contrast-agent 5.3.0 → 6.1.1

data/lib/contrast/agent/patching/policy/patch.rb

@@ -49,11 +49,11 @@ module Contrast
             ].cs__freeze
 
             def enter_method_scope! method_policy
-              contrast_enter_method_scopes! method_policy.scopes_to_enter
+              contrast_enter_method_scopes!(method_policy.scopes_to_enter)
             end
 
             def exit_method_scope! method_policy
-              contrast_exit_method_scopes! method_policy.scopes_to_exit
+              contrast_exit_method_scopes!(method_policy.scopes_to_exit)
             end
 
             # @param mod [Module] the module in which the patch should be
@@ -114,16 +114,15 @@ module Contrast
             #                          (equivalent to :alias, where `module = module.singleton class`)
             #                          (this is a.k.a. "class-method patch")
             #   :prepend            -> prepend instance method of module
-            #   [prepending singleton is easily supported too, just not implemented yet.]
+            #   :prepending singleton -> prepend singleton method of module
             # @return [Symbol] new alias for the underlying method (presumably, so the patched method can call it)
             def register_c_patch target_module_name, unbound_method, impl = :alias_instance
               # These could be set as AfterLoadPatches.
               method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
-              underlying_method_name = build_unbound_method_name(method_name).to_sym
+              underlying_method_name = underlying_method_name(method_name, impl)
 
               target_module = Module.cs__const_get(target_module_name)
-              target_module = target_module.cs__singleton_class if %i[prepend_singleton prepend].include? impl
-              target_module = target_module.cs__singleton_class if %i[alias_singleton prepend].include? impl
+              target_module = target_module.cs__singleton_class if %i[prepend_singleton alias_singleton].include?(impl)
 
               visibility = if target_module.private_instance_methods(false).include?(method_name)
                              :private
@@ -132,14 +131,14 @@ module Contrast
                            elsif target_module.public_instance_methods(false).include?(method_name)
                              :public
                            else
-                             raise NoMethodError,
-                                   <<~ERR
+                             raise(NoMethodError,
+                                   <<~ERR)
                                      Tried to register a C-defined #{ impl } patch for \
                                      #{ target_module_name }##{ method_name }, but can't find :#{ method_name }.
                                    ERR
                            end
 
-              reflect_implementation impl, target_module, unbound_method, visibility
+              reflect_implementation(impl, target_module, unbound_method, visibility)
               # Ougai::Logger.create_item_with_2args calls Hash#[]=, so we
               # can't invoke this logging method or we'll seg fault as we'd
               # change the method definition mid-call
@@ -161,29 +160,25 @@ module Contrast
             # @param visibility [Symbol] method visibility
             def reflect_implementation impl, target_module, unbound_method, visibility
               method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
-              underlying_method_name = build_unbound_method_name(method_name).to_sym
+              underlying_method_name = underlying_method_name(method_name, impl)
 
               case impl
               when :alias_instance, :alias_singleton
                 # Core to patching. Ignore define method usage cop.
                 # rubocop:disable Performance/Kernel/DefineMethod
-                unless target_module.instance_methods(false).include? underlying_method_name
+                unless target_module.instance_methods(false).include?(underlying_method_name)
                   # alias_method may be private
                   target_module.send(:alias_method, underlying_method_name, method_name)
                   target_module.send(:define_method, method_name, unbound_method.bind(target_module))
                 end
                 target_module.send(visibility, method_name) # e.g., module.private(:my_method)
               when :prepend_instance, :prepend_singleton
+                prepending_module = Module.new
+                prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
+                prepending_module.send(visibility, method_name)
 
-                unless target_module.instance_methods(false).include? underlying_method_name
-
-                  prepending_module = Module.new
-                  prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                  prepending_module.send(visibility, method_name)
-
-                end
                 # This prepends to the singleton class (it patches a class method)
-                target_module.prepend prepending_module
+                target_module.prepend(prepending_module)
                 # rubocop:enable Performance/Kernel/DefineMethod
               end
             end
@@ -207,6 +202,12 @@ module Contrast
 
               !ASSESS&.enabled?
             end
+
+            def underlying_method_name method_name, impl
+              return method_name.to_sym if %i[prepend_instance prepend_singleton].include?(impl)
+
+              build_unbound_method_name(method_name).to_sym
+            end
           end
         end
       end

data/lib/contrast/agent/patching/policy/patch_status.rb

@@ -99,10 +99,17 @@ module Contrast
               :CONTRAST_PATCH_POLICY_STATUS
             end
 
