contrast-agent 6.6.5 → 6.7.0

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb

@@ -3,7 +3,7 @@
 
 require 'contrast/agent/assess/rule/response/header_rule'
 require 'contrast/agent/assess/rule/response/body_rule'
-require 'contrast/agent/assess/rule/response/framework/rails_support'
+require 'contrast/utils/object_share'
 require 'contrast/utils/string_utils'
 require 'json'
 
@@ -16,7 +16,6 @@ module Contrast
           # set incorrectly the cache-control header
           class CacheControl < HeaderRule
             include BodyRule
-            include Framework::RailsSupport
             HEADER_KEYS = %w[Cache-Control].cs__freeze
             ACCEPTED_VALUES = [/no-store/, /no-cache/].cs__freeze
             DEFAULT_SAFE = false
@@ -33,66 +32,65 @@ module Contrast
             # Determine if the Response violates the Rule or not. If it does, return the evidence that proves it so.
             #
             # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Hash, nil] the evidence required to prove the violation of the rule
+            # @return [Hash<String,Array<Hash<String,String>>>, nil] the evidence required to prove the violation of
+            #   the rule
             def violated? response
-              return unless header?(response) && meta_tag?(response)
-
-              header_evidence = header_evidence(response)
-              return if header_evidence.nil?
-
-              tag_evidence = tag_evidence(response)
-              return if tag_evidence.nil?
-
-              { DATA => [header_evidence, tag_evidence] }
-            end
-
-            # Is a cache-control header available?
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Boolean]
-            def header? response
-              cache_control = cache_control_from(response)
-              framework_supported? ? !cache_control.blank? : !!cache_control
-            end
+              cache_header = cache_control_from(response)
+              cache_meta = cache_meta_tags(response)
+
+              has_header = cache_header && !cache_header.blank?
+              has_meta = cache_meta.any?
+              # Because we're not safe by default, the rule should never hit this case, but we'll handle it just in
+              # case.
+              return { DATA => Contrast::Utils::ObjectShare::EMPTY_ARRAY.to_json } unless has_header || has_meta
+
+              evidence = []
+              # If we have a header tag, then we need to make sure it is set safely. If it is, there'll be no evidence
+              # and we can return as the header prevents violation.
+              if has_header
+                header_evidence = header_evidence(cache_header)
+                return unless header_evidence
+
+                evidence << header_evidence
+              end
 
-            # Is a cache-control meta tag available?
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Boolean]
-            def meta_tag? response
-              return false if meta_tags(response).empty?
+              # If we have no header, or an unsafe header, then we need to check the meta tag to make sure it is set
+              # safely. If it is, there'll be no evidence and we can return as the meta tag prevents violation.
+              if has_meta
+                tag_evidence = tag_evidence(cache_meta)
+                return unless tag_evidence
 
-              meta_tags(response).each do |tag|
-                return true if meta_cache_tag?(tag[HTML_PROP])
+                evidence << tag_evidence
               end
 
-              false
+              # Otherwise, we'll report the violation.
+              { DATA => evidence.to_json }
             end
 
-            def meta_tags response
-              return @_meta_tags if defined? @meta_tags
-
-              @_meta_tags = html_elements(response.body&.split(HEAD_TAG)&.last, META_START_STR)
+            # @param response [Contrast::Agent::Response] the response of the application
+            # @return [Array<Hash<String,String>]
+            def cache_meta_tags response
+              html_elements(response.body&.split(HEAD_TAG)&.last, META_START_STR).
+                  select { |tag| cache_control_tag?(tag[HTML_PROP]) }
             end
 
             # Process Header value to determine if it violates rule
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Hash, nil] the evidence hash or nil
-            def header_evidence response
-              cache_control = cache_control_from(response)
-              value = framework_supported? ? cache_control : cache_control_to_s(cache_control)
+            # @param cache_control [String] the value of the Cache-Control header
+            # @return [Hash<String,String>, nil] the evidence hash or nil
+            def header_evidence cache_control
               # If header is valid, then this portion of the rule isn't violated.
-              return if valid_header?(value)
+              return if valid_header?(cache_control)
 
