contrast-agent 7.3.1 → 7.4.0

data/lib/contrast/components/sampling.rb

@@ -111,7 +111,6 @@ module Contrast
         include Contrast::Config::BaseConfiguration
 
         CANON_NAME = 'assess.sampling'
-        NAME_PREFIX = "#{ CONTRAST }.#{ CANON_NAME }".cs__freeze
         CONFIG_VALUES = %w[enable baseline request_frequency response_frequency window_ms].cs__freeze
 
         # @return [Boolean, nil]
@@ -145,19 +144,13 @@ module Contrast
         def to_effective_config effective_config
           confirm_sources
 
-          add_single_effective_value(effective_config, 'enable', sampling_control[:enabled], canon_name, NAME_PREFIX)
-          add_single_effective_value(effective_config, 'baseline', sampling_control[:baseline], canon_name, NAME_PREFIX)
-          add_single_effective_value(effective_config, 'window_ms', sampling_control[:window], canon_name, NAME_PREFIX)
+          add_single_effective_value(effective_config, 'enable', sampling_control[:enabled], canon_name)
+          add_single_effective_value(effective_config, 'baseline', sampling_control[:baseline], canon_name)
+          add_single_effective_value(effective_config, 'window_ms', sampling_control[:window], canon_name)
           add_single_effective_value(effective_config,
-                                     'request_frequency',
-                                     sampling_control[:request_frequency],
-                                     canon_name,
-                                     NAME_PREFIX)
+                                     'request_frequency', sampling_control[:request_frequency], canon_name)
           add_single_effective_value(effective_config,
-                                     'response_frequency',
-                                     sampling_control[:response_frequency],
-                                     canon_name,
-                                     NAME_PREFIX)
+                                     'response_frequency', sampling_control[:response_frequency], canon_name)
         end
 
         private

data/lib/contrast/components/security_logger.rb

@@ -10,6 +10,7 @@ module Contrast
       class Interface
         include Contrast::Components::ComponentBase
 
+        DEFAULT_CEF_NAME = 'security.log'
         CANON_NAME = 'agent.security_logger'
         CONFIG_VALUES = %w[path level].cs__freeze
 
@@ -30,6 +31,22 @@ module Contrast
           @path = hsh[:path]
           @level = hsh[:level]
         end
+
+        def to_effective_config effective_config
+          path_setting = nil
+          level_setting = nil
+
+          if defined?(Contrast::SETTINGS)
+            path_setting = Contrast::SETTINGS.agent_state.cef_logger_path
+            level_setting = Contrast::SETTINGS.agent_state.cef_logger_level
+          end
+
+          path_setting ||= DEFAULT_CEF_NAME
+          level_setting ||= Contrast::CONFIG.agent.logger.level
+
+          add_single_effective_value(effective_config, config_values[0], path || path_setting, CANON_NAME)
+          add_single_effective_value(effective_config, config_values[1], level || level_setting, CANON_NAME)
+        end
       end
     end
   end

data/lib/contrast/components/settings.rb

@@ -14,10 +14,12 @@ module Contrast
     # directives (likely provided by TeamServer) about product operation.
     # 'Settings' is not a generic term for 'configurable stuff'.
     module Settings
-      APPLICATION_STATE_BASE = Struct.new(:modes_by_id).new(Hash.new(:NO_ACTION))
-      PROTECT_STATE_BASE = Struct.new(:enabled, :rules).new(false, {})
-      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules, :session_id).new(false, nil,
-                                                                                                            [], nil) do
+      AGENT_STATE_BASE = Struct.new(:logger_path, :logger_level, :cef_logger_path, :cef_logger_level).
+          new(nil, nil, nil, nil)
+      APPLICATION_STATE_BASE = Struct.new(:modes_by_id).new({})
+      PROTECT_STATE_BASE = Struct.new(:enabled).new(false)
+      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules, :session_id).
+          new(false, nil, [], nil) do
         def sampling_settings= new_val
           @sampling_settings = new_val
           Contrast::Utils::Assess::SamplingUtil.instance.update
@@ -32,6 +34,13 @@ module Contrast
 
