RubyGems - contrast-agent - Versions diffs - 4.14.0 → 5.2.0 - Mend

contrast-agent 4.14.0 → 5.2.0

Files changed (422) hide show

data/lib/contrast/agent/middleware.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'ipaddr'
@@ -169,9 +169,11 @@ module Contrast
             request_handler.stream_safe_postfilter
           else
             request_handler.ruleset.postfilter
-            request_handler.send_activity_messages
+            request_handler.report_activity
+            request_handler.send_activity_messages # TODO: RUBY-1438 -- remove
           end
         end
+      # unsuccessful attack
       rescue StandardError => e
         raise e if security_exception?(e)

data/lib/contrast/agent/module_data.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/patching/policy/after_load_patch.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/scope'

data/lib/contrast/agent/patching/policy/after_load_patcher.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/after_load_patch'
@@ -29,14 +29,13 @@ module Contrast
           # there are no require time side effects of loading our core
           # extensions.
           def apply_direct_patches!
-            @_apply_direct_patches ||= begin
+            @_apply_direct_patches ||= begin # TODO: RUBY-1541 - put 'kernel' back
               paths = %w[
                 array
                 basic_object
                 module
                 fiber_track
                 hash
-                kernel
                 marshal_module
                 regexp
                 string
@@ -75,7 +74,6 @@ module Contrast
           def apply_require_patches!
             @_apply_require_patches ||= begin
               require 'contrast/extension/thread'
-              require 'contrast/extension/kernel'
               true
             rescue LoadError, StandardError => e
               logger.error('failed instrumenting apply_require_patches!', e)

data/lib/contrast/agent/patching/policy/method_policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/method_policy_extend'
@@ -13,20 +13,33 @@ module Contrast
           attr_reader   :deadzone_node, :inventory_node, :propagation_node, :protect_node, :trigger_node
           attr_accessor :source_node, :method_name, :method_visibility, :instance_method
-          def initialize(source_node: nil, propagation_node: nil,
-                         trigger_node: nil, inventory_node: nil,
-                         protect_node: nil, deadzone_node: nil,
-                         method_name: nil, method_visibility: nil,
-                         instance_method: nil)
-            @method_name = method_name
-            @method_visibility = method_visibility
-            @instance_method = instance_method
-            @source_node = source_node
-            @propagation_node = propagation_node
-            @trigger_node = trigger_node
-            @inventory_node = inventory_node
-            @protect_node = protect_node
-            @deadzone_node = deadzone_node
+          # Initialize new method policy with:
+          #
+          # @param method_policy [Hash]
+          #  {
+          #   source_node       [ Contrast::Agent::Assesss::Policy::SourceNode      ]
+          #   propagation_node  [ Contrast::Agent::Assesss::Policy::PropagationNode ]
+          #   trigger_node      [ Contrast::Agent::Assesss::Policy::TriggerNode     ]
+          #   inventory_node    [ Contrast::Agent::Inventory::Policy::TriggerNode   ]
+          #   protect_node      [ Contrast::Agent::Protect::Policy::TriggerNode     ]
+          #   deadzone_node     [ Contrast::Agent::Deadzone::Policy::DeadzoneNode   ]
+          #   method_name       [ Symbol                                            ]
+          #                       the name of the method for this policy
+          #   method_visibility [ Symbol                                            ]
+          #                       Public, Private Protected
+          #   instance_method   [ Boolean                                           ]
+          #                       true if this method is an instance method
+          #  }
+          def initialize method_policy
+            @method_name = method_policy[:method_name]
+            @method_visibility = method_policy[:method_visibility]
+            @instance_method = method_policy[:instance_method]
+            @source_node = method_policy[:source_node]
+            @propagation_node = method_policy[:propagation_node]
+            @trigger_node = method_policy[:trigger_node]
+            @inventory_node = method_policy[:inventory_node]
+            @protect_node = method_policy[:protect_node]
+            @deadzone_node = method_policy[:deadzone_node]
           end
           def private_method?

