contrast-agent 7.1.0 → 7.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81222798666699f86b31b925d531d2ee2229eb7934582d2a502cc61de3ca4e0b
-  data.tar.gz: 7dd4d41a58600b7d57b5f57cf95c42bd2f6d198f5f1906e93751e33c09efa3e0
+  metadata.gz: 1a9469e29e067a8c67e64a771b3d60522c4999ecd1133fdc96c3f6c9ff528f71
+  data.tar.gz: 8cbed6cbdf60a9017c80f0edbd5bbe11ea104620ae606f2eac5db4d2c930667f
 SHA512:
-  metadata.gz: 02e5d3aa6b342e8c4277ad6cefde65819aed6f6b4a1079cfe7528fcce236ec702aa8a63fc756c403c0df6e3ef38d5d25dc9f1c6e5c450d272122d699b6fd9872
-  data.tar.gz: 9cc83b5f69edeea949784ae766be7e02c1d589e58b2af5b5c1bd7975dcee1450d294bc7de647f60a9a3f18a1ea05a43bfe452a52d4760ed1b1cfcb0a7339a6ab
+  metadata.gz: 3ba2a3f4887a593a5b61544ce6622df70cfe54d1a6b7fe6c4e57927714ab5b6c16ccf13b8c7cd703acb0f55e405c6bcb8e55c781e6f7171d087dc48885942a33
+  data.tar.gz: 7d791ee31ffe0857ac51a6d26f7489baf986f3b4445cc697f202df3ab47dd77c2e484a2516ca2ed442afbfe9be02e8139dab2a866dcc0358210774a6c1e33ca9

data/ext/extconf_common.rb

@@ -5,6 +5,31 @@ require 'mkmf'
 require 'rbconfig'
 require_relative '../lib/contrast/agent/version'
 
+# Create explicit symbol list, that will be set as promise to be loaded dynamic on run time.
+SYMS = %w[
+  _assess
+  _policy
+  _assess_policy
+  _assess_propagator
+  _core_assess
+  _contrast_patcher
+  _contrast_check_prepended
+  _contrast_check_and_register_instance_patch
+  _contrast_register_singleton_prepend_patch
+  _contrast_register_patch
+  _contrast_register_singleton_patch
+  _inst_methods_enter_cntr_scope
+  _inst_methods_enter_method_scope
+  _inst_methods_exit_cntr_scope
+  _inst_methods_exit_method_scope
+  _inst_methods_in_cntr_scope
+  _rb_sym_method
+  _rb_sym_hash_tracked
+  _rb_sym_skip_assess_analysis
+  _rb_sym_skip_contrast_analysis
+  _patch_via_funchook
+].freeze # rubocop:disable Security/Object/Freeze
+
 # The mkmf.rb file uses all passed flags from Ruby configuration (RbConfig::CONFIG) on
 # Ruby build time. Problem with Clang and GCC is that it do not keep up with c89 and finds
 # error on including <ryby.h> as not allowing inline variables.
@@ -32,8 +57,7 @@ require_relative '../lib/contrast/agent/version'
 STANDARD_FLAGS = '-std=gnu89'
 CLANG = 'clang'
 
-# TODO: RUBY-999999 Add -pedantic flag, remove all warning flags and see to it that as many as possible become obsolete.
-# Note: Adding -pedantic could raise <ruby.h> warnings, and we are not in control of that code.
+# Adding -pedantic could raise <ruby.h> warnings, and we are not in control of that code.
 # e.g. error: '_Bool' is a C99 extension [-Werror,-Wc99-extensions] ; empty macros and etc.
 #
 # -Wno-int-conversion => Passing VALUEs as function args but required as unsigned long parameters.
@@ -55,8 +79,19 @@ WARNING_FLAGS = %w[
 # Flags that are only recognized by gcc:
 GCC_FLAGS = %w[-Wno-maybe-uninitialized].freeze # rubocop:disable Security/Object/Freeze
 