         # tainted_columns are database columns that receive unsanitized input.
         attr_reader :tainted_columns # This can probably go into assess_state?
+        # Agent state. Used for extracting Agent level settings.
+        #
+        # logger_path[String] Path to the log file.
+        # logger_level[String] Log level for the logger.
+        # cef_logger_path[String] Path to the log file.
+        # cef_logger_level[String] Log level for the logger.
+        attr_reader :agent_state
         # Current state for Assess.
         # enabled [Boolean] Indicate if the assess feature set is enabled for this server or not.
         #
@@ -87,26 +96,17 @@ module Contrast
         end
 
         # @param features_response [Contrast::Agent::Reporting::Response]
-        def update_from_server_features features_response # rubocop:disable Metrics/AbcSize
+        def update_from_server_features features_response
           return unless (server_features = features_response&.server_features)
 
-          log_file = server_features.log_file
-          log_level = server_features.log_level
-          # Update logger:
-          Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
-          # Update AgentLib Logger
-          update_agent_lib_log(log_level.to_s)
-          # Update CEFlogger:
-          unless server_features.security_logger.settings_blank?
-            cef_logger.build_logger(server_features.security_logger.log_level, server_features.security_logger.log_file)
-          end
+          update_loggers(server_features)
           # TODO: RUBY-99999 Update Bot-Blocker from server settings - check enable value.
           # For now all protection rules are rebuild on Application update. Bot blocker uses the default
           # enable from the base rule, and update it's mode on app settings update.
           # Here we receive also bots for that rule.
           unless settings_empty?(server_features.protect.enabled?)
             @protect_state.enabled = server_features.protect.enabled?
-            store_in_config(%i[protect enable], server_features.protect.enabled?)
+            update_config_from_settings(%i[protect enable], server_features.protect.enabled?)
           end
           update_assess_server_features(server_features.assess)
           @last_server_update_ms = Contrast::Utils::Timer.now_ms
@@ -118,6 +118,54 @@ module Contrast
           logger.warn('The following error occurred from server update: ', e: e)
         end
 
+        # Update Assess server features
+        #
+        # @param assess [Contrast::Agent::Reporting::Settings::AssessServerFeature]
+        def update_assess_server_features assess
+          return if settings_empty?(assess.enabled?)
+
+          @assess_state.enabled = assess.enabled?
+          update_config_from_settings(%i[assess enable], assess.enabled?)
+          @assess_state.sampling_settings = assess.sampling
+
+          samplings_path = Contrast::Components::Sampling::Interface::CANON_NAME.split('.').map(&:to_sym)
+          Contrast::Components::Sampling::Interface::CONFIG_VALUES.each do |field|
+            lookup_field = field == 'enable' ? :enabled : field.to_sym
+            update_config_from_settings(samplings_path + [field.to_sym], assess.sampling.send(lookup_field))
+          end
+        end
+
+        # Updates logging settings
+        # @param [Contrast::Agent::Reporting::Settings::ServerFeatures]
+        def update_loggers server_features
+          log_file = server_features.log_file
+          log_level = server_features.log_level
+          # Update logger:
+          Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
+          unless settings_empty?(log_file)
+            update_config_from_settings(%i[agent logger path], log_file)
+            @agent_state.logger_path = log_file
+          end
+          unless settings_empty?(log_level)
+            update_config_from_settings(%i[agent logger level], log_level)
+            @agent_state.logger_level = log_level
+          end
+          # Update AgentLib Logger
+          update_agent_lib_log(log_level.to_s)
+          # Update CEFlogger:
+          return if server_features.security_logger.settings_blank?
+
+          cef_logger.build_logger(server_features.security_logger.log_level, server_features.security_logger.log_file)
+          unless settings_empty?(log_file)
+            update_config_from_settings(%i[agent security_logger path], log_file)
+            @agent_state.cef_logger_level = log_file
+          end
+          return unless settings_empty?(log_level)
+
+          update_config_from_settings(%i[agent security_logger level], log_level)
+          @agent_state.cef_logger_level = log_level
+        end
+
         # Update AgentLib log level
         def update_agent_lib_log new_log_level
           agent_lib_log_level = Contrast::AgentLib::InterfaceBase::LOG_LEVEL[0] if new_log_level.empty?
@@ -135,42 +183,46 @@ module Contrast
           Contrast::AGENT_LIB.change_log_options(true, agent_lib_log_level)
         end
 
