contrast-agent 7.1.0 → 7.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81222798666699f86b31b925d531d2ee2229eb7934582d2a502cc61de3ca4e0b
-  data.tar.gz: 7dd4d41a58600b7d57b5f57cf95c42bd2f6d198f5f1906e93751e33c09efa3e0
+  metadata.gz: e64852411fae5dd5c52973361e7f54cdf60813105423ed81cd6455c6ec212330
+  data.tar.gz: d7d6a1ef01242d97b36f1b8fc4767829d300ec2f3ce1dcb21df7fe05aebc22b1
 SHA512:
-  metadata.gz: 02e5d3aa6b342e8c4277ad6cefde65819aed6f6b4a1079cfe7528fcce236ec702aa8a63fc756c403c0df6e3ef38d5d25dc9f1c6e5c450d272122d699b6fd9872
-  data.tar.gz: 9cc83b5f69edeea949784ae766be7e02c1d589e58b2af5b5c1bd7975dcee1450d294bc7de647f60a9a3f18a1ea05a43bfe452a52d4760ed1b1cfcb0a7339a6ab
+  metadata.gz: 86626808971cfc1fcd74febe8cdf2d41be668a78cc02d41d4bf7f6a488e550fef9f2a8fe3230eea7ea9ed63824d09e61956878d34d99375dd3595b77d3a9755f
+  data.tar.gz: 9fb15e1733095b1f7c2a9d5d4bfce96a3a2e9d5f956d77f0cd6c1fb810c44166a7bf0e2b89966a63ca80aa34514dd82e6f87e619a782d5024854d84c1ed93183

data/ext/extconf_common.rb

@@ -5,6 +5,31 @@ require 'mkmf'
 require 'rbconfig'
 require_relative '../lib/contrast/agent/version'
 
+# Create explicit symbol list, that will be set as promise to be loaded dynamic on run time.
+SYMS = %w[
+  _assess
+  _policy
+  _assess_policy
+  _assess_propagator
+  _core_assess
+  _contrast_patcher
+  _contrast_check_prepended
+  _contrast_check_and_register_instance_patch
+  _contrast_register_singleton_prepend_patch
+  _contrast_register_patch
+  _contrast_register_singleton_patch
+  _inst_methods_enter_cntr_scope
+  _inst_methods_enter_method_scope
+  _inst_methods_exit_cntr_scope
+  _inst_methods_exit_method_scope
+  _inst_methods_in_cntr_scope
+  _rb_sym_method
+  _rb_sym_hash_tracked
+  _rb_sym_skip_assess_analysis
+  _rb_sym_skip_contrast_analysis
+  _patch_via_funchook
+].freeze # rubocop:disable Security/Object/Freeze
+
 # The mkmf.rb file uses all passed flags from Ruby configuration (RbConfig::CONFIG) on
 # Ruby build time. Problem with Clang and GCC is that it do not keep up with c89 and finds
 # error on including <ryby.h> as not allowing inline variables.
@@ -32,8 +57,7 @@ require_relative '../lib/contrast/agent/version'
 STANDARD_FLAGS = '-std=gnu89'
 CLANG = 'clang'
 
-# TODO: RUBY-999999 Add -pedantic flag, remove all warning flags and see to it that as many as possible become obsolete.
-# Note: Adding -pedantic could raise <ruby.h> warnings, and we are not in control of that code.
+# Adding -pedantic could raise <ruby.h> warnings, and we are not in control of that code.
 # e.g. error: '_Bool' is a C99 extension [-Werror,-Wc99-extensions] ; empty macros and etc.
 #
 # -Wno-int-conversion => Passing VALUEs as function args but required as unsigned long parameters.
@@ -55,8 +79,19 @@ WARNING_FLAGS = %w[
 # Flags that are only recognized by gcc:
 GCC_FLAGS = %w[-Wno-maybe-uninitialized].freeze # rubocop:disable Security/Object/Freeze
 
