contrast-agent 6.2.0 → 6.5.0

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -47,10 +47,14 @@ module Contrast
           # Scope of the method parsed from our JSON policy.
           attr_reader :method_scope
 
+          # @raise [NoMethodError] This is being raised if any of the implementing subclasses does not have
+          #     that method implemented, but is being called on.
           def node_class
             raise(NoMethodError, 'specify the type of the feature for which this node patches')
           end
 
+          # @raise [NoMethodError] This is being raised if any of the implementing subclasses does not have
+          #     that method implemented, but is being called on.
           def feature
             raise(NoMethodError, 'specify the name of the feature for which this node patches')
           end
@@ -62,6 +66,8 @@ module Contrast
           # Don't let nodes be created that will be missing things we need
           # later on. Really, if they don't have these things, they couldn't have
           # done their jobs anyway.
+          #
+          # @raise [ArgumentError] Validates if the created nodes have everything that we'll need now or later on.
           def validate
             unless class_name
               raise(ArgumentError, "#{ node_class } #{ id } did not have a proper class name. Unable to create.")

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -41,6 +41,7 @@ module Contrast
             NODE
           end
 
+          # @raise [ArgumentError] Validates if the created nodes have everything that we'll need now or later on.
           def validate
             super
             unless applicator.public_methods(false).any?(applicator_method)
@@ -52,6 +53,7 @@ module Contrast
             validate_rule
           end
 
+          # @raise [ArgumentError] Validates if the created nodes have everything that we'll need now or later on.
           def validate_properties
             if (required_properties & optional_properties).any?
               raise(ArgumentError,
@@ -66,6 +68,7 @@ module Contrast
             raise(ArgumentError, "#{ id } did not have a required property. Unable to create.")
           end
 
+          # @raise [ArgumentError] Validates if the created nodes have everything that we'll need now or later on.
           def validate_rule
             raise(ArgumentError, 'Unknown rule did not have a proper name. Unable to create.') unless rule_id
             raise(ArgumentError, "#{ id } did not have a proper applicator. Unable to create.") unless applicator

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb

@@ -31,13 +31,12 @@ module Contrast
             #   was invoked
             # @param args [Array<Object>] the arguments passed to the triggering
             #   method at invocation
-            # @raise [Contrast::SecurityException] on block, will pass the
-            #   exception from the rule
             def invoke _method, _exception, _properties, _object, args
               return unless valid_input?(args)
               return if skip_analysis?
 
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, args[0])
+              # add rescue here
             end
 
             # Calls the actual rule for this applicator, if required, when the
@@ -46,13 +45,12 @@ module Contrast
             #
             # @param arg [Object] the argument passed to the triggering method
             #   at invocation
-            # @raise [Contrast::SecurityException] on block, will pass the
-            #   exception from the rule
             def prepended_invoke arg
               return unless arg&.cs__is_a?(String)
               return if skip_analysis?
 
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, arg)
+              # add rescue here
             end
 
             # Allow the rule to check if the given input is an attempt to
@@ -67,6 +65,7 @@ module Contrast
               return if skip_analysis?
 
               rule.check_command_scope(command)
+              # add rescue here
             end
 
             protected

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -64,6 +64,7 @@ module Contrast
               write_marker && possible_write?(write_marker)
             end
 
+            # @raise [Contrast::SecurityException] re-raises if some attack is blocked and raised from the infilter
             def path_traversal_rule path, possible_write, object, method
               return unless applies_to?(path, possible_write: possible_write)
 

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -61,8 +61,7 @@ module Contrast
           #   was invoked
           # @param _args [Array<Object>] the arguments passed to the triggering
           #   method at invocation
-          # @raise [Contrast::SecurityException] on block, will pass the
-          #   exception from the rule
+          # @raise [NoMethodError] This is abstract method
           def invoke _method, _exception, _properties, _object, _args
             raise(NoMethodError, 'This is abstract, override it.')
           end
@@ -70,6 +69,7 @@ module Contrast
           # The name of the rule, as expected by the Contrast Service and Contrast UI.
           #
           # @return [String]
+          # @raise [NoMethodError] This is abstract method
           def rule_name
             raise(NoMethodError, 'This is abstract, override it.')
           end

data/lib/contrast/agent/protect/rule/base.rb

@@ -230,6 +230,7 @@ module Contrast
           #   the rule and matched the attack detection logic
           # @param _kwargs [Hash] key-value pairs used by the rule to build a
           #   report.
+          # @raise[NoMethodError] raises if subclass did not implement this method on extend
           def find_attacker _context, _potential_attack_string, **_kwargs
             raise(NoMethodError, "Rule #{ rule_name } did not implement find_attack")
           end

