contrast-agent 6.11.0 → 6.13.0

data/lib/contrast/agent/assess/rule/response/parameters_pollution_rule.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/rule/response/base_rule'

data/lib/contrast/agent/assess/rule/response/x_content_type_header_rule.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/rule/response/header_rule'

data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/rule/response/framework/rails_support'

data/lib/contrast/agent/assess/tag.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/logger'

data/lib/contrast/agent/assess/tracker.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/assess/finalizers/hash'

data/lib/contrast/agent/assess.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/at_exit_hook.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/logger'

data/lib/contrast/agent/deadzone/policy/deadzone_node.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/patching/policy/policy_node'

data/lib/contrast/agent/deadzone/policy/policy.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/deadzone/policy/deadzone_node'

data/lib/contrast/agent/disable_reaction.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/logger'

data/lib/contrast/agent/excluder.rb

@@ -1,13 +1,16 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/reporting/settings/url_exclusion'
+require 'contrast/agent/reporting/input_analysis/input_type'
 
 module Contrast
   module Agent
     # Given an array of exclusion matcher instances provides methods to
     # determine if the exclusions apply to particular urls.
     class Excluder # rubocop:disable Metrics/ClassLength
+      include Contrast::Agent::Reporting::InputType
+
       # @return [Array<Contrast::Agent::ExclusionMatcher>]
       attr_reader :exclusions
 
@@ -16,16 +19,40 @@ module Contrast
         @exclusions = exclusions
       end
 
+      # Determine if an input is excluded for protect rule.
+      #
+      # @param results [Array<Contrast::Agent::Reporting::InputAnalysisResult>]
+      # @param request_path [String] Current request path
+      def protect_excluded_by_input? results, request_path
+        return false unless results.any?
+
+        exclusion_matched = 0
+        protect_input_exclusions.any? do |exclusion_match|
+          # each exclusion against each input result
+          results.each do |rule_result|
+            # check and see the rule_id match first or if this applicable for all protect rules.
+            next unless exclusion_match.protection_rule?(rule_result.rule_id)
+
+            # Based on strategy:
+            match = input_match_strategy(exclusion_match,
+                                         input_match?(exclusion_match, rule_result.input_type, rule_result.key),
+                                         request_path)
+            exclusion_matched += 1 if match
+          end
+        end
+        return false if exclusion_matched.zero?
+
+        true
+      end
+
       # If an assess URL exclusion rule applies to the current url, *and* is defined as "All Rules"
       # then we can avoid any tracking for the request.
       #
       # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
       # @return [Boolean]
       def assess_excluded_by_url? request
-        request_path = request.path
-
         assess_url_exclusions_for_all_rules.any? do |exclusion_matcher|
-          path_match?(exclusion_matcher, request_path)
+          path_match?(exclusion_matcher, request.path)
         end
       end
 
@@ -74,7 +101,7 @@ module Contrast
         # any INPUT exclusions that apply to the current url and the supplied rule.
         path = request.path
         rule_input_exclusions = assess_input_exclusions.select do |exclusion_matcher|
-          (exclusion_matcher.protection_rules.empty? || exclusion_matcher.protection_rules.include?(rule)) &&
+          (exclusion_matcher.protect_rules.empty? || exclusion_matcher.protect_rules.include?(rule)) &&
               path_match?(exclusion_matcher, path)
         end
         return false if rule_input_exclusions.empty?
@@ -94,18 +121,35 @@ module Contrast
       # If a protect URL exclusion rule applies to the current url, *and* is defined as "All Rules"
       # then we can avoid using the rule for the request.
       #
-      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # @param rule_id [String]
+      # @param path [String]
       # return [Boolean]
-      def protect_excluded_by_url? request
-        request_path = request.path
+      def protect_excluded_by_url? rule_id, path
+        protect_url_exclusions.any? do |exclusion_matcher|
+          next unless exclusion_matcher.protection_rule?(rule_id)
 
