contrast-agent 6.2.0 → 6.3.0

data/lib/contrast/agent/thread_watcher.rb

@@ -33,7 +33,7 @@ module Contrast
           @messaging_queue = Contrast::Api::Communication::MessagingQueue.new
         end
         @reporter = Contrast::Agent::Reporter.new
-        @reporter_heartbeat = Contrast::Agent::ReporterHeartbeat.new if Contrast::Agent::Reporter.enabled?
+        @reporter_heartbeat = Contrast::Agent::ReporterHeartbeat.new
         @telemetry = Contrast::Agent::Telemetry::Base.new if Contrast::Agent::Telemetry::Base.enabled?
       end
 
@@ -50,9 +50,6 @@ module Contrast
           @pids[Process.pid] = @pids[Process.pid] && telemetry_status
         end
         reporter_status = init_thread(reporter)
-
-        return @pids unless Contrast::Agent::Reporter.enabled?
-
         reporter_heartbeat_status = init_thread(reporter_heartbeat)
         @pids[Process.pid] = @pids[Process.pid] && reporter_status && reporter_heartbeat_status
         @pids

data/lib/contrast/agent/version.rb

@@ -3,6 +3,6 @@
 
 module Contrast
   module Agent
-    VERSION = '6.2.0'
+    VERSION = '6.3.0'
   end
 end

data/lib/contrast/api/communication/socket.rb

@@ -34,6 +34,7 @@ module Contrast
         end
 
         # Override this method to return a socket. Should be interface compatible with TCPSocket, UNIXSocket, etc.
+        # @raise[NoMethodError] abstract method, needs to be implemented
         def new_socket
           raise(NoMethodError, 'This is abstract, override it.')
         end

data/lib/contrast/api/decorators/message.rb

@@ -19,14 +19,10 @@ module Contrast
 
         def append_event event
           case event
-          when Contrast::Api::Dtm::ServerActivity
-            self.server_activity = event
           when Contrast::Api::Dtm::AgentStartup
             self.agent_startup = event
           when Contrast::Api::Dtm::ApplicationCreate
             self.application_create = event
-          when Contrast::Api::Dtm::ApplicationUpdate
-            self.application_update = event
           when Contrast::Api::Dtm::Activity
             self.activity = event
           when Contrast::Api::Dtm::HttpRequest
@@ -35,8 +31,6 @@ module Contrast
             self.postfilter = event
           when Contrast::Api::Dtm::Poll
             self.poll = event
-          when Contrast::Api::Dtm::ObservedRoute
-            self.observed_route = event
           else
             logger.error('Unknown event type received. Unsure how to send.', event_type: event.cs__class.cs__name)
             return

data/lib/contrast/api/decorators.rb

@@ -12,12 +12,10 @@ end
 require 'contrast/api/decorators/message'
 require 'contrast/api/decorators/agent_startup'
 require 'contrast/api/decorators/application_startup'
-require 'contrast/api/decorators/application_update'
 require 'contrast/api/decorators/architecture_component'
 require 'contrast/api/decorators/input_analysis'
 require 'contrast/api/decorators/application_settings'
 require 'contrast/api/decorators/server_features'
-require 'contrast/api/decorators/library'
 require 'contrast/api/decorators/route_coverage'
 require 'contrast/api/decorators/trace_event_object'
 require 'contrast/api/decorators/trace_event_signature'

data/lib/contrast/components/assess.rb

@@ -76,12 +76,6 @@ module Contrast
           @_scan_response
         end
 
-        def track_frozen_sources?
-          @_track_frozen_sources = !false?(::Contrast::CONFIG.root.agent.ruby.track_frozen_sources) if
-            @_track_frozen_sources.nil?
-          @_track_frozen_sources
-        end
-
         def require_scan?
           @_require_scan = !false?(::Contrast::CONFIG.root.agent.ruby.require_scan) if @_require_scan.nil?
           @_require_scan

data/lib/contrast/components/config.rb

@@ -27,7 +27,7 @@ module Contrast
       CONTRAST_LOG = 'contrast_agent.log'
       CONTRAST_NAME = 'Contrast Agent'
 
