contrast-agent 6.8.0 → 6.10.0

data/lib/contrast/config/diagnostics.rb

@@ -0,0 +1,114 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'json'
+require 'fileutils'
+require 'contrast/utils/timer'
+require 'contrast/utils/log_utils'
+require 'contrast/components/logger'
+require 'contrast/utils/object_share'
+require 'contrast/config/config'
+require 'contrast/config/effective_config'
+require 'contrast/config/effective_config_value'
+
+module Contrast
+  module Agent
+    module DiagnosticsConfig
+      # This class is responsible for logging to file the effective Agent configurations after startup.
+      class Diagnostics
+        include Contrast::Components::Logger::InstanceMethods
+        include Contrast::Utils::LogUtils
+
+        # @return [String] path to write the file.
+        attr_reader :path
+
+        DEFAULT_PATH = File.join(Dir.pwd).cs__freeze
+        ERROR_MESSAGE = '[Configuration Diagnostics] Could not write effective Agent configuration to file'
+        FILE_NAME = 'contrast_connection.json'
+        WRITE = 'w+'
+
+        # @param path [String] path to write to file.
+        def initialize path
+          @path = path if path && !path.empty?
+        end
+
+        # Write current settings to file.
+        #
+        # @param reset [Boolean] should we reset the config we have
+        # @return [Boolean]
+        def write_to_file reset: true
+          logger&.info('[Configuration Diagnostics] Writing Effective Configurations to file', path: dir_name)
+          status = false
+          write_to_file_logic(status, reset: reset)
+        rescue IOError => e
+          logger&.warn(ERROR_MESSAGE, e)
+          false
+        end
+
+        def extract_settings
+          Contrast::AGENT.to_effective_config(config.effective_config)
+          Contrast::API.to_effective_config(config.effective_config)
+          Contrast::APP_CONTEXT.to_effective_config(config.effective_config)
+          Contrast::ASSESS.to_effective_config(config.effective_config)
+          Contrast::INVENTORY.to_effective_config(config.effective_config)
+          Contrast::PROTECT.to_effective_config(config.effective_config)
+        end
+
+        # Determine the path of the current logger and permissions required for
+        # writing to path.
+        #
+        # @return [String] Path
+        def dir_name
+          @_dir_name ||= if write_permission?(@path)
+                           File.dirname(File.absolute_path(@path))
+                         else
+                           DEFAULT_PATH
+                         end
+        rescue Errno::EROFS => e
+          logger.warn(ERROR_MESSAGE, e)
+        end
+
+        # Returns effective configurations of the agent.
+        #
+        # @return [Contrast::Agent::DiagnosticsConfig::Config]
+        def config
+          @_config ||= Contrast::Agent::DiagnosticsConfig::Config.new
+        end
+
+        # Reset the state of the current effective config.
+        def reset_config
+          @_config = Contrast::Agent::DiagnosticsConfig::Config.new
+        end
+
+        def to_controlled_hash
+          {
+              ReportCreate: report_create_time,
+              Config: config.to_controlled_hash
+          }
+        end
+
+        def write_to_file_logic status, reset: true
+          # We need to reset the config before updating it's values
+          reset_config if reset
+          extract_settings
+          File.open(File.join(dir_name, FILE_NAME), WRITE) do |file|
+            file.truncate(0)
+            file.write(JSON.pretty_generate(to_controlled_hash, { space: Contrast::Utils::ObjectShare::EMPTY_STRING }))
+            status = true if file
+            file.close
+          end
+          status
+        end
+
+        private
+
+        # Return current time in iso8601 format.
+        #
+        # @return [String] Time of creation
+        def report_create_time
+          Contrast::Utils::Timer.time_now
+        end
+      end
+    end
+  end
+end

