contrast-agent 6.6.4 → 6.8.0

data/lib/contrast/agent_lib/api/input_tracing.rb

@@ -0,0 +1,267 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: false
+
+require 'ffi'
+# require the gem
+require 'contrast-agent-lib'
+require 'contrast/components/logger'
+
+module Contrast
+  module AgentLib
+    # This module is defined in Rust as external, we used it here.
+    # Initializes the AgentLib. Here will be all methods from
+    # the C bindings  contrast_c::input_tracing module.
+    module InputTracing
+      # Struct could be used as parameter to C functions,
+      # and also to save the return data. This is like
+      # specifying a type for pointer.
+      #
+      # Expected struct:
+      # pub struct CCheckQuerySinkResult {
+      #     pub start_index: u64,
+      #     pub end_index: u64,
+      #     pub boundary_overrun_index: u64,
+      #     pub input_boundary_index: u64,
+      # }
+      #
+      class QuerySinkResult < FFI::ManagedStruct
+        layout :start_index,            :ulong_long,
+               :end_index,              :ulong_long,
+               :boundary_overrun_index, :ulong_long,
+               :input_boundary_index,   :ulong_long
+
+        # when QuerySinkResult object gets out of scope it will be GCed.
+        def self.release ptr
+          Contrast::AgentLib::InputTracing.dl__free_check(ptr)
+        end
+      end
+
+      # This class will be used to hold the return type from input tracings
+      # done with the AgentLib. Using the ManagedStruct will automatically
+      # call the release function, and since the memory is allocated by the
+      # AgentLib is should be GC also there.
+      class CEvalResult < FFI::ManagedStruct
+        layout :rule_id, :ulong_long, :input_type, :ulong_long, :score, :double
+
+        def self.release ptr
+          Contrast::AgentLib::InputTracing.dl__free_eval(ptr)
+        end
+      end
+
+      extend FFI::Library
+      include Contrast::Components::Logger::InstanceMethods
+      ffi_lib ContrastAgentLib::CONTRAST_C
+      ffi_convention :stdcall
+
+      DbType = enum(:DB2, :MySQL, :Oracle, :Postgres, :Sqlite, :SqlServer, :Unknown)
+
+      # Returns 0 if evaluation was successful, -1 if there was an unexpected error.
+      attach_function :check_cmd_injection_query, %i[int int string pointer], :int
+      # Return 0 if evaluation was successful, -1 iif there was an unexpected error.
+      attach_function :check_sql_injection_query, [:int, :int, DbType, :string, :pointer], :int
+      # Free function for all input tracing results pass to check functions.
+      attach_function :free_check_query_sink_result, [:pointer], :int
+      # Evaluate header input:
+      attach_function :evaluate_header_input, %i[string string uint64 uint64 pointer pointer], :int
+      # Evaluate input:
+      attach_function :evaluate_input, %i[string uint64 uint64 uint64 pointer pointer], :int
+      # Free input evaluation:
+      attach_function :free_eval_result, [:pointer], :int
+      # function init
+      attach_function :init, [], :int
+
+      # Once we have pointer or returned data the lib
+      # expect us to free it, so it could GCd.
+      # Most of the time we would receive result pointer.
+      # Used with dl__check_cmdi_query and dl__check_sqli_query.
+      #
+      # @param result [Pointer]
+      def self.dl__free_check result
+        free_check_query_sink_result(result)
+      end
+
+      # Free the input evaluation result received from
+      # dl__eval_input, and dl__eval_header_input
+      #
+      # @param result [Pointer]
+      def self.dl__free_eval result
+        free_eval_result(result)
+      end
+
+      private
+
+      # Evaluate a subset of executing shell command for token boundaries being crossed.
+      # This is used by the cmd-injection rule during sink time. If a previously
+      # worth-watching input is contained in the shell command it crosses token
+      # boundaries then an injection should be raised.
+      #
+      # @param input_index [Integer] index in the cmdText string where user input was found.
+      # @param input_length [Integer] length of the user input.
+      # @return result [Hash, nil] output parameter which will contain the result of the evaluation.