               # evidence requires header value string, pull directly instead of rebuilding from hash
-              evidence(HEADER_TYPE, NAME, value)
+              evidence(HEADER_TYPE, NAME, cache_control)
             end
 
             # Process Body to determine if cache control meta tag violates rule
-            # @param response [Contrast::Agent::Response] the response of the application
-            # @return [Hash, nil] the evidence hash or nil
-            def tag_evidence response
-              meta_tags(response).each do |tag|
-                return evidence(META_TYPE, PRAGMA, tag[HTML_PROP]) if meta_cache_tag?(tag[HTML_PROP])
-              end
+            # @param cache_meta_tags [Array<Hash>] the meta tags which contain Cache-Control values
+            # @return [Hash<String,String>, nil] the evidence hash or nil
+            def tag_evidence cache_meta_tags
+              violation = cache_meta_tags.find { |tag| !safe_meta_cache_tag?(tag[HTML_PROP]) }
+              violation ? evidence(META_TYPE, PRAGMA, violation[HTML_PROP]) : nil
             end
 
             def potential_elements section, element_start
@@ -107,13 +105,27 @@ module Contrast
               [/'no-cache'/i, /"no-cache"/i, /"no-store"/i, /'no-store'/i, /'cache-control'/i, /"cache-control"/i]
             end
 
+            # @param tag [String] the tag to check
+            # @return [Boolean] if the tag has cache-control settings or not
+            def cache_control_tag? tag
+              http_equiv_idx = tag =~ /http-equiv=/i
+              return false unless http_equiv_idx
+
+              content_idx = tag =~ /content=/i
+              return false unless content_idx
+
+              # determine the value of the http-equiv if it's cache-control
+              http_equiv_idx += 11
+              accepted_http_values.any? { |el| (tag =~ el) == http_equiv_idx }
+            end
+
             # Determine if the given metatag does not have a valid cache-control tag.
             # Meta tags has the option to set http-equiv and content to set the http response header
             # to define for the document
             #
             # @param tag [String] the meta tag
             # @return [Boolean, nil]
-            def meta_cache_tag? tag
+            def safe_meta_cache_tag? tag
               # Here we should determine the index of the needed keys
               # http-equiv and content
               http_equiv_idx = tag =~ /http-equiv=/i
@@ -128,33 +140,36 @@ module Contrast
               return false unless is_valid
 
               content_idx += 8
-              return false if accepted_values.any? { |value| (tag =~ value) == content_idx }
-
-              true
+              accepted_values.any? { |value| (tag =~ value) == content_idx }
             end
 
-            # This method accepts the violation and transforms it to the proper hash
-            # before returning a violation
+            # This method accepts the violation and transforms it to the proper hash before returning a violation.
+            # Unlike other rules, this returns a complex structure to be converted to JSON on reporting -- do NOT cast
+            # it here as that'll result in extra escaping later.
             #
             # @param type [String] String of Header or META of the type
             # @param name [String] String of either cache-control or pragma
             # @param value [String] String of the violated value
+            # @return [Hash<String, String>]
             def evidence type, name, value
-              { type: type, name: name, value: value }.to_json
+              { 'type' => type, 'name' => name, 'value' => value }
             end
 
+            # return the cache control value from the response, either as a Hash in later versions of Rails or as a
+            # String in all other frameworks/ response types (remember, response can be a few things).
+            #
+            # @param response [Contrast::Agent::Response]
+            # @return [String]
             def cache_control_from response
-              # Rails 7 adds support for the cache_control header directly in the
-              # rack response, we should use that value
-              if framework_supported? && response.rack_response.cs__is_a?(Rack::Response)
-                response.rack_response.cache_control
-              else
-                get_header_value(response)
-              end
+              control = if response.rack_response.cs__is_a?(Rack::Response)
+                          response.rack_response.cache_control
+                        else
+                          get_header_value(response)
+                        end
+              control.cs__is_a?(Hash) ? cache_control_to_s(control) : control
             end
 