data/lib/contrast/config/diagnostics_tools.rb

@@ -0,0 +1,98 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module DiagnosticsConfig
+      # Diagnostics tools to be included in config components.
+      module DiagnosticsTools
+        CHECK = 'd'
+
+        # Converts current configuration for array of values to effective config values class and appends them to
+        # EffectiveConfig class. Must be used inside Config Components only.
+        #
+        # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+        # @param config_values [Array<String>] array of the names of values.
+        # @param canonical_prefix [String] starting of the path to config => api.proxy...
+        # @param name_prefix [String] the name of the config prefix => contrast.api_key, contrast.url
+        def add_effective_config_values effective_config, config_values, canonical_prefix, name_prefix
+          return if config_values.to_s.empty?
+
+          config_values.each do |config|
+            Contrast::Agent::DiagnosticsConfig::EffectiveConfigValue.new.tap do |value|
+              next if (config_val = send(config.to_sym)).to_s.empty?
+
+              config_name = assign_name(config)
+              value.canonical_name = "#{ canonical_prefix }.#{ config_name }"
+              value.name = "#{ name_prefix }.#{ config_name }"
+              value.value = config_val
+              value.source = Contrast::CONFIG.sources.get(value.canonical_name)
+              if value.source == Contrast::Components::Config::Sources::YAML
+                value.filename = Contrast::CONFIG.config_file_path
+              end
+              effective_config.values << value
+            rescue StandardError => e
+              log_error(e)
+              next
+            end
+          end
+        end
+
+        # Converts current configuration for single value to effective config values class and appends them to
+        # EffectiveConfig class. Must be used inside Config Components only.
+        #
+        # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+        # @param config_name [String] name of the config.
+        # @param config_value [String, Boolean] value of the config.
+        # @param canonical_prefix [String] starting of the path to config => api.proxy...
+        # @param name_prefix [String] the name of the config prefix => contrast.api_key, contrast.url
+        def add_single_effective_value effective_config, config_name, config_value, canonical_prefix, name_prefix
+          Contrast::Agent::DiagnosticsConfig::EffectiveConfigValue.new.tap do |value|
+            break if config_value.to_s.empty?
+
+            value.value = config_value
+            value.canonical_name = "#{ canonical_prefix }.#{ config_name }"
+            value.name = "#{ name_prefix }.#{ config_name }"
+            value.source = Contrast::CONFIG.sources.get(value.canonical_name)
+            if value.source == Contrast::Components::Config::Sources::YAML
+              value.filename = Contrast::CONFIG.config_file_path
+            end
+            effective_config.values << value
+          rescue StandardError => e
+            log_error(e)
+            next
+          end
+        end
+
+        private
+
+        # Assigns a proper name for the config removing '?' out of method names.
+        #
+        # @param config [String] name of the configuration
+        # @return [String]
+        def assign_name config
+          return Contrast::Utils::ObjectShare::EMPTY_STRING unless config
+
+          name = config.dup
+          if name.end_with?(Contrast::Utils::ObjectShare::QUESTION_MARK)
+            # check and remove '?' : start_bundled_service? => start_bundled_service
+            name.delete!(Contrast::Utils::ObjectShare::QUESTION_MARK)
+            name.chop! if name.end_with?(CHECK)
+            name
+          end
+          name
+        end
+
+        # Logs any caught error.
+        #
+        # @param error [StandardError]
+        def log_error error
+          Contrast::CONFIG.proto_logger.warn('Could not write effective config to file: ',
+                                             error: error, backtrace: error.backtrace)
+        end
+      end
+    end
+  end
+end