+      def dl__check_cmdi_query input_index, input_length, input_cmd
+        # The memory for the result is allocated by AgentLib/Rust.  So we need to create just an empty pointer
+        # This pointer will be populated by the output parameter of check_cmd_injection_query#
+        result_ptr = FFI::MemoryPointer.new(:pointer)
+        result_code = check_cmd_injection_query(input_index, input_length, input_cmd, result_ptr)
+
+        unless result_code == -1
+          struct = QuerySinkResult.new(result_ptr.read_pointer)
+          result_hash = dl__struct_to_result(struct)
+
+          return result_hash
+        end
+
+        nil
+      end
+
+      # This function will call the check sql injection query
+      # SAFETY DISCLAIMER
+      # The sql_query parameter must point to an allocated C-string in UTF-8 encoding
+      # The result MUST be free'd using free_check_query_sink_result as soon as result has been processed.
+      #
+      # @param input_index[Integer] index in the sqlQuery string where user input was found
+      # @param input_length[Integer] length of the user input
+      # @param sql_query[String] full SQL query being evaluated
+      # @param db_type[Integer] database engine being evaluated. Must be one of the DbType enum values
+      # @return [Hash, nil] Returns 0 if evaluation was successful, -1 if there was an unexpected error.
+      def dl__check_sql_injection_query input_index, input_length, db_type, sql_query
+        db_type = :Sqlite if db_type.to_s.casecmp('sqlite3').zero?
+        dbtype = DbType[db_type]
+        pointer = FFI::MemoryPointer.new(:pointer)
+        check = check_sql_injection_query(input_index, input_length, dbtype, sql_query, pointer)
+
+        return if check == -1
+
+        struct = QuerySinkResult.new(pointer.read_pointer)
+        dl__struct_to_result(struct)
+      rescue RuntimeError => e
+        # silence the runtime error from the agent lib
+        logger.debug('Following RuntimeError was recording during input tracing: ', e: e)
+        nil
+      ensure
+        pointer.free unless pointer.nil? && pointer.address
+      end
+
+      # Evaluates a header for input tracing rules.
+      #
+      # @param header_name [String] key/name of the header to be evaluated.
+      # NOTE: the only header names used are "custom", "accept", and "user-agent".
+      # Header-name-used is part of the output because the accept and user-agent
+      # headers get special handling by agent-lib, so they are evaluated twice -
+      # once exactly like all other headers and once with the specific header that
+      # gets special handling.
+      # @param header_value [String] header value
+      # @param rule_set [Integer] one or more bit flag of input tracing rules to be evaluated.
+      # The bit flags must match the RuleType enum. Currently supported types:
+      # [RuleType::CmdInjection, RuleType::PathTraversal, RuleType::SqlInjection,
+      # RuleType::UnsafeFileUpload, RuleType::ReflectedXss, RuleType::BotBlocker]
+      #     public enum RuleType : ulong
+      #     {
+      #         UnsafeFileUpload = 1 << 0,
+      #         PathTraversal = 1 << 1,
+      #         ReflectedXss = 1 << 2,
+      #         SqlInjection = 1 << 3,
+      #         CmdInjection = 1 << 4,
+      #         NosqlInjectionMongo = 1 << 5,
+      #         BotBlocker = 1 << 6
+      #     }
+      # @param eval_options [Integer] u64 representation of the EvalOptions enum.
+      #     public enum EvalOptions : ulong
+      #     {
+      #         None = 0,
+      #         PreferWorthWatching = 1 << 0,
+      #     }
+      def dl__eval_header_input header_name, header_value, rule_set, eval_options
+        # The memory for the result is allocated by AgentLib/Rust.  So we need to create just an empty pointer
+        # This pointer will be populated by the output parameter of check_cmd_injection_query#
+        result_ptr = FFI::MemoryPointer.new(:pointer)
+        result_size = FFI::MemoryPointer.new(:uint32)
+        # @param result_size [Integer] output parameter which will contain the number of Results after evaluation:
+        # 0 if no result.