-        # Update Assess server features
-        #
-        # @param assess [Contrast::Agent::Reporting::Settings::AssessServerFeature]
-        def update_assess_server_features assess
-          return if settings_empty?(assess.enabled?)
-
-          @assess_state.enabled = assess.enabled?
-          store_in_config(%i[assess enable], assess.enabled?)
-          @assess_state.sampling_settings = assess.sampling
-
-          Contrast::Components::Sampling::Interface::CONFIG_VALUES.each do |field|
-            lookup_field = field == 'enable' ? :enabled : field.to_sym
-            store_in_config(Contrast::Components::Sampling::Interface::CANON_NAME.split('.') + [field.to_sym],
-                            assess.sampling.send(lookup_field))
-          end
-        end
-
         # @param settings_response [Contrast::Agent::Reporting::Response]
         def update_from_application_settings settings_response
           return unless (app_settings = settings_response&.application_settings)
 
-          @application_state.modes_by_id = app_settings.protect.protection_rules_to_settings_hash
-          update_exclusion_matchers(app_settings.exclusions)
-          app_settings.protect.virtual_patches = app_settings.protect.virtual_patches unless
-            settings_empty?(app_settings.protect.virtual_patches)
-          update_sensitive_data_policy(app_settings.sensitive_data_masking)
+          extract_protect_app_settings(app_settings)
+          update_matchers_and_sensitive_data(app_settings)
           @assess_state.disabled_assess_rules = app_settings.assess.disabled_rules
+          update_config_from_settings(%i[assess rules disabled_rules], app_settings.assess.disabled_rules)
           new_session_id = app_settings.assess.session_id
-          @assess_state.session_id = new_session_id if new_session_id && !new_session_id.blank?
+          unless settings_empty?(new_session_id)
+            @assess_state.session_id = new_session_id
+            # TODO: RUBY-99999 Update the default values and effective config update from TS.
+            # Using the session_id from the settings response to update the config.
+            # The Effective Config sources values are fetched from the
+            # Contrast::CONFIG.config.loaded_config. Some values are displayed from
+            # their components, however not updated here. Using this may cause some
+            # specs to fails check the update of all values from TS.
+            # Contrast::CONFIG.application.session_id = new_session_id
+            update_config_from_settings(%i[application session_id], new_session_id)
+          end
           @last_app_update_ms = Contrast::Utils::Timer.now_ms
           @app_settings_last_httpdate = header_application_last_update
         end
 
+        # @param app_settings [Contrast::Agent::Reporting::Settings::ApplicationSettings]
+        def update_matchers_and_sensitive_data app_settings
+          update_exclusion_matchers(app_settings.exclusions)
+          app_settings.protect.virtual_patches = app_settings.protect.virtual_patches unless
+            settings_empty?(app_settings.protect.virtual_patches)
+          update_sensitive_data_policy(app_settings.sensitive_data_masking)
+        end
+
         # Wipe state to zero.
-        def reset_state
-          @protect_state = PROTECT_STATE_BASE.dup
+        #
+        # @param purge [Boolean] If true, also purge the persistent states.
+        def reset_state purge: false
+          @agent_state = AGENT_STATE_BASE.dup
+          # Keep the protect state, since once set the rules depend ont it.
+          # The state will be update on first settings response from TS.
+          @protect_state = PROTECT_STATE_BASE.dup if purge || @protect_state.nil?
           update_assess_state
           @application_state = APPLICATION_STATE_BASE.dup
           @tainted_columns = {}
@@ -193,24 +245,6 @@ module Contrast
           @assess_state
         end
 
