contrast-agent 7.3.2 → 7.4.0

data/lib/contrast/components/protect.rb

@@ -4,6 +4,8 @@
 require 'contrast/components/base'
 require 'contrast/config/exception_configuration'
 require 'contrast/config/protect_rule_configuration'
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/state'
 
 module Contrast
   module Components
@@ -68,7 +70,7 @@ module Contrast
           return false if forcibly_disabled?
           return true  if forcibly_enabled?
 
-          ::Contrast::SETTINGS.protect_state.enabled == true
+          state.enabled?
         end
 
         # Check to determine if the base64 decoding is required for user inputs.
@@ -85,12 +87,19 @@ module Contrast
           ::Contrast::CONFIG.protect.rules
         end
 
+        # Current Active Protect rules and the state/mode they are in.
+        #
+        # @return [Contrast::Agent::Protect::State]
+        def state
+          @_state ||= Contrast::Agent::Protect::State.new
+        end
+
         # Returns Protect array of all initialized
         # protect rules.
         #
         # @return defend_rules[Hash<Contrast::SETTINGS.protect_state.rules>]
         def defend_rules
-          ::Contrast::SETTINGS.protect_state.rules
+          state.rules
         end
 
         # The Contrast::CONFIG.protect.rules is object so we need to check it's
@@ -102,16 +111,27 @@ module Contrast
         # @return mode [Symbol]
         def rule_mode rule_id
           str = rule_id.tr('-', '_')
-          ::Contrast::CONFIG.protect.rules[str]&.applicable_mode ||
-              ::Contrast::SETTINGS.application_state.modes_by_id[rule_id] ||
-              :NO_ACTION
+          config_mode = Contrast::CONFIG.protect.rules[str]&.applicable_mode
+          settings_mode = ::Contrast::SETTINGS.application_state.modes_by_id[rule_id]
+
+          if config_mode
+            update_config_for_rule(rule_id, config_mode)
+            return config_mode
+          end
+
+          if settings_mode
+            update_config_for_rule(rule_id, settings_mode, ui_source: true)
+            return settings_mode
+          end
+          :NO_ACTION
         end
 
         # Name of the protect rule
         #
-        # @return [String]
+        # @param name [String]
+        # @return [Contrast::Agent::Protect::Rule::Base]
         def rule name
-          ::Contrast::SETTINGS.protect_state.rules[name]
+          state.rules[name]
         end
 
         def report_any_command_execution?
@@ -124,7 +144,8 @@ module Contrast
 
         def report_custom_code_sysfile_access?
           if @_report_custom_code_sysfile_access.nil?
-            name_changed = Contrast::Agent::Protect::Rule::PathTraversal::NAME.tr('-', '_')
+            name_changed = Contrast::Agent::Protect::Rule::PathTraversal::NAME.
+                tr(Contrast::Utils::ObjectShare::DASH, Contrast::Utils::ObjectShare::UNDERSCORE)
             ctrl = rule_config[name_changed]
             @_report_custom_code_sysfile_access = ctrl && true?(ctrl.detect_custom_code_accessing_system_files)
           end
@@ -150,16 +171,15 @@ module Contrast
 
         # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
         def protect_rules_to_effective_config effective_config
-          return unless defend_rules
-
-          defend_rules.each do |key, value|
+          state.rules.each do |key, value|
             next unless key && value
 
             config_prefix = "#{ CANON_NAME }.#{ RULES }.#{ key }"
-            name_prefix = "#{ CONTRAST }.#{ CANON_NAME }.#{ RULES }.#{ key }"
-            add_single_effective_value(effective_config, ENABLE, value.enabled?, config_prefix, name_prefix)
+            add_single_effective_value(effective_config, ENABLE, value.enabled?, config_prefix)
             # Get the mode by checking Current Configs or Settings received:
-            add_single_effective_value(effective_config, MODE, rule_mode(key), config_prefix, name_prefix)
+            mode = rule_mode(key)
+            mode = :OFF if mode == :NO_ACTION
+            add_single_effective_value(effective_config, MODE, mode, config_prefix)
           end
         end
 