data/lib/contrast/agent/patching/policy/method_policy_extend.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -26,15 +26,17 @@ module Contrast
             deadzone_node =    find_method_node(module_policy.deadzone_nodes, method_name, instance_method)
             method_visibility = find_visibility(source_node, propagation_node, trigger_node, protect_node,
                                                 inventory_node, deadzone_node)
-            method_policy = MethodPolicy.new(method_name: method_name,
-                                             method_visibility: method_visibility,
-                                             instance_method: instance_method,
-                                             source_node: source_node,
-                                             propagation_node: propagation_node,
-                                             trigger_node: trigger_node,
-                                             protect_node: protect_node,
-                                             inventory_node: inventory_node,
-                                             deadzone_node: deadzone_node)
+            method_policy = MethodPolicy.new({
+                                                 method_name: method_name,
+                                                 method_visibility: method_visibility,
+                                                 instance_method: instance_method,
+                                                 source_node: source_node,
+                                                 propagation_node: propagation_node,
+                                                 trigger_node: trigger_node,
+                                                 protect_node: protect_node,
+                                                 inventory_node: inventory_node,
+                                                 deadzone_node: deadzone_node
+                                             })
             return method_policy unless check_method_policy_nodes_empty? source_node, propagation_node, trigger_node,
                                                                          protect_node, inventory_node, deadzone_node

data/lib/contrast/agent/patching/policy/module_policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/method_policy'

data/lib/contrast/agent/patching/policy/patch.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'monitor'
@@ -49,15 +49,11 @@ module Contrast
             ].cs__freeze
             def enter_method_scope! method_policy
-              method_policy.scopes_to_enter.each do |scope|
-                enter_scope!(scope)
-              end
+              contrast_enter_method_scopes! method_policy.scopes_to_enter
             end
             def exit_method_scope! method_policy
-              method_policy.scopes_to_exit.each do |scope|
-                exit_scope!(scope)
-              end
+              contrast_exit_method_scopes! method_policy.scopes_to_exit
             end
             # @param mod [Module] the module in which the patch should be

data/lib/contrast/agent/patching/policy/patch_status.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast
@@ -125,7 +125,7 @@ module Contrast
             MOD_ARRAY = [Module].cs__freeze
           end
-          attr_reader :patch_status, :rewrite_status
+          attr_reader :patch_status
           def patching!
             @patch_status = :PATCHING
@@ -154,30 +154,6 @@ module Contrast
           def patched?
             @patch_status == :PATCHED || @patch_status == :NONE || @patch_status == :FAILED
           end
-          def rewriting!
-            @rewrite_status = :REWRITING
-          end
-          def no_rewrite!
-            @rewrite_status = :NO_REWRITE
-          end
-          def rewritten!
-            @rewrite_status = :REWRITTEN
-          end
-          def failed_rewrite!
-            @rewrite_status = :FAILED_REWRITE
-          end
-          def rewriting?
-            @rewrite_status == :REWRITING
-          end
-          def rewritten?
-            @rewrite_status == :REWRITTEN || @rewrite_status == :NO_REWRITE || @rewrite_status == :FAILED_REWRITE
-          end
         end
       end
     end

data/lib/contrast/agent/patching/policy/patcher.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'monitor'
@@ -15,8 +15,6 @@ require 'contrast/utils/patching/policy/patcher_utils'
 # assess
 require 'contrast/agent/assess/policy/policy'
 require 'contrast/agent/assess/policy/policy_scanner'
-# TODO: RUBY-714 remove guard w/ EOL of 2.5
-require 'contrast/agent/assess/policy/rewriter_patch' if RUBY_VERSION < '2.6.0'
 require 'contrast/agent/assess/policy/source_method'
 require 'contrast/agent/assess/policy/trigger_method'
@@ -56,8 +54,6 @@ module Contrast
             def patch
               catchup_after_load_patches
               catchup_loaded_methods
-              # TODO: RUBY-714 remove guard w/ EOL of 2.5
-              Contrast::Agent::Assess::Policy::RewriterPatch.rewrite_interpolations if RUBY_VERSION < '2.6.0'
             end
             # Hook to only monkeypatch Contrast. This will not trigger any
@@ -151,7 +147,7 @@ module Contrast
                 return
               end
-              patch_methods status, module_data, module_policy
+              patch_methods(status, module_data, module_policy)
             rescue StandardError => e
               status&.failed_patch!
               logger.warn('Patching failed', e, module: module_data.mod_name)