-        protect_url_exclusions_for_all_rules.any? do |exclusion_matcher|
-          path_match?(exclusion_matcher, request_path)
+          return true if path_match?(exclusion_matcher, path)
         end
       end
 
       private
 
+      # Here we check to see the matching strategy. If ALL is set we need to exclude any input matching
+      # the exclusion. If ONLY is set, that means that we have a set if urls to match and apply the
+      # input exclusion only to those matching urls.
+      #
+      # @param exclusion_match [Contrast::Agent::ExclusionMatcher]
+      # @param input_match [Boolean] does the input match the exclusion
+      # @param request_path [String] Current request path
+      # @return [Boolean]
+      def input_match_strategy exclusion_match, input_match, request_path
+        # for ALL urls
+        return input_match if exclusion_match.match_all?
+
+        # for ONLY match we need to check if there is an input and url match.
+        input_match && path_match?(exclusion_match, request_path)
+      end
+
       # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_url_exclusions_for_all_rules
         @_assess_url_exclusions_for_all_rules ||= assess_url_exclusions.select do |exclusion_matcher|
@@ -116,7 +160,7 @@ module Contrast
       # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_url_exclusions
         @_assess_url_exclusions ||= assess_exclusions.select do |exclusion_matcher|
-          exclusion_matcher.type == :URL
+          exclusion_matcher.exclusion_type == :URL
         end
       end
 
@@ -130,7 +174,7 @@ module Contrast
       # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def assess_input_exclusions
         @_assess_input_exclusions ||= assess_exclusions.select do |exclusion_matcher|
-          exclusion_matcher.type == :INPUT
+          exclusion_matcher.exclusion_type == :INPUT
         end
       end
 
@@ -139,17 +183,10 @@ module Contrast
         @_assess_exclusions ||= @exclusions.select(&:assess)
       end
 
-      # @return [Array<Contrast::Agent::ExclusionMatcher>]
-      def protect_url_exclusions_for_all_rules
-        @_protect_url_exclusions_for_all_rules ||= protect_url_exclusions.select do |exclusion_matcher|
-          exclusion_matcher.protect_rules.empty?
-        end
-      end
-
       # @return [Array<Contrast::Agent::ExclusionMatcher>]
       def protect_url_exclusions
         @_protect_url_exclusions ||= protect_exclusions.select do |exclusion_matcher|
-          exclusion_matcher.type == :URL
+          exclusion_matcher.exclusion_type == :URL
         end
       end
 
@@ -158,9 +195,19 @@ module Contrast
         @_protect_exclusions ||= @exclusions.select(&:protect)
       end
 
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
+      def protect_input_exclusions
+        @_protect_input_exclusions ||= protect_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.exclusion_type == :INPUT
+        end
+      end
+
       # @return [Boolean]
       def path_match? exclusion_matcher, path
-        exclusion_matcher.wildcard_url || exclusion_matcher.urls.any? { |url| url.match?(path) }
+        return false unless path
+
+        exclusion_matcher.wildcard_url ||
+            exclusion_matcher.urls.any? { |url| url.match?(path) || regexp_match?(url, path) }
       end
 
       # @param exclusion [Contrast::Agent::ExclusionMatcher]
@@ -168,7 +215,7 @@ module Contrast
       # @param source_name [String]
       # @return [Boolean]
       def input_match? exclusion, source_type, source_name
-        case exclusion.input_type
+        case exclusion.type
         when 'PARAMETER'
           input_match_parameter?(exclusion, source_type, source_name)
         when 'COOKIE'
@@ -176,49 +223,84 @@ module Contrast
         when 'HEADER'
           input_match_header?(exclusion, source_type, source_name)
         when 'BODY'
-          Contrast::Agent::Assess::Policy::SourceMethod::BODY_TYPE == source_type
+          BODY == source_type
         when 'QUERYSTRING'
-          Contrast::Agent::Assess::Policy::SourceMethod::QUERYSTRING_TYPE == source_type
+          QUERYSTRING == source_type
         else
           false
         end
       end
 