@@ -181,6 +201,27 @@ module Contrast
         def report_custom_code_sysfile_access
           report_custom_code_sysfile_access?
         end
+
+        # @param rule_id [String] the canonical name for a config entry (such as api.proxy.enable).
+        # @param mode [Symbol] to set the value of the config entry.
+        # @param ui_source [Boolean] whether to se the source as contrast ui or not.
+        def update_config_for_rule rule_id, mode, ui_source: false
+          str = rule_id.tr('-', '_').to_sym
+          config = Contrast::CONFIG.config.loaded_config
+          return unless config
+
+          config[:protect] ||= {}
+          config[:protect][:rules] ||= {}
+          config[:protect][:rules][str] ||= {}
+          config[:protect][:rules][str][:mode] = mode
+          config[:protect][:rules][str][:enable] = (mode != :NO_ACTION)
+          return unless ui_source
+
+          Contrast::CONFIG.sources.set("#{ CANON_NAME }.#{ RULES }.#{ str }.mode",
+                                       Contrast::Components::Config::Sources::CONTRAST_UI)
+          Contrast::CONFIG.sources.set("#{ CANON_NAME }.#{ RULES }.#{ str }.enable",
+                                       Contrast::Components::Config::Sources::CONTRAST_UI)
+        end
       end
     end
   end

data/lib/contrast/components/sampling.rb

@@ -111,7 +111,6 @@ module Contrast
         include Contrast::Config::BaseConfiguration
 
         CANON_NAME = 'assess.sampling'
-        NAME_PREFIX = "#{ CONTRAST }.#{ CANON_NAME }".cs__freeze
         CONFIG_VALUES = %w[enable baseline request_frequency response_frequency window_ms].cs__freeze
 
         # @return [Boolean, nil]
@@ -145,19 +144,13 @@ module Contrast
         def to_effective_config effective_config
           confirm_sources
 
-          add_single_effective_value(effective_config, 'enable', sampling_control[:enabled], canon_name, NAME_PREFIX)
-          add_single_effective_value(effective_config, 'baseline', sampling_control[:baseline], canon_name, NAME_PREFIX)
-          add_single_effective_value(effective_config, 'window_ms', sampling_control[:window], canon_name, NAME_PREFIX)
+          add_single_effective_value(effective_config, 'enable', sampling_control[:enabled], canon_name)
+          add_single_effective_value(effective_config, 'baseline', sampling_control[:baseline], canon_name)
+          add_single_effective_value(effective_config, 'window_ms', sampling_control[:window], canon_name)
           add_single_effective_value(effective_config,
-                                     'request_frequency',
-                                     sampling_control[:request_frequency],
-                                     canon_name,
-                                     NAME_PREFIX)
+                                     'request_frequency', sampling_control[:request_frequency], canon_name)
           add_single_effective_value(effective_config,
-                                     'response_frequency',
-                                     sampling_control[:response_frequency],
-                                     canon_name,
-                                     NAME_PREFIX)
+                                     'response_frequency', sampling_control[:response_frequency], canon_name)
         end
 
         private

data/lib/contrast/components/security_logger.rb

@@ -10,6 +10,7 @@ module Contrast
       class Interface
         include Contrast::Components::ComponentBase
 
+        DEFAULT_CEF_NAME = 'security.log'
         CANON_NAME = 'agent.security_logger'
         CONFIG_VALUES = %w[path level].cs__freeze
 
@@ -30,6 +31,22 @@ module Contrast
           @path = hsh[:path]
           @level = hsh[:level]
         end
+
+        def to_effective_config effective_config
+          path_setting = nil
+          level_setting = nil
+
+          if defined?(Contrast::SETTINGS)
+            path_setting = Contrast::SETTINGS.agent_state.cef_logger_path
+            level_setting = Contrast::SETTINGS.agent_state.cef_logger_level
+          end
+
+          path_setting ||= DEFAULT_CEF_NAME
+          level_setting ||= Contrast::CONFIG.agent.logger.level
+
+          add_single_effective_value(effective_config, config_values[0], path || path_setting, CANON_NAME)
+          add_single_effective_value(effective_config, config_values[1], level || level_setting, CANON_NAME)
+        end
       end
     end
   end