+def darwin?
+  RbConfig::CONFIG['target_os'].include?('darwin')
+end
+
 # Extend $CFLAGS passed directly to compiler in ruby mkmf
+#
+# Extended flags are mainly tested with clang and gcc. Experience with other compilers may vary.
+# To that end if something brakes on client side we must have a mechanism to go back to previous
+# non strict gnu89 standard and be able to maintain the build.
+# We can disable newly added changes with this setting CONTRAST_USE_C89=false.
 def extend_cflags
+  return if ENV['CONTRAST__USE_GNU89'] == 'false'
+
   $CFLAGS += " #{ [STANDARD_FLAGS, WARNING_FLAGS].flatten.join(' ') }"
   # Extend with GCC specific flags:
   unless RbConfig::MAKEFILE_CONFIG['CC'].downcase.include?(CLANG) ||
@@ -67,6 +102,52 @@ def extend_cflags
   end
 end
 
+# use C compiler if set.
+def enable_env_cc
+  RbConfig::CONFIG['CC'] = RbConfig::MAKEFILE_CONFIG['CC'] = ENV['CC'] if ENV['CC']
+end
+
+# Since we cannot link directly the bundles created after the extensions being build,
+# we can pass flags to the linker to resolve symbols not being found during compilation,
+# since they are going to be available on load time. Ruby first is loaded then the extensions.
+# MacOS introduced new fixups with Xcode 14. This causes the issue of symbols not being linked during
+# compilation for the Agent, and other ruby related issues with objective C objects being used,
+# bigdecimal being different and so on.
+#
+# Ruby itself is build on MacOS with '--enabled-shared' flag, also Ruby interpreters compiled
+# under Xcode14 no longer specify by default in DLDFLAGS this flag:
+#
+#   '-undefined dynamic_lookup'
+# ( As of Xcode14.3 behavior of dynamic_lookup is reverted back.)
+#
+# This simply is telling the linker that any unknown symbols will be resolved dynamic on extension load.
+# However with the new fixup chain introduced an warning may be produced:
+# ld: warning: -undefined dynamic_lookup may not work with chained fixups.
+# The fixups are responsible for the dynamic linking of the dylibs.
+def mac_symbol_resolve
+  # If this is braking the build, it can be disabled.
+  return if ENV['CONTRAST__NO_MAC_LD_FIX'] == 'true'
+  return unless darwin?
+
+  # Disabled as of the unknown changes to newly ruby interpreter builds:
+  # RbConfig::CONFIG['EXTDLDFLAGS'] = "-bundle_loader #{ RbConfig::CONFIG['EXTDLDFLAGS'] }"
+
+  # Avoid using this, as not desirable:
+  #
+  # Adding -no_fixup_chains will brake older compilers but will work on newer.
+  # This flag solves the problem but on the long run might not be the solution needed, now not being default,
+  # any new feature changes on Mac or Ruby side might brake things again.
+  # Use this only if explicitly set as ENV var,as a backup on client's end.
+  #
+  # $LDFLAGS << " " << flag
+  append_ldflags('-Wl,-no_fixup_chains -undefined dynamic_lookup') if ENV['CONTRAST__MAC_LD_USE_ALT'] == 'true'
+
+  # Another alternative is to use -Wl,-U with explicit listed depending symbols.
+  # Append the symfile:
+  SYMS.each { |sym| $DLDFLAGS << " -Wl,-U,#{ sym }" } unless ENV['CONTRAST__MAC_LD_USE_ALT'] == 'true'
+end
+
+# Generate Makefile.
 def make!
   create_makefile("#{ $TO_MAKE }/#{ $TO_MAKE }")
 end
@@ -75,9 +156,9 @@ end
 # | MOVING CODE BELLOW THIS SECTION MAY BRAKE MAKEFILE. ORDER MATTERS!  |
 # ----------------------------------------------------------------------
 
+# __dir__ is relative to the file you're reading.
+# this file you're reading is presently within $APP_ROOT/ext/.
 def ext_path
-  # __dir__ is relative to the file you're reading.
-  # this file you're reading is presently within $APP_ROOT/ext/.
   __dir__
 end
 
