contrast-agent 6.0.0 → 6.1.2

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb

@@ -17,13 +17,6 @@ module Contrast
           class CacheControl < HeaderRule
             include BodyRule
             include Framework::RailsSupport
-
-            def rule_id
-              'cache-controls-missing'
-            end
-
-            protected
-
             HEADER_KEYS = %w[Cache-Control].cs__freeze
             ACCEPTED_VALUES = [/no-store/, /no-cache/].cs__freeze
             DEFAULT_SAFE = false
@@ -31,55 +24,75 @@ module Contrast
             HEAD_TAG = /<head>/i.cs__freeze
             NAME = 'cache-control'
 
+            def rule_id
+              'cache-controls-missing'
+            end
+
+            protected
+
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
             # @param response [Contrast::Agent::Response] the response of the application
             # @return [Hash, nil] the evidence required to prove the violation of the rule
             def violated? response
-              has_header, evidence = process_header(response)
-              return evidence unless evidence.nil?
+              return unless header?(response) && meta_tag?(response)
+
+              header_evidence = header_evidence(response)
+              return if header_evidence.nil?
 
-              has_tag, evidence = process_body(response)
-              return evidence unless evidence.nil?
-              return {} if !has_header && !has_tag
+              tag_evidence = tag_evidence(response)
+              return if tag_evidence.nil?
 
-              nil
+              { DATA => [header_evidence, tag_evidence] }
             end
 
-            # Process Header value to determine if it violates rule
+            # Is a cache-control header available?
             # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Array[Boolean, Hash]] whether the header exists and the evidence hash or nil
-            def process_header response
-              # Rails 7 adds support for the cache_control header directly in the
-              # rack response, we should use that value
-              if framework_supported?
-                cache_control = response.rack_response.cache_control
-                has_header = !cache_control.blank?
-                not_valid = has_header && !((cache_control[:no_cache]) || (cache_control[:no_store]))
-                # evidence requires header value string, pull directly instead of rebuilding from hash
-                return has_header, evidence(HEADER_TYPE, NAME, cache_control_to_s(cache_control)) if not_valid
-              else
-                # This rule is violated if the header is not there is there,
-                # but the value is not 'no-store' or 'no-cache'
-                cache_control = get_header_value(response)
-                has_header = !!cache_control
-                not_valid = has_header && !valid_header?(cache_control)
-                return has_header, evidence(HEADER_TYPE, NAME, cache_control) if not_valid
+            # @return [Boolean]
+            def header? response
+              cache_control = cache_control_from(response)
+              framework_supported? ? !cache_control.blank? : !!cache_control
+            end
+
+            # Is a cache-control meta tag available?
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Boolean]
+            def meta_tag? response
+              return false if meta_tags(response).empty?
+
+              meta_tags(response).each do |tag|
+                return true if meta_cache_tag?(tag[HTML_PROP])
               end
-              [has_header, nil]
+
+              false
+            end
+
+            def meta_tags response
+              return @_meta_tags if defined? @meta_tags
+
+              @_meta_tags = html_elements(response.body&.split(HEAD_TAG)&.last, META_START_STR)
+            end
+
+            # Process Header value to determine if it violates rule
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Hash, nil] the evidence hash or nil
+            def header_evidence response
+              cache_control = cache_control_from(response)
+              value = framework_supported? ? cache_control : cache_control_to_s(cache_control)
+              # If header is valid, then this portion of the rule isn't violated.
+              return if valid_header?(value)
+
+              # evidence requires header value string, pull directly instead of rebuilding from hash
+              evidence(HEADER_TYPE, NAME, value)
             end
 
-            # Process Body to determine cache control exists as meta tag and if it violates rule
+            # Process Body to determine if cache control meta tag violates rule
             # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Array[Boolean, Hash]] whether the meta tags exists and the evidence hash or nil
-            def process_body response
-              body = response.body
-              # check if the meta tag is include it
-              meta_tags = html_elements(body&.split(HEAD_TAG)&.last, META_START_STR)
-              meta_tags.each do |tag|
-                return true, evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag? tag[HTML_PROP]
+            # @return [Hash, nil] the evidence hash or nil
+            def tag_evidence response
+              meta_tags(response).each do |tag|
+                return evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag?(tag[HTML_PROP])
               end
-              [!meta_tags.empty?, nil]
             end
 
             def potential_elements section, element_start
@@ -121,13 +134,23 @@ module Contrast
             end
 