+def darwin?
+  RbConfig::CONFIG['target_os'].include?('darwin')
+end
+
 # Extend $CFLAGS passed directly to compiler in ruby mkmf
+#
+# Extended flags are mainly tested with clang and gcc. Experience with other compilers may vary.
+# To that end if something brakes on client side we must have a mechanism to go back to previous
+# non strict gnu89 standard and be able to maintain the build.
+# We can disable newly added changes with this setting CONTRAST_USE_C89=false.
 def extend_cflags
+  return if ENV['CONTRAST__USE_GNU89'] == 'false'
+
   $CFLAGS += " #{ [STANDARD_FLAGS, WARNING_FLAGS].flatten.join(' ') }"
   # Extend with GCC specific flags:
   unless RbConfig::MAKEFILE_CONFIG['CC'].downcase.include?(CLANG) ||
@@ -67,6 +102,52 @@ def extend_cflags
   end
 end
 
+# use C compiler if set.
+def enable_env_cc
+  RbConfig::CONFIG['CC'] = RbConfig::MAKEFILE_CONFIG['CC'] = ENV['CC'] if ENV['CC']
+end
+
+# Since we cannot link directly the bundles created after the extensions being build,
+# we can pass flags to the linker to resolve symbols not being found during compilation,
+# since they are going to be available on load time. Ruby first is loaded then the extensions.
+# MacOS introduced new fixups with Xcode 14. This causes the issue of symbols not being linked during
+# compilation for the Agent, and other ruby related issues with objective C objects being used,
+# bigdecimal being different and so on.
+#
+# Ruby itself is build on MacOS with '--enabled-shared' flag, also Ruby interpreters compiled
+# under Xcode14 no longer specify by default in DLDFLAGS this flag:
+#
+#   '-undefined dynamic_lookup'
+# ( As of Xcode14.3 behavior of dynamic_lookup is reverted back.)
+#
+# This simply is telling the linker that any unknown symbols will be resolved dynamic on extension load.
+# However with the new fixup chain introduced an warning may be produced:
+# ld: warning: -undefined dynamic_lookup may not work with chained fixups.
+# The fixups are responsible for the dynamic linking of the dylibs.
+def mac_symbol_resolve
+  # If this is braking the build, it can be disabled.
+  return if ENV['CONTRAST__NO_MAC_LD_FIX'] == 'true'
+  return unless darwin?
+
+  # Disabled as of the unknown changes to newly ruby interpreter builds:
+  # RbConfig::CONFIG['EXTDLDFLAGS'] = "-bundle_loader #{ RbConfig::CONFIG['EXTDLDFLAGS'] }"
+
+  # Avoid using this, as not desirable:
+  #
+  # Adding -no_fixup_chains will brake older compilers but will work on newer.
+  # This flag solves the problem but on the long run might not be the solution needed, now not being default,
+  # any new feature changes on Mac or Ruby side might brake things again.
+  # Use this only if explicitly set as ENV var,as a backup on client's end.
+  #
+  # $LDFLAGS << " " << flag
+  append_ldflags('-Wl,-no_fixup_chains -undefined dynamic_lookup') if ENV['CONTRAST__MAC_LD_USE_ALT'] == 'true'
+
+  # Another alternative is to use -Wl,-U with explicit listed depending symbols.
+  # Append the symfile:
+  SYMS.each { |sym| $DLDFLAGS << " -Wl,-U,#{ sym }" } unless ENV['CONTRAST__MAC_LD_USE_ALT'] == 'true'
+end
+
+# Generate Makefile.
 def make!
   create_makefile("#{ $TO_MAKE }/#{ $TO_MAKE }")
 end
@@ -75,9 +156,9 @@ end
 # | MOVING CODE BELLOW THIS SECTION MAY BRAKE MAKEFILE. ORDER MATTERS!  |
 # ----------------------------------------------------------------------
 