-            # Rebuilds the String value of the Cache-Control Header
-            # from the hash build in the Rack::Response
+            # Rebuilds the String value of the Cache-Control Header from the hash build in the Rack::Response
             #
             # @param hsh [Hash]
             # @return [String]

data/lib/contrast/agent/assess/rule/response/csp_header_insecure_rule.rb

@@ -46,7 +46,7 @@ module Contrast
                 settings["#{ key }Secure"] = !value.nil? && value_secure?(value) && value_safe?(value)
                 settings["#{ key }Value"] = value.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : value
               end
-              evidence(settings) if settings.value?(false)
+              evidence(settings.to_json) if settings.value?(false)
             end
 
             # Get the CSP values from and transforms them to key value hash

data/lib/contrast/agent/assess/rule/response/framework/rails_support.rb

@@ -12,7 +12,12 @@ module Contrast
             module RailsSupport
               RAILS_VERSION = Gem::Version.new('7.0.0')
 
-              def framework_supported?
+              # Some rules have features or settings that make them unsupported, meaning unnecessary or unavailable
+              # in that framework. For now, the only distinction required is Rails 7 or not, so that's what we'll
+              # report here.
+              #
+              # @return [Boolean] if the rule is unsupported by the framework
+              def rails_seven?
                 return false unless defined?(::Rails)
 
                 rails_version = ::Rails.version

data/lib/contrast/agent/assess/rule/response/header_rule.rb

@@ -2,9 +2,7 @@
 # frozen_string_literal: true
 
 require 'rack'
-require 'contrast/agent/reporting/reporting_utilities/dtm_message'
 require 'contrast/utils/hash_digest'
-require 'contrast/utils/preflight_util'
 require 'contrast/utils/string_utils'
 require 'contrast/agent/assess/rule/response/base_rule'
 
@@ -16,7 +14,7 @@ module Contrast
           # These rules check the content of the HTTP Response to determine if something was set incorrectly or
           # insecurely in it.
           class HeaderRule < BaseRule
-            HEADER_TYPE = 'header'
+            HEADER_TYPE = 'Header'
 
             # Rules discern which responses they can/should analyze.
             #
@@ -44,11 +42,13 @@ module Contrast
             # @param response [Contrast::Agent::Response] the response of the application
             # @return [Boolean]
             def headers? response
-              response.headers&.any?
+              !!response.headers&.any?
             end
 
             protected
 
+            # @param response [Contrast::Agent::Response]
+            # @return [Object]
             def get_header_value response
               response_headers = response.headers
               values = response_headers.values_at(*cs__class::HEADER_KEYS, *cs__class::HEADER_KEYS.map(&:to_sym))
@@ -57,7 +57,7 @@ module Contrast
 
             # Determine if the value of the Response Header has a valid value
             #
-            # @param header [Contrast::Agent::Response] a response header
+            # @param header [String] a response header
             # @return [Boolean] whether the header value is valid
             def valid_header? header
               cs__class::ACCEPTED_VALUES.any? { |val| val.match(header) }

data/lib/contrast/agent/assess/rule/response/hsts_header_rule.rb

@@ -14,7 +14,7 @@ module Contrast
           class HSTSHeader < HeaderRule
             HEADER_KEYS = %w[Strict-Transport-Security].cs__freeze
             ACCEPTED_VALUES = [/max-age=(\.)?\d+(\.\d*)?/].cs__freeze
-            DEFAULT_SAFE = true
+            DEFAULT_SAFE = false
 
             def rule_id
               'hsts-header-missing'

data/lib/contrast/agent/assess/rule/response/x_xss_protection_header_rule.rb

@@ -24,7 +24,7 @@ module Contrast
             protected
 
             def analyze_response? response
-              !framework_supported? && super
+              !rails_seven? && super
             end
           end
         end