@@ -85,14 +166,7 @@ end
 # funchook.h file. Then we can pass CFLAGS and extend makefile flags and invoke make!
 require_relative './build_funchook'
 
-# Extended flags are mainly tested with clang and gcc. Experience with other compilers may vary.
-# To that end if something brakes on client side we must have a mechanism to go back to previous
-# non strict gnu89 standard and be able to maintain the build.
-# We can disable newly added changes with this setting CONTRAST_USE_C89=false.
-extend_cflags unless ENV['CONTRAST__USE_GNU89'] == 'false'
-
-# use same C compiler if set.
-RbConfig::CONFIG['CC'] = RbConfig::MAKEFILE_CONFIG['CC'] = ENV['CC'] if ENV['CC']
-
-# Generate Makefile.
+enable_env_cc
+mac_symbol_resolve
+extend_cflags
 make!

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -43,6 +43,7 @@ module Contrast
                 return unless analyze?(method_policy, object, ret, args)
                 return if event_limit?(method_policy)
                 return unless (source_node = method_policy.source_node)
+                # Exclusions makes method slow:
                 return if excluded_by_url?
 
                 # used to hold the object and ret
@@ -76,6 +77,7 @@ module Contrast
 
               source_name ||= determine_source_name(source_node, source_data.object, source_data.ret, *args)
 
+              # Exclusions makes method slow:
               return if excluded_by_input?(source_type, source_name)
 
               # We know we only work on certain things.
@@ -188,16 +190,23 @@ module Contrast
             #
             # @return [Boolean]
             def excluded_by_input? source_type, source_name
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              Contrast::SETTINGS.excluder.assess_excluded_by_input?(context.request, source_type, source_name)
+              return false unless Contrast::SETTINGS.excluder.exclusions.any?
+              return false unless Contrast::Agent::REQUEST_TRACKER.current
+              # skip if the source is collection, it will be evaluated by it's elements. Collections are not
+              # trackable.
+              return false if source_name.cs__is_a?(Hash)
+
+              Contrast::SETTINGS.excluder.assess_excluded_by_input?(source_type, source_name)
             end
 
             # Should a source be excluded because it matches one of the url exclusion rules?
             #
             # @return [Boolean]
             def excluded_by_url?
-              context = Contrast::Agent::REQUEST_TRACKER.current
-              Contrast::SETTINGS.excluder.assess_excluded_by_url?(context.request)
+              return false unless Contrast::SETTINGS.excluder.exclusions.any?
+              return false unless Contrast::Agent::REQUEST_TRACKER.current
+
+              Contrast::SETTINGS.excluder.assess_excluded_by_url?
             end
           end
         end

data/lib/contrast/agent/assess/policy/trigger_method.rb

@@ -93,11 +93,11 @@ module Contrast
 
               request = find_request(source)
               return unless reportable?(request&.env)
-              return if excluded_by_url_and_rule?(request, trigger_node.rule_id)
+              return if excluded_by_url_and_rule?(trigger_node.rule_id)
 
               finding = Contrast::Agent::Reporting::Finding.new(trigger_node.rule_id)
               finding.attach_data(trigger_node, source, object, ret, request, *args)
-              return if excluded_by_input_and_rule?(request, finding, trigger_node.rule_id)
+              return if excluded_by_input_and_rule?(finding, trigger_node.rule_id)
 
               finding.hash_code = Contrast::Utils::HashDigest.generate_event_hash(finding, source, request)
               check_for_stored_xss(finding)
@@ -167,28 +167,22 @@ module Contrast
               end
             end
 
