contrast-agent 6.6.4 → 6.8.0

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb

@@ -3,7 +3,7 @@
 
 require 'contrast/agent/assess/rule/response/header_rule'
 require 'contrast/agent/assess/rule/response/body_rule'
-require 'contrast/agent/assess/rule/response/framework/rails_support'
+require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
 require 'json'
 
@@ -16,7 +16,6 @@ module Contrast
           # set incorrectly the cache-control header
           class CacheControl < HeaderRule
             include BodyRule
-            include Framework::RailsSupport
             HEADER_KEYS = %w[Cache-Control].cs__freeze
             ACCEPTED_VALUES = [/no-store/, /no-cache/].cs__freeze
             DEFAULT_SAFE = false
@@ -33,66 +32,65 @@ module Contrast
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
             # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            # @return [Hash<String,Array<Hash<String,String>>>, nil] the evidence required to prove the violation of
+            #   the rule
             def violated? response
-              return unless header?(response) && meta_tag?(response)
-
-              header_evidence = header_evidence(response)
-              return if header_evidence.nil?
-
-              tag_evidence = tag_evidence(response)
-              return if tag_evidence.nil?
-
-              { DATA => [header_evidence, tag_evidence] }
-            end
-
-            # Is a cache-control header available?
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Boolean]
-            def header? response
-              cache_control = cache_control_from(response)
-              framework_supported? ? !cache_control.blank? : !!cache_control
-            end
+              cache_header = cache_control_from(response)
+              cache_meta = cache_meta_tags(response)
+
+              has_header = cache_header && !cache_header.blank?
+              has_meta = cache_meta.any?
+              # Because we're not safe by default, the rule should never hit this case, but we'll handle it just in
+              # case.
+              return { DATA => Contrast::Utils::ObjectShare::EMPTY_ARRAY.to_json } unless has_header || has_meta
+
+              evidence = []
+              # If we have a header tag, then we need to make sure it is set safely. If it is, there'll be no evidence
+              # and we can return as the header prevents violation.
+              if has_header
+                header_evidence = header_evidence(cache_header)
+                return unless header_evidence
+
+                evidence << header_evidence
+              end
 
-            # Is a cache-control meta tag available?
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Boolean]
-            def meta_tag? response
-              return false if meta_tags(response).empty?
+              # If we have no header, or an unsafe header, then we need to check the meta tag to make sure it is set
+              # safely. If it is, there'll be no evidence and we can return as the meta tag prevents violation.
+              if has_meta
+                tag_evidence = tag_evidence(cache_meta)
+                return unless tag_evidence
 
-              meta_tags(response).each do |tag|
-                return true if meta_cache_tag?(tag[HTML_PROP])
+                evidence << tag_evidence
               end
 
-              false
+              # Otherwise, we'll report the violation.
+              { DATA => evidence.to_json }
             end
 
-            def meta_tags response
-              return @_meta_tags if defined? @meta_tags
-
-              @_meta_tags = html_elements(response.body&.split(HEAD_TAG)&.last, META_START_STR)
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Array<Hash<String,String>]
+            def cache_meta_tags response
+              html_elements(response.body&.split(HEAD_TAG)&.last, META_START_STR).
+                  select { |tag| cache_control_tag?(tag[HTML_PROP]) }
             end
 
             # Process Header value to determine if it violates rule
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Hash, nil] the evidence hash or nil
-            def header_evidence response
-              cache_control = cache_control_from(response)
-              value = framework_supported? ? cache_control : cache_control_to_s(cache_control)
+            # @param cache_control [String] the value of the Cache-Control header
+            # @return [Hash<String,String>, nil] the evidence hash or nil
+            def header_evidence cache_control
               # If header is valid, then this portion of the rule isn't violated.
-              return if valid_header?(value)
+              return if valid_header?(cache_control)
 
               # evidence requires header value string, pull directly instead of rebuilding from hash
-              evidence(HEADER_TYPE, NAME, value)
+              evidence(HEADER_TYPE, NAME, cache_control)
             end
 
             # Process Body to determine if cache control meta tag violates rule
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Hash, nil] the evidence hash or nil
-            def tag_evidence response
-              meta_tags(response).each do |tag|
-                return evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag?(tag[HTML_PROP])
-              end
+            # @param cache_meta_tags [Array<Hash>] the meta tags which contain Cache-Control values
+            # @return [Hash<String,String>, nil] the evidence hash or nil
+            def tag_evidence cache_meta_tags
+              violation = cache_meta_tags.find { |tag| !safe_meta_cache_tag?(tag[HTML_PROP]) }
+              violation ? evidence(META_TYPE, PRAGMA, violation[HTML_PROP]) : nil
             end
 
             def potential_elements section, element_start
@@ -107,13 +105,27 @@ module Contrast
               [/'no-cache'/i, /"no-cache"/i, /"no-store"/i, /'no-store'/i, /'cache-control'/i, /"cache-control"/i]
             end
 