-        def build_protect_rules
-          @protect_state.rules = {}
-
-          # Rules. They add themselves on initialize.
-          Contrast::Agent::Protect::Rule::BotBlocker.new
-          cmdi = Contrast::Agent::Protect::Rule::CmdInjection.new
-          cmdi.sub_rules
-          Contrast::Agent::Protect::Rule::Deserialization.new
-          Contrast::Agent::Protect::Rule::NoSqli.new
-          path = Contrast::Agent::Protect::Rule::PathTraversal.new
-          path.sub_rules
-          sqli = Contrast::Agent::Protect::Rule::Sqli.new
-          sqli.sub_rules
-          Contrast::Agent::Protect::Rule::UnsafeFileUpload.new
-          Contrast::Agent::Protect::Rule::Xss.new
-          Contrast::Agent::Protect::Rule::Xxe.new
-        end
-
         # @param exclusions [Contrast::Agent::Reporting::Settings::Exclusions]
         def update_exclusion_matchers exclusions
           matchers = []
@@ -278,21 +312,31 @@ module Contrast
           Contrast::Agent.reporter.client.response_handler.last_application_modified
         end
 
+        # Extract the rules modes from protection_rules or rules_settings fields.
+        #
+        # @param app_settings [Contrast::Agent::Reporting::Settings::ApplicationSettings]
+        def extract_protect_app_settings app_settings
+          modes_by_id = app_settings.protect.protection_rules_to_settings_hash
+          modes_by_id = app_settings.protect.rules_settings_to_settings_hash if settings_empty?(modes_by_id)
+          # Preserve previous state if no new settings are extracted:
+          return if settings_empty?(modes_by_id)
+
+          @application_state.modes_by_id = modes_by_id
+        end
+
         # Update the stored config values to ensure that we know about the correct values,
         # and that the sources are correct for entries updated from the UI.
         #
-        # @param parts [Array] the path to the setting in config
+        # NOTE: For each passed component path here, there should br implemented a check for the value from
+        # Config and Settings. For example if enable from CONFIG is nil, check the SETTINGS.
+        # This will keep the value not empty and be reflected in effective config reporting.
+        #
+        # @param path [String] the canonical name for the config entry (such as api.proxy.enable)
         # @param value [String, Integer, Array, nil] the value for the configuration setting
-        def store_in_config parts, value
-          level = Contrast::CONFIG.config.loaded_config
-          parts[0...-1].each do |segment|
-            level[segment] ||= {}
-            level = level[segment]
-          end
-          return unless level.cs__is_a?(Hash)
-
-          level[parts[-1]] = value
-          Contrast::CONFIG.sources.set(parts.join('.'), Contrast::Components::Config::Sources::CONTRAST_UI)
+        def update_config_from_settings path, value
+          Contrast::Config::Diagnostics::Tools.update_config(path,
+                                                             value,
+                                                             Contrast::Components::Config::Sources::CONTRAST_UI)
         end
       end
     end

data/lib/contrast/config/certification_configuration.rb

@@ -40,7 +40,7 @@ module Contrast
       #
       # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
       def to_effective_config effective_config
-        add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, CONTRAST)
+        add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME)
       end
     end
   end

data/lib/contrast/config/configuration_files.rb

@@ -29,8 +29,6 @@ module Contrast
 
     # This class will hold all the info about the read file.
     class LocalSourceValue
-      YML_EXT = '.yml'
-      YAML_EXT = '.yaml'
       # @return [String]
       attr_reader :path
       # @return [Hash]

data/lib/contrast/config/diagnostics/config.rb

@@ -52,9 +52,9 @@ module Contrast
               effective_config: effective_config.to_controlled_hash,
               user_configuration_file: user_configuration_file.to_controlled_hash,
               environment_variable: Contrast::Config::Diagnostics::EnvironmentVariables.environment_settings(ENV).
-                  map(&:to_controlled_hash),
-              command_line: Contrast::Config::Diagnostics::CommandLine.command_line_settings.map(&:to_controlled_hash),
-              contrast_ui: Contrast::Config::Diagnostics::ContrastUI.contrast_ui_settings.map(&:to_controlled_hash)
+                  map(&:to_source_hash),
+              command_line: Contrast::Config::Diagnostics::CommandLine.command_line_settings.map(&:to_source_hash),
+              contrast_ui: Contrast::Config::Diagnostics::ContrastUI.contrast_ui_settings.map(&:to_source_hash)
           }.compact
         end
       end