-            def build_events finding, event
-              return unless event
-
-              event.parent_events&.each do |parent_event|
-                build_events(finding, parent_event)
-              end
-              # events could technically be nil, but we would have failed the rule check before getting here. not
-              # worth the nil check
-              finding.events << event.to_dtm_event
-            end
-
             # Check if the finding should be excluded due to the assess exclusion rules.
             #
-            # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
             # @param rule_id [String]
             # return [Boolean]
-            def excluded_by_url_and_rule? request, rule_id
-              Contrast::SETTINGS.excluder.assess_excluded_by_url_and_rule?(request, rule_id)
+            def excluded_by_url_and_rule? rule_id
+              return false unless Contrast::SETTINGS.excluder.exclusions.any?
+              return unless Contrast::Agent::REQUEST_TRACKER.current
+
+              Contrast::SETTINGS.excluder.assess_excluded_by_url_and_rule?(rule_id)
             end
 
-            def excluded_by_input_and_rule? request, finding, rule_id
-              Contrast::SETTINGS.excluder.assess_excluded_by_input_and_rule?(request, finding, rule_id)
+            def excluded_by_input_and_rule? finding, rule_id
+              return false unless Contrast::SETTINGS.excluder.exclusions.any?
+              return unless Contrast::Agent::REQUEST_TRACKER.current
+
+              Contrast::SETTINGS.excluder.assess_excluded_by_input_and_rule?(finding, rule_id)
             end
 
             # Handles the Stored Xss rule. If a vector is stored in the database

data/lib/contrast/agent/excluder/excluder.rb

@@ -3,6 +3,8 @@
 
 require 'contrast/agent/reporting/settings/url_exclusion'
 require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/utils/object_share'
+require 'contrast/utils/assess/object_store'
 
 module Contrast
   module Agent
@@ -19,11 +21,14 @@ module Contrast
         @exclusions = exclusions
       end
 
+      def cached_paths
+        @_cached_paths ||= Contrast::Utils::Assess::ObjectStore.new(10)
+      end
+
       # Determine if an input is excluded for protect rule.
       #
       # @param results [Array<Contrast::Agent::Reporting::InputAnalysisResult>]
-      # @param request_path [String] Current request path
-      def protect_excluded_by_input? results, request_path
+      def protect_excluded_by_input? results
         return false unless results.any?
 
         exclusion_matched = 0
@@ -35,8 +40,7 @@ module Contrast
 
             # Based on strategy:
             match = input_match_strategy(exclusion_match,
-                                         input_match?(exclusion_match, rule_result.input_type, rule_result.key),
-                                         request_path)
+                                         input_match?(exclusion_match, rule_result.input_type, rule_result.key))
             exclusion_matched += 1 if match
           end
         end
@@ -48,25 +52,21 @@ module Contrast
       # If an assess URL exclusion rule applies to the current url, *and* is defined as "All Rules"
       # then we can avoid any tracking for the request.
       #
-      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
       # @return [Boolean]
-      def assess_excluded_by_url? request
+      def assess_excluded_by_url?
         assess_url_exclusions_for_all_rules.any? do |exclusion_matcher|
-          path_match?(exclusion_matcher, request.path)
+          path_match?(exclusion_matcher)
         end
       end
 
       # If an assess URL exclusion rule applies to the current url, *and* also covers the
       # provided rule_id, then we can avoid tracking this entry.
       #
-      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
       # @param rule_id [String]
       # return [Boolean]
-      def assess_excluded_by_url_and_rule? request, rule_id
-        request_path = request.path
-
+      def assess_excluded_by_url_and_rule?rule_id
         assess_url_exclusions.any? do |exclusion_matcher|
-          path_match?(exclusion_matcher, request_path) &&
+          path_match?(exclusion_matcher) &&
               (exclusion_matcher.assess_rules.empty? || exclusion_matcher.assess_rules.include?(rule_id))
         end
       end
@@ -74,35 +74,30 @@ module Contrast
       # If an assess INPUT exclusion rule applies to the current url, *and* also covers all
       # rules, then we can avoid tracking this entry.
       #
-      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
       # @param source_type [String]
       # @param source_name [String]
       # return [Boolean]
-      def assess_excluded_by_input? request, source_type, source_name
-        request_path = request.path
-
+      def assess_excluded_by_input?source_type, source_name
         assess_input_exclusions_for_all_rules.any? do |exclusion_matcher|
-          input_match?(exclusion_matcher, source_type, source_name) && path_match?(exclusion_matcher, request_path)
+          input_match?(exclusion_matcher, source_type, source_name) && path_match?(exclusion_matcher)
         end
       end
 