data/lib/contrast/agent/assess/tracker.rb

@@ -12,7 +12,6 @@ module Contrast
       # have tightly coupled dependencies on each other.
       class Tracker
         PROPERTIES_HASH = Contrast::Agent::Assess::Finalizers::Hash.new
-        KEEP_AGE = 600_000.cs__freeze # 10 minutes
 
         class << self
           # Retrieve the properties of the given Object, iff they exist.
@@ -60,12 +59,7 @@ module Contrast
           # Clean PROPERTIES_HASH of any values older than KEEP_AGE ms or
           # have nil properties
           def cleanup!
-            PROPERTIES_HASH.delete_if do |_k, properties|
-              return true if properties.nil?
-              return false unless (event = properties&.event)
-
-              KEEP_AGE <= (Contrast::Utils::Timer.now_ms - event.time)
-            end
+            PROPERTIES_HASH.cleanup!
           end
         end
       end

data/lib/contrast/agent/excluder.rb

@@ -0,0 +1,206 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    # Given an array of exclusion matcher instances provides methods to
+    # determine if the exclusions apply to particular urls.
+    class Excluder # rubocop:disable Metrics/ClassLength
+      attr_reader :exclusions
+
+      def initialize exclusions = []
+        @exclusions = exclusions
+      end
+
+      # If an assess URL exclusion rule applies to the current url, *and* is defined as "All Rules"
+      # then we can avoid any tracking for the request.
+      #
+      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # return [Boolean]
+      def assess_excluded_by_url? request
+        request_path = request.path
+
+        assess_url_exclusions_for_all_rules.any? do |exclusion|
+          path_match?(exclusion, request_path)
+        end
+      end
+
+      # If an assess URL exclusion rule applies to the current url, *and* also covers the
+      # provided rule_id, then we can avoid tracking this entry.
+      #
+      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # @param rule_id [String]
+      # return [Boolean]
+      def assess_excluded_by_url_and_rule? request, rule_id
+        request_path = request.path
+
+        assess_url_exclusions.any? do |exclusion|
+          path_match?(exclusion, request_path) &&
+              (exclusion.assessment_rules.empty? || exclusion.assessment_rules.include?(rule_id))
+        end
+      end
+
+      # If an assess INPUT exclusion rule applies to the current url, *and* also covers all
+      # rules, then we can avoid tracking this entry.
+      #
+      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # @param rule_id [String]
+      # return [Boolean]
+      def assess_excluded_by_input? request, source_type, source_name
+        request_path = request.path
+
+        assess_input_exclusions_for_all_rules.any? do |exclusion|
+          input_match?(exclusion, source_type, source_name) && path_match?(exclusion, request_path)
+        end
+      end
+
+      # If an assess INPUT exclusion rule covers the provided rule_id *for all finding event sources*, then we
+      # can avoid tracking this entry. If any event source *isn't excluded* then we don't exclude the finding.
+      #
+      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # @param finding [Contrast::Agent::Reporting::Finding]
+      # @param rule [String]
+      # return [Boolean]
+      def assess_excluded_by_input_and_rule? request, finding, rule
+        return false if finding.events.empty?
+
+        # We need to check for url exclusions here for the input rules as the url exclusions
+        # that have already been checked didn't include the INPUT exclusions. So we look for
+        # any INPUT exclusions that apply to the current url and the suppleid rule.
+        path = request.path
+        rule_input_exclusions = assess_input_exclusions.select do |exclusion|
+          (exclusion.protection_rules.empty? || exclusion.protection_rules.include?(rule)) && path_match?(exclusion,
+                                                                                                          path)
+        end
+        return false if rule_input_exclusions.empty?
+
+        event_sources = finding.events.flat_map(&:event_sources)
+        event_sources.each do |event_source|
+          return false unless rule_input_exclusions.any? do |exclusion|
+            input_match?(exclusion, event_source.type, event_source.name) # rubocop:disable Security/Module/Name
+          end
+        end
+
+        # If we reach here, and we have event sources then all of them matched so we should exclude
+        # this finding. On the other hand, if there were no event sources we have nothing to exclude.
+        event_sources.any?