             # This method accepts the violation and transforms it to the proper hash
-            # before return in as violation
+            # before returning a violation
             #
             # @param type [String] String of Header or META of the type
             # @param name [String] String of either cache-control or pragma
             # @param value [String] String of the violated value
             def evidence type, name, value
-              { DATA => { type: type, name: name, value: value }.to_s }
+              { type: type, name: name, value: value }.to_json
+            end
+
+            def cache_control_from response
+              # Rails 7 adds support for the cache_control header directly in the
+              # rack response, we should use that value
+              if framework_supported? && response.rack_response.cs__is_a?(Rack::Response)
+                response.rack_response.cache_control
+              else
+                get_header_value(response)
+              end
             end
 
             # Rebuilds the String value of the Cache-Control Header

data/lib/contrast/agent/assess/rule/response/click_jacking_header_rule.rb

@@ -11,13 +11,13 @@ module Contrast
         module Response
           # These rules check the content of the HTTP Response to determine if the headers contains the required header
           class ClickJacking < HeaderRule
-            def rule_id
-              'clickjacking-control-missing'
-            end
-
             HEADER_KEYS = %w[X-Frame-Options].cs__freeze
             ACCEPTED_VALUES = [/^deny/i, /^sameorigin/i].cs__freeze
             DEFAULT_SAFE = false
+
+            def rule_id
+              'clickjacking-control-missing'
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb

@@ -12,12 +12,6 @@ module Contrast
         module Response
           # These rules check that the HTTP Headers include CSP header types
           class CspHeaderInsecure < HeaderRule
-            def rule_id
-              'csp-header-insecure'
-            end
-
-            protected
-
             HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
             DEFAULT_SAFE = false
             SETTINGS = %w[
@@ -28,6 +22,12 @@ module Contrast
             ASTERISK_REGEXP = /[*]/.cs__freeze
             SAFE_REFLECTED_XSS = /1/.cs__freeze
 
+            def rule_id
+              'csp-header-insecure'
+            end
+
+            protected
+
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
             # @param response [Contrast::Agent::Response] the response of the application

data/lib/contrast/agent/assess/rule/response/csp_header_missing_rule.rb

@@ -11,13 +11,13 @@ module Contrast
         module Response
           # These rules check that the HTTP Headers include CSP header types
           class CspHeaderMissing < HeaderRule
-            def rule_id
-              'csp-header-missing'
-            end
-
             HEADER_KEYS = %w[Content-Security-Policy X-Content-Security-Policy X-Webkit-CSP].cs__freeze
             ACCEPTED_VALUES = [/(.)/].cs__freeze
             DEFAULT_SAFE = false
+
+            def rule_id
+              'csp-header-missing'
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb

@@ -12,16 +12,16 @@ module Contrast
           # This rule checks if the HTTP Headers include HSTS header and ensures that the max-age value
           # is set to a value greater than 0.
           class HSTSHeader < HeaderRule
+            HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
+            ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
+            DEFAULT_SAFE = true
+
             def rule_id
               'hsts-header-missing'
             end
 
             protected
 
-            HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
-            ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
-            DEFAULT_SAFE = true
-
             def evidence data
               # get only the value of the max-age property
               val = data&.split('=')&.last

data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb

@@ -11,13 +11,13 @@ module Contrast
         module Response
           # These rules check the content of the HTTP Response to determine if the response contains the needed header
           class XContentType < HeaderRule
-            def rule_id
-              'xcontenttype-header-missing'
-            end
-
             HEADER_KEYS = %w[X-Content-Type-Options].cs__freeze
             ACCEPTED_VALUES = [/^nosniff/i].cs__freeze
             DEFAULT_SAFE = false
+
+            def rule_id
+              'xcontenttype-header-missing'
+            end
           end
         end
       end