+            # @param tag [String] the tag to check
+            # @return [Boolean] if the tag has cache-control settings or not
+            def cache_control_tag? tag
+              http_equiv_idx = tag =~ /http-equiv=/i
+              return false unless http_equiv_idx
+
+              content_idx = tag =~ /content=/i
+              return false unless content_idx
+
+              # determine the value of the http-equiv if it's cache-control
+              http_equiv_idx += 11
+              accepted_http_values.any? { |el| (tag =~ el) == http_equiv_idx }
+            end
+
             # Determine if the given metatag does not have a valid cache-control tag.
             # Meta tags has the option to set http-equiv and content to set the http response header
             # to define for the document
             #
             # @param tag [String] the meta tag
             # @return [Boolean, nil]
-            def meta_cache_tag? tag
+            def safe_meta_cache_tag? tag
               # Here we should determine the index of the needed keys
               # http-equiv and content
               http_equiv_idx = tag =~ /http-equiv=/i
@@ -128,33 +140,36 @@ module Contrast
               return false unless is_valid
 
               content_idx += 8
-              return false if accepted_values.any? { |value| (tag =~ value) == content_idx }
-
-              true
+              accepted_values.any? { |value| (tag =~ value) == content_idx }
             end
 
-            # This method accepts the violation and transforms it to the proper hash
-            # before returning a violation
+            # This method accepts the violation and transforms it to the proper hash before returning a violation.
+            # Unlike other rules, this returns a complex structure to be converted to JSON on reporting -- do NOT cast
+            # it here as that'll result in extra escaping later.
             #
             # @param type [String] String of Header or META of the type
             # @param name [String] String of either cache-control or pragma
             # @param value [String] String of the violated value
+            # @return [Hash<String, String>]
             def evidence type, name, value
-              { type: type, name: name, value: value }.to_json
+              { 'type' => type, 'name' => name, 'value' => value }
             end
 
+            # return the cache control value from the response, either as a Hash in later versions of Rails or as a
+            # String in all other frameworks/ response types (remember, response can be a few things).
+            #
+            # @param response [Contrast::Agent::Response]
+            # @return [String]
             def cache_control_from response
-              # Rails 7 adds support for the cache_control header directly in the
-              # rack response, we should use that value
-              if framework_supported? && response.rack_response.cs__is_a?(Rack::Response)
-                response.rack_response.cache_control
-              else
-                get_header_value(response)
-              end
+              control = if response.rack_response.cs__is_a?(Rack::Response)
+                          response.rack_response.cache_control
+                        else
+                          get_header_value(response)
+                        end
+              control.cs__is_a?(Hash) ? cache_control_to_s(control) : control
             end
 
-            # Rebuilds the String value of the Cache-Control Header
-            # from the hash build in the Rack::Response
+            # Rebuilds the String value of the Cache-Control Header from the hash build in the Rack::Response
             #
             # @param hsh [Hash]
             # @return [String]

data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb

@@ -46,7 +46,7 @@ module Contrast
                 settings["#{ key }Secure"] = !value.nil? && value_secure?(value) && value_safe?(value)
                 settings["#{ key }Value"] = value.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : value
               end
-              evidence(settings) if settings.value?(false)
+              evidence(settings.to_json) if settings.value?(false)
             end
 
             # Get the CSP values from and transforms them to key value hash

data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb

@@ -12,7 +12,12 @@ module Contrast
             module RailsSupport
               RAILS_VERSION = Gem::Version.new('7.0.0')
 
-              def framework_supported?
+              # Some rules have features or settings that make them unsupported, meaning unnecessary or unavailable
+              # in that framework. For now, the only distinction required is Rails 7 or not, so that's what we'll
+              # report here.
+              #
+              # @return [Boolean] if the rule is unsupported by the framework
+              def rails_seven?
                 return false unless defined?(::Rails)
 
                 rails_version = ::Rails.version

data/lib/contrast/agent/assess/rule/response/header_rule.rb

@@ -2,9 +2,7 @@
 # frozen_string_literal: true
 
 require 'rack'
-require 'contrast/agent/reporting/reporting_utilities/dtm_message'
 require 'contrast/utils/hash_digest'
-require 'contrast/utils/preflight_util'
 require 'contrast/utils/string_utils'
 require 'contrast/agent/assess/rule/response/base_rule'
 
