contrast::Agent::Reporting::Response)
+            update_from_response(features_response)
           else
-            @protect_state.enabled = features.protect_enabled?
-            @assess_state.enabled = features.assess_enabled?
-            @assess_state.sampling_settings = features.assess.sampling
+            @protect_state.enabled = features_response.protect_enabled?
+            @assess_state.enabled = features_response.assess_enabled?
+            @assess_state.sampling_settings = features_response.assess.sampling
+            @last_server_update_ms = Contrast::Utils::Timer.now_ms
           end
+          @last_server_update_ms = Contrast::Utils::Timer.now_ms
         end
 
-        # @param features [Contrast::Api::Settings::ApplicationSettings, Contrast::Agent::Reporting::Response]
-        def update_from_application_settings features
-          if features&.class == Contrast::Agent::Reporting::Response
-            @application_state.modes_by_id = features.application_settings.protect.protection_rules_to_settings_hash
-            # TODO: RUBY-1438 this needs to be translated
-            # @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
-            @assess_state.disabled_assess_rules = features.application_settings.assess.disabled_rules
+        # @param settings_response [Contrast::Api::Settings::ApplicationSettings, Contrast::Agent::Reporting::Response]
+        def update_from_application_settings settings_response
+          if settings_response&.cs__class == Contrast::Agent::Reporting::Response
+            update_from_response(settings_response)
           else
-            new_vals = features.application_state_translation
+            new_vals = settings_response.application_state_translation
             @application_state.modes_by_id = new_vals[:modes_by_id]
             @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
             @assess_state.disabled_assess_rules = new_vals[:disabled_assess_rules]
+            @last_app_update_ms = Contrast::Utils::Timer.now_ms
           end
+          @last_app_update_ms = Contrast::Utils::Timer.now_ms
         end
 
         # Wipe state to zero.
@@ -70,6 +132,7 @@ module Contrast
           @assess_state = ASSESS_STATE_BASE.dup
           @application_state = APPLICATION_STATE_BASE.dup
           @tainted_columns = {}
+          @sensitive_data_masking = SENSITIVE_DATA_MASKING_BASE.dup
         end
 
         def build_protect_rules
@@ -86,6 +149,75 @@ module Contrast
           Contrast::Agent::Protect::Rule::Xss.new
           Contrast::Agent::Protect::Rule::Xxe.new
         end
+
+        # Update the sensitive data masking policy from settings,
+        # received from TS. In case the settings are empty,
+        # keep current ones.
+        #
+        # @param sensitive_data_masking [Contrast::Agent::Reporting::Settings::SensitiveDataMasking]
+        # Ts Response settings for sensitive data masking policy
+        def update_sensitive_data_policy sensitive_data_masking
+          @sensitive_data_masking.mask_http_body = sensitive_data_masking.mask_http_body? unless
+            settings_empty?(sensitive_data_masking.mask_http_body?)
+          @sensitive_data_masking.mask_attack_vector = sensitive_data_masking.mask_attack_vector? unless
+            settings_empty?(sensitive_data_masking.mask_attack_vector?)
+          return if settings_empty?(sensitive_data_masking.rules)
+
+          @sensitive_data_masking.rules = sensitive_data_masking.rules
+          # update with the newly received rules.
+          Contrast::Agent::Reporting::Masker.send(:update_dictionary)
+        end
+
+        private
+
+        # @param response [Contrast::Agent::Reporting::Response]
+        def update_from_response response
+          if (server_features = response.server_features)
+            update_server_features(server_features)
+          end
+          return unless (app_settings = response.application_settings)
+
+          update_application_settings(app_settings)
+        end
+
+        # @param server_features [Contrast::Agent::Reporting::Settings::FeatureSettings]
+        def update_server_features server_features
+          return unless server_features
+
+          log_file = server_features.log_file
+          log_level = server_features.log_level
+          Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
+          @protect_state.enabled = server_features.protect.enabled?
+          @assess_state.enabled = server_features.assess.enabled?
+          @assess_state.sampling_settings = server_features.assess.sampling
+          @last_server_update_ms = Contrast::Utils::Timer.now_ms
+        end
+
+        # @param app_settings [Contrast::Agent::Reporting::Settings::ApplicationSettings]
+        def update_application_settings app_settings
+          return unless app_settings
+
+          @application_state.modes_by_id = app_settings.protect.protection_rules_to_settings_hash
+          # TODO: RUBY-1438 this needs to be translated
+          # @application_state.exclusion_matchers = new_vals[:exclusion_matchers]
+          update_sensitive_data_policy(app_settings.sensitive_data_masking)
+          @assess_state.disabled_assess_rules = app_settings.assess.disabled_rules
+          if app_settings.assess.session_id && !app_settings.assess.session_id.blank?
+            @assess_state.session_id = app_settings.assess.session_id
+          end
+          @last_app_update_ms = Contrast::Utils::Timer.now_ms
+        end
+
+        # check if settings are empty and return true if so.
+        #
+        # @param settings [String, Boolean, Array, Hash]
+        # @return true | false
+        def settings_empty? settings
+          return false if !!settings == settings
+          return true if settings.nil? || settings.empty?
+
+          false
+        end
       end
     end
   end