data/lib/contrast/agent/patching/policy/policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'json'

data/lib/contrast/agent/patching/policy/policy_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/scope'

data/lib/contrast/agent/patching/policy/trigger_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/extension/module'

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb ADDED Viewed

@@ -0,0 +1,94 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/reporting/input_analysis/input_analysis'
+require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
+require 'json'
+module Contrast
+  module Agent
+    module Protect
+      # InputAnalyzer will extract input form current request context and will analyze it.
+      # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
+      module InputAnalyzer
+        class << self
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+          include Contrast::Agent::Protect::Rule::SqliWorthWatching
+          PROTECT_RULES = { sqli: 'sql-injection' }.cs__freeze
+          # This method with analyze the user input from the context of the
+          # current request and run each of the protect rules against all
+          # found input types
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def analyse request
+            return unless Contrast::SETTINGS.protect_state.enabled
+            return if request.nil?
+            inputs = extract_input request
+            return unless inputs
+            input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
+            input_analysis.request = request
+            # each rule against each input
+            input_classification inputs, input_analysis
+            input_analysis
+          end
+          private
+          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
+          #
+          # @param inputs [String, Array<String>] user input to be analysed.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+          #                                                       for each protect rule.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def input_classification inputs, input_analysis
+            # key = input type, value = user_input
+            inputs.each do |input_type, value|
+              PROTECT_RULES.each do |_key, rule_id|
+                # check if rule is enabled
+                next unless Contrast::PROTECT.rule(rule_id).enabled?
+                # start with sqli rule
+                case rule_id
+                when PROTECT_RULES[:sqli]
+                  Contrast::Agent::Protect::Rule::SqliInputClassification.classify input_type, value, input_analysis
+                else
+                  return nil
+                end
+              end
+            end
+            input_analysis
+          end
+          # Extract the inputs from the request context and label them with Protect
+          # input type tags. Each tag will contain one or more user inputs.
+          #
+          # This methods is to be expanded and modified as needed by other Protect rules
+          # and sub-rules for their requirements.
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          def extract_input request
+            inputs = {}
+            inputs[BODY] = request.body
+            inputs[COOKIE_NAME] = request.cookies.keys
+            inputs[COOKIE_VALUE] = request.cookies.values
+            inputs[HEADER] = request.headers
+            inputs[PARAMETER_NAME] = request.parameters.keys
+            inputs[PARAMETER_VALUE] = request.parameters.values
+            inputs[QUERYSTRING] = request.query_string
+            inputs.compact!
+            inputs
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/cmd_injection'

data/lib/contrast/agent/protect/policy/applies_deserialization_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/deserialization'

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/no_sqli'

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/path_traversal'

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/sqli'

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/xxe'

data/lib/contrast/agent/protect/policy/policy.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/policy'

data/lib/contrast/agent/protect/policy/rule_applicator.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/logger'

data/lib/contrast/agent/protect/policy/trigger_node.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/patching/policy/trigger_node'