data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb

@@ -13,15 +13,14 @@ module Contrast
           # These rules check the content of the HTTP Response to determine if the response contains the needed header
           class XXssProtection < HeaderRule
             include Framework::RailsSupport
+            HEADER_KEYS = %w[X-XSS-Protection].cs__freeze
+            ACCEPTED_VALUES = [/^1/].cs__freeze
+            DEFAULT_SAFE = true
 
             def rule_id
               'xxssprotection-header-disabled'
             end
 
-            HEADER_KEYS = %w[X-XSS-Protection].cs__freeze
-            ACCEPTED_VALUES = [/^1/].cs__freeze
-            DEFAULT_SAFE = true
-
             protected
 
             def analyze_response? response

data/lib/contrast/agent/assess/tag.rb

@@ -12,6 +12,19 @@ module Contrast
                     :start_idx, # start of range
                     :end_idx    # end of range (calculated from start + length), exclusive
 
+        # Update range should be how start and end index of tags are changed,
+        # as it includes validation
+        #
+        # Note that we allow start_idx == end_idx b/c this is how we determine
+        # if a tag range is 'covered' in trigger detection
+        ERROR_NEGATIVE_START = 'Unable to set start idx negative'
+        BELOW = 'BELOW'
+        ERROR_END_BEFORE_START = 'Unable to set start idx after end idx'
+        LOW_SPAN = 'LOW_SPAN'
+        WITHIN = 'WITHIN'
+        WITHOUT = 'WITHOUT'
+        HIGH_SPAN = 'HIGH_SPAN'
+        ABOVE = 'ABOVE'
         # Initialize a new tag
         #
         # @param label [String] the label of the tag
@@ -109,13 +122,6 @@ module Contrast
         end
         alias_method :to_s, :str_val
 
-        BELOW = 'BELOW'
-        LOW_SPAN = 'LOW_SPAN'
-        WITHIN = 'WITHIN'
-        WITHOUT = 'WITHOUT'
-        HIGH_SPAN = 'HIGH_SPAN'
-        ABOVE = 'ABOVE'
-
         # The tag is ______ the range
         # rrrrrrr == self.range, the range of the tag
         def compare_range start, stop
@@ -154,13 +160,6 @@ module Contrast
 
         private
 
-        # Update range should be how start and end index of tags are changed,
-        # as it includes validation
-        #
-        # Note that we allow start_idx == end_idx b/c this is how we determine
-        # if a tag range is 'covered' in trigger detection
-        ERROR_NEGATIVE_START = 'Unable to set start idx negative'
-        ERROR_END_BEFORE_START = 'Unable to set start idx after end idx'
         def update_range start_idx, end_idx
           raise(ArgumentError, ERROR_NEGATIVE_START) if start_idx.negative?
           raise(ArgumentError, ERROR_END_BEFORE_START) if end_idx < start_idx

data/lib/contrast/agent/at_exit_hook.rb

@@ -31,7 +31,18 @@ module Contrast
         context = Contrast::Agent::REQUEST_TRACKER.current
         return unless context
 
-        Contrast::Agent.messaging_queue.send_event_immediately(context.activity)
+        if Contrast::Agent::Reporter.enabled?
+          [
+            context.new_observed_route,
+            Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.server_activity),
+            Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity.library_usages),
+            Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
+          ].each do |event|
+            Contrast::Agent.reporter&.send_event_immediately(event)
+          end
+        else
+          Contrast::Agent.messaging_queue&.send_event_immediately(context.activity)
+        end
       end
     end
   end

data/lib/contrast/agent/inventory/database_config.rb

@@ -44,20 +44,27 @@ module Contrast
               end
             end
           rescue StandardError => e
-            logger.error('Unable to append db config', e)
+            logger.warn('Unable to append db config', e)
             nil
           end
 
           private
 
           # We capture the active record configuration used by this application, as reported by
-          # ActiveRecord::Base.connection_config, so that we can record it once and report it as needed.
+          # ActiveRecord::Base.connection_db_config, so that we can record it once and report it as needed.
           #
           # @return [Hash]
           def active_record_config
             return @_active_record_config if instance_variable_defined?(:@_active_record_config)
 