+      end
+
+      # If a protect URL exclusion rule applies to the current url, *and* is defined as "All Rules"
+      # then we can avoid using the rule for the request.
+      #
+      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
+      # return [Boolean]
+      def protect_excluded_by_url? request
+        request_path = request.path
+
+        protect_url_exclusions_for_all_rules.any? do |exclusion|
+          path_match?(exclusion, request_path)
+        end
+      end
+
+      private
+
+      def assess_url_exclusions_for_all_rules
+        @_assess_url_exclusions_for_all_rules ||= assess_url_exclusions.select do |exclusion|
+          exclusion.assessment_rules.empty?
+        end
+      end
+
+      def assess_url_exclusions
+        @_assess_url_exclusions ||= assess_exclusions.select do |exclusion|
+          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::URL
+        end
+      end
+
+      def assess_input_exclusions_for_all_rules
+        @_assess_input_exclusions_for_all_rules ||= assess_input_exclusions.select do |exclusion|
+          exclusion.assessment_rules.empty?
+        end
+      end
+
+      def assess_input_exclusions
+        @_assess_input_exclusions ||= assess_exclusions.select do |exclusion|
+          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::INPUT
+        end
+      end
+
+      def assess_exclusions
+        @_assess_exclusions ||= @exclusions.select(&:assess)
+      end
+
+      def protect_url_exclusions_for_all_rules
+        @_protect_url_exclusions_for_all_rules ||= protect_url_exclusions.select do |exclusion|
+          exclusion.protection_rules.empty?
+        end
+      end
+
+      def protect_url_exclusions
+        @_protect_url_exclusions ||= protect_exclusions.select do |exclusion|
+          exclusion.type == Contrast::Api::Settings::Exclusion::ExclusionType::URL
+        end
+      end
+
+      def protect_exclusions
+        @_protect_exclusions ||= @exclusions.select(&:protect)
+      end
+
+      def path_match? exclusion, path
+        exclusion.wildcard_url || exclusion.urls.any? { |url| url.match?(path) }
+      end
+
+      def input_match? exclusion, source_type, source_name
+        case exclusion.input_type
+        when Contrast::Api::Settings::Exclusion::InputType::PARAMETER
+          input_match_parameter?(exclusion, source_type, source_name)
+        when Contrast::Api::Settings::Exclusion::InputType::COOKIE
+          input_match_cookie?(exclusion, source_type, source_name)
+        when Contrast::Api::Settings::Exclusion::InputType::HEADER
+          input_match_header?(exclusion, source_type, source_name)
+        when Contrast::Api::Settings::Exclusion::InputType::BODY
+          Contrast::Agent::Assess::Policy::SourceMethod::BODY_TYPE == source_type
+        when Contrast::Api::Settings::Exclusion::InputType::QUERYSTRING
+          Contrast::Agent::Assess::Policy::SourceMethod::QUERYSTRING_TYPE == source_type
+        else
+          false
+        end
+      end
+
+      def input_match_parameter? exclusion, source_type, source_name
+        return false unless [
+          Contrast::Agent::Assess::Policy::SourceMethod::PARAMETER_TYPE,
+          Contrast::Agent::Assess::Policy::SourceMethod::PARAMETER_KEY_TYPE
+        ].include?(source_type)
+
+        exclusion.wildcard_input || (exclusion.input_name == source_name) || regexp_match?(exclusion.input_name,
+                                                                                           source_name)
+      end
+
+      def input_match_cookie? exclusion, source_type, source_name
+        return false unless [
+          Contrast::Agent::Assess::Policy::SourceMethod::COOKIE_TYPE,
+          Contrast::Agent::Assess::Policy::SourceMethod::COOKIE_KEY_TYPE
+        ].include?(source_type)
+
+        exclusion.wildcard_input || exclusion.input_name == source_name || regexp_match?(exclusion.input_name,
+                                                                                         source_name)
+      end
+
+      def input_match_header? exclusion, source_type, source_name
+        return false unless [
+          Contrast::Agent::Assess::Policy::SourceMethod::HEADER_TYPE,
+          Contrast::Agent::Assess::Policy::SourceMethod::HEADER_KEY_TYPE
+        ].include?(source_type)
+
+        exclusion.wildcard_input || exclusion.input_name.casecmp(source_name).zero? || regexp_match?(
+            exclusion.input_name, source_name)
+      end
+
+      def regexp_match? possible_pattern, source_name
+        Regexp.new("^#{ possible_pattern }$").match?(source_name)
+      rescue RegexpError
+        false
+      end
+    end
+  end
+end