-      class Interface # :nodoc:
+      class Interface # :nodoc: # rubocop:disable Metrics/ClassLength
         SESSION_VARIABLES = 'Invalid configuration. '\
                             "Setting both application.session_id and application.session_metadata is not allowed.\n"
         API_URL = "Invalid configuration. Missing a required connection value 'url' is not set."
@@ -57,6 +57,8 @@ module Contrast
           @config = Contrast::Configuration.new
           env_overrides
           validate
+        rescue ArgumentError => e
+          proto_logger.error('Configuration failed with error: ', e)
         end
         alias_method :rebuild, :build
 
@@ -136,7 +138,7 @@ module Contrast
             next unless env_key.to_s.start_with?(CONTRAST_ENV_MARKER)
 
             config_item = Contrast::Utils::EnvConfigurationItem.new(env_key, env_value)
-            @config.assign_value_to_path_array(config_item.dot_path_array, config_item.value)
+            assign_value_to_path_array(root, config_item.dot_path_array, config_item.value)
           end
         end
 
@@ -193,6 +195,20 @@ module Contrast
         def logger_path
           root.agent.logger.path
         end
+
+        # Assign the value from an ENV variable to the Contrast::Config::RootConfiguration object, when
+        # appropriate.
+        #
+        # @return nil
+        def assign_value_to_path_array current_level, dot_path_array, value
+          dot_path_array[0...-1].each do |segment|
+            segment = segment.tr('-', '_')
+            current_level = current_level.send(segment) if current_level.cs__respond_to?(segment)
+          end
+          return unless current_level.nil? == false && current_level.cs__respond_to?(dot_path_array[-1])
+
+          current_level.send("#{ dot_path_array[-1] }=", value)
+        end
       end
     end
   end

data/lib/contrast/config/base_configuration.rb

@@ -20,19 +20,6 @@ module Contrast
         end
         hsh
       end
-
-      def assign_value_to_path_array dot_path_array, value
-        current_level = self
-        dot_path_array[0...-1].each do |segment|
-          segment = segment.tr('-', '_')
-          current_level = current_level.send(segment) if current_level.cs__respond_to?(segment)
-        end
-        last_entry = dot_path_array[-1]
-        if current_level.nil? == false && current_level.cs__respond_to?(last_entry)
-          current_level.send("#{ last_entry }=", value)
-        end
-        nil
-      end
     end
   end
 end

data/lib/contrast/config/root_configuration.rb

@@ -26,6 +26,7 @@ module Contrast
       # @return [Boolean, nil]
       attr_accessor :enable
 
+      # @raise[ArgumentError]
       def initialize hsh = {}
         raise(ArgumentError, 'Expected a hash') unless hsh.is_a?(Hash)
 

data/lib/contrast/config/ruby_configuration.rb

@@ -21,7 +21,7 @@ module Contrast
       DEFAULT_UNINSTRUMENTED_NAMESPACES = %w[FactoryGirl FactoryBot].cs__freeze
 
       attr_writer :disabled_agent_rake_tasks, :exceptions, :interpolate, :propagate_yield, :require_scan,
-                  :track_frozen_sources, :non_request_tracking, :uninstrument_namespace
+                  :non_request_tracking, :uninstrument_namespace
 
       def initialize hsh = {}
         return unless hsh
@@ -31,7 +31,6 @@ module Contrast
         @interpolate = hsh[:interpolate]
         @propagate_yield = hsh[:propagate_yield]
         @require_scan = hsh[:require_scan]
-        @track_frozen_sources = hsh[:track_frozen_sources]
         @non_request_tracking = hsh[:non_request_tracking]
         @uninstrument_namespace = hsh[:uninstrument_namespace]
       end
@@ -67,16 +66,10 @@ module Contrast
         @require_scan.nil? ?  Contrast::Utils::ObjectShare::TRUE  : @require_scan
       end
 
-      # controls whether or not we track frozen Strings by replacing them
-      # @return [Boolean, Contrast::Utils::ObjectShare::TRUE]
-      def track_frozen_sources
-        @track_frozen_sources.nil? ?  Contrast::Utils::ObjectShare::TRUE : @track_frozen_sources
-      end
-
       # controls tracking outside of request
       # @return [Boolean, Contrast::Utils::ObjectShare::FALSE]
       def non_request_tracking
-        @non_request_tracking.nil? ?  Contrast::Utils::ObjectShare::FALSE : @non_request_tracking
+        @non_request_tracking.nil? ? Contrast::Utils::ObjectShare::FALSE : @non_request_tracking
       end
 