data/lib/contrast/config/effective_config.rb

@@ -0,0 +1,65 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/config/effective_config_value'
+
+module Contrast
+  module Agent
+    module DiagnosticsConfig
+      # The current effective config received from all authorized configuration channels.
+      class EffectiveConfig
+        # Value of effective agent configurations
+        #
+        # @return [Array]
+        attr_reader :values
+
+        def initialize
+          @values = []
+        end
+
+        def to_controlled_hash
+          {
+              EffectiveConfig: { values: @values&.map(&:to_controlled_hash) },
+              File: yaml_config_settings,
+              Environment: environment_settings,
+              CommandLine: command_line_settings,
+              ContrastUI: contrast_ui_settings
+          }
+        end
+
+        private
+
+        def yaml_config_settings
+          {
+              Path: Contrast::CONFIG.config_file_path,
+              Values: Contrast::CONFIG.sources.for(Contrast::Components::Config::Sources::YAML)
+          }
+        end
+
+        def command_line_settings
+          flatten_settings(Contrast::CONFIG.sources.for(Contrast::Components::Config::Sources::CLI))
+        end
+
+        def contrast_ui_settings
+          flatten_settings(Contrast::CONFIG.sources.for(Contrast::Components::Config::Sources::CONTRASTUI))
+        end
+
+        def flatten_settings data, path = []
+          data.each_with_object([]) do |(k, v), entries|
+            if v.cs__is_a?(Hash)
+              entries.concat(flatten_settings(v, path.dup.append(k.to_sym)))
+            else
+              entries << { "#{ path.join('.') }.#{ k }" => Contrast::CONFIG.config.loaded_config.dig(*path, k) }
+            end
+          end.flatten # rubocop:disable Style/MethodCalledOnDoEndBlock
+        end
+
+        def environment_settings
+          ENV.select { |e| e.to_s.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) }.
+              to_a.
+              map { |e| Hash[*e] }
+        end
+      end
+    end
+  end
+end

data/lib/contrast/config/effective_config_value.rb

@@ -0,0 +1,32 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module DiagnosticsConfig
+      # All In effect config values stored in a easy to write representation.
+      class EffectiveConfigValue
+        # @return [String] Name of the config starting form root of yaml config.
+        attr_accessor :canonical_name
+        # @return [String] Name of the config.
+        attr_accessor :name
+        # @return [String] Value set for the config.
+        attr_accessor :value
+        # @return [String] The source for the entry in the config.
+        attr_accessor :source
+        # @return [String,nil] The filename for the source of the config, if the source was "yaml".
+        attr_accessor :filename
+
+        def to_controlled_hash
+          {
+              canonical_name: canonical_name,
+              name: name, # rubocop:disable Security/Module/Name
+              value: value,
+              Source: source,
+              Filename: filename
+          }.compact
+        end
+      end
+    end
+  end
+end

data/lib/contrast/config/exception_configuration.rb

@@ -1,20 +1,32 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/base'
+
 module Contrast
   module Config
     # Common Configuration settings. Those in this section pertain to the exception handling in Ruby, allowing for the
     # override of Response Code and Message when Security Exceptions are raised.
     class ExceptionConfiguration
       include Contrast::Config::BaseConfiguration
+      include Contrast::Components::ComponentBase
+
+      CANON_NAME = 'agent.ruby.exception'
+      CONFIG_VALUES = %w[capture override_status override_message].cs__freeze
 
       # @return [Integer] the HTTP status code override
       attr_accessor :override_status
       # @return [String] the message text override
       attr_accessor :override_message
       attr_writer :capture
+      # @return [String]
+      attr_reader :canon_name
+      # @return [Array]
+      attr_reader :config_values
 
       def initialize hsh = {}
+        @config_values = CONFIG_VALUES
+        @canon_name = CANON_NAME
         return unless hsh
 
         @capture = hsh[:capture]

data/lib/contrast/config/protect_rule_configuration.rb

@@ -36,11 +36,11 @@ module Contrast
       # String to its recognized symbol equivalent. If a nonsense value is provided, it'll
       # be treated the same as disabling the rule.
       #
-      # @return [Symbol]
+      # @return [Symbol, nil]
       def applicable_mode
         return unless mode
 