+            # @param mod [Module or Class] the entity on which the patch has been placed
+            # @param method [Symbol] the method being patched
+            # @param ret [Contrast::Agent::Patching::Policy::MethodPolicy] the policy of the patched method
             def update_holder mod, method, ret
-              mod.instance_variable_set(method_info_key, {}) unless mod.instance_variable_defined?(method_info_key)
-              holder = mod.instance_variable_get(method_info_key)
-              holder[method] = ret
+              unless mod.instance_variable_defined?(method_info_key) &&
+                    (holder = mod.instance_variable_get(method_info_key))
+
+                holder = {}
+                mod.instance_variable_set(method_info_key, holder)
+              end
+              holder[method] = ret # rubocop:disable Lint/UselessSetterCall
             end
 
             def find_info_for candidates, method

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -133,7 +133,7 @@ module Contrast
             # @param module_data [Contrast::Agent::ModuleData] the module, and its name, that's being patched into
             # @param redo_patch [Boolean] a trigger to force patching regardless of the state of the
             #   Contrast::Agent::Patching::Policy::PatchStatus status on the Module
-            def patch_into_module module_data, redo_patch = false
+            def patch_into_module module_data, redo_patch: false
               status = Contrast::Agent::Patching::Policy::PatchStatus.get_status(module_data.mod)
               return if (status&.patched? || status&.patching?) && !redo_patch
 
@@ -179,7 +179,7 @@ module Contrast
             # @param private [Boolean] Indicate if the query should include
             #   private, as well as public, instance methods
             # @return [Array<Symbol>]
-            def all_instance_methods mod, private = false
+            def all_instance_methods mod, private: false
               instance_methods = mod.instance_methods(false)
               # C magic rb_define_global_function creates private instance
               # methods. We need to instrument those dudes
@@ -206,8 +206,8 @@ module Contrast
             #   this module, sorted by type.
             def patch_into_instance_methods module_data, module_policy
               mod = module_data.mod
-              methods = all_instance_methods(mod, true)
-              methods.delete(:initialize) if mod.to_s.starts_with?('RSpec') && mod.to_s.include?('Matchers')
+              methods = all_instance_methods(mod, private: true)
+              methods.delete(:initialize) if mod.to_s.start_with?('RSpec') && mod.to_s.include?('Matchers')
               patch_into_methods(mod, methods, module_policy, true)
             end
 

data/lib/contrast/agent/patching/policy/policy.rb

@@ -20,6 +20,19 @@ module Contrast
         class Policy
           include Singleton
           include Contrast::Components::Logger::InstanceMethods
+          SOURCES_KEY = 'sources'
+          PROPAGATION_KEY = 'propagators'
+          RULES_KEY = 'rules'
+          TRIGGERS_KEY = 'triggers'
+          def initialize
+            @sources = []
+            @propagators = []
+            @triggers = []
+            @providers = {}
+
+            json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
+            from_hash_string(json)
+          end
 
           # Indicates the folder in `resources` where this policy lives.
           def self.policy_folder
@@ -38,25 +51,10 @@ module Contrast
 
           attr_reader :sources, :propagators, :triggers, :providers
 
-          SOURCES_KEY =          'sources'
-          PROPAGATION_KEY =      'propagators'
-          RULES_KEY = 'rules'
-          TRIGGERS_KEY = 'triggers'
-
           def self.policy_json
             File.join(policy_folder, 'policy.json').cs__freeze
           end
 
-          def initialize
-            @sources = []
-            @propagators = []
-            @triggers = []
-            @providers = {}
-
-            json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
-            from_hash_string(json)
-          end
-
           # Our policy for patching rules is a 'dope ass' JSON file. Rather than hard code in a bunch of things to
           # monkey patch, we let the JSON file define the conditions in which modifications are applied. This let's us
           # be flexible and extensible.