@@ -16,7 +14,7 @@ module Contrast
           # These rules check the content of the HTTP Response to determine if something was set incorrectly or
           # insecurely in it.
           class HeaderRule < BaseRule
-            HEADER_TYPE = 'header'
+            HEADER_TYPE = 'Header'
 
             # Rules discern which responses they can/should analyze.
             #
@@ -44,11 +42,13 @@ module Contrast
             # @param response [Contrast::Agent::Response] the response of the application
             # @return [Boolean]
             def headers? response
-              response.headers&.any?
+              !!response.headers&.any?
             end
 
             protected
 
+            # @param response [Contrast::Agent::Response]
+            # @return [Object]
             def get_header_value response
               response_headers = response.headers
               values = response_headers.values_at(*cs__class::HEADER_KEYS, *cs__class::HEADER_KEYS.map(&:to_sym))
@@ -57,7 +57,7 @@ module Contrast
 
             # Determine if the value of the Response Header has a valid value
             #
-            # @param header [Contrast::Agent::Response] a response header
+            # @param header [String] a response header
             # @return [Boolean] whether the header value is valid
             def valid_header? header
               cs__class::ACCEPTED_VALUES.any? { |val| val.match(header) }

data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb

@@ -14,7 +14,7 @@ module Contrast
           class HSTSHeader < HeaderRule
             HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
             ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
-            DEFAULT_SAFE = true
+            DEFAULT_SAFE = false
 
             def rule_id
               'hsts-header-missing'

data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb

@@ -24,7 +24,7 @@ module Contrast
             protected
 
             def analyze_response? response
-              !framework_supported? && super
+              !rails_seven? && super
             end
           end
         end

data/lib/contrast/agent/assess/tracker.rb

@@ -12,7 +12,6 @@ module Contrast
       # have tightly coupled dependencies on each other.
       class Tracker
         PROPERTIES_HASH = Contrast::Agent::Assess::Finalizers::Hash.new
-        KEEP_AGE = 600_000.cs__freeze # 10 minutes
 
         class << self
           # Retrieve the properties of the given Object, iff they exist.
@@ -60,12 +59,7 @@ module Contrast
           # Clean PROPERTIES_HASH of any values older than KEEP_AGE ms or
           # have nil properties
           def cleanup!
-            PROPERTIES_HASH.delete_if do |_k, properties|
-              return true if properties.nil?
-              return false unless (event = properties&.event)
-
-              KEEP_AGE <= (Contrast::Utils::Timer.now_ms - event.time)
-            end
+            PROPERTIES_HASH.cleanup!
           end
         end
       end

data/lib/contrast/agent/at_exit_hook.rb

@@ -37,13 +37,7 @@ module Contrast
         ].compact.each do |event|
           Contrast::Agent.reporter&.send_event_immediately(event)
         end
-
-        if Contrast::Agent::Reporter.enabled?
-          event = Contrast::Agent::Reporting::DtmMessage.dtm_to_event(context.activity)
-          Contrast::Agent.reporter&.send_event_immediately(event)
-        else
-          Contrast::Agent.messaging_queue&.send_event_immediately(context.activity)
-        end
+        Contrast::Agent.reporter&.send_event_immediately(context.activity)
       end
     end
   end