-        case mode
+        case mode.downcase
         when 'permit'
           :PERMIT
         when 'block_at_perimeter'

data/lib/contrast/config/protect_rules_configuration.rb

@@ -11,13 +11,13 @@ module Contrast
 
       attr_accessor :disabled_rules
       attr_reader :bot_blocker,
-                  :cmd_injection, :cmdi_command_backdoors,
+                  :cmd_injection, :cmd_injection_command_backdoors,
                   :cmd_injection_semantic_chained_commands, :cmd_injection_semantic_dangerous_paths,
                   :method_tampering,
                   :nosql_injection,
                   :path_traversal, :path_traversal_semantic_file_security_bypass,
                   :reflected_xss,
-                  :sql_injection, :sqli_dangerous_function,
+                  :sql_injection, :sql_injection_semantic_dangerous_functions,
                   :unsafe_file_upload,
                   :untrusted_deserialization,
                   :xxe,
@@ -28,15 +28,16 @@ module Contrast
       def initialize hsh = {} # rubocop:disable Metrics/AbcSize
         return unless hsh
 
+        # IVs must be with the same name as rule_id
         @disabled_rules = hsh[:disabled_rules]
         @rule_base = Contrast::Config::ProtectRuleConfiguration.new(hsh[BASE_RULE.to_sym])
         @bot_blocker = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'bot-blocker'])
         @cmd_injection = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'cmd-injection'])
-        @cmdi_command_backdoors =
+        @cmd_injection_command_backdoors =
           Contrast::Config::ProtectRuleConfiguration.new(hsh[:'cmd-injection-command-backdoors'])
-        @cmdi_chained_command =
+        @cmd_injection_semantic_chained_commands =
           Contrast::Config::ProtectRuleConfiguration.new(hsh[:'cmd-injection-semantic-chained-commands'])
-        @cmdi_dangerous_path =
+        @cmd_injection_semantic_dangerous_paths =
           Contrast::Config::ProtectRuleConfiguration.new(hsh[:'cmd-injection-semantic-dangerous-paths'])
         @method_tampering = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'method-tampering'])
         @nosql_injection = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'nosql-injection'])
@@ -45,7 +46,7 @@ module Contrast
           Contrast::Config::ProtectRuleConfiguration.new(hsh[:'path-traversal-semantic-file-security-bypass'])
         @reflected_xss = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'reflected-xss'])
         @sql_injection = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'sql-injection'])
-        @sqli_dangerous_function =
+        @sql_injection_semantic_dangerous_functions =
           Contrast::Config::ProtectRuleConfiguration.new(hsh[:'sql-injection-semantic-dangerous-functions'])
         @unsafe_file_upload = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'unsafe-file-upload'])
         @untrusted_deserialization = Contrast::Config::ProtectRuleConfiguration.new(hsh[:'untrusted-deserialization'])

data/lib/contrast/config/request_audit_configuration.rb

@@ -1,13 +1,18 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/components/base'
+
 module Contrast
   module Config
     # This class holds the Common Settings for the hidden functionality of the TS
     class RequestAuditConfiguration
       include Contrast::Config::BaseConfiguration
+      include Contrast::Components::ComponentBase
 
       DEFAULT_PATH = './messages'
+      CANON_NAME = 'api.request_audit'
+      CONFIG_VALUES = %w[enable requests responses path].cs__freeze
 
       attr_writer :enable, :requests, :responses, :path
 
@@ -39,6 +44,14 @@ module Contrast
       def path
         @path.nil? ? DEFAULT_PATH : @path
       end
+
+      # Converts current configuration to effective config values class and appends them to
+      # EffectiveConfig class.
+      #
+      # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+      def to_effective_config effective_config
+        add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, "#{ CONTRAST }.#{ CANON_NAME }")
+      end
     end
   end
 end

data/lib/contrast/config/server_configuration.rb

@@ -1,12 +1,18 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/config/base_configuration'
+
 module Contrast
   module Config
     # Common Configuration settings. Those in this section pertain to the server identification functionality of the
     # Agent.
     class ServerConfiguration
       include Contrast::Config::BaseConfiguration
+      include Contrast::Components::ComponentBase
+
+      CANON_NAME = 'server'
+      CONFIG_VALUES = %w[tags environment version].cs__freeze
 