data/lib/contrast/config/diagnostics/effective_config.rb

@@ -20,7 +20,7 @@ module Contrast
         end
 
         def to_controlled_hash
-          { values: @values&.map(&:to_controlled_hash) }
+          @values&.map(&:to_controlled_hash)
         end
       end
     end

data/lib/contrast/config/diagnostics/environment_variables.rb

@@ -14,36 +14,46 @@ module Contrast
           NON_COMMON_ENV = %w[
             CONTRAST_CONFIG_PATH CONTRAST_AGENT_TELEMETRY_OPTOUT CONTRAST_AGENT_TELEMETRY_TEST
           ].cs__freeze
+          MASKED_ENV = %w[CONTRAST__API__API_KEY CONTRAST__API__SERVICE_KEY].cs__freeze
 
           # This method will fill the canonical name for each env var and will check for any uncommon ones.
           #
           # @param env [Hash]
           # @return [Array] array of all the values needed to be written.
-          def environment_settings env
+          def environment_settings env # rubocop:disable Metrics/MethodLength
             env_hash = env.select do |e|
               e.to_s.start_with?(Contrast::Configuration::CONTRAST_ENV_MARKER) || NON_COMMON_ENV.include?(e.to_s)
             end
             environment_settings = []
-            env_hash.each do |key, value|
+            env_hash.each do |key, value| # rubocop:disable Metrics/BlockLength
               efc_value = Contrast::Config::Diagnostics::EffectiveConfigValue.new.tap do |effective_value|
                 next unless value
 
                 effective_value.canonical_name = if NON_COMMON_ENV.include?(key)
                                                    key.gsub(Contrast::Utils::ObjectShare::UNDERSCORE,
-                                                            Contrast::Utils::ObjectShare::PERIOD).downcase
+                                                            Contrast::Utils::ObjectShare::PERIOD).downcase.
+                                                       gsub(Contrast::Utils::ObjectShare::CONTRAST_DOT,
+                                                            Contrast::Utils::ObjectShare::EMPTY_STRING)
                                                  else
                                                    key.gsub(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE,
-                                                            Contrast::Utils::ObjectShare::PERIOD).downcase
+                                                            Contrast::Utils::ObjectShare::PERIOD).downcase.
+                                                       gsub(Contrast::Utils::ObjectShare::CONTRAST_DOT,
+                                                            Contrast::Utils::ObjectShare::EMPTY_STRING)
                                                  end
-                if effective_value.canonical_name
-                  effective_value.key =
-                    effective_value.canonical_name.gsub(Contrast::Utils::ObjectShare::CONTRAST_DOT,
-                                                        Contrast::Utils::ObjectShare::EMPTY_STRING)
-                end
-                effective_value.value = Contrast::Config::Diagnostics::Tools.value_to_s(value)
+                effective_value.value = if MASKED_ENV.include?(key)
+                                          Contrast::Configuration::EFFECTIVE_REDACTED
+                                        else
+                                          Contrast::Config::Diagnostics::Tools.value_to_s(value)
+                                        end
                 effective_value.key = key
               end
-              environment_settings << efc_value if efc_value
+              next unless efc_value
+
+              environment_settings << efc_value
+              Contrast::Config::Diagnostics::Tools.
+                  update_config(efc_value.key,
+                                efc_value.value,
+                                Contrast::Components::Config::Sources::ENVIRONMENT_VARIABLE)
             end
             environment_settings
           end

data/lib/contrast/config/diagnostics/monitor.rb

@@ -102,7 +102,7 @@ module Contrast
           extract_settings
           File.open(File.join(dir_name, FILE_NAME), WRITE) do |file|
             file.truncate(0)
-            file.write(JSON.pretty_generate(to_controlled_hash, { space: Contrast::Utils::ObjectShare::EMPTY_STRING }))
+            file.write(JSON.pretty_generate(to_controlled_hash, { space: Contrast::Utils::ObjectShare::SPACE }))
             status = true if file
             file.close
           end