       # @return [Array, DEFAULT_UNINSTRUMENTED_NAMESPACES]

data/lib/contrast/configuration.rb

@@ -18,8 +18,6 @@ module Contrast
     include Contrast::Components::Scope::InstanceMethods
     extend Contrast::Components::Scope::InstanceMethods
 
-    def_delegator :root, :assign_value_to_path_array
-
     attr_reader :default_name, :root
 
     DEFAULT_YAML_PATH  = 'contrast_security.yaml'

data/lib/contrast/extension/assess/eval_trigger.rb

@@ -25,10 +25,6 @@ module Contrast
           def apply_trigger obj, source, ret, clazz, method
             return unless ::Contrast::ASSESS.non_request_tracking? || Contrast::Agent::REQUEST_TRACKER.current
 
-            # Since we know this is the source of the trigger, we can do some
-            # optimization here and return when it is not tracked
-            return unless Contrast::Utils::Assess::TrackingUtil.tracked?(source)
-
             # source might not be all the args passed in, but it is the one we care
             # about. we could pass in all the args in the last param here if it
             # becomes an issue in rendering on TS

data/lib/contrast/extension/assess/hash.rb

@@ -15,11 +15,12 @@ module Contrast
         class << self
           def cs__duplicate_and_freeze object
             return object unless object.is_a?(String) && !object.cs__frozen?
-            return object unless Contrast::Agent::Assess::Tracker.tracked?(object)
 
             # Copy the object, then freeze it, so that it looks the same
             # externally, but will have our finalizer on it.
-            object.dup&.cs__freeze
+            copy = object.dup
+            Contrast::Agent::Assess::Tracker.pre_freeze(copy)
+            copy&.cs__freeze
           rescue StandardError
             # we'll rescue this error, but we can't log it here as that will
             # result in a seg fault

data/lib/contrast/extension/assess/kernel.rb

@@ -4,6 +4,7 @@
 require 'contrast/extension/assess/exec_trigger'
 require 'contrast/components/logger'
 require 'contrast/agent/assess/events/event_data'
+require 'contrast/agent/patching/policy/patch'
 
 module Contrast
   module Extension
@@ -97,6 +98,27 @@ module Contrast
           end
         end
       end
+
+      # Used for Kernel exec aliasing since we have no other way of accessing the
+      # Kernel#exec under C if we alias it there.
+      module ContrastKernel
+        # Method to replace the call to Kernel#exec when applying alias patch.
+        # It will invoke  Contrast::Extension::Assess::KernelPropagator before
+        # calling the original method.
+        #
+        # @param source [String, Proc] Potentially untrusted shell command to execute.
+        # @return nil - This method will invoke the Kernel#exec which will
+        def cs__kernel_exec source
+          # Check if in contrast scope and we have source.
+          unless Contrast::Agent::Patching::Policy::Patch.in_contrast_scope? || source.nil?
+            Contrast::Agent::Patching::Policy::Patch.with_contrast_scope do
+              Contrast::Extension::Assess::KernelPropagator.apply_trigger(source)
+            end
+          end
+          # Call this in the end else any code bellow this call won't be executed.
+          Kernel.exec(source)
+        end
+      end
     end
   end
 end

data/lib/contrast/extension/assess/marshal.rb

@@ -58,6 +58,22 @@ module Contrast
           end
         end
       end
+
+      # Used for aliasing
+      module ContrastMarshal
+        def cs__marshal_load source
+          # Do the protect
+          Contrast::Extension::Assess::MarshalPropagator.cs__load_protect(source) if source
+          # call the original
+          result = Marshal.load(source) # rubocop:disable Security/MarshalLoad
+          # Do the assess
+          tracked = Contrast::Agent::Assess::Tracker::PROPERTIES_HASH.tracked?(source) if source
+          skip = Contrast::Agent::Patching::Policy::Patch.skip_assess_analysis? if tracked
+          Contrast::Extension::Assess::MarshalPropagator.cs__load_assess(source, result) if skip
+          # return original
+          result
+        end
+      end
     end
   end
 end