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/scope'
+require 'contrast/utils/object_share'
 
 module Contrast
   module Agent
@@ -13,18 +14,14 @@ module Contrast
         # @abstract
         class PolicyNode
           include Contrast::Components::Scope::InstanceMethods
-
-          attr_accessor :class_name, :instance_method, :method_name, :method_visibility
-          attr_reader :properties, :method_scope
-
-          def node_class
-            raise NoMethodError, 'specify the type of the feature for which this node patches'
-          end
-
-          def feature
-            raise NoMethodError, 'specify the name of the feature for which this node patches'
-          end
-
+          JSON_METHOD_VISIBILITY = 'method_visibility'
+          JSON_PROPERTIES = 'properties'
+          JSON_METHOD_NAME = 'method_name'
+          JSON_METHOD_SCOPE = 'scope'
+          # The keys used to read from policy.json to create the individual
+          # policy nodes. These are common across node types
+          JSON_CLASS_NAME = 'class_name'
+          JSON_INSTANCE_METHOD = 'instance_method'
           def initialize policy_hash = {}
             @class_name = policy_hash[JSON_CLASS_NAME]
             @instance_method = policy_hash[JSON_INSTANCE_METHOD]
@@ -35,6 +32,29 @@ module Contrast
             symbolize
           end
 
+          # Name of the class in which the method is being invoked.
+          attr_accessor :class_name
+          # Check for instance method.
+          #
+          # @return true | false
+          attr_accessor :instance_method
+          # The symbol representation of the invoked method.
+          attr_accessor :method_name
+          # Visibility of the invoked method [Private, Public, Protected]
+          attr_accessor :method_visibility
+          # Properties parsed from our JSON policy.
+          attr_reader :properties
+          # Scope of the method parsed from our JSON policy.
+          attr_reader :method_scope
+
+          def node_class
+            raise(NoMethodError, 'specify the type of the feature for which this node patches')
+          end
+
+          def feature
+            raise(NoMethodError, 'specify the name of the feature for which this node patches')
+          end
+
           def id
             @_id ||= "#{ feature }:#{ node_class }:#{ class_name }#{ instance_method? ? '#' : '.' }#{ method_name }"
           end
@@ -78,15 +98,6 @@ module Contrast
             @method_visibility = @method_visibility.to_sym if @method_visibility
             @method_scope = @method_scope.to_sym if @method_scope
           end
-
-          # The keys used to read from policy.json to create the individual
-          # policy nodes. These are common across node types
-          JSON_CLASS_NAME = 'class_name'
-          JSON_INSTANCE_METHOD = 'instance_method'
-          JSON_METHOD_NAME = 'method_name'
-          JSON_METHOD_SCOPE = 'scope'
-          JSON_METHOD_VISIBILITY = 'method_visibility'
-          JSON_PROPERTIES = 'properties'
         end
       end
     end

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -24,6 +24,7 @@ module Contrast
           attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties,
                       :rule_id
 
+          NODE = 'Trigger'
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)
             @rule_id = rule_hash[JSON_NAME]
@@ -36,7 +37,6 @@ module Contrast
             @applicator_method = (trigger_hash[JSON_APPLICATOR_METHOD] || rule_hash[JSON_APPLICATOR_METHOD]).to_sym
           end
 
-          NODE = 'Trigger'
           def node_class
             NODE
           end

data/lib/contrast/agent/protect/exploitable_collection.rb

@@ -0,0 +1,38 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      # This class will store all exploits or definite attack but
+      # require us to wait for response
+      class ExploitableCollection
+        include Contrast::Components::Logger::InstanceMethods
+
+        def initialize
+          @_collection = []
+        end
+
+        def collection
+          @_collection ||= []
+        end
+
+        # Push the Result we need to store until response is available
+        #
+        # @param attack_result [Contrast::Agent::Reporting::AttackResult]
+        def push attack_result
+          @_collection << attack_result
+        end
+
+        # Attach attack results to the context
+        #
+        # @param context [Contrast::Agent::RequestContext]
+        def report_recorded_exploits context
+          context.activity.results.concat(@_collection)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -4,7 +4,14 @@
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/input_analysis/input_analysis'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
 require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
+require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/components/logger'
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
+require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'json'
 