data/lib/contrast/config/diagnostics/singleton_tools.rb

@@ -0,0 +1,170 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Config
+    module Diagnostics
+      # Tools to help with the config diagnostics, called directly from the module.
+      module SingletonTools
+        API_CREDENTIALS = %w[api_key service_key].cs__freeze
+        CONTRAST_MARK = 'CONTRAST_'
+
+        # Creates new config instances for each read config entry from the flat generated configs.
+        #
+        # @param flats [Array] of flatten configs produced by #flatten_settings
+        # @param source [Boolean] flag to set the desired value class, it may be a effective or source value.
+        # @param cli [Boolean] flag to check if the value comes from cli.
+        # @return [Array<Contrast::Config::Diagnostics::SourceConfigValue>]
+        def to_config_values flats, source: false, cli: false
+          config_value_klass = if source
+                                 Contrast::Config::Diagnostics::SourceConfigValue
+                               else
+                                 Contrast::Config::Diagnostics::EffectiveConfigValue
+                               end
+          settings = []
+          flats.each do |entry|
+            entry.each do |key, value|
+              efc_value = config_value_klass.new.tap do |config_value|
+                config_value.canonical_name = key
+                if cli && key.to_s.include?(CONTRAST_MARK)
+                  config_value.canonical_name = key.gsub(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE,
+                                                         Contrast::Utils::ObjectShare::PERIOD).downcase
+                end
+                config_value.key = key
+                config_value.value = if API_CREDENTIALS.include?(key.to_s)
+                                       Contrast::Configuration::EFFECTIVE_REDACTED
+                                     else
+                                       value_to_s(value)
+                                     end
+              end
+              next unless efc_value
+
+              settings << efc_value
+            end
+          end
+          settings
+        end
+
+        # Flattens out the read settings from file, env or contrast ui.
+        # example: {"agent.polling.server_settings_ms"=>"50000"}
+        #
+        # If cli is set we avoid adding the path and additional '.' to the key.
+        #
+        #  @param data [Hash, nil]
+        #  @param path  [String] where to look for settings.
+        #  @param config [Hash] symbolized config to fetch keys from.
+        #  @param cli [Boolean] does the config come from cli.
+        def flatten_settings data, path = [], config: Contrast::CONFIG.config.loaded_config, cli: false
+          return [] unless data
+
+          data.each_with_object([]) do |(k, v), entries|
+            if v.cs__is_a?(Hash)
+              entries.concat(flatten_settings(v, path.dup.append(k.to_sym)))
+            else
+              if API_CREDENTIALS.include?(k.to_s)
+                entries << { k.to_s => Contrast::Configuration::EFFECTIVE_REDACTED } if cli
+                entries << { "#{ path.join('.') }.#{ k }" => Contrast::Configuration::EFFECTIVE_REDACTED } unless cli
+                next
+              end
+              entries << { k.to_s => value_to_s(config.dig(*path, k)) } if cli
+              entries << { "#{ path.join('.') }.#{ k }" => value_to_s(config.dig(*path, k)) } unless cli
+            end
+          end.flatten # rubocop:disable Style/MethodCalledOnDoEndBlock
+        end
+
+        # Update the stored config values to ensure that we know about the correct values,
+        # and that the sources are correct for entries updated from the UI.
+        #
+        # @param parts [Array<Symbols>, String] the path to the setting in config
+        #   Accepts Array: [:agent :enable] or String: 'agent.enable'
+        # @param value [String, Integer, Array, nil] the value for the configuration setting
+        # @param source_type [String] the source of the configuration setting
+        def update_config parts, value, source_type
+          parts_array, string = handle_parts_array(parts)
+          path = string ? parts : parts_array.join('.')
+          return unless parts_array
+
+          # Check to see whether the source has been overridden by local settings,
+          # Before updating from Contrast UI.
+          if source_type == Contrast::Components::Config::Sources::CONTRAST_UI &&
+                Contrast::CONFIG.sources.source_overridden?(path)
+
+            return
+          end
+
+          level = Contrast::CONFIG.config.loaded_config
+          parts_array[0...-1]&.each do |segment|
+            level[segment] ||= {}
+            level = level[segment]
+          end
+          return unless level.cs__is_a?(Hash)
+
+          level[parts_array[-1]] = value
+          Contrast::CONFIG.sources.set(path, source_type)
+        end
+
+        # Recursively converts each value to string.
+        #
+        # @param value [Hash, nil]
+        def value_to_s value
+          case value
+          when String
+            if Contrast::Utils::DuckUtils.empty_duck?(value)
+              Contrast::Config::Diagnostics::SourceConfigValue::NULL
+            else
+              value
+            end
+          when Array
+            handle_array_to_s(value)
+          when Hash
+            handle_hash_to_s(value)
+          when TrueClass, FalseClass, Symbol, Integer
+            value.to_s
+          else
+            Contrast::Config::Diagnostics::SourceConfigValue::NULL
+          end
+        end
+
+        private
+
+        # Checks the type of path and converts it to array.
+        # If the path is string it splits it by '.' and converts each element to symbol.
+        #
+        # @param parts [Array<Symbols>, String] the path to the setting in config
+        # @return [Array<Symbols>, String]
+        def handle_parts_array parts
+          string = false
+          arr = if parts.cs__is_a?(String)
+                  string = true
+                  parts.split('.')&.map&.each(&:to_sym)
+                else
+                  parts
+                end
+          [arr, string]
+        end
+
+        # @param hash [Hash]
+        # @return [Hash]
+        def handle_hash_to_s hash
+          hash&.each_with_object({}) do |(k, v), m| # rubocop:disable Style/HashTransformValues
+            m[k] = if v.cs__is_a?(Hash)
+                     value_to_s(v)
+                   elsif v.cs__is_a?(Array)
+                     v.map(&:to_s)
+                   else
+                     v.to_s
+                   end
+          end
+        end
+
+        # @param array [Array]
+        # @return [String]
+        def handle_array_to_s array
+          return Contrast::Config::Diagnostics::SourceConfigValue::NULL if Contrast::Utils::DuckUtils.empty_duck?(array)
+
+          array.join(',')
+        end
+      end
+    end
+  end
+end