+        evaluate_header_input(header_name, header_value, rule_set, eval_options, result_size, result_ptr)
+
+        size = result_size.read_int
+        result_size&.free
+
+        unless size.zero?
+          struct = CEvalResult.new(result_ptr.read_pointer)
+          return dl__eval_struct_to_result(struct)
+        end
+        nil
+      end
+
+      # Evaluates an input part for input tracing rules. This should be used for all input parts except headers.
+      #
+      # @param input [String] input value to be evaluated.
+      # @param input_type [Symbol]  type of the input. This needs to be a u64 representation of the
+      # supported InputType enum values:
+      #        {
+      #         CookieName = 1,
+      #         CookieValue = 2,
+      #         HeaderKey = 3,
+      #         HeaderValue = 4,
+      #         JsonKey = 5,
+      #         JsonValue = 6,
+      #         Method = 7,
+      #         ParameterKey = 8,
+      #         ParameterValue = 9,
+      #         UriPath = 10,
+      #         UrlParameter = 11,
+      #         MultipartName = 12,
+      #         XmlValue = 13
+      #        }
+      # @param rule_set [Integer] one or more bit flag of input tracing rules to be evaluated.
+      # The bit flags must match the RuleType enum. Currently supported types:
+      # [RuleType::CmdInjection, RuleType::PathTraversal, RuleType::SqlInjection,
+      # RuleType::UnsafeFileUpload, RuleType::ReflectedXss, RuleType::BotBlocker]
+      # @param eval_options [Integer] u64 representation of the EvalOptions enum.
+      #     public enum EvalOptions : ulong
+      #     {
+      #         None = 0,
+      #         PreferWorthWatching = 1 << 0,
+      #     }
+      def dl__eval_input input, input_type, rule_set, eval_options
+        # The memory for the result is allocated by AgentLib/Rust.  So we need to create just an empty pointer
+        # This pointer will be populated by the output parameter of check_cmd_injection_query#
+        result_ptr = FFI::MemoryPointer.new(:pointer)
+        result_size = FFI::MemoryPointer.new(:uint32)
+        # @param result_size [Integer] output parameter which will contain the number of Results after evaluation:
+        # 0 if no result.
+        evaluate_input(input, input_type, rule_set, eval_options, result_size, result_ptr)
+        size = result_size.read_int
+        result_size&.free
+
+        unless size.zero?
+          struct = CEvalResult.new(result_ptr.read_pointer)
+          return dl__eval_struct_to_result(struct)
+        end
+        nil
+      end
+
+      # Convert c_struct cmdi result to ruby hash
+      #
+      # @param struct [Contrast::AgentLib::QuerySinkResult]
+      # @return hash [Hash]
+      def dl__struct_to_result struct
+        hash = {}
+        hash[:start_index] = struct[:start_index]
+        hash[:end_index] = struct[:end_index]
+        hash[:boundary_overrun_index] = struct[:boundary_overrun_index]
+        hash[:input_boundary_index] = struct[:input_boundary_index]
+        hash
+      end
+
+      # Convert c_struct evaluated input to ruby hash
+      #
+      # @param struct [Contrast::AgentLib::QuerySinkResult]
+      # @return hash [Hash]
+      def dl__eval_struct_to_result struct
+        hash = {}
+        hash[:rule_id] = struct[:rule_id]
+        hash[:input_type] = struct[:input_type]
+        hash[:score] = struct[:score]
+        hash
+      end
+    end
+  end
+end

data/lib/contrast/agent_lib/api/method_tempering.rb

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: false
+
+require 'ffi'
+# require the gem
+require 'contrast-agent-lib'
+
+module Contrast
+  module AgentLib
+    # This module is for method tempering bindings: contrast_c::method_tampering
+    module MethodTempering
+      # TODO: RUBY-1632
+      # extend FFI::Library
+      # ffi_lib ContrastAgentLib::CONTRAST_C
+      #
+      # # returns 1 => true, 0 => false
+      # attach_function :is_method_tampering, [:string], :int32
+      #
+      # # Check to see if method is being tempered or not.