 module Contrast
@@ -13,81 +20,131 @@ module Contrast
       # InputAnalyzer will extract input form current request context and will analyze it.
       # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
       module InputAnalyzer
-        class << self
-          include Contrast::Agent::Reporting::InputType
-          include Contrast::Agent::Reporting::ScoreLevel
-          include Contrast::Agent::Protect::Rule::SqliWorthWatching
-
-          PROTECT_RULES = { sqli: 'sql-injection' }.cs__freeze
-
-          # This method with analyze the user input from the context of the
-          # current request and run each of the protect rules against all
-          # found input types
-          #
-          # @param request [Contrast::Agent::Request] current request context.
-          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-          def analyse request
-            return unless Contrast::SETTINGS.protect_state.enabled
-            return if request.nil?
-
-            inputs = extract_input request
-            return unless inputs
-
-            input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
-            input_analysis.request = request
-            # each rule against each input
-            input_classification inputs, input_analysis
-            input_analysis
-          end
-
-          private
-
-          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
-          #
-          # @param inputs [String, Array<String>] user input to be analysed.
-          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
-          #                                                       for each protect rule.
-          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-          def input_classification inputs, input_analysis
-            # key = input type, value = user_input
-            inputs.each do |input_type, value|
-              PROTECT_RULES.each do |_key, rule_id|
-                # check if rule is enabled
-                next unless Contrast::PROTECT.rule(rule_id).enabled?
-
-                # start with sqli rule
-                case rule_id
-                when PROTECT_RULES[:sqli]
-                  Contrast::Agent::Protect::Rule::SqliInputClassification.classify input_type, value, input_analysis
-                else
-                  return nil
-                end
-              end
-            end
-            input_analysis
-          end
-
-          # Extract the inputs from the request context and label them with Protect
-          # input type tags. Each tag will contain one or more user inputs.
-          #
-          # This methods is to be expanded and modified as needed by other Protect rules
-          # and sub-rules for their requirements.
-          #
-          # @param request [Contrast::Agent::Request] current request context.
-          # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-          def extract_input request
-            inputs = {}
-            inputs[BODY] = request.body
-            inputs[COOKIE_NAME] = request.cookies.keys
-            inputs[COOKIE_VALUE] = request.cookies.values
-            inputs[HEADER] = request.headers
-            inputs[PARAMETER_NAME] = request.parameters.keys
-            inputs[PARAMETER_VALUE] = request.parameters.values
-            inputs[QUERYSTRING] = request.query_string
-            inputs.compact!
-            inputs
-          end
-        end
+        # DISPOSITION_NAME = 'name'
+        # DISPOSITION_FILENAME = 'filename'
+        #
+        # class << self
+        #   include Contrast::Agent::Reporting::InputType
+        #   include Contrast::Agent::Reporting::ScoreLevel
+        #   include Contrast::Agent::Protect::Rule::SqliWorthWatching
+        #   include Contrast::Utils::ObjectShare
+        #   include Contrast::Agent::Protect::Rule::CmdiWorthWatching
+        #
+        #   PROTECT_RULES = {
+        #       sqli: {
+        #           rule_name: 'sql-injection',
+        #           classification: Contrast::Agent::Protect::Rule::SqliInputClassification
+        #       },
+        #       cmdi: {
+        #           rule_name: 'cmd-injection',
+        #           classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
+        #       },
+        #       method_tampering: {
+        #           rule_name: 'method-tampering',
+        #           classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
+        #       },
+        #       unsafe_file_upload: {
+        #           rule_name: 'unsafe-file-upload',
+        #           classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
+        #       },
+        #       nosqli: {
+        #           rule_name: 'nosql-injection',
+        #           classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
+        #       }
+        #   }.cs__freeze
+        #
+        #   # This method with analyze the user input from the context of the
+        #   # current request and run each of the protect rules against all
+        #   # found input types
+        #   #
+        #   # @param request [Contrast::Agent::Request] current request context.
+        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+        #   def analyse request
+        #     return unless Contrast::PROTECT.enabled?
+        #     return if request.nil?
+        #
+        #     inputs = extract_input request
+        #     return unless inputs
+        #
+        #     input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
+        #     input_analysis.request = request
+        #     # each rule against each input
+        #     input_classification inputs, input_analysis
+        #     input_analysis
+        #   end
+        #
+        #   private
+        #
+        #   # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
+        #   #
+        #   # @param inputs [String, Array<String>] user input to be analysed.
+        #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+        #   #                                                       for each protect rule.
+        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+        #   def input_classification inputs, input_analysis
+        #     # key = input type, value = user_input
+        #     inputs.each do |input_type, value|
+        #       next if value.nil? || value.empty?
+        #
+        #       PROTECT_RULES.each do |_key, rule|
+        #         protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
+        #         logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
+        #
+        #         # check if rule is enabled
+        #         next unless protect_rule&.enabled?
+        #
+        #         # method tampering doesn't take value
+        #         if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+        #           rule[:classification].send(:classify, input_type, input_analysis)
+        #         else
+        #           rule[:classification].send(:classify, input_type, value, input_analysis)
+        #         end
+        #       end
+        #     end
+        #     input_analysis
+        #   end
+        #
+        #   # Extract the inputs from the request context and label them with Protect
+        #   # input type tags. Each tag will contain one or more user inputs.
+        #   #
+        #   # This methods is to be expanded and modified as needed by other Protect rules
+        #   # and sub-rules for their requirements.
+        #   #
+        #   # @param request [Contrast::Agent::Request] current request context.
+        #   # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+        #   def extract_input request
+        #     inputs = {}
+        #     inputs[BODY] = request.body
+        #     inputs[COOKIE_NAME] = request.cookies.keys
+        #     inputs[COOKIE_VALUE] = request.cookies.values
+        #     inputs[HEADER] = request.headers
+        #     inputs[PARAMETER_NAME] = request.parameters.keys
+        #     inputs[PARAMETER_VALUE] = request.parameters.values
+        #     inputs[QUERYSTRING] = request.query_string
+        #     inputs[METHOD] = request.request_method
+        #     extract_multipart inputs, request
+        #     inputs.compact!
+        #     inputs
+        #   end
+        #
+        #   # Extract the filename and name of the  Content Disposition Header.
+        #   #
+        #   # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+        #   # @param request [Contrast::Agent::Request] current request context.
+        #   def extract_multipart inputs, request
+        #     disposition = request.rack_request.env['Content-Disposition']
+        #     disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
+        #     return unless disposition
+        #
+        #     pairs = {}
+        #     disposition.split(SEMICOLON).each do |elem|
+        #       new_pair = elem.strip.split(EQUALS, 2)
+        #       pairs[new_pair[0].downcase] = new_pair[1] if new_pair
+        #     end
+        #     inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
+        #     inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+        #   end
+        # end
       end
     end
   end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -41,7 +41,8 @@ module Contrast
             private
 