data/lib/contrast/components/settings.rb

@@ -14,10 +14,12 @@ module Contrast
     # directives (likely provided by TeamServer) about product operation.
     # 'Settings' is not a generic term for 'configurable stuff'.
     module Settings
-      APPLICATION_STATE_BASE = Struct.new(:modes_by_id).new(Hash.new(:NO_ACTION))
-      PROTECT_STATE_BASE = Struct.new(:enabled, :rules).new(false, {})
-      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules, :session_id).new(false, nil,
-                                                                                                            [], nil) do
+      AGENT_STATE_BASE = Struct.new(:logger_path, :logger_level, :cef_logger_path, :cef_logger_level).
+          new(nil, nil, nil, nil)
+      APPLICATION_STATE_BASE = Struct.new(:modes_by_id).new({})
+      PROTECT_STATE_BASE = Struct.new(:enabled).new(false)
+      ASSESS_STATE_BASE = Struct.new(:enabled, :sampling_settings, :disabled_assess_rules, :session_id).
+          new(false, nil, [], nil) do
         def sampling_settings= new_val
           @sampling_settings = new_val
           Contrast::Utils::Assess::SamplingUtil.instance.update
@@ -32,6 +34,13 @@ module Contrast
 
         # tainted_columns are database columns that receive unsanitized input.
         attr_reader :tainted_columns # This can probably go into assess_state?
+        # Agent state. Used for extracting Agent level settings.
+        #
+        # logger_path[String] Path to the log file.
+        # logger_level[String] Log level for the logger.
+        # cef_logger_path[String] Path to the log file.
+        # cef_logger_level[String] Log level for the logger.
+        attr_reader :agent_state
         # Current state for Assess.
         # enabled [Boolean] Indicate if the assess feature set is enabled for this server or not.
         #
@@ -87,26 +96,17 @@ module Contrast
         end
 
         # @param features_response [Contrast::Agent::Reporting::Response]
-        def update_from_server_features features_response # rubocop:disable Metrics/AbcSize
+        def update_from_server_features features_response
           return unless (server_features = features_response&.server_features)
 
-          log_file = server_features.log_file
-          log_level = server_features.log_level
-          # Update logger:
-          Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
-          # Update AgentLib Logger
-          update_agent_lib_log(log_level.to_s)
-          # Update CEFlogger:
-          unless server_features.security_logger.settings_blank?
-            cef_logger.build_logger(server_features.security_logger.log_level, server_features.security_logger.log_file)
-          end
+          update_loggers(server_features)
           # TODO: RUBY-99999 Update Bot-Blocker from server settings - check enable value.
           # For now all protection rules are rebuild on Application update. Bot blocker uses the default
           # enable from the base rule, and update it's mode on app settings update.
           # Here we receive also bots for that rule.
           unless settings_empty?(server_features.protect.enabled?)
             @protect_state.enabled = server_features.protect.enabled?
-            store_in_config(%i[protect enable], server_features.protect.enabled?)
+            update_config_from_settings(%i[protect enable], server_features.protect.enabled?)
           end
           update_assess_server_features(server_features.assess)
           @last_server_update_ms = Contrast::Utils::Timer.now_ms
@@ -118,6 +118,54 @@ module Contrast
           logger.warn('The following error occurred from server update: ', e: e)
         end
 
+        # Update Assess server features
+        #
+        # @param assess [Contrast::Agent::Reporting::Settings::AssessServerFeature]
+        def update_assess_server_features assess
+          return if settings_empty?(assess.enabled?)
+
+          @assess_state.enabled = assess.enabled?
+          update_config_from_settings(%i[assess enable], assess.enabled?)
+          @assess_state.sampling_settings = assess.sampling
+
+          samplings_path = Contrast::Components::Sampling::Interface::CANON_NAME.split('.').map(&:to_sym)
+          Contrast::Components::Sampling::Interface::CONFIG_VALUES.each do |field|
+            lookup_field = field == 'enable' ? :enabled : field.to_sym
+            update_config_from_settings(samplings_path + [field.to_sym], assess.sampling.send(lookup_field))
+          end
+        end
+
+        # Updates logging settings
+        # @param [Contrast::Agent::Reporting::Settings::ServerFeatures]
+        def update_loggers server_features
+          log_file = server_features.log_file
+          log_level = server_features.log_level
+          # Update logger:
+          Contrast::Logger::Log.instance.update(log_file, log_level) if log_file || log_level
+          unless settings_empty?(log_file)
+            update_config_from_settings(%i[agent logger path], log_file)
+            @agent_state.logger_path = log_file
+          end
+          unless settings_empty?(log_level)
+            update_config_from_settings(%i[agent logger level], log_level)
+            @agent_state.logger_level = log_level
+          end
+          # Update AgentLib Logger
+          update_agent_lib_log(log_level.to_s)
+          # Update CEFlogger:
+          return if server_features.security_logger.settings_blank?
+
+          cef_logger.build_logger(server_features.security_logger.log_level, server_features.security_logger.log_file)
+          unless settings_empty?(log_file)
+            update_config_from_settings(%i[agent security_logger path], log_file)
+            @agent_state.cef_logger_level = log_file
+          end
+          return unless settings_empty?(log_level)
+
+          update_config_from_settings(%i[agent security_logger level], log_level)
+          @agent_state.cef_logger_level = log_level
+        end
+
         # Update AgentLib log level
         def update_agent_lib_log new_log_level
           agent_lib_log_level = Contrast::AgentLib::InterfaceBase::LOG_LEVEL[0] if new_log_level.empty?
@@ -135,42 +183,46 @@ module Contrast
           Contrast::AGENT_LIB.change_log_options(true, agent_lib_log_level)
         end
 