+      # # Used with Protect method-tampering rule.
+      # #
+      # # @param method [String] method to check
+      # # @return [Boolean]
+      # def dl__method_tempered? method
+      #   is_method_tampering(method).positive?
+      # end
+    end
+  end
+end

data/lib/contrast/agent_lib/api/panic.rb

@@ -0,0 +1,87 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: false
+
+require 'ffi'
+# require the gem
+require 'contrast-agent-lib'
+require 'contrast/utils/object_share'
+
+module Contrast
+  module AgentLib
+    # This module is defined in Rust as external, we used it here.
+    # Initializes the AgentLib. Here will be all methods from
+    # the C bindings contrast_c::panic_error module.
+    module Panic
+      extend FFI::Library
+      ffi_lib ContrastAgentLib::CONTRAST_C
+
+      attach_function :last_error_message, %i[pointer int32 pointer int32], :int32
+      attach_function :last_error_message_length, [], :int32
+      attach_function :last_error_stack_length, [], :int32
+
+      private
+
+      # Returns the last Error message saved for the thread.
+      # If there is no message it will return empty string.
+      #
+      # @return [String] Empty string if no errors, or a
+      # message + stack trace concat String.
+      def dl__get_error
+        message_length = last_error_message_length
+        stack_length = last_error_stack_length
+        return Contrast::Utils::ObjectShare::EMPTY_STRING if message_length.zero?
+
+        # If the buffer size is retrieved as 0 we need to add 1 byte for it
+        # else the Agent-Lib check for allocated memory would fail.
+        stack_length += 1 if stack_length.zero?
+        message_buffer = FFI::MemoryPointer.new(:char, message_length)
+        stack_buffer = FFI::MemoryPointer.new(:char, stack_length)
+        return dl__parse_error(message_buffer, stack_buffer) if last_error_message(message_buffer,
+                                                                                   message_length,
+                                                                                   stack_buffer,
+                                                                                   stack_length).positive?
+
+        Contrast::Utils::ObjectShare::EMPTY_STRING
+      ensure
+        # The free methods are auto called form the FFI::MemoryPointer
+        # when the variable is out of scope. Making sure it's all free,
+        # and call with safe navigation if is been already cleaned.
+        message_buffer&.free
+        stack_buffer&.free
+      end
+
+      # Retrieves the buffer bytecode and transforms it into String.
+      #
+      # @param buffer [FFI::MemoryPointer, nil] of type char (String)
+      # @return [String] the received message.
+      def dl__read_buffer buffer
+        return Contrast::Utils::ObjectShare::EMPTY_STRING unless buffer
+
+        string = buffer.read_string
+        return string unless string.empty?
+
+        # If there is a incorrect buffer size or the message can't be read
+        # from the FFI::MemoryPointer#read_string method we can still try
+        # and get the partial message:
+        bytes = buffer.get_array_of_int8(0, buffer.size)&.map { |byte| byte.zero? ? nil : byte }
+        bytes.compact.pack('C*').force_encoding('UTF-8') if bytes&.cs__is_a?(Array)
+      end
+
+      # The stack_message is still not integrated in the AgentLib.
+      # It always returns "". For now we are returning the message,
+      # but keeping the functionality for feature use.
+      #
+      # @param message_buffer [FFI::MemoryPointer, nil] of type char (String)
+      # @param stack_buffer [FFI::MemoryPointer, nil] of type char (String)
+      # @return [String] the received error message with stack.
+      def dl__parse_error message_buffer, stack_buffer
+        message = dl__read_buffer(message_buffer)
+        stack = dl__read_buffer(stack_buffer)
+
+        error_message = "Message: #{ message }"
+        error_message + " Stack Trace: #{ stack }" unless stack.empty?
+        error_message
+      end
+    end
+  end
+end

data/lib/contrast/agent_lib/api/path_semantic_file_security_bypass.rb

@@ -0,0 +1,40 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: false
+
+require 'ffi'
+require 'contrast-agent-lib'
+require 'contrast/utils/object_share'
+
+module Contrast
+  module AgentLib
+    # This module is defined in Rust as external, we used it here.
