contrast-agent 6.0.0 → 6.1.2

data/lib/contrast/framework/manager.rb

@@ -64,25 +64,25 @@ module Contrast
       end
 
       def platform_version
-        framework_version = first_framework_result :version, ''
+        framework_version = first_framework_result(:version, '')
 
         Contrast::Framework::PlatformVersion.from_string(framework_version)
       end
 
       def platform_version_string
-        first_framework_result :version, ''
+        first_framework_result(:version, '')
       end
 
       def server_type
-        first_framework_result :server_type, 'rack'
+        first_framework_result(:server_type, 'rack')
       end
 
       def app_name
-        first_framework_result :application_name, 'root'
+        first_framework_result(:application_name, 'root')
       end
 
       def app_root
-        found = first_framework_result :application_root, nil
+        found = first_framework_result(:application_root, nil)
         found || ::Rack::Directory.new('').root
       end
 

data/lib/contrast/framework/manager_extend.rb

@@ -21,7 +21,7 @@ module Contrast
       end
 
       def routes_for_all_frameworks
-        data_for_all_frameworks :collect_routes
+        data_for_all_frameworks(:collect_routes)
       end
 
       # This returns an array of all data from each framework in a flat, no-nil values array

data/lib/contrast/framework/rack/patch/session_cookie.rb

@@ -25,7 +25,7 @@ module Contrast
             def instrument
               @_instrument ||= begin
                 ::Rack::Session::Cookie.class_eval do
-                  alias_method :cs__patched_initialize, :initialize
+                  alias_method(:cs__patched_initialize, :initialize)
                   def initialize app, options = {} # rubocop:disable Style/OptionHash
                     Contrast::Framework::Rack::Patch::SessionCookie.analyze(options)
                     cs__patched_initialize(app, options)

data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb

@@ -16,8 +16,19 @@ module Contrast
             def send_messages
               return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
 
-              [context.server_activity, context.activity, context.observed_route].each do |msg|
-                Contrast::Agent.messaging_queue.send_event_immediately(msg)
+              if Contrast::Agent::Reporter.enabled?
+                [
+                  context.new_observed_route,
+                  Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.server_activity),
+                  Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity.library_usages),
+                  Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
+                ].each do |event|
+                  Contrast::Agent.reporter&.send_event_immediately(event)
+                end
+              else
+                [context.server_activity, context.activity, context.observed_route].each do |msg|
+                  Contrast::Agent.messaging_queue&.send_event_immediately(msg)
+                end
               end
             end
 
@@ -27,7 +38,7 @@ module Contrast
                   # normally pre->in->post filters are applied however, in a streamed response we can run into a case
                   # where it's pre -> in -> post -> more infilters in order to submit anything found during the
                   # infilters after the response has been written we need to explicitly send them
-                  alias_method :cs__close, :close
+                  alias_method(:cs__close, :close)
                   def close
                     Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer.send_messages
                     cs__close

data/lib/contrast/framework/rails/patch/assess_configuration.rb

@@ -49,7 +49,7 @@ module Contrast
             end
 
             def apply_session_timeout *args
-              return if ::Contrast::ASSESS.rule_disabled? CS__SESSION_TIMEOUT_NAME
+              return if ::Contrast::ASSESS.rule_disabled?(CS__SESSION_TIMEOUT_NAME)
               return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, args,
                                                 comparison_type: :greater_than, safe_default: false)
 
@@ -64,7 +64,7 @@ module Contrast
             end
 
             def apply_secure_cookie_disabled *args
-              return if ::Contrast::ASSESS.rule_disabled? CS__SECURE_RULE_NAME
+              return if ::Contrast::ASSESS.rule_disabled?(CS__SECURE_RULE_NAME)
               return unless vulnerable_setting?(:secure, true, args)
 
               rails_session_settings = args[1]
@@ -78,7 +78,7 @@ module Contrast
             end
 
             def apply_httponly_disabled *args
-              return if ::Contrast::ASSESS.rule_disabled? CS__HTTPONLY_RULE_NAME
+              return if ::Contrast::ASSESS.rule_disabled?(CS__HTTPONLY_RULE_NAME)
               return unless vulnerable_setting?(:httponly, true, args)
 