-        # Update Assess server features
-        #
-        # @param assess [Contrast::Agent::Reporting::Settings::AssessServerFeature]
-        def update_assess_server_features assess
-          return if settings_empty?(assess.enabled?)
-
-          @assess_state.enabled = assess.enabled?
-          store_in_config(%i[assess enable], assess.enabled?)
-          @assess_state.sampling_settings = assess.sampling
-
-          Contrast::Components::Sampling::Interface::CONFIG_VALUES.each do |field|
-            lookup_field = field == 'enable' ? :enabled : field.to_sym
-            store_in_config(Contrast::Components::Sampling::Interface::CANON_NAME.split('.') + [field.to_sym],
-                            assess.sampling.send(lookup_field))
-          end
-        end
-
         # @param settings_response [Contrast::Agent::Reporting::Response]
         def update_from_application_settings settings_response
           return unless (app_settings = settings_response&.application_settings)
 
           extract_protect_app_settings(app_settings)
-          update_exclusion_matchers(app_settings.exclusions)
-          app_settings.protect.virtual_patches = app_settings.protect.virtual_patches unless
-            settings_empty?(app_settings.protect.virtual_patches)
-          update_sensitive_data_policy(app_settings.sensitive_data_masking)
+          update_matchers_and_sensitive_data(app_settings)
           @assess_state.disabled_assess_rules = app_settings.assess.disabled_rules
+          update_config_from_settings(%i[assess rules disabled_rules], app_settings.assess.disabled_rules)
           new_session_id = app_settings.assess.session_id
-          @assess_state.session_id = new_session_id if new_session_id && !new_session_id.blank?
+          unless settings_empty?(new_session_id)
+            @assess_state.session_id = new_session_id
+            # TODO: RUBY-99999 Update the default values and effective config update from TS.
+            # Using the session_id from the settings response to update the config.
+            # The Effective Config sources values are fetched from the
+            # Contrast::CONFIG.config.loaded_config. Some values are displayed from
+            # their components, however not updated here. Using this may cause some
+            # specs to fails check the update of all values from TS.
+            # Contrast::CONFIG.application.session_id = new_session_id
+            update_config_from_settings(%i[application session_id], new_session_id)
+          end
           @last_app_update_ms = Contrast::Utils::Timer.now_ms
           @app_settings_last_httpdate = header_application_last_update
         end
 
+        # @param app_settings [Contrast::Agent::Reporting::Settings::ApplicationSettings]
+        def update_matchers_and_sensitive_data app_settings
+          update_exclusion_matchers(app_settings.exclusions)
+          app_settings.protect.virtual_patches = app_settings.protect.virtual_patches unless
+            settings_empty?(app_settings.protect.virtual_patches)
+          update_sensitive_data_policy(app_settings.sensitive_data_masking)
+        end
+
         # Wipe state to zero.
-        def reset_state
-          @protect_state = PROTECT_STATE_BASE.dup
+        #
+        # @param purge [Boolean] If true, also purge the persistent states.
+        def reset_state purge: false
+          @agent_state = AGENT_STATE_BASE.dup
+          # Keep the protect state, since once set the rules depend ont it.
+          # The state will be update on first settings response from TS.
+          @protect_state = PROTECT_STATE_BASE.dup if purge || @protect_state.nil?
           update_assess_state
           @application_state = APPLICATION_STATE_BASE.dup
           @tainted_columns = {}
@@ -193,24 +245,6 @@ module Contrast
           @assess_state
         end
 