+    # Initializes the AgentLib. Here will be all methods from
+    # the C bindings contrast_c::path_semantic_file_security_bypass module.
+    module PathSemanticFileSecurityBypass
+      extend FFI::Library
+      ffi_lib ContrastAgentLib::CONTRAST_C
+
+      # Attach all the needed functions
+      # @param file_path[String] This is the full path of the file, being accessed
+      # @param is_custom_code[Integer] whether the file is being accessed by custom (user) code,
+      #     rather than framework code.
+      attach_function :does_file_path_bypass_security, %i[string int], :int
+
+      private
+
+      # do we need to get the full path before we invoke it or here I need to extract the full path?
+
+      # This is the function from the agent lib, that checks if
+      # a given file_path is attempting to access system files
+      # or bypass file security
+      # This is used for the `path-traversal-semantic-file-security-bypass` rule.
+      #
+      # @param file_path[String] This is the full path of the file, being accessed
+      # @param is_custom_code[Integer] whether the file is being accessed by custom (user) code,
+      #     rather than framework code.
+      def dl__does_file_bypass_security file_path, is_custom_code
+        does_file_path_bypass_security(file_path, is_custom_code)
+      end
+    end
+  end
+end

data/lib/contrast/agent_lib/interface.rb

@@ -0,0 +1,260 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent_lib/api/init'
+require 'contrast/agent_lib/api/command_injection'
+require 'contrast/agent_lib/api/input_tracing'
+require 'contrast/agent_lib/api/panic'
+require 'contrast/agent_lib/api/method_tempering'
+require 'contrast/agent_lib/api/path_semantic_file_security_bypass'
+require 'contrast/components/logger'
+require 'contrast/utils/object_share'
+require 'fileutils'
+require 'ffi'
+require 'contrast/agent_lib/return_types/eval_result'
+require 'contrast/agent_lib/interface_base'
+
+module Contrast
+  module AgentLib
+    # The interface to react with the AgentLib. This will be the one place of
+    # contact with the DynamicLib, synchronized and loaded with modules to use.
+    class Interface < InterfaceBase
+      # Include the modules to use from the FFI wrappers of the AgentLib.
+      include Contrast::AgentLib::Init
+      include Contrast::AgentLib::Panic
+      include Contrast::AgentLib::InputTracing
+      include Contrast::AgentLib::CommandInjection
+      # TODO: RUBY-1632
+      # include Contrast::AgentLib::MethodTempering
+      include Contrast::AgentLib::PathSemanticFileSecurityBypass
+      include Contrast::Components::Logger::InstanceMethods
+
+      # Attached methods are always public. We need to make them private
+      # so that this interface is the only mean to call native functions.
+      # The dl__ (dynamic lib) wrapper methods are used to transfer and
+      # convert data to required by the AgentLib types. If native method
+      # is called with wrong arguments a panic is raised. Public instance
+      # methods in this module are used to safe guard and set state by
+      # instance variables. Add any newly attached native functions
+      # included above here:
+      private :init, :init_with_options, :change_log_settings, :check_cmd_injection_query,
+              :free_check_query_sink_result, :get_index_of_chained_command, :last_error_message,
+              :does_command_contain_dangerous_path, :last_error_message_length, :last_error_stack_length,
+              :evaluate_header_input, :evaluate_input, :free_eval_result, :check_sql_injection_query,
+              :free_check_query_sink_result
+
+      # @return enable_log [Boolean] flag to enable or disable logging.
+      attr_reader :enable_log
+      # @return log_dir [String] path to existing log directory.
+      attr_reader :log_dir
+      # @return log_level [String] OFF, ERROR, WARN, INFO, DEBUG or TRACE.
+      attr_reader :log_level
+      # @return enable_log_change [Boolean] flag set during initialization.
+      # If true the log level and enable status could be change during
+      # runtime.
+      attr_reader :enable_log_change
+      # Initialization status
+      # @return [Boolean]
+      attr_reader :init_status
+      # We need to synchronize all calls to the AgentLib vie mutex or monitor.