+      # Returns true if parameter exclusion is found.
+      #
+      # @param exclusion [Contrast::Agent::ExclusionMatcher]
+      # @param source_type [Contrast::Agent::Reporting::InputType<Symbol>]
+      # @param source_name [String] value to match
+      # @return [Boolean]
       def input_match_parameter? exclusion, source_type, source_name
-        return false unless [
-          Contrast::Agent::Assess::Policy::SourceMethod::PARAMETER_TYPE,
-          Contrast::Agent::Assess::Policy::SourceMethod::PARAMETER_KEY_TYPE
-        ].include?(source_type)
+        return false unless params_types.include?(source_type)
 
-        exclusion.wildcard_input || (exclusion.input_name == source_name) || regexp_match?(exclusion.input_name,
-                                                                                           source_name)
+        input_value_match?(exclusion, source_name)
       end
 
+      # Returns true if cookie exclusion is found.
+      #
+      # @param exclusion [Contrast::Agent::ExclusionMatcher]
+      # @param source_type [Contrast::Agent::Reporting::InputType<Symbol>]
+      # @param source_name [String] value to match
+      # @return [Boolean]
       def input_match_cookie? exclusion, source_type, source_name
-        return false unless [
-          Contrast::Agent::Assess::Policy::SourceMethod::COOKIE_TYPE,
-          Contrast::Agent::Assess::Policy::SourceMethod::COOKIE_KEY_TYPE
-        ].include?(source_type)
+        return false unless cookie_types.include?(source_type)
 
-        exclusion.wildcard_input || exclusion.input_name == source_name || regexp_match?(exclusion.input_name,
-                                                                                         source_name)
+        input_value_match?(exclusion, source_name)
       end
 
+      # Returns true if header exclusion is found.
+      #
+      # @param exclusion [Contrast::Agent::ExclusionMatcher]
+      # @param source_type [Contrast::Agent::Reporting::InputType<Symbol>]
+      # @param source_name [String] value to match
+      # @return [Boolean]
       def input_match_header? exclusion, source_type, source_name
-        return false unless [
-          Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE,
-          Contrast::Agent::Assess::Policy::SourceMethod::HEADER_KEY_TYPE
-        ].include?(source_type)
+        return false unless source_type == HEADER
 
-        exclusion.wildcard_input || exclusion.input_name.casecmp(source_name).zero? || regexp_match?(
-            exclusion.input_name, source_name)
+        input_value_match?(exclusion, source_name, header: true)
       end
 
+      # regexp check for input name match
+      #
+      # @return [Boolean]
       def regexp_match? possible_pattern, source_name
-        Regexp.new("^#{ possible_pattern }$").match?(source_name)
+        Regexp.new("^#{ possible_pattern }$").match?(source_name) || Regexp.new(possible_pattern).match?(source_name)
       rescue RegexpError
         false
       end
+
+      # Returns true if ia input matches exclusion input name, or it's a all input type - wildcard [*, .*]
+      #
+      # @param exclusion [Contrast::Agent::ExclusionMatcher]
+      # @param source_name [String] value to match
+      # @param header [Boolean]
+      # @return [Boolean]
+      def input_value_match? exclusion, source_name, header: nil
+        exclusion.wildcard_input ||
+            (header.nil? ? (exclusion.name == source_name) : exclusion.name.casecmp(source_name).zero?) || # rubocop:disable Security/Module/Name
+            regexp_match?(exclusion.name, source_name) || exclusion.input_name == source_name # rubocop:disable Security/Module/Name
+      end
+
+      # Input types to match against exclusions parameter type.
+      #
+      # @return [Array<Symbol>]
+      def params_types
+        @_params_types ||= [PARAMETER_VALUE, PARAMETER_NAME].cs__freeze
+      end
+
+      # Input types to match against exclusions cookie type.
+      #
+      # @return [Array<Symbol>]
+      def cookie_types
+        @_cookie_types ||= [COOKIE_NAME, COOKIE_VALUE].cs__freeze
+      end
     end
   end
 end

data/lib/contrast/agent/exclusion_matcher.rb

@@ -1,9 +1,8 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/settings/exclusion_base'
-require 'contrast/agent/reporting/settings/code_exclusion'
 require 'contrast/agent/reporting/settings/input_exclusion'
 require 'contrast/agent/reporting/settings/url_exclusion'
 