-            @_active_record_config = ActiveRecord::Base.connection_config rescue nil # rubocop:disable Style/RescueModifier
+            @_active_record_config = if ActiveRecord::Base.cs__respond_to?(:connection_db_config)
+                                       ActiveRecord::Base.connection_db_config
+                                     else
+                                       # TODO: RUBY-99999 - Remove when Rails 6.0 is not supported
+                                       ActiveRecord::Base.connection_config
+                                     end
+          rescue StandardError
+            nil
           end
 
           # The classes we instrument in order to determine which, if any, database(s) an application connects to take
@@ -67,7 +74,7 @@ module Contrast
           # reporting.
           #
           # @param hash_or_str [Hash, String]
-          # @return [Contrast::Api::Dtm::ArchitectureComponent]
+          # @return [Array<Contrast::Api::Dtm::ArchitectureComponent>, nil]
           def build_from_db_config hash_or_str
             return unless hash_or_str
 
@@ -82,7 +89,7 @@ module Contrast
           # understandable by TeamServer.
           #
           # @param hash [Hash] the information used to open a database connection
-          # @return [Contrast::Api::Dtm::ArchitectureComponent]
+          # @return [Array<Contrast::Api::Dtm::ArchitectureComponent>]
           def build_from_db_hash hash
             ac = Contrast::Api::Dtm::ArchitectureComponent.build_database
             ac.vendor = hash[:adapter] || hash[ADAPTER] || Contrast::Utils::ObjectShare::EMPTY_STRING
@@ -115,9 +122,11 @@ module Contrast
           # mysql+mysqlconnector://scott:tiger@localhost/foo # pragma: allowlist secret
           #
           # @param str [String] the DB connection string
-          # @return [Contrast::Api::Dtm::ArchitectureComponent]
+          # @return [Array<Contrast::Api::Dtm::ArchitectureComponent>, nil]
           def build_from_db_string str
             adapter, hosts, database = split_connection_str(str)
+            return unless adapter && hosts && database
+
             acs = []
             hosts.split(Contrast::Utils::ObjectShare::COMMA).map do |s|
               host, port = s.split(Contrast::Utils::ObjectShare::COLON)
@@ -136,13 +145,19 @@ module Contrast
           # generation of a Contrast::Api::Dtm::ArchitectureComponent
           #
           # @param str [String] the DB connection string
-          # @return [Array<String>] the adapter, hosts, and database
+          # @return [Array<String>, nil] the adapter, hosts, and database
           def split_connection_str str
             adapter, str = str.split(Contrast::Utils::ObjectShare::COLON_SLASH_SLASH)
+            return unless str
+
             _auth, str = str.split(Contrast::Utils::ObjectShare::AT)
+            return unless str
+
             # Not currently used
             # user, pass = auth.split(Contrast::Utils::ObjectShare::COLON)
             hosts, db_and_options = str.split(Contrast::Utils::ObjectShare::SLASH)
+            return unless db_and_options
+
             hosts << LOCALHOST if hosts.empty?
             database, _options = db_and_options.split(Contrast::Utils::ObjectShare::QUESTION_MARK)
 

data/lib/contrast/agent/middleware.rb

@@ -13,7 +13,7 @@ require 'contrast/utils/heap_dump_util'
 require 'contrast/utils/telemetry'
 require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
-require 'contrast/agent/telemetry/events/startup_metrics_telemetry_event'
+require 'contrast/agent/telemetry/events/startup_metrics_event'
 require 'contrast/utils/middleware_utils'
 
 require 'contrast/utils/timer'
@@ -48,6 +48,9 @@ module Contrast
           return
         end
         agent_startup_routine
+      rescue StandardError => e
+        logger.error('Unable to initialize the agent. Disabling permanently.', e)
+        ::Contrast::AGENT.disable! # ensure the agent is disabled (probably redundant)
       end
 
       # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready to do some
@@ -78,9 +81,9 @@ module Contrast
           Contrast::Agent.thread_watcher.ensure_running?
         end
 