+      #
+      # @return mutex [Mutex] to synchronize calls, also to prevent situations
+      # such as calling a re_init on not init lib:
+      # This is not the thread you are looking for.
+      attr_reader :mutex
+      # retrieves last error message.
+      # note: last_error_message is the name of the attached function and will
+      # override the agent_lib native method if renamed.
+      #
+      # @return last_error_message [String]
+      attr_reader :last_error
+
+      # Initializes the Agent lib.
+      #
+      # @param enable_logging [Boolean, nil] flag to enable or disable logging.
+      # @param set_log_level [Integer, nil]
+      # @param set_log_dir [String, nil] dir to write log files.
+      # @return [Boolean] true if success.
+      # @raise [StandardError] Any Errors raised in the init process are most
+      # likely to be a C segfaults and termination, probably redundant but safe.
+      def initialize enable_logging = nil, set_log_level = nil, set_log_dir = nil
+        super
+        @mutex = Mutex.new
+        @enable_log = !!enable_logging
+        self.log_level = set_log_level
+        @log_dir = create_log_dir(set_log_dir)
+        @init_status = if enable_log && log_dir && log_level
+                         # Preferred as we will be able to to set the log level at run time.
+                         @enable_log_change = true
+                         with_mutex { dl__init_with_options(enable_log, log_dir, log_level) }
+                       else
+                         # Initialize the lib without logging.
+                         # The log level could not be changed during runtime.
+                         @enable_log_change = false
+                         with_mutex { dl__init }
+                       end
+      rescue StandardError => e
+        logger.error('Could not start АgentLib', error: e, backtrace: e.backtrace)
+      end
+
+      # Changes the logs level in runtime.
+      #
+      # @param new_enable_log [Boolean] flag to enable or disable logging this sets the inner flag.
+      # @param new_log_level [Integer]
+      def change_log_options new_enable_log, new_log_level
+        return unless @enable_log_change
+
+        update_logging(new_log_level, new_enable_log)
+        with_mutex { dl__change_log_settings(enable_log, log_level) }
+      end
+
+      # Set the log_level of the Interface.
+      #
+      # @param level [Integer, nil] one of:
+      # [-1...4]
+      def log_level= level = nil
+        set_level = level.nil? ? 3 : level
+        update_log_level(set_level)
+      end
+
+      # Execute calls to Native methods with mutex.
+      # If Error is raised from the AgentLib it will
+      # be logged. If C error occurs there will be a
+      # segfault and termination.
+      #
+      # @raise [StandardError] Capture any unforeseen errors.
+      # @return [String, Boolean, Integer, nil] Wrapper method's
+      # return types, or nil if something terrible happens.
+      def with_mutex &block
+        return_value = mutex.synchronize(&block)
+      rescue StandardError => e
+        logger.error('AgentLib runtime error', error: e, backtrace: e.backtrace)
+        handle_error
+      ensure
+        # Since every method is called with_mutex this is
+        # the natural candidate for handling any errors
+        # from the AgentLib.
+        handle_error
+        # The return value is used to set some instance
+        # variable state depending on the original return
+        # of the wrapper methods.
+        return_value
+      end
+
+      # Method to extract last error if any and log it.
+      def handle_error
+        @last_error = mutex.synchronize { dl__get_error }
+        logger.error('AgentLib encountered exception: ', error: @last_error) unless @last_error.empty?
+      end
+
+      # Checks that a given shell command contained a chained command.
+      # This is used for the cmd-injection-semantic-chained-commands rule.
+      #
+      # @param cmd [String] command to check.
+      # @return index[Integer, nil] Returns the index of the command chaining if found.
+      # If the chaining index is >= 0, an injection is detected. Returns -1 when no
+      # command chaining is found.
+      def chained_cmdi_index cmd
+        return unless cmd
+
+        with_mutex { dl__index_of_chained_command(cmd) }
+      end
+
+      # Checks if a given shell command is trying to access a dangerous path.
+      # This is used for the cmd-injection-semantic-dangerous-paths rule.