data/lib/contrast/extension/assess/string.rb

@@ -31,31 +31,32 @@ module Contrast
         INTERPOLATION_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(NODE_HASH)
 
         class << self
+          # We call this method from C, and the Scope check is happening there. If we are in
+          # Contrast Scope the method won't be invoked.
+          #
+          # @param inputs [Array<String>] Inputs for interpolation.
+          # @param result [String] The result from the interpolation.
           def track_interpolation inputs, result
             return unless ::Contrast::AGENT.interpolation_enabled?
-            return if in_contrast_scope?
             return unless inputs.any? { |input| Contrast::Agent::Assess::Tracker.tracked?(input) }
+            return unless (properties = Contrast::Agent::Assess::Tracker.properties!(result))
 
-            with_contrast_scope do
-              return unless (properties = Contrast::Agent::Assess::Tracker.properties!(result))
-
-              parent_events = []
-              offset = 0
-              inputs.each do |input|
-                properties.copy_from(input, result, offset)
-                add_dynamic_sources_info(input, result)
-                offset += input.length
-                parent_event = Contrast::Agent::Assess::Tracker.properties(input)&.event
-                parent_events << parent_event if parent_event
-              end
-              event_data = Contrast::Agent::Assess::Events::EventData.new(INTERPOLATION_NODE,
-                                                                          result,
-                                                                          inputs,
-                                                                          result,
-                                                                          inputs)
-              properties.build_event(event_data)
-              properties.event.instance_variable_set(:@_parent_events, parent_events)
+            parent_events = []
+            offset = 0
+            inputs.each do |input|
+              properties.copy_from(input, result, offset)
+              add_dynamic_sources_info(input, result)
+              offset += input.length
+              parent_event = Contrast::Agent::Assess::Tracker.properties(input)&.event
+              parent_events << parent_event if parent_event
             end
+            event_data = Contrast::Agent::Assess::Events::EventData.new(INTERPOLATION_NODE,
+                                                                        result,
+                                                                        inputs,
+                                                                        result,
+                                                                        inputs)
+            properties.build_event(event_data)
+            properties.event.instance_variable_set(:@_parent_events, parent_events)
           rescue StandardError => e
             logger.error('Unable to track interpolation', e)
           end

data/lib/contrast/framework/base_support.rb

@@ -8,18 +8,22 @@ module Contrast
     # The API for all subclasses to implement to correctly support a given framework
     module BaseSupport
       # The top level module name used by the framework
+      # @raise [NoMethodError] raises error if subclass does not implement this method
       def detection_class
         raise(NoMethodError('Subclasses of BaseSupport should implement this method'))
       end
 
+      # @raise [NoMethodError] raises error if subclass does not implement this method
       def version
         raise(NoMethodError('Subclasses of BaseSupport should implement this method'))
       end
 
+      # @raise [NoMethodError] raises error if subclass does not implement this method
       def application_name
         raise(NoMethodError, 'Subclasses of BaseSupport should implement this method')
       end
 
+      # @raise [NoMethodError] raises error if subclass does not implement this method
       def server_type
         raise(NoMethodError, 'Subclasses of BaseSupport should implement this method')
       end
@@ -27,18 +31,22 @@ module Contrast
       # Find all the predefined routes for this application
       #
       # @return [Array<Contrast::Agent::Reporting::DiscoveredRoute>]
+      # @raise [NoMethodError] raises error if subclass does not implement this method
       def collect_routes
         raise(NoMethodError, 'Subclasses of BaseSupport should implement this method')
       end
 
+      # @raise [NoMethodError] raises error if subclass does not implement this method
       def current_route_coverage
         raise(NoMethodError, 'Subclasses of BaseSupport should implement this method')
       end
 
+      # @raise [NoMethodError] raises error if subclass does not implement this method
       def current_route
         raise(NoMethodError, 'Subclasses of BaseSupport should implement this method')
       end
 
+      # @raise [NoMethodError] raises error if subclass does not implement this method
       def retrieve_request _env
         raise(NoMethodError, 'Subclasses of BaseSupport should implement this method')
       end

data/lib/contrast/framework/manager.rb

@@ -7,7 +7,6 @@ require 'contrast/components/logger'
 require 'contrast/extension/module'
 require 'contrast/framework/grape/support'
 require 'contrast/framework/manager_extend'
-require 'contrast/framework/platform_version'
 require 'contrast/framework/rack/support'
 require 'contrast/framework/rails/support'
 require 'contrast/framework/sinatra/support'
@@ -64,16 +63,6 @@ module Contrast
         routes_for_all_frameworks
       end
 