+# __dir__ is relative to the file you're reading.
+# this file you're reading is presently within $APP_ROOT/ext/.
 def ext_path
-  # __dir__ is relative to the file you're reading.
-  # this file you're reading is presently within $APP_ROOT/ext/.
   __dir__
 end
 
@@ -85,14 +166,7 @@ end
 # funchook.h file. Then we can pass CFLAGS and extend makefile flags and invoke make!
 require_relative './build_funchook'
 
-# Extended flags are mainly tested with clang and gcc. Experience with other compilers may vary.
-# To that end if something brakes on client side we must have a mechanism to go back to previous
-# non strict gnu89 standard and be able to maintain the build.
-# We can disable newly added changes with this setting CONTRAST_USE_C89=false.
-extend_cflags unless ENV['CONTRAST__USE_GNU89'] == 'false'
-
-# use same C compiler if set.
-RbConfig::CONFIG['CC'] = RbConfig::MAKEFILE_CONFIG['CC'] = ENV['CC'] if ENV['CC']
-
-# Generate Makefile.
+enable_env_cc
+mac_symbol_resolve
+extend_cflags
 make!

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -43,6 +43,7 @@ module Contrast
                 return unless analyze?(method_policy, object, ret, args)
                 return if event_limit?(method_policy)
                 return unless (source_node = method_policy.source_node)
+                # Exclusions makes method slow:
                 return if excluded_by_url?
 
                 # used to hold the object and ret
@@ -76,6 +77,7 @@ module Contrast
 
               source_name ||= determine_source_name(source_node, source_data.object, source_data.ret, *args)
 
+              # Exclusions makes method slow:
               return if excluded_by_input?(source_type, source_name)
 
               # We know we only work on certain things.
@@ -188,16 +190,23 @@ module Contrast
             #
             # @return [Boolean]
             def excluded_by_input? source_type, source_name
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              Contrast::SETTINGS.excluder.assess_excluded_by_input?(context.request, source_type, source_name)
+              return false unless Contrast::SETTINGS.excluder.exclusions.any?
+              return false unless Contrast::Agent::REQUEST_TRACKER.current
+              # skip if the source is collection, it will be evaluated by it's elements. Collections are not
+              # trackable.
+              return false if source_name.cs__is_a?(Hash)
+
+              Contrast::SETTINGS.excluder.assess_excluded_by_input?(source_type, source_name)
             end
 
             # Should a source be excluded because it matches one of the url exclusion rules?
             #
             # @return [Boolean]
             def excluded_by_url?
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              Contrast::SETTINGS.excluder.assess_excluded_by_url?(context.request)
+              return false unless Contrast::SETTINGS.excluder.exclusions.any?
+              return false unless Contrast::Agent::REQUEST_TRACKER.current
+
+              Contrast::SETTINGS.excluder.assess_excluded_by_url?
             end
           end
         end

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -93,11 +93,11 @@ module Contrast
 
               request = find_request(source)
               return unless reportable?(request&.env)
-              return if excluded_by_url_and_rule?(request, trigger_node.rule_id)
+              return if excluded_by_url_and_rule?(trigger_node.rule_id)
 
               finding = Contrast::Agent::Reporting::Finding.new(trigger_node.rule_id)
               finding.attach_data(trigger_node, source, object, ret, request, *args)
-              return if excluded_by_input_and_rule?(request, finding, trigger_node.rule_id)
+              return if excluded_by_input_and_rule?(finding, trigger_node.rule_id)
 
               finding.hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
               check_for_stored_xss(finding)
@@ -167,28 +167,22 @@ module Contrast
               end
             end
 