       # If an assess INPUT exclusion rule covers the provided rule_id *for all finding event sources*, then we
       # can avoid tracking this entry. If any event source *isn't excluded* then we don't exclude the finding.
       #
-      # @param request [Contrast::Agent::Request] a wrapper around the Rack::Request for the current request
       # @param finding [Contrast::Agent::Reporting::Finding]
       # @param rule [String]
       # return [Boolean]
-      def assess_excluded_by_input_and_rule? request, finding, rule
+      def assess_excluded_by_input_and_rule?finding, rule
         return false if finding.events.empty?
 
         # We need to check for url exclusions here for the input rules as the url exclusions
         # that have already been checked didn't include the INPUT exclusions. So we look for
         # any INPUT exclusions that apply to the current url and the supplied rule.
-        path = request.path
         rule_input_exclusions = assess_input_exclusions.select do |exclusion_matcher|
           (exclusion_matcher.protect_rules.empty? || exclusion_matcher.protect_rules.include?(rule)) &&
-              path_match?(exclusion_matcher, path)
+              path_match?(exclusion_matcher)
         end
         return false if rule_input_exclusions.empty?
 
@@ -122,13 +117,12 @@ module Contrast
       # then we can avoid using the rule for the request.
       #
       # @param rule_id [String]
-      # @param path [String]
       # return [Boolean]
-      def protect_excluded_by_url? rule_id, path
+      def protect_excluded_by_url? rule_id
         protect_url_exclusions.any? do |exclusion_matcher|
           next unless exclusion_matcher.protection_rule?(rule_id)
 
-          return true if path_match?(exclusion_matcher, path)
+          return true if path_match?(exclusion_matcher)
         end
       end
 
@@ -140,14 +134,13 @@ module Contrast
       #
       # @param exclusion_match [Contrast::Agent::ExclusionMatcher]
       # @param input_match [Boolean] does the input match the exclusion
-      # @param request_path [String] Current request path
       # @return [Boolean]
-      def input_match_strategy exclusion_match, input_match, request_path
+      def input_match_strategy exclusion_match, input_match
         # for ALL urls
         return input_match if exclusion_match.match_all?
 
         # for ONLY match we need to check if there is an input and url match.
-        input_match && path_match?(exclusion_match, request_path)
+        input_match && path_match?(exclusion_match)
       end
 
       # @return [Array<Contrast::Agent::ExclusionMatcher>]
@@ -202,12 +195,25 @@ module Contrast
         end
       end
 
+      # Returns true if context.request.path matches any url exclusion.
+      #
       # @return [Boolean]
-      def path_match? exclusion_matcher, path
-        return false unless path
+      def path_match? exclusion_matcher
+        return false unless Contrast::Agent::REQUEST_TRACKER.current&.request&.path
+
+        return_cached_result(exclusion_matcher)
+        matches = 0
+        matches += 1 if exclusion_matcher.wildcard_url
+        exclusion_matcher.urls.any? do |url|
+          if url.match?(Contrast::Agent::REQUEST_TRACKER.current.request.path) ||
+                regexp_match?(url, Contrast::Agent::REQUEST_TRACKER.current.request.path)
+
+            matches += 1
+          end
+        end
 
-        exclusion_matcher.wildcard_url ||
-            exclusion_matcher.urls.any? { |url| url.match?(path) || regexp_match?(url, path) }
+        add_cached_path(exclusion_matcher, matches)
+        matches.positive?
       end
 