               rails_session_settings = args[1]

data/lib/contrast/framework/rails/patch/rails_application_configuration.rb

@@ -14,7 +14,7 @@ module Contrast
           def self.instrument
             @_instrument ||= begin
               ::Rails::Application::Configuration.class_eval do
-                alias_method :cs__patched_session_store, :session_store
+                alias_method(:cs__patched_session_store, :session_store)
                 def session_store *args, **kwargs
                   ret = cs__patched_session_store(*args, **kwargs)
                   Contrast::Framework::Rails::Patch::AssessConfiguration.analyze_session_store(*args, **kwargs)

data/lib/contrast/framework/rails/patch/support.rb

@@ -20,56 +20,24 @@ module Contrast
             # (i.e., where we normally patch) we will miss the configuration
             # and will never be able to report session misconfiguration rules.
             Contrast::Framework::Rails::Patch::RailsApplicationConfiguration.instrument
-            require 'contrast/framework/rails/railtie' if ::Rails::VERSION::MAJOR.to_i >= 3
+            require('contrast/framework/rails/railtie') if ::Rails::VERSION::MAJOR.to_i >= 3
           end
 
           # (See BaseSupport#after_load_patches)
           def after_load_patches
-            patches = Set.new([
-                                Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                    'ActionController::Live::Buffer',
-                                    'contrast/framework/rails/patch/action_controller_live_buffer',
-                                    instrumenting_module:
-                                      'Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer'),
-                                Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                                    'Rails::Application::Configuration',
-                                    'contrast/framework/rails/patch/rails_application_configuration',
-                                    method_to_instrument: :session_store,
-                                    instrumenting_module:
-                                      'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration')
-                              ])
-            patches.merge(special_after_load_patches) if RUBY_VERSION < '2.6.0'
-            patches
-          end
-
-          def special_after_load_patches
-            [
-              # TODO: RUBY-714 remove w/ EOL of 2.5
-              #
-              # @deprecated  Everything past here is used for Rewriting and can
-              #   be removed once we no longer support 2.5.
-              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                  'ActionController::Railties::Helper::ClassMethods',
-                  'contrast/framework/rails/rewrite/action_controller_railties_helper_inherited',
-                  method_to_instrument: :inherited,
-                  instrumenting_module:
-                    'Contrast::Framework::Rails::Rewrite::ActionControllerRailtiesHelperInherited'),
-              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                  'ActiveRecord::AttributeMethods::Read::ClassMethods',
-                  'contrast/framework/rails/rewrite/active_record_attribute_methods_read',
-                  instrumenting_module:
-                    'Contrast::Framework::Rails::Rewrite::ActiveRecordAttributeMethodsRead'),
-              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                  'ActiveRecord::Scoping::Named::ClassMethods',
-                  'contrast/framework/rails/rewrite/active_record_named',
-                  instrumenting_module: 'Contrast::Framework::Rails::Rewrite::ActiveRecordNamed'),
-              Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
-                  'ActiveRecord::AttributeMethods::TimeZoneConversion::ClassMethods',
-                  'contrast/framework/rails/rewrite/active_record_time_zone_inherited',
-                  method_to_instrument: :inherited,
-                  instrumenting_module:
-                    'Contrast::Framework::Rails::Rewrite::ActiveRecordTimeZoneInherited')
-            ]
+            Set.new([
+                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                          'ActionController::Live::Buffer',
+                          'contrast/framework/rails/patch/action_controller_live_buffer',
+                          instrumenting_module:
+                            'Contrast::Framework::Rails::Patch::ActionControllerLiveBuffer'),
+                      Contrast::Agent::Patching::Policy::AfterLoadPatch.new(
+                          'Rails::Application::Configuration',
+                          'contrast/framework/rails/patch/rails_application_configuration',
+                          method_to_instrument: :session_store,
+                          instrumenting_module:
+                            'Contrast::Framework::Rails::Patch::RailsApplicationConfiguration')
+                    ])
           end
         end
       end