-        def build_protect_rules
-          @protect_state.rules = {}
-
-          # Rules. They add themselves on initialize.
-          Contrast::Agent::Protect::Rule::BotBlocker.new
-          cmdi = Contrast::Agent::Protect::Rule::CmdInjection.new
-          cmdi.sub_rules
-          Contrast::Agent::Protect::Rule::Deserialization.new
-          Contrast::Agent::Protect::Rule::NoSqli.new
-          path = Contrast::Agent::Protect::Rule::PathTraversal.new
-          path.sub_rules
-          sqli = Contrast::Agent::Protect::Rule::Sqli.new
-          sqli.sub_rules
-          Contrast::Agent::Protect::Rule::UnsafeFileUpload.new
-          Contrast::Agent::Protect::Rule::Xss.new
-          Contrast::Agent::Protect::Rule::Xxe.new
-        end
-
         # @param exclusions [Contrast::Agent::Reporting::Settings::Exclusions]
         def update_exclusion_matchers exclusions
           matchers = []
@@ -278,23 +312,6 @@ module Contrast
           Contrast::Agent.reporter.client.response_handler.last_application_modified
         end
 
-        # Update the stored config values to ensure that we know about the correct values,
-        # and that the sources are correct for entries updated from the UI.
-        #
-        # @param parts [Array] the path to the setting in config
-        # @param value [String, Integer, Array, nil] the value for the configuration setting
-        def store_in_config parts, value
-          level = Contrast::CONFIG.config.loaded_config
-          parts[0...-1].each do |segment|
-            level[segment] ||= {}
-            level = level[segment]
-          end
-          return unless level.cs__is_a?(Hash)
-
-          level[parts[-1]] = value
-          Contrast::CONFIG.sources.set(parts.join('.'), Contrast::Components::Config::Sources::CONTRAST_UI)
-        end
-
         # Extract the rules modes from protection_rules or rules_settings fields.
         #
         # @param app_settings [Contrast::Agent::Reporting::Settings::ApplicationSettings]
@@ -302,7 +319,24 @@ module Contrast
           modes_by_id = app_settings.protect.protection_rules_to_settings_hash
           modes_by_id = app_settings.protect.rules_settings_to_settings_hash if settings_empty?(modes_by_id)
           # Preserve previous state if no new settings are extracted:
-          @application_state.modes_by_id = modes_by_id unless settings_empty?(modes_by_id)
+          return if settings_empty?(modes_by_id)
+
+          @application_state.modes_by_id = modes_by_id
+        end
+
+        # Update the stored config values to ensure that we know about the correct values,
+        # and that the sources are correct for entries updated from the UI.
+        #
+        # NOTE: For each passed component path here, there should br implemented a check for the value from
+        # Config and Settings. For example if enable from CONFIG is nil, check the SETTINGS.
+        # This will keep the value not empty and be reflected in effective config reporting.
+        #
+        # @param path [String] the canonical name for the config entry (such as api.proxy.enable)
+        # @param value [String, Integer, Array, nil] the value for the configuration setting
+        def update_config_from_settings path, value
+          Contrast::Config::Diagnostics::Tools.update_config(path,
+                                                             value,
+                                                             Contrast::Components::Config::Sources::CONTRAST_UI)
         end
       end
     end

data/lib/contrast/config/certification_configuration.rb

@@ -40,7 +40,7 @@ module Contrast
       #
       # @param effective_config [Contrast::Config::Diagnostics::EffectiveConfig]
       def to_effective_config effective_config
-        add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME, CONTRAST)
+        add_effective_config_values(effective_config, CONFIG_VALUES, CANON_NAME)
       end
     end
   end

data/lib/contrast/config/configuration_files.rb

@@ -29,8 +29,6 @@ module Contrast
 
     # This class will hold all the info about the read file.
     class LocalSourceValue
-      YML_EXT = '.yml'
-      YAML_EXT = '.yaml'
       # @return [String]
       attr_reader :path
       # @return [Hash]

data/lib/contrast/config/diagnostics/config.rb

@@ -52,9 +52,9 @@ module Contrast
               effective_config: effective_config.to_controlled_hash,
               user_configuration_file: user_configuration_file.to_controlled_hash,
               environment_variable: Contrast::Config::Diagnostics::EnvironmentVariables.environment_settings(ENV).
-                  map(&:to_controlled_hash),
-              command_line: Contrast::Config::Diagnostics::CommandLine.command_line_settings.map(&:to_controlled_hash),
-              contrast_ui: Contrast::Config::Diagnostics::ContrastUI.contrast_ui_settings.map(&:to_controlled_hash)
+                  map(&:to_source_hash),
+              command_line: Contrast::Config::Diagnostics::CommandLine.command_line_settings.map(&:to_source_hash),
+              contrast_ui: Contrast::Config::Diagnostics::ContrastUI.contrast_ui_settings.map(&:to_source_hash)
           }.compact
         end
       end