data/lib/contrast/agent/excluder.rb

@@ -0,0 +1,224 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/settings/url_exclusion'
+
+module Contrast
+  module Agent
+    # Given an array of exclusion matcher instances provides methods to
+    # determine if the exclusions apply to particular urls.
+    class Excluder # rubocop:disable Metrics/ClassLength
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
+      attr_reader :exclusions
+
+      # @param exclusions [Array<Contrast::Agent::ExclusionMatcher>]
+      def initialize exclusions = []
+        @exclusions = exclusions
+      end
+
+      # If an assess URL exclusion rule applies to the current url, *and* is defined as "All Rules"
+      # then we can avoid any tracking for the request.
+      #
+      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # @return [Boolean]
+      def assess_excluded_by_url? request
+        request_path = request.path
+
+        assess_url_exclusions_for_all_rules.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path)
+        end
+      end
+
+      # If an assess URL exclusion rule applies to the current url, *and* also covers the
+      # provided rule_id, then we can avoid tracking this entry.
+      #
+      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # @param rule_id [String]
+      # return [Boolean]
+      def assess_excluded_by_url_and_rule? request, rule_id
+        request_path = request.path
+
+        assess_url_exclusions.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path) &&
+              (exclusion_matcher.assess_rules.empty? || exclusion_matcher.assess_rules.include?(rule_id))
+        end
+      end
+
+      # If an assess INPUT exclusion rule applies to the current url, *and* also covers all
+      # rules, then we can avoid tracking this entry.
+      #
+      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # @param source_type [String]
+      # @param source_name [String]
+      # return [Boolean]
+      def assess_excluded_by_input? request, source_type, source_name
+        request_path = request.path
+
+        assess_input_exclusions_for_all_rules.any? do |exclusion_matcher|
+          input_match?(exclusion_matcher, source_type, source_name) && path_match?(exclusion_matcher, request_path)
+        end
+      end
+
+      # If an assess INPUT exclusion rule covers the provided rule_id *for all finding event sources*, then we
+      # can avoid tracking this entry. If any event source *isn't excluded* then we don't exclude the finding.
+      #
+      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # @param finding [Contrast::Agent::Reporting::Finding]
+      # @param rule [String]
+      # return [Boolean]
+      def assess_excluded_by_input_and_rule? request, finding, rule
+        return false if finding.events.empty?
+
+        # We need to check for url exclusions here for the input rules as the url exclusions
+        # that have already been checked didn't include the INPUT exclusions. So we look for
+        # any INPUT exclusions that apply to the current url and the supplied rule.
+        path = request.path
+        rule_input_exclusions = assess_input_exclusions.select do |exclusion_matcher|
+          (exclusion_matcher.protection_rules.empty? || exclusion_matcher.protection_rules.include?(rule)) &&
+              path_match?(exclusion_matcher, path)
+        end
+        return false if rule_input_exclusions.empty?
+
+        event_sources = finding.events.flat_map(&:event_sources)
+        event_sources.each do |event_source|
+          return false unless rule_input_exclusions.any? do |exclusion|
+            input_match?(exclusion, event_source.type, event_source.name) # rubocop:disable Security/Module/Name
+          end
+        end
+
+        # If we reach here, and we have event sources then all of them matched so we should exclude
+        # this finding. On the other hand, if there were no event sources we have nothing to exclude.
+        event_sources.any?
+      end
+
+      # If a protect URL exclusion rule applies to the current url, *and* is defined as "All Rules"
+      # then we can avoid using the rule for the request.
+      #
+      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # return [Boolean]
+      def protect_excluded_by_url? request
+        request_path = request.path
+
+        protect_url_exclusions_for_all_rules.any? do |exclusion_matcher|
+          path_match?(exclusion_matcher, request_path)
+        end
+      end
+
+      private
+
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
+      def assess_url_exclusions_for_all_rules
+        @_assess_url_exclusions_for_all_rules ||= assess_url_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.assess_rules.empty?
+        end
+      end
+
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
+      def assess_url_exclusions
+        @_assess_url_exclusions ||= assess_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :URL
+        end
+      end
+
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
+      def assess_input_exclusions_for_all_rules
+        @_assess_input_exclusions_for_all_rules ||= assess_input_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.assess_rules.empty?
+        end
+      end
+
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
+      def assess_input_exclusions
+        @_assess_input_exclusions ||= assess_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :INPUT
+        end
+      end
+
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
+      def assess_exclusions
+        @_assess_exclusions ||= @exclusions.select(&:assess)
+      end
+
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
+      def protect_url_exclusions_for_all_rules
+        @_protect_url_exclusions_for_all_rules ||= protect_url_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.protect_rules.empty?
+        end
+      end
+
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
+      def protect_url_exclusions
+        @_protect_url_exclusions ||= protect_exclusions.select do |exclusion_matcher|
+          exclusion_matcher.type == :URL
+        end
+      end
+
+      # @return [Array<Contrast::Agent::ExclusionMatcher>]
+      def protect_exclusions
+        @_protect_exclusions ||= @exclusions.select(&:protect)
+      end
+
+      # @return [Boolean]
+      def path_match? exclusion_matcher, path
+        exclusion_matcher.wildcard_url || exclusion_matcher.urls.any? { |url| url.match?(path) }
+      end
+
+      # @param exclusion [Contrast::Agent::ExclusionMatcher]
+      # @param source_type [String]
+      # @param source_name [String]
+      # @return [Boolean]
+      def input_match? exclusion, source_type, source_name
+        case exclusion.input_type
+        when 'PARAMETER'
+          input_match_parameter?(exclusion, source_type, source_name)
+        when 'COOKIE'
+          input_match_cookie?(exclusion, source_type, source_name)
+        when 'HEADER'
+          input_match_header?(exclusion, source_type, source_name)
+        when 'BODY'
+          Contrast::Agent::Assess::Policy::SourceMethod::BODY_TYPE == source_type
+        when 'QUERYSTRING'
+          Contrast::Agent::Assess::Policy::SourceMethod::QUERYSTRING_TYPE == source_type
+        else
+          false
+        end
+      end
+
+      def input_match_parameter? exclusion, source_type, source_name
+        return false unless [
+          Contrast::Agent::Assess::Policy::SourceMethod::PARAMETER_TYPE,
+          Contrast::Agent::Assess::Policy::SourceMethod::PARAMETER_KEY_TYPE
+        ].include?(source_type)
+
+        exclusion.wildcard_input || (exclusion.input_name == source_name) || regexp_match?(exclusion.input_name,
+                                                                                           source_name)
+      end
+
+      def input_match_cookie? exclusion, source_type, source_name
+        return false unless [
+          Contrast::Agent::Assess::Policy::SourceMethod::COOKIE_TYPE,
+          Contrast::Agent::Assess::Policy::SourceMethod::COOKIE_KEY_TYPE
+        ].include?(source_type)
+
+        exclusion.wildcard_input || exclusion.input_name == source_name || regexp_match?(exclusion.input_name,
+                                                                                         source_name)
+      end
+
+      def input_match_header? exclusion, source_type, source_name
+        return false unless [
+          Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE,
+          Contrast::Agent::Assess::Policy::SourceMethod::HEADER_KEY_TYPE
+        ].include?(source_type)
+
+        exclusion.wildcard_input || exclusion.input_name.casecmp(source_name).zero? || regexp_match?(
+            exclusion.input_name, source_name)
+      end
+
+      def regexp_match? possible_pattern, source_name
+        Regexp.new("^#{ possible_pattern }$").match?(source_name)
+      rescue RegexpError
+        false
+      end
+    end
+  end
+end