-      def platform_version
-        framework_version = first_framework_result(:version, '')
-
-        Contrast::Framework::PlatformVersion.from_string(framework_version)
-      end
-
-      def platform_version_string
-        first_framework_result(:version, '')
-      end
-
       def server_type
         first_framework_result(:server_type, 'rack')
       end
@@ -157,16 +146,13 @@ module Contrast
           next unless module_name == framework.detection_class
 
           @_frameworks << framework
-          # Report the registered routes of that framework now that we know we need to find them
-          # TODO: RUBY-1438 -- remove and build ReportingEvent directly
-          app_update_msg = Contrast::Api::Dtm::ApplicationUpdate.build
-          if Contrast::Agent.reporter
-            report = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(app_update_msg)
-            Contrast::Agent.reporter.send_event(report)
-          else
-            Contrast::Agent.messaging_queue.send_event_eventually(app_update_msg)
+          report = Contrast::Agent::Reporting::ApplicationUpdate.new
+          # This convert here is left as it'll be easier to be replaced when the Library is being changed
+          report.libraries = Contrast::Agent::Inventory::DependencyAnalysis.instance.library_pb_list
+          [report, Contrast::Agent::Reporting::ApplicationInventory.new].each do |e|
+            Contrast::Agent.reporter.send_event(e)
           end
-          Contrast::Agent.reporter.send_event(Contrast::Agent::Reporting::ApplicationInventory.new)
+
           logger.info('Framework detected after initialization. Enabling support.',
                       framework: framework.detection_class,
                       frameworks: @_frameworks)

data/lib/contrast/framework/manager_extend.rb

@@ -3,7 +3,6 @@
 
 require 'contrast/components/logger'
 require 'contrast/extension/module'
-require 'contrast/framework/platform_version'
 require 'contrast/framework/rack/support'
 require 'contrast/framework/rails/support'
 require 'contrast/framework/grape/support'

data/lib/contrast/framework/rails/patch/action_controller_live_buffer.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/inventory/dependency_usage_analysis'
+
 module Contrast
   module Framework
     module Rails
@@ -9,27 +11,20 @@ module Contrast
         # event on streamed responses.
         module ActionControllerLiveBuffer
           class << self
-            # TODO: RUBY-1353
-            # TODO: RUBY-1355
-            # TODO: RUBY-1357
-            # TODO: RUBY-1357
             def send_messages
               return unless (context = Contrast::Agent::REQUEST_TRACKER.current)
 
+              [
+                context.observed_route
+              ].each do |event|
+                Contrast::Agent.reporter&.send_event_immediately(event)
+              end
+
               if Contrast::Agent::Reporter.enabled?
-                [
-                  context.new_observed_route,
-                  context.observed_library_usage,
-                  Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.server_activity),
-                  Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
-                ].each do |event|
-                  Contrast::Agent.reporter&.send_event_immediately(event)
-                end
+                event = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
+                Contrast::Agent.reporter&.send_event_immediately(event)
               else
-                Contrast::Agent.reporter.send_event_immediately(context.observed_library_usage)
-                [context.server_activity, context.activity, context.observed_route].each do |msg|
-                  Contrast::Agent.messaging_queue&.send_event_immediately(msg)
-                end
+                Contrast::Agent.messaging_queue&.send_event_immediately(context.activity)
               end
             end
 

data/lib/contrast/logger/aliased_logging.rb

@@ -88,6 +88,8 @@ module Contrast
                end
         message = Contrast::Agent::Telemetry::TelemetryException::Message.build(tags, [message_exception])
         Contrast::Agent::Telemetry::TelemetryException::Event.new(message)
+      rescue ArgumentError => e
+        debug('TelemetryException failed from aliased logging with: ', e)
       end
 