data/lib/contrast/config/diagnostics/effective_config.rb

@@ -20,7 +20,7 @@ module Contrast
         end
 
         def to_controlled_hash
-          { values: @values&.map(&:to_controlled_hash) }
+          @values&.map(&:to_controlled_hash)
         end
       end
     end

data/lib/contrast/config/diagnostics/environment_variables.rb

@@ -14,36 +14,46 @@ module Contrast
           NON_COMMON_ENV = %w[
             CONTRAST_CONFIG_PATH CONTRAST_AGENT_TELEMETRY_OPTOUT CONTRAST_AGENT_TELEMETRY_TEST
           ].cs__freeze
+          MASKED_ENV = %w[CONTRAST__API__API_KEY CONTRAST__API__SERVICE_KEY].cs__freeze
 
           # This method will fill the canonical name for each env var and will check for any uncommon ones.
           #
           # @param env [Hash]
           # @return [Array] array of all the values needed to be written.
-          def environment_settings env
+          def environment_settings env # rubocop:disable Metrics/MethodLength
             env_hash = env.select do |e|
               e.to_s.start_with?(Contrast::Configuration::CONTRAST_ENV_MARKER) || NON_COMMON_ENV.include?(e.to_s)
             end
             environment_settings = []
-            env_hash.each do |key, value|
+            env_hash.each do |key, value| # rubocop:disable Metrics/BlockLength
               efc_value = Contrast::Config::Diagnostics::EffectiveConfigValue.new.tap do |effective_value|
                 next unless value
 
                 effective_value.canonical_name = if NON_COMMON_ENV.include?(key)
                                                    key.gsub(Contrast::Utils::ObjectShare::UNDERSCORE,
-                                                            Contrast::Utils::ObjectShare::PERIOD).downcase
+                                                            Contrast::Utils::ObjectShare::PERIOD).downcase.
+                                                       gsub(Contrast::Utils::ObjectShare::CONTRAST_DOT,
+                                                            Contrast::Utils::ObjectShare::EMPTY_STRING)
                                                  else
                                                    key.gsub(Contrast::Utils::ObjectShare::DOUBLE_UNDERSCORE,
-                                                            Contrast::Utils::ObjectShare::PERIOD).downcase
+                                                            Contrast::Utils::ObjectShare::PERIOD).downcase.
+                                                       gsub(Contrast::Utils::ObjectShare::CONTRAST_DOT,
+                                                            Contrast::Utils::ObjectShare::EMPTY_STRING)
                                                  end
-                if effective_value.canonical_name
-                  effective_value.key =
-                    effective_value.canonical_name.gsub(Contrast::Utils::ObjectShare::CONTRAST_DOT,
-                                                        Contrast::Utils::ObjectShare::EMPTY_STRING)
-                end
-                effective_value.value = Contrast::Config::Diagnostics::Tools.value_to_s(value)
+                effective_value.value = if MASKED_ENV.include?(key)
+                                          Contrast::Configuration::EFFECTIVE_REDACTED
+                                        else
+                                          Contrast::Config::Diagnostics::Tools.value_to_s(value)
+                                        end
                 effective_value.key = key
               end
-              environment_settings << efc_value if efc_value
+              next unless efc_value
+
+              environment_settings << efc_value
+              Contrast::Config::Diagnostics::Tools.
+                  update_config(efc_value.key,
+                                efc_value.value,
+                                Contrast::Components::Config::Sources::ENVIRONMENT_VARIABLE)
             end
             environment_settings
           end

data/lib/contrast/config/diagnostics/monitor.rb

@@ -102,7 +102,7 @@ module Contrast
           extract_settings
           File.open(File.join(dir_name, FILE_NAME), WRITE) do |file|
             file.truncate(0)
-            file.write(JSON.pretty_generate(to_controlled_hash, { space: Contrast::Utils::ObjectShare::EMPTY_STRING }))
+            file.write(JSON.pretty_generate(to_controlled_hash, { space: Contrast::Utils::ObjectShare::SPACE }))
             status = true if file
             file.close
           end