data/lib/contrast/agent/exclusion_matcher.rb

@@ -2,6 +2,10 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/agent/reporting/settings/exclusion_base'
+require 'contrast/agent/reporting/settings/code_exclusion'
+require 'contrast/agent/reporting/settings/input_exclusion'
+require 'contrast/agent/reporting/settings/url_exclusion'
 
 module Contrast
   module Agent
@@ -11,18 +15,32 @@ module Contrast
     class ExclusionMatcher
       include Contrast::Components::Logger::InstanceMethods
 
+      extend Forwardable
+
+      attr_reader :protect, :assess, :type, :urls, :wildcard_url, :wildcard_input
+
+      def_delegators :@exclusion, :protect_rules, :assess_rules, :input_type, :input_name
+
       # Create a matcher around an exclusion sent from TeamServer.
       #
-      # @param excl [Contrast::Api::Settings::Exclusion]
+      # @param excl [Contrast::Agent::Reporting::Settings::ExclusionBase]
       # @return [Contrast::Agent::ExclusionMatcher]
       def initialize excl
         @exclusion = excl
         @protect = @exclusion.protect
         @assess = @exclusion.assess
 
-        handle_wildcard_input
-        handle_wildcard_url
-        handle_wildcard_code
+        case excl
+        when Contrast::Agent::Reporting::Settings::CodeExclusion
+          handle_wildcard_code
+          @type = :CODE
+        when Contrast::Agent::Reporting::Settings::InputExclusion
+          handle_wildcard_input
+          @type = :INPUT
+        when Contrast::Agent::Reporting::Settings::UrlExclusion
+          handle_wildcard_url
+          @type = :URL
+        end
       end
 
       # According to the docs for exclusions, user input applies to all inputs if
@@ -91,7 +109,7 @@ module Contrast
       end
 
       def code?
-        @exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::CODE
+        @type == :CODE
       end
 
       def match_all?
@@ -99,12 +117,12 @@ module Contrast
       end
 
       # Determine if the given rule is excluded by this exclusion.
-      # In this case, the `protection_rules` being empty means apply to all rules,
+      # In this case, the `protect_rules` being empty means apply to all rules,
       # not no rules
       #
       # @param rule - the id of the rule which we're checking for exclusion
       def protection_rule? rule
-        protect? && (@exclusion.protection_rules.empty? || @exclusion.protection_rules.include?(rule))
+        protect? && (@exclusion.protect_rules.empty? || @exclusion.protect_rules.include?(rule))
       end
 
       # Determine if the given rule is excluded by this exclusion.