data/lib/contrast/framework/rails/support.rb

@@ -104,7 +104,7 @@ module Contrast
             end
 
             new_route_coverage = Contrast::Agent::Reporting::RouteCoverage.new
-            new_route_coverage.attach_rails_data route, original_url
+            new_route_coverage.attach_rails_data(route, original_url)
           rescue StandardError => e
             logger.warn('Unable to determine the current route of this request', e)
             nil
@@ -153,7 +153,7 @@ module Contrast
             # If the current routing node points to a sub-app (::Rais::Engine), dive deeper.
             # Have sub-app route the remainder of the url.
             if engine_route?(route)
-              new_req = retrieve_request request.env
+              new_req = retrieve_request(request.env)
               new_req.path_info = new_req.path_info.gsub(match.to_s, '')
               get_full_route(new_req, route.app.app.routes.router, path << match.to_s)
             else

data/lib/contrast/framework/sinatra/support.rb

@@ -101,7 +101,7 @@ module Contrast
             full_route ||= request.env[::Rack::PATH_INFO]
 
             new_route_coverage = Contrast::Agent::Reporting::RouteCoverage.new
-            new_route_coverage.attach_rack_based_data final_controller, method, route_pattern, full_route
+            new_route_coverage.attach_rack_based_data(final_controller, method, route_pattern, full_route)
           end
 
           # Search object space for sinatra controllers--any class that subclasses ::Sinatra::Base.

data/lib/contrast/logger/aliased_logging.rb

@@ -0,0 +1,94 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/telemetry/events/exceptions/telemetry_exceptions'
+require 'contrast/agent/telemetry/events/exceptions/obfuscate'
+
+module Contrast
+  module Logger
+    # Our decorator for the Ougai logger allowing for the catching, creating and saving Telemetry exceptions
+    module AliasedLogging
+      ALIASED_WARN = 'warn'.cs__freeze
+      ALIASED_ERROR = 'error'.cs__freeze
+      ALIASED_FATAL = 'fatal'.cs__freeze
+
+      # @param message [String] The message to log. Use default_message if not specified.
+      # @param exception [Exception] The exception or the error
+      # @param data [Object] Any structured data
+      def warn message = nil, exception = nil, data = nil, &block
+        # build Telemetry Exclusion
+        build_exclusion(ALIASED_WARN, message, exception, data)
+        super(message, exception, data, &block)
+      end
+
+      # @param message [String] The message to log. Use default_message if not specified.
+      # @param exception [Exception] The exception or the error
+      # @param data [Object] Any structured data
+      def error message = nil, exception = nil, data = nil, &block
+        # build Telemetry Exclusion
+        build_exclusion(ALIASED_ERROR, message, exception, data)
+        super(message, exception, data, &block)
+      end
+
+      # @param message [String] The message to log. Use default_message if not specified.
+      # @param exception [Exception] The exception or the error
+      # @param data [Object] Any structured data
+      def fatal message = nil, exception = nil, data = nil, &block
+        # build Telemetry Exclusion
+        build_exclusion(ALIASED_FATAL, message, exception, data)
+        super(message, exception, data, &block)
+      end
+
+      private
+
+      def build_exclusion _type, _message = nil, _exception = nil, _data = nil
+        # TODO: RUBY-1698
+        nil
+        #   start = caller_locations&.find_index { |stack| stack.to_s.include?(type) }
+        #   stack_trace = start ? caller_locations(start + 1, 20) : caller_locations(20, 20)
+        #   stack_frame_type = Contrast::Agent::Telemetry::TelemetryException::Obfuscate.obfuscate_type(
+        #       stack_trace[1].path.delete_prefix(Dir.pwd))
+        #   message_exception_type = Contrast::Agent::Telemetry::TelemetryException::Obfuscate.obfuscate_exception_type(
+        #       exception ? exception.cs__class.to_s : stack_frame_type.split('/').last)
+        #   stack_frame_function = stack_trace[1].label
+        #   key = "#{ stack_frame_type }|#{ stack_frame_function }|#{ message }"
+        #   if TELEMETRY_EXCEPTIONS[key]
+        #     TELEMETRY_EXCEPTIONS.increment(key)
+        #     return
+        #   end
+        #
+        #   event_message = create_message(stack_frame_function,
+        #                                  stack_frame_type, message_exception_type,
+        #                                  data, exception,
+        #                                  message)
+        #   TELEMETRY_EXCEPTIONS[key] = event_message
+        # rescue StandardError => e
+        #   debug('Unable to report exception to telemetry', e)
+      end
+
+      def create_message stack_frame_function, stack_frame_type, message_exception_type, data, exception, message
+        message_for_exception = if exception
+                                  exception.cs__respond_to?(:message) ? exception.message : exception
+                                else
+                                  message
+                                end
+        module_name = message_exception_type ? message_exception_type.split('::')[0] : nil
+        stack_frame = Contrast::Agent::Telemetry::TelemetryException::StackFrame.build(stack_frame_function,
+                                                                                       stack_frame_type,
+                                                                                       module_name)
+        message_exception = Contrast::Agent::Telemetry::TelemetryException::MessageException.build(
+            message_exception_type,
+            message_for_exception,
+            module_name,
+            stack_frame)
+        tags = if data
+                 data
+               else
+                 exception.cs__is_a?(Hash) ? exception : {}
+               end
+        message = Contrast::Agent::Telemetry::TelemetryException::Message.build(tags, [message_exception])
+        Contrast::Agent::Telemetry::TelemetryException::Event.new(message)
+      end
+    end
+  end
+end