-        if Contrast::Agent::Telemetry.enabled?
+        if Contrast::Agent::Telemetry::Base.enabled?
           logger.debug_with_time('middleware: sending startup metrics telemetry event') do
-            event = Contrast::Agent::StartupMetricsTelemetryEvent.new
+            event = Contrast::Agent::Telemetry::StartupMetricsEvent.new
             Contrast::Agent.thread_watcher.telemetry_queue.send_event(event)
           end
         end
@@ -145,7 +148,7 @@ module Contrast
           request_handler.ruleset.prefilter
         end
       rescue StandardError => e
-        raise e if security_exception?(e)
+        raise(e) if security_exception?(e)
 
         logger.error('Unable to execute agent pre_call', e)
       end
@@ -164,7 +167,7 @@ module Contrast
           # Build and report all collected findings prior response
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
           # All protect rules, which are trigger but require response to be reported
-          Contrast::Agent::EXPLOITS.report_recorded_exploits context unless Contrast::Agent::EXPLOITS.collection.empty?
+          Contrast::Agent::EXPLOITS.report_recorded_exploits(context) unless Contrast::Agent::EXPLOITS.collection.empty?
 
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity
@@ -177,7 +180,7 @@ module Contrast
         end
       # unsuccessful attack
       rescue StandardError => e
-        raise e if security_exception?(e)
+        raise(e) if security_exception?(e)
 
         logger.error('Unable to execute agent post_call', e)
       end

data/lib/contrast/agent/patching/policy/after_load_patch.rb

@@ -47,7 +47,7 @@ module Contrast
             return true  unless target_defined? # bc no methods are loaded
             return false unless method_to_instrument
 
-            !module_lookup.instance_methods.include? method_to_instrument
+            !module_lookup.instance_methods.include?(method_to_instrument)
           end
 
           def applies? loaded_module_name
@@ -59,9 +59,7 @@ module Contrast
           end
 
           def instrument!
-            return if instrumenting_module == :'Contrast::Framework::Rails::Rewrite' && RAILS_VER >= '2.6.0'
-
-            require instrumentation_file_path
+            require(instrumentation_file_path)
 
             if instrumenting_module
               mod = Module.cs__const_get(instrumenting_module)
@@ -74,7 +72,7 @@ module Contrast
 
           def module_lookup
             @_module_lookup ||= begin
-              Module.cs__const_get module_name
+              Module.cs__const_get(module_name)
             rescue StandardError => _e
               nil
             end

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -43,7 +43,7 @@ module Contrast
               ].cs__freeze
               paths.each do |p|
                 path_part = "cs__assess_#{ p }"
-                Contrast::Extension::Assess::InstrumentHelper.instrument "#{ path_part }/#{ path_part }"
+                Contrast::Extension::Assess::InstrumentHelper.instrument("#{ path_part }/#{ path_part }")
               end
               true
             end
@@ -73,7 +73,7 @@ module Contrast
           # handling
           def apply_require_patches!
             @_apply_require_patches ||= begin
-              require 'contrast/extension/thread'
+              require('contrast/extension/thread')
               true
             rescue LoadError, StandardError => e
               logger.error('failed instrumenting apply_require_patches!', e)

data/lib/contrast/agent/patching/policy/method_policy_extend.rb

@@ -38,8 +38,8 @@ module Contrast
                                                  deadzone_node: deadzone_node
                                              })
 
-            return method_policy unless check_method_policy_nodes_empty? source_node, propagation_node, trigger_node,
-                                                                         protect_node, inventory_node, deadzone_node
+            return method_policy unless check_method_policy_nodes_empty?(source_node, propagation_node, trigger_node,
+                                                                         protect_node, inventory_node, deadzone_node)
 
             create_new_node(module_policy, method_policy) if module_policy.deadzone_nodes&.any?
             method_policy
@@ -74,9 +74,9 @@ module Contrast
               next unless node.method_name.nil?
 
               klass = Module.cs__const_get(node.class_name)
-              next unless it_defined? klass, method_policy.method_name
+              next unless it_defined?(klass, method_policy.method_name)
 
-              new_node = set_new_node method_policy, klass, node
+              new_node = set_new_node(method_policy, klass, node)
               method_policy.instance_variable_set(:@method_visibility, new_node.method_visibility)
               method_policy.instance_variable_set(:@deadzone_node, node)
               module_policy.deadzone_nodes << new_node

data/lib/contrast/agent/patching/policy/patch.rb

@@ -49,11 +49,11 @@ module Contrast
             ].cs__freeze
 
             def enter_method_scope! method_policy
-              contrast_enter_method_scopes! method_policy.scopes_to_enter
+              contrast_enter_method_scopes!(method_policy.scopes_to_enter)
             end
 
             def exit_method_scope! method_policy
-              contrast_exit_method_scopes! method_policy.scopes_to_exit
+              contrast_exit_method_scopes!(method_policy.scopes_to_exit)
             end
 