-            def build_events finding, event
-              return unless event
-
-              event.parent_events&.each do |parent_event|
-                build_events(finding, parent_event)
-              end
-              # events could technically be nil, but we would have failed the rule check before getting here. not
-              # worth the nil check
-              finding.events << event.to_dtm_event
-            end
-
             # Check if the finding should be excluded due to the assess exclusion rules.
             #
-            # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
             # @param rule_id [String]
             # return [Boolean]
-            def excluded_by_url_and_rule? request, rule_id
-              Contrast::SETTINGS.excluder.assess_excluded_by_url_and_rule?(request, rule_id)
+            def excluded_by_url_and_rule? rule_id
+              return false unless Contrast::SETTINGS.excluder.exclusions.any?
+              return unless Contrast::Agent::REQUEST_TRACKER.current
+
+              Contrast::SETTINGS.excluder.assess_excluded_by_url_and_rule?(rule_id)
             end
 
-            def excluded_by_input_and_rule? request, finding, rule_id
-              Contrast::SETTINGS.excluder.assess_excluded_by_input_and_rule?(request, finding, rule_id)
+            def excluded_by_input_and_rule? finding, rule_id
+              return false unless Contrast::SETTINGS.excluder.exclusions.any?
+              return unless Contrast::Agent::REQUEST_TRACKER.current
+
+              Contrast::SETTINGS.excluder.assess_excluded_by_input_and_rule?(finding, rule_id)
             end
 
             # Handles the Stored Xss rule. If a vector is stored in the database

data/lib/contrast/agent/excluder/excluder.rb

@@ -3,6 +3,8 @@
 
 require 'contrast/agent/reporting/settings/url_exclusion'
 require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/utils/object_share'
+require 'contrast/utils/assess/object_store'
 
 module Contrast
   module Agent
@@ -19,11 +21,14 @@ module Contrast
         @exclusions = exclusions
       end
 
+      def cached_paths
+        @_cached_paths ||= Contrast::Utils::Assess::ObjectStore.new(10)
+      end
+
       # Determine if an input is excluded for protect rule.
       #
       # @param results [Array<Contrast::Agent::Reporting::InputAnalysisResult>]
-      # @param request_path [String] Current request path
-      def protect_excluded_by_input? results, request_path
+      def protect_excluded_by_input? results
         return false unless results.any?
 
         exclusion_matched = 0
@@ -35,8 +40,7 @@ module Contrast
 
             # Based on strategy:
             match = input_match_strategy(exclusion_match,
-                                         input_match?(exclusion_match, rule_result.input_type, rule_result.key),
-                                         request_path)
+                                         input_match?(exclusion_match, rule_result.input_type, rule_result.key))
             exclusion_matched += 1 if match
           end
         end
@@ -48,25 +52,21 @@ module Contrast
       # If an assess URL exclusion rule applies to the current url, *and* is defined as "All Rules"
       # then we can avoid any tracking for the request.
       #
-      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
       # @return [Boolean]
-      def assess_excluded_by_url? request
+      def assess_excluded_by_url?
         assess_url_exclusions_for_all_rules.any? do |exclusion_matcher|
-          path_match?(exclusion_matcher, request.path)
+          path_match?(exclusion_matcher)
         end
       end
 
       # If an assess URL exclusion rule applies to the current url, *and* also covers the
       # provided rule_id, then we can avoid tracking this entry.
       #
-      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
       # @param rule_id [String]
       # return [Boolean]
-      def assess_excluded_by_url_and_rule? request, rule_id
-        request_path = request.path
-
+      def assess_excluded_by_url_and_rule?rule_id
         assess_url_exclusions.any? do |exclusion_matcher|
-          path_match?(exclusion_matcher, request_path) &&
+          path_match?(exclusion_matcher) &&
               (exclusion_matcher.assess_rules.empty? || exclusion_matcher.assess_rules.include?(rule_id))
         end
       end
@@ -74,35 +74,30 @@ module Contrast
       # If an assess INPUT exclusion rule applies to the current url, *and* also covers all
       # rules, then we can avoid tracking this entry.
       #
-      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
       # @param source_type [String]
       # @param source_name [String]
       # return [Boolean]
-      def assess_excluded_by_input? request, source_type, source_name
-        request_path = request.path
-
+      def assess_excluded_by_input?source_type, source_name
         assess_input_exclusions_for_all_rules.any? do |exclusion_matcher|
-          input_match?(exclusion_matcher, source_type, source_name) && path_match?(exclusion_matcher, request_path)
+          input_match?(exclusion_matcher, source_type, source_name) && path_match?(exclusion_matcher)
         end
       end
 