data/lib/contrast/logger/application.rb

@@ -1,8 +1,6 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/utils/exclude_key'
-
 module Contrast
   module Logger
     # Our decorator for the Ougai logger allowing for the logging of the
@@ -31,8 +29,6 @@ module Contrast
         loggable = ::Contrast::CONFIG.loggable
         info('Current configuration', configuration: loggable)
         env_keys = ENV.keys.select do |env_key|
-          next if Contrast::Utils::ExcludeKey.excludable? env_key.to_s
-
           env_key&.to_s&.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER)
         end
         env_items = env_keys.map { |env_key| Contrast::Utils::EnvConfigurationItem.new(env_key, nil) }

data/lib/contrast/logger/cef_log.rb

@@ -30,7 +30,7 @@ module Contrast
           else
             cs__error(*args, **kwargs)
           end
-          args.each { |arg| raise arg if arg && arg.cs__class < Exception }
+          args.each { |arg| raise(arg) if arg && arg.cs__class < Exception }
         end
       end
     end
@@ -69,11 +69,11 @@ module Contrast
         if @_cef_logger
           @_cef_logger.error('Unable to process update to LoggerManager.', e)
         else
-          puts 'Unable to process update to LoggerManager.'
-          raise e if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
+          puts('Unable to process update to LoggerManager.')
+          raise(e) if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
 
-          puts e.message
-          puts e.backtrace.join("\n")
+          puts(e.message)
+          puts(e.backtrace.join("\n"))
         end
         # rubocop:enable Rails/Output
       end
@@ -99,28 +99,28 @@ module Contrast
 
       def virtual_patch_message patch, outcome
         message = "Virtual Patch #{ patch.fetch(:name, '') } - #{ patch[:uuid] } was triggered by this request."
-        log [message, patch, outcome], ::Logger::Severity::DEBUG
+        log([message, patch, outcome], ::Logger::Severity::DEBUG)
       end
 
       def bot_blocking_message matching_bot, outcome
         message = "User agent #{ matching_bot[:user_agent] } matched the disallowed value #{ matching_bot[:bot] }"
-        log [message, matching_bot, outcome], ::Logger::Severity::DEBUG
+        log([message, matching_bot, outcome], ::Logger::Severity::DEBUG)
       end
 