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -40,6 +40,8 @@ module Contrast
             BLOCK_MESSAGE
           end
 
+          # @raise [Contrast::SecurityException] if the attack is blocked
+          #   raised with BLOCK_MESSAGE
           def infilter context, database, query_string
             return unless infilter?(context)
 

data/lib/contrast/agent/reporting/reporter.rb

@@ -38,14 +38,12 @@ module Contrast
         @_thread = Contrast::Agent::Thread.new do
           logger.debug('Starting background Reporter thread.')
           loop do
-            # TODO: RUBY-99999
-            # The client and connection are being used in multiple threads/ concurrently, and that's not okay. We need
-            # to figure out why that is and lock it so that it isn't.
-            next unless client && connection
+            next unless connected?
+            next unless app_create_complete?
 
             process_event(queue.pop)
           rescue StandardError => e
-            logger.debug('Reporter thread could not process because of:', error: e)
+            logger.debug('Reporter thread could not process because of:', e)
           end
         end
       end
@@ -71,7 +69,6 @@ module Contrast
         end
         return unless event
 
-        logger.debug('Enqueued event for sending', event_type: event.cs__class)
         queue << event
       end
 
@@ -84,7 +81,9 @@ module Contrast
           logger.warn('Reporter attempted to send event immediately with Agent disabled', caller: caller, event: event)
           return
         end
-        client.send_event(event, connection, send_immediately: true)
+        return unless event
+
+        client.send_event(event, connection)
       rescue StandardError => e
         logger.error('Could not send message to TeamServer from Reporter queue.', e)
       end
@@ -108,6 +107,32 @@ module Contrast
         @_queue ||= Queue.new
       end
 
+      # TODO: RUBY-99999
+      # The client and connection are being used in multiple threads/ concurrently, and that's not okay. We need
+      # to figure out why that is and lock it so that it isn't.
+      #
+      # @return [Boolean]
+      def connected?
+        return true if client && connection
+
+        logger.debug('No client/connection; sleeping', client: client, connection: connection)
+        sleep(5)
+        false
+      end
+
+      # Unless we're in bypass mode, we need to make sure the service has started and built the application on
+      # TeamServer since we're doing a split style here.
+      #
+      # @return [Boolean]
+      def app_create_complete?
+        return true if Contrast::CONTRAST_SERVICE.use_agent_communication?
+        return true if Contrast::Agent.messaging_queue&.speedracer&.status&.startup_messages_sent?
+
+        logger.debug('Service startup incomplete; Application may not be created; sleeping')
+        sleep(5)
+        false
+      end
+
       # @param event [Contrast::Agent::Reporting::ReportingEvent]
       def process_event event
         client.send_event(event, connection)

data/lib/contrast/agent/reporting/reporter_heartbeat.rb

@@ -3,47 +3,51 @@
 
 require 'contrast/agent/worker_thread'
 require 'contrast/agent/reporting/report'
-require 'contrast/components/logger'
-require 'contrast/agent/reporting/reporting_events/agent_startup'
+require 'contrast/agent/inventory/dependency_usage_analysis'
+require 'contrast/agent/reporting/reporting_events/poll'
+require 'contrast/agent/reporting/reporting_events/server_activity'
 
 module Contrast
   module Agent
     # The ReporterHeartbeat will make sure that the process remains marked alive by TeamServer and that we periodically
-    # reach out to get the latest settings for this application.
+    # reach out to get the latest settings for this application. It also sends out those messages which do not need to
+    # be associated directly with a request, such as Server Activity and Library Observation.
     class ReporterHeartbeat < WorkerThread
-      include Contrast::Components::Logger::InstanceMethods
-
       # TeamServer will mark an application offline after 5 minutes. Sending this every one should be more than enough
       # to satisfy our goals.
       REFRESH_INTERVAL_SEC = 60
 
-      # check if we can report to TS
-      #
-      # @return[Boolean] true if bypass is enabled, or false if bypass disabled
-      def enabled?
-        @_enabled = Contrast::CONTRAST_SERVICE.use_agent_communication? if @_enabled.nil?
-        @_enabled
-      end
-
-      def connection
-        @_connection ||= client.initialize_connection
-      end
-
       def start_thread!
         return if running?
 