data/lib/contrast/agent/exclusion_matcher.rb

@@ -11,6 +11,12 @@ module Contrast
     class ExclusionMatcher
       include Contrast::Components::Logger::InstanceMethods
 
+      extend Forwardable
+
+      attr_reader :protect, :assess, :urls, :wildcard_url, :wildcard_input
+
+      def_delegators :@exclusion, :type, :assessment_rules, :protection_rules, :input_type, :input_name
+
       # Create a matcher around an exclusion sent from TeamServer.
       #
       # @param excl [Contrast::Api::Settings::Exclusion]

data/lib/contrast/agent/inventory/database_config.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/reporting/reporting_events/architecture_component'
-require 'contrast/api/decorators/architecture_component'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/timer'
@@ -25,10 +24,7 @@ module Contrast
         LOCALHOST = 'localhost'
 
         class << self
-          # Append the available database connection information to the message being sent to TeamServer. This message
-          # may be a Contrast::Api::Dtm::Activity or Contrast::Agent::Reporting::ApplicationUpdate.
-          # Both report the same
-          # Contrast::Api::Dtm::ArchitectureComponent, but have different names for their fields.
+          # Append the available database connection information to the message being sent to TeamServer.
           #
           # @param activity_or_update [Contrast::Agent::Reporting::ApplicationUpdate]
           # @param hash_or_str [Hash, String] the database connection information
@@ -73,8 +69,8 @@ module Contrast
           # The classes we instrument in order to determine which, if any, database(s) an application connects to take
           # either a Hash or a String as a parameter. We install this one patch into all of those methods, letting our
           # code here, rather than at the patch level, make the determination of which path to call. We'll make that
-          # decision and then parse the given configuration to create a Contrast::Api::Dtm::ArchitectureComponent for
-          # reporting.
+          # decision and then parse the given configuration to create a
+          # Contrast::Agent::Reporting::ArchitectureComponent for reporting.
           #
           # @param hash_or_str [Hash, String]
           # @return [Array<Contrast::Agent::Reporting::ArchitectureComponent>, nil]
@@ -93,8 +89,8 @@ module Contrast
             end
           end
 
-          # Convert the Hash used to create a database connection into an Contrast::Api::Dtm::ArchitectureComponent
-          # understandable by TeamServer.
+          # Convert the Hash used to create a database connection into a
+          # Contrast::Agent::Reporting::ArchitectureComponent understandable by TeamServer.
           #
           # @param hash [Hash] the information used to open a database connection
           # @return [Array<Contrast::Agent::Reporting::ArchitectureComponent>]
@@ -150,7 +146,7 @@ module Contrast
           end
 
           # Parse the given string used to connect to a database into its composite components, allowing for the
-          # generation of a Contrast::Api::Dtm::ArchitectureComponent
+          # generation of a Contrast::Agent::Reporting::ArchitectureComponent
           #
           # @param str [String] the DB connection string
           # @return [Array<String>, nil] the adapter, hosts, and database

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -33,6 +33,10 @@ module Contrast
               clazz = object.is_a?(Module) ? object : object.cs__class
               class_name = clazz.cs__name
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
+              # invoke cmdi sub-rules.
+              rule.sub_rules.each do |sub_rule|
+                sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
+              end
             end
 
             protected

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -30,6 +30,7 @@ module Contrast
 
               sql = args[index]
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
+              rule.sub_rules.each { |sub_rule| sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, sql) }
             end
 
             protected