+      #
+      # @param path [String] path to check.
+      # @return index[Boolean] Returns true if a dangerous path is found.
+      # Returns false if no dangerous paths are found.
+      def dangerous_path? path
+        return unless path
+
+        with_mutex { dl__dangerous_path?(path) }
+      end
+
+      # Evaluate a subset of executing shell command for token boundaries being crossed.
+      # This is used by the cmd-injection rule during sink time. If a previously
+      # worth-watching input is contained in the shell command it crosses token
+      # boundaries then an injection should be raised.
+      #
+      # @param input_index [Integer] index in the cmdText string where user input was found.
+      # @param input_length [Integer] length of the user input.
+      # @param input_cmd [String] full text of the command being executed.
+      # @return result [Hash, nil] output parameter which will contain the result of the evaluation.
+      def check_cmdi_query input_index, input_length, input_cmd
+        return unless input_index && input_length && input_cmd
+
+        with_mutex { dl__check_cmdi_query(input_index, input_length, input_cmd) }
+      end
+
+      # Evaluates a header for input tracing rules.
+      #
+      # @param header_name [String] key/name of the header to be evaluated.
+      # NOTE: the only header names used are "custom", "accept", and "user-agent".
+      # Header-name-used is part of the output because the accept and user-agent
+      # headers get special handling by agent-lib, so they are evaluated twice -
+      # once exactly like all other headers and once with the specific header that
+      # gets special handling.
+      # @param header_value [String] header value
+      # @param rule_set [Integer] One of Contrast::AgentLib::Interface::RULE_SET
+      # @param eval_options [Integer] 0 or 1 from Contrast::AgentLib::Interface::EVAL_OPTIONS
+      # @return [Contrast::AgentLib::EvalResult, nil]
+      def eval_header header_name, header_value, rule_set, eval_options
+        return unless header_name && header_value && rule_set && eval_options
+
+        result = with_mutex { dl__eval_header_input(header_name, header_value, rule_set, eval_options) }
+        return EvalResult.new(result) if result
+
+        nil
+      end
+
+      # Evaluates an input part for input tracing rules. This should be used for all input parts except headers.
+      #
+      # @param input [String] input value to be evaluated.
+      # @param input_type [Integer]  type of the input one of Contrast::AgentLib::Interface::INPUT_SET
+      # @param rule_set [Integer] One of Contrast::AgentLib::Interface::RULE_SET
+      # @param eval_options [Integer] 0 or 1 from Contrast::AgentLib::Interface::EVAL_OPTIONS
+      # @return [Contrast::AgentLib::EvalResult, nil]
+      def eval_input input, input_type, rule_set, eval_options
+        return unless input && input_type && rule_set && eval_options
+
+        result = with_mutex { dl__eval_input(input, input_type, rule_set, eval_options) }
+        return EvalResult.new(result) if result
+
+        nil
+      end
+
+      def check_sql_query input_index, input_length, db_type, sql_query
+        return unless input_index && input_length && db_type && sql_query
+
+        with_mutex { dl__check_sql_injection_query(input_index, input_length, db_type, sql_query) }
+      end
+
+      # Invoke Path Semantic File Security Bypass
+      #
+      # @param file_path[String] the absolute file path
+      # @param is_custom_code[Integer] is this is being called from customer (user) code
+      #     or the framework
+      # @return result[Integer, nil] returns:
+      #     1 => security bypass is detected.
+      #     0 => no security bypass is detected.
+      def check_path_semantic_security_bypass file_path, is_custom_code
+        return unless file_path || is_custom_code
+
+        with_mutex { dl__does_file_bypass_security(file_path, is_custom_code) }
+      end
+
+      # TODO: RUBY-1632 Test after integration and if method-tempering is covered
+      # # Check to see if method is being tempered or not.
+      # # Used with Protect method-tampering rule.
+      # #
+      # # @param method [String] method to check
+      # # @return [Boolean]
+      # def method_tempered? method
+      #   return false unless method
+      #
+      #   with_mutex { dl__method_tempered?(method) }
+      # end
+    end
+  end
+end