       # If an assess INPUT exclusion rule covers the provided rule_id *for all finding event sources*, then we
       # can avoid tracking this entry. If any event source *isn't excluded* then we don't exclude the finding.
       #
-      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
       # @param finding [Contrast::Agent::Reporting::Finding]
       # @param rule [String]
       # return [Boolean]
-      def assess_excluded_by_input_and_rule? request, finding, rule
+      def assess_excluded_by_input_and_rule?finding, rule
         return false if finding.events.empty?
 
         # We need to check for url exclusions here for the input rules as the url exclusions
         # that have already been checked didn't include the INPUT exclusions. So we look for
         # any INPUT exclusions that apply to the current url and the supplied rule.
-        path = request.path
         rule_input_exclusions = assess_input_exclusions.select do |exclusion_matcher|
           (exclusion_matcher.protect_rules.empty? || exclusion_matcher.protect_rules.include?(rule)) &&
-              path_match?(exclusion_matcher, path)
+              path_match?(exclusion_matcher)
         end
         return false if rule_input_exclusions.empty?
 
@@ -122,13 +117,12 @@ module Contrast
       # then we can avoid using the rule for the request.
       #
       # @param rule_id [String]
-      # @param path [String]
       # return [Boolean]
-      def protect_excluded_by_url? rule_id, path
+      def protect_excluded_by_url? rule_id
         protect_url_exclusions.any? do |exclusion_matcher|
           next unless exclusion_matcher.protection_rule?(rule_id)
 
-          return true if path_match?(exclusion_matcher, path)
+          return true if path_match?(exclusion_matcher)
         end
       end
 
@@ -140,14 +134,13 @@ module Contrast
       #
       # @param exclusion_match [Contrast::Agent::ExclusionMatcher]
       # @param input_match [Boolean] does the input match the exclusion
-      # @param request_path [String] Current request path
       # @return [Boolean]
-      def input_match_strategy exclusion_match, input_match, request_path
+      def input_match_strategy exclusion_match, input_match
         # for ALL urls
         return input_match if exclusion_match.match_all?
 
         # for ONLY match we need to check if there is an input and url match.
-        input_match && path_match?(exclusion_match, request_path)
+        input_match && path_match?(exclusion_match)
       end
 
       # @return [Array<Contrast::Agent::ExclusionMatcher>]
@@ -202,12 +195,25 @@ module Contrast
         end
       end
 
+      # Returns true if context.request.path matches any url exclusion.
+      #
       # @return [Boolean]
-      def path_match? exclusion_matcher, path
-        return false unless path
+      def path_match? exclusion_matcher
+        return false unless Contrast::Agent::REQUEST_TRACKER.current&.request&.path
+
+        return_cached_result(exclusion_matcher)
+        matches = 0
+        matches += 1 if exclusion_matcher.wildcard_url
+        exclusion_matcher.urls.any? do |url|
+          if url.match?(Contrast::Agent::REQUEST_TRACKER.current.request.path) ||
+                regexp_match?(url, Contrast::Agent::REQUEST_TRACKER.current.request.path)
+
+            matches += 1
+          end
+        end
 
-        exclusion_matcher.wildcard_url ||
-            exclusion_matcher.urls.any? { |url| url.match?(path) || regexp_match?(url, path) }
+        add_cached_path(exclusion_matcher, matches)
+        matches.positive?
       end
 