@@ -14,12 +13,13 @@ module Contrast
     # functions of the Agent are suppressed for that request or event.
     class ExclusionMatcher
       include Contrast::Components::Logger::InstanceMethods
-
       extend Forwardable
 
-      attr_reader :protect, :assess, :type, :urls, :wildcard_url, :wildcard_input
+      attr_reader :protect, :assess, :exclusion_type, :wildcard_url, :wildcard_input
+
+      def_delegators :@exclusion, :protect_rules, :assess_rules, :type, :name, :input_name, :urls, :match_strategy
 
-      def_delegators :@exclusion, :protect_rules, :assess_rules, :input_type, :input_name
+      MATCH_ALL = 'ALL'.cs__freeze
 
       # Create a matcher around an exclusion sent from TeamServer.
       #
@@ -31,15 +31,12 @@ module Contrast
         @assess = @exclusion.assess
 
         case excl
-        when Contrast::Agent::Reporting::Settings::CodeExclusion
-          handle_wildcard_code
-          @type = :CODE
         when Contrast::Agent::Reporting::Settings::InputExclusion
           handle_wildcard_input
-          @type = :INPUT
+          @exclusion_type = :INPUT
         when Contrast::Agent::Reporting::Settings::UrlExclusion
           handle_wildcard_url
-          @type = :URL
+          @exclusion_type = :URL
         end
       end
 
@@ -48,10 +45,9 @@ module Contrast
       # regexp beyond this.
       # https://docs.contrastsecurity.com/admin-policymgmt.html#exclude
       def handle_wildcard_input
-        return unless @exclusion.input_name
+        return unless @exclusion.name # rubocop:disable Security/Module/Name
 
-        @wildcard_input = @exclusion.input_name == '.*' ||
-            @exclusion.input_name == Contrast::Utils::ObjectShare::ASTERISK
+        @wildcard_input = @exclusion.name == '.*' || @exclusion.name == Contrast::Utils::ObjectShare::ASTERISK # rubocop:disable Security/Module/Name
       end
 
       # According to the docs for exclusions, urls apply to all urls if the url
@@ -74,24 +70,6 @@ module Contrast
         end
       end
 
-      # According to the docs for exclusions, code applies to the entire stacktrace
-      # of the caller, and can act as a regexp. Per our user instructions in the
-      # Contrast UI, these comparisons must be done at the end of the input.
-      # https://docs.contrastsecurity.com/admin-policymgmt.html#exclude
-      def handle_wildcard_code
-        return unless @exclusion.denylist&.any?
-
-        @wildcard_exclusions = []
-        @exclusion.denylist.each do |code|
-          class_name, method_name = code.split(Contrast::Utils::ObjectShare::COLON)
-          class_pattern = build_regexp(class_name, start_anchor: false, end_anchor: true)
-          method_pattern = build_regexp(method_name)
-          next unless class_pattern && method_pattern
-
-          @wildcard_exclusions << [class_pattern, method_pattern]
-        end
-      end
-
       def build_regexp pattern, start_anchor: false, end_anchor: false
         pattern = Contrast::Utils::ObjectShare::CARROT + pattern if start_anchor
         pattern += Contrast::Utils::ObjectShare::DOLLAR_SIGN if end_anchor
@@ -108,12 +86,8 @@ module Contrast
         @assess
       end
 
-      def code?
-        @type == :CODE
-      end
-
       def match_all?
-        @exclusion.urls.nil? || @exclusion.urls.empty?
+        (@exclusion.urls.nil? || @exclusion.urls.empty?) && @exclusion.match_strategy == MATCH_ALL
       end
 