       def ip_denylisted_message remote_ip, block_entry, outcome
         message = "IP Address #{ remote_ip } matched the disallowed value" \
                   "#{ block_entry[:ip] } in the IP Blacklist #{ block_entry[:uuid] }"
-        log [message, block_entry, outcome], ::Logger::Severity::DEBUG
+        log([message, block_entry, outcome], ::Logger::Severity::DEBUG)
       end
 
       def successful_attack rule_id, outcome, input_type = nil, input_value = nil
         if input_type.present? && input_value.present?
           successful_attack_with_input = "#{ input_type } had a value that successfully exploited" \
                                          "#{ rule_id } - #{ input_value }"
-          log [successful_attack_with_input, rule_id, outcome], ::Logger::Severity::WARN
+          log([successful_attack_with_input, rule_id, outcome], ::Logger::Severity::WARN)
         else
           successful_attack_wo_input = "An effective attack was detected against #{ rule_id }"
-          log [successful_attack_wo_input, rule_id, outcome], ::Logger::Severity::WARN
+          log([successful_attack_wo_input, rule_id, outcome], ::Logger::Severity::WARN)
         end
       end
 
@@ -128,10 +128,10 @@ module Contrast
         if input_type.present? && input_value.present?
           ineffective_attack_with_input = "#{ input_type } had a value that matched a signature for, " \
                                           "but did not successfully exploit #{ rule_id } - #{ input_value }"
-          log [ineffective_attack_with_input, rule_id, outcome], ::Logger::Severity::WARN
+          log([ineffective_attack_with_input, rule_id, outcome], ::Logger::Severity::WARN)
         else
           ineffective_attack_wo_input = "An unsuccessful attack was detected against #{ rule_id }"
-          log [ineffective_attack_wo_input, rule_id, outcome], ::Logger::Severity::WARN
+          log([ineffective_attack_wo_input, rule_id, outcome], ::Logger::Severity::WARN)
         end
       end
 
@@ -140,10 +140,10 @@ module Contrast
         if input_type.present? && input_value.present?
           suspicious_attack_with = "#{ input_type } included a potential attack value that was detected" \
                                    "as suspicious using #{ rule_id } - #{ input_value }"
-          log [suspicious_attack_with, rule_id, outcome], ::Logger::WARN
+          log([suspicious_attack_with, rule_id, outcome], ::Logger::WARN)
         elsif input_value.present?
           suspicious_attack_without = "Suspicious activity indicates a potential attack using #{ rule_id }"
-          log [suspicious_attack_without, rule_id, outcome], ::Logger::WARN
+          log([suspicious_attack_without, rule_id, outcome], ::Logger::WARN)
         end
       end
     end

data/lib/contrast/logger/format.rb

@@ -10,6 +10,7 @@ module Contrast
     # Our format for the Ougai logger allowing for custom log format that
     # extends the behavior of the default Ougai logger
     class Format < Ougai::Formatters::Bunyan
+      NO_REQUEST_HASH = { request_id: -1 }.cs__freeze
       LOG_TRACKER = Contrast::Utils::ThreadTracker.new
       # Our override of the _call method to add in the extra data that we want,
       # based on
@@ -49,7 +50,6 @@ module Contrast
         hash
       end
 
-      NO_REQUEST_HASH = { request_id: -1 }.cs__freeze
       def request_hash
         @request_tracker_defined ||= defined?(Contrast::Agent) && defined?(Contrast::Agent::REQUEST_TRACKER)
         return NO_REQUEST_HASH unless @request_tracker_defined

data/lib/contrast/logger/log.rb

@@ -44,8 +44,8 @@ module Contrast
       untimed_func_symbol = "untimed_#{ meth_spec.method_name }".to_sym
       send_to = class_method ? meth_spec.clazz.cs__singleton_class : meth_spec.clazz
       meth_spec.clazz.class_eval do
-        include Contrast::Components::Logger::InstanceMethods
-        extend Contrast::Components::Logger::InstanceMethods
+        include(Contrast::Components::Logger::InstanceMethods)
+        extend(Contrast::Components::Logger::InstanceMethods)
 