       # @param exclusion [Contrast::Agent::ExclusionMatcher]
@@ -301,6 +307,33 @@ module Contrast
       def cookie_types
         @_cookie_types ||= [COOKIE_NAME, COOKIE_VALUE].cs__freeze
       end
+
+      # Adds new cached result unless it already exists
+      #
+      # @param exclusion_matcher [Contrast::Agent::ExclusionMatcher]
+      # @param matches [Boolean] the result of last iteration
+      # @return [Hash, nil]
+      def add_cached_path exclusion_matcher, matches
+        return if cached_paths[Contrast::Agent::REQUEST_TRACKER.current.request.path.__id__]
+
+        cached_paths[Contrast::Agent::REQUEST_TRACKER.
+            current.request.path.__id__] = { matcher: exclusion_matcher.__id__, result: matches.positive? }
+      rescue StandardError
+        nil
+      end
+
+      # returns a cached result if current path and matcher are the same.
+      # @param exclusion_matcher [Contrast::Agent::ExclusionMatcher]
+      # @return [Boolean, nil]
+      def return_cached_result exclusion_matcher
+        return unless !cached_paths[Contrast::Agent::REQUEST_TRACKER.current.request.path.__id__].nil? &&
+            (cached_paths[Contrast::Agent::REQUEST_TRACKER.current.
+              request.path.__id__][:matcher] == exclusion_matcher.__id__)
+
+        cached_paths[Contrast::Agent::REQUEST_TRACKER.current.request.path.__id__][:result]
+      rescue StandardError
+        nil
+      end
     end
   end
 end

data/lib/contrast/agent/protect/rule/base.rb

@@ -166,17 +166,15 @@ module Contrast
           # Check if the protect rules is excluded by url from the exclusion rules for this application.
           #
           # @param rule_id [String]
-          # @param request_path [String] Current request path
-          def protect_excluded_by_url? rule_id, request_path
-            Contrast::SETTINGS.excluder.protect_excluded_by_url?(rule_id, request_path)
+          def protect_excluded_by_url? rule_id
+            Contrast::SETTINGS.excluder.protect_excluded_by_url?(rule_id)
           end
 
           # Check if the protect rules is excluded by input from the exclusion rules for this application.
           #
           # @param results [Array<Contrast::Agent::Reporting::InputAnalysis>]
-          # @param request_path [String] Current request path
-          def protect_excluded_by_input? results, request_path
-            Contrast::SETTINGS.excluder.protect_excluded_by_input?(results, request_path)
+          def protect_excluded_by_input? results
+            Contrast::SETTINGS.excluder.protect_excluded_by_input?(results)
           end
 
           # Allows for the InputAnalysis from Agent Library to be extracted early

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker.rb

@@ -77,7 +77,7 @@ module Contrast
           # @return [Contrast::Agent::Reporting::RaspRuleSample]
           def build_sample context, ia_result, _candidate_string, **_kwargs
             sample = build_base_sample(context, ia_result)
-            sample.details = Contrast::Agent::Reporting::BotBlockerDetails.new
+            sample.details = Contrast::Agent::Reporting::Details::BotBlockerDetails.new
             sample.details.bot = ia_result.value
             sample.details.user_agent = context&.request&.user_agent
             sample

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb

@@ -3,7 +3,7 @@
 
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
-require 'contrast/agent/reporting/input_analysis/details/bot_blocker_details'
+require 'contrast/agent/reporting/details/bot_blocker_details'
 require 'contrast/utils/input_classification_base'
 require 'contrast/utils/object_share'
 