         @_thread = Contrast::Agent::Thread.new do
           logger.info('Starting heartbeat thread.')
           loop do
-            Contrast::Agent.reporter&.send_event(poll_message)
+            polling_events.each do |event|
+              Contrast::Agent.reporter&.send_event(event)
+            end
+            clean_properties
             sleep(REFRESH_INTERVAL_SEC)
           end
         end
       end
 
+      private
+
       def poll_message
         @_poll_message ||= Contrast::Agent::Reporting::Poll.new
       end
+
+      # Those events which should be sent periodically, rather than on event or request.
+      #
+      # @return [Array<Contrast::Agent::Reporting::ReportingEvent>]
+      def polling_events
+        [
+          Contrast::Agent::Inventory::DependencyUsageAnalysis.instance.generate_library_usage,
+          Contrast::Agent::Reporting::ServerActivity.new,
+          poll_message
+        ].compact
+      end
     end
   end
 end

data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb

@@ -56,35 +56,31 @@ module Contrast
         # @param attacker_activity [Contrast::Agent::Reporting::ApplicationDefendAttackerActivity]
         # @param rule [String]
         def attach_existing existing_attacker_activity, attacker_activity, rule
-          # TODO: RUBY-1663 figure out attack time mapping
           new_violation = attacker_activity.protection_rules[rule]
+          sample_activity = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity
           if (previously_violated = existing_attacker_activity.protection_rules[rule])
-            if (new_blocked = new_violation.blocked&.samples)
-              unless previously_violated.blocked
-                previously_violated.blocked = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.new
-              end
-              previously_violated.blocked.samples.concat(new_blocked)
+            if (new_blocked = new_violation.blocked)
+              previously_violated.blocked ||= sample_activity.new
+              previously_violated.blocked.samples.concat(new_blocked.samples) if new_blocked.samples
+              previously_violated.blocked.merge_time_maps(new_blocked.time_map)
             end
 
-            if (new_exploited = new_violation.exploited&.samples)
-              unless previously_violated.exploited
-                previously_violated.exploited = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.new
-              end
-              previously_violated.exploited.samples.concat(new_exploited)
+            if (new_exploited = new_violation.exploited)
+              previously_violated.exploited ||= sample_activity.new
+              previously_violated.exploited.samples.concat(new_exploited.samples) if new_exploited.samples
+              previously_violated.exploited.merge_time_maps(new_exploited.time_map)
             end
 
-            if (new_ineffective = new_violation.ineffective&.samples)
-              unless previously_violated.ineffective
-                previously_violated.ineffective = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.new
-              end
-              previously_violated.ineffective.samples.concat(new_ineffective)
+            if (new_ineffective = new_violation.ineffective)
+              previously_violated.ineffective ||= sample_activity.new
+              previously_violated.ineffective.samples.concat(new_ineffective.samples) if new_ineffective.samples
+              previously_violated.ineffective.merge_time_maps(new_ineffective.time_map)
             end
 
-            if (new_suspicious = new_violation.suspicious&.samples)
-              unless previously_violated.suspicious
-                previously_violated.suspicious = Contrast::Agent::Reporting::ApplicationDefendAttackSampleActivity.new
-              end
-              previously_violated.suspicious.samples.concat(new_suspicious)
+            if (new_suspicious = new_violation.suspicious)
+              previously_violated.suspicious ||= sample_activity.new
+              previously_violated.suspicious.samples.concat(new_suspicious.samples) if new_suspicious.samples
+              previously_violated.suspicious.merge_time_maps(new_suspicious.time_map)
             end
           else
             existing_attacker_activity.protection_rules[rule] = new_violation

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample.rb

@@ -16,7 +16,7 @@ module Contrast
       class ApplicationDefendAttackSample
         include Contrast::Agent::Reporting::InputType
 