       # Determine if the given rule is excluded by this exclusion.
@@ -131,25 +105,7 @@ module Contrast
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def assess_rule? rule
-        assess? && (@exclusion.assessment_rules.empty? || @exclusion.assessment_rules.include?(rule))
-      end
-
-      def match_code? stack_trace
-        return false unless code?
-        return false if @wildcard_exclusions&.empty?
-
-        @wildcard_exclusions.each do |code|
-          class_name = code[0]
-          method_name = code[1]
-          stack_trace.each do |location|
-            next unless location.base_label.match?(method_name)
-            next unless location.path.match?(class_name)
-
-            return true
-          end
-        end
-
-        false
+        assess? && (@exclusion.assess_rules.empty? || @exclusion.assess_rules.include?(rule))
       end
     end
   end

data/lib/contrast/agent/inventory/database_config.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/reporting/reporting_events/architecture_component'

data/lib/contrast/agent/inventory/dependencies.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/inventory/dependency_analysis.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/reporting/reporting_events/library_discovery'

data/lib/contrast/agent/inventory/dependency_usage_analysis.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/reporting/reporting_events/library_usage_observation'

data/lib/contrast/agent/inventory/policy/datastores.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/logger'

data/lib/contrast/agent/inventory/policy/policy.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/inventory/policy/trigger_node'

data/lib/contrast/agent/inventory/policy/trigger_node.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/patching/policy/trigger_node'

data/lib/contrast/agent/inventory.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/middleware.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'ipaddr'
@@ -10,10 +10,10 @@ require 'contrast/utils/object_share'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/heap_dump_util'
-require 'contrast/utils/telemetry'
+require 'contrast/agent/telemetry'
 require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
-require 'contrast/agent/telemetry/events/startup_metrics_event'
+require 'contrast/agent/telemetry/startup_metrics_event'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
 require 'contrast/utils/middleware_utils'
 require 'contrast/utils/reporting/application_activity_batch_utils'
@@ -57,14 +57,29 @@ module Contrast
 
       # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready to do some
       # processing on a per request basis. If not, we just pass the request along to the next middleware in the stack.
+      # If Application Scope feature is enabled we execute the env call with that scope, enabling only analysis for
+      # the current application, and nothing outside that.
       #
       # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
       #   this Request
       # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back to the user up
       #   the Rack framework.
       def call env
+        return with_app_scope { call_routine(env) } if Contrast::RUBY_INTERFACE.start_with_application_scope?
+
+        call_routine(env)
+      end
+
+      private
+
+      # This is the call routine we do when we are hooked to the middleware stack.
+      #
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state and values of
+      #   this Request
+      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back to the user up
+      #   the Rack framework.
+      def call_routine env
         logger.trace_with_time('Elapsed time for Contrast::Agent::Middleware#call') do
-          ::Contrast::Agent::ThreadWatcher.check_before_start
           return app.call(env) unless ::Contrast::AGENT.enabled?
 
           Contrast::Agent.heapdump_util.start_thread!
@@ -73,8 +88,6 @@ module Contrast
         end
       end
 
-      private
-
       # Startup the Agent as part of the initialization process:
       # - start the TeamServer sending thread, responsible for sending and processing messages
       # - start the heartbeat thread, which handles periodic messages to TeamServer
@@ -175,10 +188,10 @@ module Contrast
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
           # All protect rules, which are trigger but require response to be reported
           Contrast::Agent::EXPLOITS.report_recorded_exploits(context) unless Contrast::Agent::EXPLOITS.collection.empty?
-          # Process Worth Watching Inputs for v2 rules
-          Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
           # Now we can build the ia_results only for postfilter rules.
           context.protect_postfilter_ia
+          # Process Worth Watching Inputs for v2 rules
+          Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
 
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity

data/lib/contrast/agent/module_data.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/patching/policy/after_load_patch.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/components/scope'

data/lib/contrast/agent/patching/policy/after_load_patcher.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/patching/policy/after_load_patch'

data/lib/contrast/agent/patching/policy/method_policy.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/patching/policy/method_policy_extend'

data/lib/contrast/agent/patching/policy/method_policy_extend.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/patching/policy/module_policy.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 require 'contrast/agent/patching/policy/method_policy'