       def get_stack_trace type

data/lib/contrast/utils/assess/source_method_utils.rb

@@ -7,15 +7,6 @@ module Contrast
       # This module will include all methods for some internal validations in the SourceMethod module
       # and some other module methods from the same place, so we can ease the main module
       module SourceMethodUtils
-        # Safely duplicate the target, or return nil
-        #
-        # @param target [Object] the thing to check for duplication
-        def safe_dup target
-          target.dup
-        rescue StandardError => _e
-          nil
-        end
-
         # Find the name of the source
         #
         # @param source_node [Contrast::Agent::Assess::Policy::SourceNode] the node to direct applying this source

data/lib/contrast/utils/lru_cache.rb

@@ -5,6 +5,9 @@ module Contrast
   module Utils
     # A LRU(Least Recently Used) Cache store.
     class LRUCache
+      # Initializes new Least Recently Used Cache Store
+      #
+      # @raise [StandardError] raises error if provided capacity is invalid or less or equal to zero
       def initialize capacity = 500
         raise(StandardError('Capacity must be bigger than 0')) if capacity <= 0
 

data/lib/contrast/utils/middleware_utils.rb

@@ -34,6 +34,7 @@ module Contrast
       SECURITY_EXCEPTION_MARKER = 'Contrast::SecurityException'
       # We're only going to suppress SecurityExceptions indicating a blocked attack. And, only if the
       # config.agent.ruby.exceptions.capture? is set
+      # @raise [Contrast::SecurityException] if exceptions.capture? is allowed
       def handle_exception exception
         if security_exception?(exception)
           exception_control = ::Contrast::AGENT.exception_control
@@ -74,6 +75,7 @@ module Contrast
         true
       end
 
+      # @raise [Contrast::SecurityException] raises error to prevent an attack
       def application_code env
         logger.trace_with_time('application') do
           app.call(env)

data/lib/contrast/utils/telemetry_client.rb

@@ -34,8 +34,8 @@ module Contrast
       def build_request event
         return unless valid_event?(event)
 
-        string_body = if Array(event).all?(Contrast::Agent::Telemetry::TelemetryException::Event)
-                        event.map(&:to_controlled_hash).flatten!
+        string_body = if event.cs__is_a?(Contrast::Agent::Telemetry::TelemetryException::Event)
+                        [event.to_controlled_hash]
                       else
                         [event.to_hash]
                       end
@@ -73,14 +73,14 @@ module Contrast
         ready_after if status_code == 429
       end
 
-      # This method will be responsible for validating the event
-      # @param event[Contrast::Agent::Telemetry::Event,Contrast::Agent::Telemetry::StartupMetricsEvent,
-      # array<Contrast::Agent::Telemetry::TelemetryException::Event>]
+      # This method will be responsible for validating the event. Valid if event is of a known
+      # Contrast::Agent::Telemetry type
+      #
+      # @param event [Object]
       def valid_event? event
         return true if event.cs__is_a?(Contrast::Agent::Telemetry::Event)
         return true if event.cs__is_a?(Contrast::Agent::Telemetry::StartupMetricsEvent)
-        # Batch
-        return true if Array(event).all?(Contrast::Agent::Telemetry::TelemetryException::Event)
+        return true if event.cs__is_a?(Contrast::Agent::Telemetry::TelemetryException::Event)
 
         false
       end

data/resources/assess/policy.json

@@ -1092,17 +1092,8 @@
       "patch_method": "sprintf_tagger",
       "source": "O,P1",
       "target": "R"
-    }, {
-      "class_name":"ActiveRecord::ConnectionAdapters::Quoting",
-      "instance_method": true,
-      "method_visibility": "public",
-      "method_name":"quote",
-      "source": "P0",
-      "target": "R",
-      "action": "SPLAT",
-      "tags":["SQL_ENCODED"],
-      "untags":["SQL_DECODED"]
-    }, {
+    },
+    {
       "class_name":"ActiveRecord::ConnectionAdapters::Quoting",
       "instance_method": true,
       "method_visibility": "public",

data/ruby-agent.gemspec

@@ -113,7 +113,7 @@ end
 # dependencies.csv in this directory to indicate that and create a
 # corresponding update to the fake gem server data in TeamServer.
 def self.add_dependencies spec
-  spec.add_dependency 'ougai', '~> 1.8'
+  spec.add_dependency 'ougai', '>= 1.8', '< 3.0.0'
   spec.add_dependency 'protobuf', '~> 3.10'
   spec.add_dependency 'rack', '~> 2.0'
 end