-        # @return [Hash]
+        # @return [Hash] => start: ms, elapsed: ms
         attr_reader :time_stamp
 
         class << self

data/lib/contrast/agent/reporting/reporting_events/application_defend_attack_sample_activity.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/utils/timer'
 require 'contrast/agent/reporting/reporting_events/application_defend_attack_sample'
 
 module Contrast
@@ -26,7 +27,7 @@ module Contrast
 
         def initialize
           @samples = []
-          @start_time = (Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0) / 1000
+          @start_time = Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0 # in ms
           @event_type = :application_defend_attack_sample_activity
           @time_map = Hash.new { |h, k| h[k] = 0 }
           super
@@ -36,7 +37,7 @@ module Contrast
           {
               attackTimeMap: time_map,
               samples: samples.map(&:to_controlled_hash),
-              startTime: @start_time,
+              startTime: @start_time, # Start time in ms.
               total: 1 # there will only ever be 1 attack sample, until batching is done
           }
         end
@@ -44,12 +45,34 @@ module Contrast
         # @param attack_result [Contrast::Api::Dtm::AttackResult]
         def attach_data attack_result
           attack_result.samples.each do |attack_sample|
+            base_time = Contrast::Agent::REQUEST_TRACKER.current&.timer&.start_ms || 0
+            dmt_time = attack_sample.timestamp_ms.to_i
             converted = Contrast::Agent::Reporting::ApplicationDefendAttackSample.convert(attack_result, attack_sample)
             samples << converted
-            attack_second = converted.time_stamp[:elapsed] / 1000
+            @start_time = if dmt_time.zero?
+                            @start_time
+                          else
+                            dmt_time
+                          end
+            attack_second = (@start_time - base_time) / 1000 # in seconds
             time_map[attack_second] += 1
           end
         end
+
+        # This method will merge time_maps of attack samples with same
+        # type.
+        #
+        # @param map [Hash<Integer,Integer>] TimeMap to append to previously_violated rule
+        # samples.
+        # @return time_map [Hash<Integer,Integer>] merged time map with updated occurrences.
+        def merge_time_maps map
+          # If the second is the same (key) if we just merge there won't be a new entry,
+          # so just increase the attack count.
+          map.each_key do |key|
+            @time_map[key] = @time_map.fetch(key, 0) + map[key]
+          end
+          @time_map
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/reporting_events/application_update.rb

@@ -17,23 +17,16 @@ module Contrast
       # system. Contains data used by TeamServer to render the Flow Map and SCA features.
       #
       # @attr_reader components [Array<Contrast::Agent::Reporting::ArchitectureComponent>]
-      # @attr_reader libraries [Array<Contrast::Agent::Reporting::LibraryDiscovery>]
+      # @attr_accessor libraries [Array<Contrast::Agent::Reporting::LibraryDiscovery>]
       class ApplicationUpdate < Contrast::Agent::Reporting::ApplicationReportingEvent
-        attr_reader :components, :libraries
-
-        class << self
-          # @param app_update_dtm [Contrast::Api::Dtm::ApplicationUpdate]
-          # @return [Contrast::Agent::Reporting::ApplicationUpdate]
-          def convert app_update_dtm
-            report = new
-            report.attach_data(app_update_dtm)
-            report
-          end
-        end
+        attr_reader :components
+        attr_accessor :libraries
 
         def initialize
           @event_method = :PUT
           @event_endpoint = "#{ Contrast::API.api_url }/api/ng/update/application"
+          @components = []
+          @libraries = []
           super
         end
 
@@ -41,18 +34,6 @@ module Contrast
           'update-application'
         end
 
-        # Attach the data from the protobuf models to this reporter so that it can be sent to TeamServer directly.
-        #
-        # @param app_update_dtm [Contrast::Api::Dtm::ApplicationUpdate]
-        def attach_data app_update_dtm
-          @components = app_update_dtm.components.map do |component|
-            Contrast::Agent::Reporting::ArchitectureComponent.convert(component)
-          end
-          @libraries = app_update_dtm.libraries.values.map do |library|
-            Contrast::Agent::Reporting::LibraryDiscovery.convert(library)
-          end
-        end
-
         # Convert the instance variables on the class, and other information, into the identifiers required for
         # TeamServer to process the JSON form of this message.
         #

data/lib/contrast/agent/reporting/reporting_events/architecture_component.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/api/dtm.pb'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -17,6 +18,7 @@ module Contrast
       # @attr_reader url [String] the url used to connect to the component. Required for reporting.
       # @attr_reader vendor [String] the publisher of the component, like MySQL.
       class ArchitectureComponent
+        include Contrast::Components::Logger::InstanceMethods
         # required attributes
         attr_reader :type, :url
         # optional attributes
@@ -55,7 +57,12 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('ArchitectureComponent validation failed with: ', e)
+            return
+          end
           {
               remoteHost: remote_host,
               remotePort: remote_port,

data/lib/contrast/agent/reporting/reporting_events/discovered_route.rb

@@ -16,6 +16,8 @@ module Contrast
       # includes the literal URL and HTTP Verb used to invoke them, as they must have been called at this point to be
       # recorded.
       class DiscoveredRoute < Contrast::Agent::Reporting::ObservedRoute
+        include Contrast::Components::Logger::InstanceMethods
+
         class << self
           # @param obj [Regexp, Object]
           # @return [String]
@@ -104,7 +106,12 @@ module Contrast
         end
 