data/lib/contrast/config/diagnostics/source_config_value.rb

@@ -1,11 +1,16 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
+
 module Contrast
   module Config
     module Diagnostics
       # All config values from all sources, stored in a easy to write representation.
       class SourceConfigValue
+        NULL = 'null'
+
         # @return [String] Name of the config starting form root of yaml config.
         attr_accessor :canonical_name
         # @return [String] Name of the config.
@@ -20,23 +25,23 @@ module Contrast
         def to_controlled_hash
           {
               canonical_name: canonical_name,
-              name: key,
-              value: value.cs__is_a?(Array) ? value.map(&:to_s) : value.to_s,
-              source: source,
-              filename: filename
-          }.compact
+              name: key || Contrast::Utils::ObjectShare::EMPTY_STRING,
+              value: Contrast::Config::Diagnostics::Tools.value_to_s(value),
+              source: source || Contrast::Utils::ObjectShare::EMPTY_STRING,
+              filename: filename || Contrast::Utils::ObjectShare::EMPTY_STRING
+          }
         end
 
         def to_source_hash
           {
               canonical_name: canonical_name,
-              name: key,
-              value: value.cs__is_a?(Array) ? value.map(&:to_s) : value.to_s
-          }.compact
+              name: key || Contrast::Utils::ObjectShare::EMPTY_STRING,
+              value: Contrast::Config::Diagnostics::Tools.value_to_s(value)
+          }
         end
 
         # Assigns file name of the config iv viable, Currently supported formats for config file are *.yaml
-        # and *.yml
+        # and *.yml. For the config loaded from file the filename is kept as source.
         #
         # @param source [String] name of the source file yaml | yml
         # @return [Array<String>, nil]