@@ -73,7 +73,7 @@ module Contrast
               if score >= THRESHOLD
                 ia_result.score_level = DEFINITEATTACK
                 ia_result.ids << BOT_BLOCKER_MATCH
-                ia_result.details = Contrast::Agent::Reporting::BotBlockerDetails.new
+                ia_result.details = Contrast::Agent::Reporting::Details::BotBlockerDetails.new
                 # details:
                 add_details(ia_result, value)
               else

data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb

@@ -37,7 +37,7 @@ module Contrast
           # @raise [Contrast::SecurityException] if the rule mode ise set
           # to BLOCK and valid cdmi is detected.
           def infilter context, classname, method, command
-            return if protect_excluded_by_url?(rule_name, context.request.path)
+            return if protect_excluded_by_url?(rule_name)
             return unless backdoors_match?(command)
             return unless (result = build_attack_with_match(context, nil, nil, command,
                                                             **{ classname: classname, method: method }))

data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb

@@ -43,7 +43,7 @@ module Contrast
           # to BLOCK and valid cdmi is detected.
           def infilter context, classname, method, command
             return unless infilter?(command)
-            return if protect_excluded_by_url?(rule_name, context.request.path)
+            return if protect_excluded_by_url?(rule_name)
             return unless (result = build_violation(context, command))
 
             append_to_activity(context, result)

data/lib/contrast/agent/protect/rule/deserialization/deserialization.rb

@@ -58,9 +58,9 @@ module Contrast
           # Per the spec, this rule applies regardless of input. Only the mode
           # of the rule and code exclusions apply at this point.
           # @return [Boolean] should the rule apply to this call.
-          def infilter? context
+          def infilter?_context
             return false unless enabled?
-            return false if protect_excluded_by_url?(rule_name, context.request.path)
+            return false if protect_excluded_by_url?(rule_name)
 
             true
           end

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb

@@ -46,7 +46,7 @@ module Contrast
           # @raise [Contrast::SecurityException] if the rule mode ise set
           # to BLOCK and valid cdmi is detected.
           def infilter context, method, path
-            return if protect_excluded_by_url?(rule_name, context.request.path)
+            return if protect_excluded_by_url?(rule_name)
             return unless rule_violated?(path)
 
             result = build_violation(context, path)

data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb

@@ -19,7 +19,7 @@ module Contrast
           end
 
           def infilter context, sql_query
-            return false if protect_excluded_by_url?(rule_name, context.request.path)
+            return false if protect_excluded_by_url?(rule_name)
             return unless violated?(sql_query)
 
             result = build_violation(context, sql_query)

data/lib/contrast/agent/protect/rule/utils/filters.rb

@@ -42,8 +42,8 @@ module Contrast
             return false unless context
             return false unless enabled?
             return false unless (results = gather_ia_results(context)) && results.any?
-            return false if protect_excluded_by_url?(rule_name, context.request.path)
-            return false if protect_excluded_by_input?(results, context.request.path)
+            return false if protect_excluded_by_url?(rule_name)
+            return false if protect_excluded_by_input?(results)
 
             true
           end
@@ -68,8 +68,8 @@ module Contrast
           def infilter? context
             return false unless enabled?
             return false unless (results = gather_ia_results(context)) && results.any?
-            return false if protect_excluded_by_url?(rule_name, context.request.path)
-            return false if protect_excluded_by_input?(results, context.request.path)
+            return false if protect_excluded_by_url?(rule_name)
+            return false if protect_excluded_by_input?(results)
 
             true
           end
@@ -89,8 +89,8 @@ module Contrast
           # @raise [Contrast::SecurityException]
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
-            return false if protect_excluded_by_url?(rule_name, context.request.path)
-            return if protect_excluded_by_input?(gather_ia_results(context), context.request.path)
+            return false if protect_excluded_by_url?(rule_name)
+            return if protect_excluded_by_input?(gather_ia_results(context))
 
             return if mode == :NO_ACTION || mode == :PERMIT
 

data/lib/contrast/agent/protect/rule/xxe/xxe.rb

@@ -37,7 +37,7 @@ module Contrast
           # @raise [Contrast::SecurityException] Security exception if an XXE
           #   attack is found and the rule is in block mode.
           def infilter context, framework, xml
-            return if protect_excluded_by_url?(rule_name, context.request.path)
+            return if protect_excluded_by_url?(rule_name)
 
             result = find_attacker(context, xml, framework: framework)
             return unless result