         send_to.send(:alias_method, untimed_func_symbol, meth_spec.method_name)
         meth_spec.aliased = true
@@ -73,7 +73,7 @@ module Contrast
         next if meth_spec.aliased
 
         is_class_method = meth_spec.clazz.singleton_methods(false).include?(meth_spec.method_name)
-        trace_time_class_method meth_spec, is_class_method
+        trace_time_class_method(meth_spec, is_class_method)
       end
     end
   end
@@ -96,7 +96,7 @@ module Contrast
           else
             cs__error(*args, **kwargs)
           end
-          args.each { |arg| raise arg if arg && arg.cs__class < Exception }
+          args.each { |arg| raise(arg) if arg && arg.cs__class < Exception }
         end
       end
     end
@@ -142,11 +142,11 @@ module Contrast
         if logger
           logger.error('Unable to process update to LoggerManager.', e)
         else
-          puts 'Unable to process update to LoggerManager.'
-          raise e if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
+          puts('Unable to process update to LoggerManager.')
+          raise(e) if ENV['CONTRAST__AGENT__RUBY_MORE_COWBELL']
 
-          puts e.message
-          puts e.backtrace.join("\n")
+          puts(e.message)
+          puts(e.backtrace.join("\n"))
         end
       end
 

data/lib/contrast/tasks/config.rb

@@ -7,7 +7,7 @@ require 'contrast/agent/reporting/reporter'
 
 module Contrast
   # A Rake task to generate a contrast_security.yaml file with some basic settings
-  module Config
+  module Config # rubocop:disable Metrics/ModuleLength
     extend Rake::DSL
     DEFAULT_CONFIG = {
         'api' => {
@@ -32,6 +32,7 @@ module Contrast
     }.cs__freeze
 
     SKIP_LOG = %w[service_key api_key].cs__freeze
+    REQUIRED = %i[url api_key service_key user_name].cs__freeze
 
     namespace :contrast do
       namespace :config do
@@ -62,20 +63,19 @@ module Contrast
           puts 'Validating Contrast Reporter Headers...'
           reporter = Contrast::Config.validate_headers
           puts '...done!'
-          puts 'Testing Client Connection...'
+          puts 'Testing Reporter Client Connection...'
           Contrast::Config.test_connection(reporter) if reporter
           puts '...done!'
         end
       end
-      def self.validate_config # rubocop:disable Metrics/PerceivedComplexity
+
+      def self.validate_config
         config = Contrast::Configuration.new
         abort('Unable to Build Config') unless config
-
-        required = %i[url api_key service_key user_name]
-
         missing = []
-        config.root.api.each do |key, value|
-          puts "#{ key }::#{ value }" unless value.is_a?(Contrast::Config::BaseConfiguration) || SKIP_LOG.includes?(key)
+        api_hash = config.root.api.to_hash
+        api_hash.each_key do |key|
+          value = mask_keys(api_hash, key)
           if value.is_a?(Contrast::Config::ApiProxyConfiguration)
             Contrast::Config.validate_proxy(value)
           elsif value.is_a?(Contrast::Config::CertificationConfiguration)
@@ -84,7 +84,7 @@ module Contrast
           elsif value.is_a?(Contrast::Config::RequestAuditConfiguration)
             Contrast::Config.validate_audit(value)
             next
-          elsif value == Contrast::Config::BaseConfiguration::EMPTY_VALUE && required.includes?(key.to_sym)
+          elsif value.nil? && REQUIRED.includes?(key.to_sym)
             missing << key
           end
         end
@@ -92,39 +92,40 @@ module Contrast
       end
 
       def self.validate_proxy config
-        puts "Proxy Enabled: #{ config.enable }"
+        puts("Proxy Enabled: #{ config.enable }")
         return unless config.enable
 
-        puts "Proxy URL: #{ config.url }"
+        puts("Proxy URL: #{ config.url }")
         abort('Proxy Enabled but no Proxy URL given') unless config.url
       end
 
       def self.validate_cert config
-        puts "Certification Enabled: #{ config.enable }"
+        puts("Certification Enabled: #{ config.enable }")
         return unless config.enable
 