data/lib/contrast/agent/protect/rule/base.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/components/logger'
@@ -173,6 +173,19 @@ module Contrast
             context.activity.results << result if result
           end
+          # With this we log to CEF
+          #
+          # @param result [Contrast::Api::Dtm::AttackResult]
+          # @param attack [Symbol] the type of message we want to send
+          # @param value [String] the input value we want to log
+          def cef_logging result, attack = :ineffective_attack, value = nil
+            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash result.samples[0]
+            outcome = Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
+            input_type = extract_input_type sample_to_json[:user_input].input_type
+            input_value = value || sample_to_json[:user_input].value
+            cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
+          end
           protected
           def mode_from_settings
@@ -232,7 +245,13 @@ module Contrast
           def update_perimeter_attack_response context, ia_result, result
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
-              result.response = Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
+              result.response = if ia_result&.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
+                                  # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
+                                  # and should be treated equivalent to Blocked mode if set
+                                  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
+                                else
+                                  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
+                                end
               log_rule_matched(context, ia_result, result.response)
             elsif ia_result.nil? || ia_result.attack_count.zero?
               result.response = Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
@@ -293,6 +312,14 @@ module Contrast
                          result: response)
           end
+          # This method returns the symbol for the enum
+          #
+          # @param enum [Enumerable]
+          # @return [Symbol]
+          def extract_input_type enum
+            Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag enum
+          end
           private
           def log_rule_probed _context, ia_result

data/lib/contrast/agent/protect/rule/base_service.rb CHANGED Viewed

@@ -1,7 +1,8 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -10,6 +11,8 @@ module Contrast
         # Encapsulate common code for protect rules that do their
         # input analysis on Speedracer rather in ruby code
         class BaseService < Contrast::Agent::Protect::Rule::Base
+          include Contrast::Components::Logger::InstanceMethods
           def rule_name
             'base-service'
           end
@@ -41,6 +44,7 @@ module Contrast
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
+            cef_logging result
             append_to_activity(context, result)
             return unless result.response == :BLOCKED
@@ -83,7 +87,12 @@ module Contrast
           def find_postfilter_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             ia_results.select! do |ia_result|
-              ia_result.score_level == Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+              ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
+                                         Contrast::Agent::Reporting::ScoreLevel::WORTHWATCHING
+                                       else
+                                         # legacy implementation for DEFINITEATATACK
+                                         Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+                                       end
             end
             find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end

data/lib/contrast/agent/protect/rule/cmd_injection.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -39,6 +39,8 @@ module Contrast
             return unless result
             append_to_activity(context, result)
+            cef_logging result, :successful_attack
             return unless blocked?
             raise Contrast::SecurityException.new(self,

data/lib/contrast/agent/protect/rule/default_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 # The base class used to determine if a user input crosses a token boundary or

data/lib/contrast/agent/protect/rule/deserialization.rb CHANGED Viewed

@@ -1,7 +1,8 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base'
+require 'contrast/components/logger'
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
         # Deserialization Protect rule.
         class Deserialization < Contrast::Agent::Protect::Rule::Base
           # The TeamServer recognized name of this rule
+          include Contrast::Components::Logger::InstanceMethods
           NAME = 'untrusted-deserialization'
           # The rule specific reason for raising a security exception.
@@ -78,6 +81,8 @@ module Contrast
             result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
             append_to_activity(context, result)
+            cef_logging result, :successful_attack
             raise Contrast::SecurityException.new(self, block_message) if blocked?
           end
@@ -97,6 +102,7 @@ module Contrast
             ia_result = build_evaluation(gadget_command)
             result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
             append_to_activity(context, result)
+            cef_logging result, :successful_attack, gadget_command
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end

data/lib/contrast/agent/protect/rule/http_method_tampering.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -34,7 +34,11 @@ module Contrast
                      else
                        build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
                      end
-            append_to_activity(context, result) if result
+            return unless result
+            append_to_activity(context, result)
+            cef_logging result, :ineffective_attack
           end
           protected

data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 module Contrast

data/lib/contrast/agent/protect/rule/no_sqli.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/agent/protect/rule/base_service'
@@ -35,6 +35,7 @@ module Contrast
             append_to_activity(context, result)
+            cef_logging result, :successful_attack
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end