             # @param mod [Module] the module in which the patch should be
@@ -114,16 +114,15 @@ module Contrast
             #                          (equivalent to :alias, where `module = module.singleton class`)
             #                          (this is a.k.a. "class-method patch")
             #   :prepend            -> prepend instance method of module
-            #   [prepending singleton is easily supported too, just not implemented yet.]
+            #   :prepending singleton -> prepend singleton method of module
             # @return [Symbol] new alias for the underlying method (presumably, so the patched method can call it)
             def register_c_patch target_module_name, unbound_method, impl = :alias_instance
               # These could be set as AfterLoadPatches.
               method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
-              underlying_method_name = build_unbound_method_name(method_name).to_sym
+              underlying_method_name = underlying_method_name(method_name, impl)
 
               target_module = Module.cs__const_get(target_module_name)
-              target_module = target_module.cs__singleton_class if %i[prepend_singleton prepend].include? impl
-              target_module = target_module.cs__singleton_class if %i[alias_singleton prepend].include? impl
+              target_module = target_module.cs__singleton_class if %i[prepend_singleton alias_singleton].include?(impl)
 
               visibility = if target_module.private_instance_methods(false).include?(method_name)
                              :private
@@ -132,14 +131,14 @@ module Contrast
                            elsif target_module.public_instance_methods(false).include?(method_name)
                              :public
                            else
-                             raise NoMethodError,
-                                   <<~ERR
+                             raise(NoMethodError,
+                                   <<~ERR)
                                      Tried to register a C-defined #{ impl } patch for \
                                      #{ target_module_name }##{ method_name }, but can't find :#{ method_name }.
                                    ERR
                            end
 
-              reflect_implementation impl, target_module, unbound_method, visibility
+              reflect_implementation(impl, target_module, unbound_method, visibility)
               # Ougai::Logger.create_item_with_2args calls Hash#[]=, so we
               # can't invoke this logging method or we'll seg fault as we'd
               # change the method definition mid-call
@@ -161,29 +160,25 @@ module Contrast
             # @param visibility [Symbol] method visibility
             def reflect_implementation impl, target_module, unbound_method, visibility
               method_name = unbound_method.name.to_sym # rubocop:disable Security/Module/Name -- ruby built in attribute.
-              underlying_method_name = build_unbound_method_name(method_name).to_sym
+              underlying_method_name = underlying_method_name(method_name, impl)
 
               case impl
               when :alias_instance, :alias_singleton
                 # Core to patching. Ignore define method usage cop.
                 # rubocop:disable Performance/Kernel/DefineMethod
-                unless target_module.instance_methods(false).include? underlying_method_name
+                unless target_module.instance_methods(false).include?(underlying_method_name)
                   # alias_method may be private
                   target_module.send(:alias_method, underlying_method_name, method_name)
                   target_module.send(:define_method, method_name, unbound_method.bind(target_module))
                 end
                 target_module.send(visibility, method_name) # e.g., module.private(:my_method)
               when :prepend_instance, :prepend_singleton
+                prepending_module = Module.new
+                prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
+                prepending_module.send(visibility, method_name)
 
-                unless target_module.instance_methods(false).include? underlying_method_name
-
-                  prepending_module = Module.new
-                  prepending_module.send(:define_method, method_name, unbound_method.bind(target_module))
-                  prepending_module.send(visibility, method_name)
-
-                end
                 # This prepends to the singleton class (it patches a class method)
-                target_module.prepend prepending_module
+                target_module.prepend(prepending_module)
                 # rubocop:enable Performance/Kernel/DefineMethod
               end
             end
@@ -207,6 +202,12 @@ module Contrast
 
               !ASSESS&.enabled?
             end
+
+            def underlying_method_name method_name, impl
+              return method_name.to_sym if %i[prepend_instance prepend_singleton].include?(impl)
+
+              build_unbound_method_name(method_name).to_sym
+            end
           end
         end
       end