       # @return [String, nil]
       attr_reader :name
@@ -14,14 +20,19 @@ module Contrast
       attr_accessor :path
       # @return [String, nil]
       attr_accessor :type
-      # @return [Array, nil]
-      attr_accessor :tags
+      attr_writer :tags
       # @return [String, nil]
       attr_accessor :environment
       # @return [String, nil]
       attr_accessor :version
+      # @return [String]
+      attr_reader :canon_name
+      # @return [Array]
+      attr_reader :config_values
 
       def initialize hsh = {}
+        @config_values = CONFIG_VALUES
+        @canon_name = CANON_NAME
         return unless hsh
 
         @path = hsh[:path]
@@ -31,6 +42,34 @@ module Contrast
         @environment = hsh[:environment]
         @version = hsh[:version]
       end
+
+      # @return [String, nil]
+      def tags
+        stringify_array(@tags)
+      end
+
+      # Converts current configuration to effective config values class and appends them to
+      # EffectiveConfig class.
+      #
+      # @param effective_config [Contrast::Agent::DiagnosticsConfig::EffectiveConfig]
+      def to_effective_config effective_config
+        super
+        add_single_effective_value(effective_config,
+                                   'type',
+                                   Contrast::APP_CONTEXT.server_type,
+                                   CANON_NAME,
+                                   "#{ CONTRAST }.#{ CANON_NAME }")
+        add_single_effective_value(effective_config,
+                                   'name',
+                                   Contrast::APP_CONTEXT.server_name,
+                                   CANON_NAME,
+                                   "#{ CONTRAST }.#{ CANON_NAME }")
+        add_single_effective_value(effective_config,
+                                   'path',
+                                   Contrast::APP_CONTEXT.server_path,
+                                   CANON_NAME,
+                                   "#{ CONTRAST }.#{ CANON_NAME }")
+      end
     end
   end
 end

data/lib/contrast/configuration.rb

@@ -13,6 +13,7 @@ require 'contrast/components/scope'
 require 'contrast/components/inventory'
 require 'contrast/components/protect'
 require 'contrast/components/assess'
+require 'contrast/components/config/sources'
 require 'contrast/config/server_configuration'
 
 module Contrast
@@ -45,6 +46,12 @@ module Contrast
     attr_writer :protect
     # @return [Boolean, nil]
     attr_accessor :enable
+    # @return [Hash]
+    attr_accessor :loaded_config
+    # @return [Contrast::Config::Sources]
+    attr_accessor :sources
+    # @return [String,nil]
+    attr_reader :config_file
 
     DEFAULT_YAML_PATH  = 'contrast_security.yaml'
     MILLISECOND_MARKER = '_ms'
@@ -53,18 +60,26 @@ module Contrast
     KEYS_TO_REDACT = %i[api_key url service_key user_name].cs__freeze
     REDACTED = '**REDACTED**'
 
-    def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH
+    def initialize cli_options = nil, default_name = DEFAULT_YAML_PATH # rubocop:disable Metrics/AbcSize
       @default_name = default_name
 
       # Load config_kv from file
       config_kv = deep_symbolize_all_keys(load_config)
+      config_sources = assign_source_to(config_kv, Contrast::Components::Config::Sources::YAML)
 
       # Overlay CLI options - they take precedence over config file
       cli_options = deep_symbolize_all_keys(cli_options)
-      config_kv = deep_merge(cli_options, config_kv) if cli_options
+      if cli_options
+        config_kv = deep_merge(cli_options, config_kv)
+        config_sources = deep_merge(assign_source_to(cli_options, Contrast::Components::Config::Sources::CLI),
+                                    config_sources)
+      end
 
       # Some in-flight rewrites to maintain backwards compatibility
       config_kv = update_prop_keys(config_kv)
+      @loaded_config = config_kv
+
+      @sources = Contrast::Components::Config::Sources.new(config_sources)
 