-        puts "CA File: #{ config.ca_file }"
+        puts("CA File: #{ config.ca_file }")
         abort('CA file path not provided') unless config.ca_file
-        puts "Cert File: #{ config.cert_file }"
+        puts("Cert File: #{ config.cert_file }")
         abort('Cert file path not provided') unless config.cert_file
-        puts "Key File: #{ config.key_file }"
+        puts("Key File: #{ config.key_file }")
         abort('Key file path not provided') unless config.key_file
       end
 
       def self.validate_audit config
-        puts "Request Audit Enabled: #{ config.enable }"
+        puts("Request Audit Enabled: #{ config.enable }")
         return unless config.enable
 
         config.each do |k, v|
-          puts "#{ k }::#{ v }"
+          puts("#{ k }::#{ v }")
         end
       end
 
       def self.validate_headers
         missing = []
         reporter = Contrast::Agent::Reporter.new
-        reporter.client.headers.to_hash.each_pair do |key, value|
-          puts "#{ key }::#{ value }"
+        reporter_headers = reporter.client.headers.to_hash
+        reporter_headers.each_key do |key|
+          value = mask_keys(reporter_headers, key)
           missing << key if value.nil?
         end
         abort("Missing required header values: #{ missing.join(', ') }") unless missing.empty?
@@ -132,8 +133,16 @@ module Contrast
       end
 
       def self.test_connection reporter
-        abort('Failed to Initialize Connection please check error logs for details') unless reporter.connection
-        abort('Failed to Start Client please check error logs for details') unless reporter.client.startup!
+        connection = reporter.connection
+        abort('Failed to Initialize Connection please check error logs for details') unless connection
+        abort('Failed to Start Client please check error logs for details') unless reporter.client.startup!(connection)
+      end
+
+      def self.mask_keys hash, key
+        value = hash[key]
+        redacted_value = Contrast::Configuration::REDACTED if SKIP_LOG.include?(key.to_s)
+        puts("#{ key }::#{ redacted_value || value }") unless value.is_a?(Contrast::Config::BaseConfiguration)
+        value
       end
     end
   end

data/lib/contrast/tasks/service.rb

@@ -11,7 +11,7 @@ module Contrast
     extend Rake::DSL
     # Start the service if it is not already running
     def self.start_service
-      puts 'Starting Contrast Service'
+      puts('Starting Contrast Service')
       service_log = ::Contrast::CONTRAST_SERVICE.logger_path
       if File.writable?(service_log)
         spawn('contrast_service', out: File::NULL, err: service_log)
@@ -23,7 +23,7 @@ module Contrast
         sleep(0.05) until Contrast::Utils::OS.running?
       end
       watcher.join(1)
-      puts Contrast::Utils::OS.running? ? 'Contrast Service started successfully.' : 'Contrast Service did not start.'
+      puts(Contrast::Utils::OS.running? ? 'Contrast Service started successfully.' : 'Contrast Service did not start.')
     end
 
     # Stop the service if it is running

data/lib/contrast/utils/assess/tracking_util.rb

@@ -50,9 +50,9 @@ module Contrast
 
             idx += 1
             if Contrast::Utils::DuckUtils.iterable_hash?(obj)
-              handle_hash obj, idx
+              handle_hash(obj, idx)
             elsif Contrast::Utils::DuckUtils.iterable_enumerable?(obj)
-              handle_enumerable obj, idx
+              handle_enumerable(obj, idx)
             else
               Contrast::Agent::Assess::Tracker.tracked?(obj)
             end
@@ -79,9 +79,9 @@ module Contrast
 
             idx += 1
             if Contrast::Utils::DuckUtils.iterable_hash?(obj)
-              handle_hash obj, idx
+              handle_hash(obj, idx)
             elsif Contrast::Utils::DuckUtils.iterable_enumerable?(obj)
-              handle_enumerable obj, idx
+              handle_enumerable(obj, idx)
             else
               Contrast::Agent::Assess::Tracker.trackable?(obj)
             end