             def valid_input? args
-              return false unless args&.any?
+              return false unless args
+              return false unless args.cs__is_a?(Array) && args.any?
 
               args[0]
             end
@@ -54,9 +55,9 @@ module Contrast
             end
 
             def extract_mongo_data operation
-              if operation.cs__respond_to? :selector
+              if operation.cs__respond_to?(:selector)
                 operation.selector
-              elsif operation.cs__respond_to? :documents
+              elsif operation.cs__respond_to?(:documents)
                 operation.documents
               end
             end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -65,11 +65,11 @@ module Contrast
             end
 
             def path_traversal_rule path, possible_write, object, method
-              return unless applies_to?(path, possible_write)
+              return unless applies_to?(path, possible_write: possible_write)
 
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
             rescue Contrast::SecurityException => e
-              raise e
+              raise(e)
             rescue StandardError => e
               logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
             end
@@ -90,7 +90,7 @@ module Contrast
               end
             end
 
-            def applies_to? path, possible_write = false
+            def applies_to? path, possible_write: false
               # any possible write is a potential risk
               return true if possible_write
 

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb

@@ -111,7 +111,7 @@ module Contrast
                 end
               end
             rescue Contrast::SecurityException => e
-              raise e
+              raise(e)
             rescue StandardError => e
               parser ||= Contrast::Utils::ObjectShare::UNKNOWN
               logger.error('Error applying xxe', e, module: potential_parser.cs__class.cs__name, method: method,

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -38,7 +38,7 @@ module Contrast
           def apply_rule method, exception, properties, object, args
             invoke(method, exception, properties, object, args)
           rescue Contrast::SecurityException => e
-            raise e
+            raise(e)
           rescue StandardError => e
             logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method,
                                                            rule: rule_name)
@@ -64,14 +64,14 @@ module Contrast
           # @raise [Contrast::SecurityException] on block, will pass the
           #   exception from the rule
           def invoke _method, _exception, _properties, _object, _args
-            raise NoMethodError, 'This is abstract, override it.'
+            raise(NoMethodError, 'This is abstract, override it.')
           end
 
           # The name of the rule, as expected by the Contrast Service and Contrast UI.
           #
           # @return [String]
           def rule_name
-            raise NoMethodError, 'This is abstract, override it.'
+            raise(NoMethodError, 'This is abstract, override it.')
           end
 
           # The rule for which this applicator applies. It'll be a concrete
@@ -80,7 +80,7 @@ module Contrast
           #
           # @return [Contrast::Agent::Protect::Rule::Base]
           def rule
-            ::Contrast::PROTECT.rule rule_name
+            ::Contrast::PROTECT.rule(rule_name)
           end
 
           # Should we skip analysis for this rule for this method invocation?