       @api = Contrast::Components::Api::Interface.new(config_kv[:api])
       @enable = config_kv[:enable]
@@ -132,6 +147,7 @@ module Contrast
           next
         end
         config = yaml_to_hash(path) || {}
+        @config_file = path
         break
       end
 
@@ -307,5 +323,15 @@ module Contrast
     def redactable? key
       KEYS_TO_REDACT.include?(key.to_sym)
     end
+
+    def assign_source_to hash, source = Contrast::Components::Config::Sources::YAML
+      hash.transform_values do |value|
+        if value.is_a?(Hash)
+          assign_source_to(value, source)
+        else
+          source
+        end
+      end
+    end
   end
 end

data/lib/contrast/extension/assess/array.rb

@@ -13,10 +13,10 @@ module Contrast
       # This is our patch of the Array class required to handle propagation
       # Disclaimer: there may be a better way, but we're in a 'get it work' state.
       # Hopefully, we'll be in a 'get it right' state soon.
-      class ArrayPropagator # rubocop:disable Style/StaticClass
+      class ArrayPropagator
         extend Contrast::Components::Scope::InstanceMethods
 
-        ARRAY_JOIN_HASH = {
+        ARRAY_JOIN_HASH ||= { # rubocop:disable Lint/OrAssignmentToConstant
             'class_name' => 'Array',
             'instance_method' => true,
             'method_visibility' => 'public',
@@ -27,7 +27,7 @@ module Contrast
             'patch_class' => 'NOOP',
             'patch_method' => 'cs__track_join'
         }.cs__freeze
-        ARRAY_JOIN_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(ARRAY_JOIN_HASH)
+        ARRAY_JOIN_NODE ||= Contrast::Agent::Assess::Policy::PropagationNode.new(ARRAY_JOIN_HASH) # rubocop:disable Lint/OrAssignmentToConstant
 
         class << self
           # When you call join, they use an internal thing, so there's no good way to get at the thing being returned.

data/lib/contrast/extension/assess/erb.rb

@@ -39,7 +39,7 @@ module ERBPropagator
     # @param used_binding [Binding] the binding in of the current event, saved as preshift argument
     # @param erb_pre_result [String] the source saved in the preshift
     # @param properties [Contrast::Agent::Assess::Properties] properties of the target if none create new
-    # @param parent_events [Array<Contrast::Agent::Assess::ContrastEvent>] parents event extracted from the source
+    # @param parent_events [Array<Contrast::Agent::Reporting::FindingEvent>] parents event extracted from the source
     #                                                                      properties
     # @param ret [String] the Return of the invoked method
     # @return [Array<Symbol>]

data/lib/contrast/extension/assess/regexp.rb

@@ -17,7 +17,7 @@ module Contrast
         extend Contrast::Components::Logger::InstanceMethods
         extend Contrast::Components::Scope::InstanceMethods
 
-        REGEXP_EQUAL_SQUIGGLE_HASH = {
+        REGEXP_EQUAL_SQUIGGLE_HASH ||= { # rubocop:disable Lint/OrAssignmentToConstant
             'id' => 'regexp_100',
             'class_name' => 'Regexp',
             'instance_method' => true,
@@ -29,7 +29,7 @@ module Contrast
             'patch_class' => 'Contrast::Extension::Assess::RegexpPropagator',
             'patch_method' => 'track_equal_squiggle'
         }.cs__freeze
-        REGEXP_EQUAL_SQUIGGLE_NODE = Contrast::Agent::Assess::Policy::PropagationNode.new(REGEXP_EQUAL_SQUIGGLE_HASH)
+        REGEXP_EQUAL_SQUIGGLE_NODE ||= Contrast::Agent::Assess::Policy::PropagationNode.new(REGEXP_EQUAL_SQUIGGLE_HASH) # rubocop:disable Lint/OrAssignmentToConstant
         private_constant :REGEXP_EQUAL_SQUIGGLE_HASH
         private_constant :REGEXP_EQUAL_SQUIGGLE_NODE