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('DiscoveredRoute validation failed with: ', e)
+            return
+          end
           { session_id: ::Contrast::ASSESS.session_id, signature: @signature, verb: @verb, url: @url }.compact
         end
 

data/lib/contrast/agent/reporting/reporting_events/finding.rb

@@ -130,7 +130,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('Finding event validation failed with: ', e)
+            return
+          end
+
           hsh = {
               created: created,
               hash: hash_code.to_s,

data/lib/contrast/agent/reporting/reporting_events/finding_event.rb

@@ -8,6 +8,7 @@ require 'contrast/agent/reporting/reporting_events/finding_event_signature'
 require 'contrast/agent/reporting/reporting_events/finding_event_source'
 require 'contrast/agent/reporting/reporting_events/finding_event_stack'
 require 'contrast/agent/reporting/reporting_events/finding_event_taint_range'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -17,6 +18,8 @@ module Contrast
       # construct the vulnerability information for the assess feature. They represent the operation the application
       # underwent that transformed data during the dataflow.
       class FindingEvent
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [Symbol] what the event did; CREATION, A2O, A2P, A2A, A2R, O2A, O2O, O2P, O2R, P2A, P2O, P2P, P2R,
         #   TAG, TRIGGER.
         attr_reader :action
@@ -120,7 +123,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash # rubocop:disable Metrics/AbcSize
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEvent validation failed with: ', e)
+            return
+          end
+
           {
               action: action,
               args: args.map(&:to_controlled_hash),

data/lib/contrast/agent/reporting/reporting_events/finding_event_object.rb

@@ -3,6 +3,7 @@
 
 require 'base64'
 require 'contrast/agent/assess/contrast_object'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -12,6 +13,8 @@ module Contrast
       # TeamServer to construct the vulnerability information for the assess feature. They represent those parts of the
       # objects that were acted on in a Dataflow Finding.
       class FindingEventObject
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [Integer] the id of the Object this represents.
         attr_reader :hash
         # @return [Boolean] if the Object is tracked or not
@@ -52,7 +55,13 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventObject validation failed with: ', e)
+            return
+          end
+
           {
               hash: hash,
               tracked: tracked,
@@ -60,6 +69,7 @@ module Contrast
           }
         end
 
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper hash. Unable to continue.") unless hash
           raise(ArgumentError, "#{ self } did not have a proper tracked. Unable to continue.") if tracked.nil?

data/lib/contrast/agent/reporting/reporting_events/finding_event_parent_object.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'base64'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
       # used by TeamServer to relate this event to those that came previously. They represent the events that directly
       # preceding the FindingEvent generated.
       class FindingEventParentObject
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [Integer] the Id of the parent event
         attr_reader :id
 
@@ -24,12 +27,19 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventParentObject validation failed with: ', e)
+            return
+          end
+
           {
               id: id
           }
         end
 
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper id. Unable to continue.") unless id
         end

data/lib/contrast/agent/reporting/reporting_events/finding_event_property.rb

@@ -1,6 +1,8 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/logger'
+
 module Contrast
   module Agent
     module Reporting
@@ -8,6 +10,8 @@ module Contrast
       # system to relay this information in the Finding/Trace messages. Events have properties on them which are held
       # as an array of key-value pairs.
       class FindingEventProperty
+        include Contrast::Components::Logger::InstanceMethods
+
         # @return [String] the key of the property
         attr_reader :key
         # @return [String] the value of the source
@@ -24,13 +28,20 @@ module Contrast
         # @return [Hash]
         # @raise [ArgumentError]
         def to_controlled_hash
-          validate
+          begin
+            validate
+          rescue ArgumentError => e
+            logger.error('FindingEventProperty validation failed with: ', e)
+            return
+          end
+
           {
               key: key,
               value: value
           }
         end
 
+        # @raise [ArgumentError]
         def validate
           raise(ArgumentError, "#{ self } did not have a proper key. Unable to continue.") unless key && !key.empty?
         end