       # @param exclusion [Contrast::Agent::ExclusionMatcher]
@@ -301,6 +307,33 @@ module Contrast
       def cookie_types
         @_cookie_types ||= [COOKIE_NAME, COOKIE_VALUE].cs__freeze
       end
+
+      # Adds new cached result unless it already exists
+      #
+      # @param exclusion_matcher [Contrast::Agent::ExclusionMatcher]
+      # @param matches [Boolean] the result of last iteration
+      # @return [Hash, nil]
+      def add_cached_path exclusion_matcher, matches
+        return if cached_paths[Contrast::Agent::REQUEST_TRACKER.current.request.path.__id__]
+
+        cached_paths[Contrast::Agent::REQUEST_TRACKER.
+            current.request.path.__id__] = { matcher: exclusion_matcher.__id__, result: matches.positive? }
+      rescue StandardError
+        nil
+      end
+
+      # returns a cached result if current path and matcher are the same.
+      # @param exclusion_matcher [Contrast::Agent::ExclusionMatcher]
+      # @return [Boolean, nil]
+      def return_cached_result exclusion_matcher
+        return unless !cached_paths[Contrast::Agent::REQUEST_TRACKER.current.request.path.__id__].nil? &&
+            (cached_paths[Contrast::Agent::REQUEST_TRACKER.current.
+              request.path.__id__][:matcher] == exclusion_matcher.__id__)
+
+        cached_paths[Contrast::Agent::REQUEST_TRACKER.current.request.path.__id__][:result]
+      rescue StandardError
+        nil
+      end
     end
   end
 end

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -14,10 +14,13 @@ require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input
 require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
+require 'contrast/agent/protect/rule/input_classification/lru_cache'
+require 'contrast/agent/protect/rule/input_classification/cached_result'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
 require 'contrast/agent/protect/rule/xss/xss'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/input_classification/base64_statistic'
 require 'json'
 
 module Contrast
@@ -35,6 +38,8 @@ module Contrast
         ].cs__freeze
         POSTFILTER_RULES = %w[sql-injection cmd-injection reflected-xss path-traversal nosql-injection].cs__freeze
         AGENTLIB_TIMEOUT = 5.cs__freeze
+        TIMEOUT_ERROR_MESSAGE = '[AgentLib] Timed out when processing InputAnalysisResult'
+        STANDARD_ERROR_MESSAGE = '[InputAnalyzer] Exception raise while doing input analysis:'
 
         class << self
           include Contrast::Agent::Reporting::InputType
@@ -42,6 +47,18 @@ module Contrast
           include Contrast::Utils::ObjectShare
           include Contrast::Components::Logger::InstanceMethods
 
+          # Cache for storing the input analysis result per rule
+          #
+          # @return [Contrast::Agent::Protect::Rule::InputClassification::LRUCache]
+          def lru_cache
+            @_lru_cache ||= Contrast::Agent::Protect::Rule::InputClassification::LRUCache.new
+          end
+
+          # Input decoding statistic.
+          def base64_statistic
+            @_base64_statistic ||= Contrast::Agent::Protect::Rule::InputClassification::Base64Statistic.new
+          end
+
           # This method with analyze the user input from the context of the
           # current request and return new ia with extracted input types.
           #
@@ -51,13 +68,13 @@ module Contrast
             return unless Contrast::PROTECT.enabled?
             return if request.nil?
 
-            inputs = extract_input(request)
+            inputs = extract_inputs(request)
             return unless inputs
 
             input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
             input_analysis.request = request
             # Save those for trigger time
-            input_analysis.inputs = extract_input(request)
+            input_analysis.inputs = inputs
             input_analysis
           end
 
@@ -69,16 +86,9 @@ module Contrast
           #
           # @param request [Contrast::Agent::Request] current request context.
           # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-          def extract_input request
+          def extract_inputs request
             inputs = {}
-            inputs[BODY] = request.body
-            inputs[COOKIE_NAME] = request.cookies.keys
-            inputs[COOKIE_VALUE] = request.cookies.values
-            inputs[HEADER] = request.headers
-            inputs[PARAMETER_NAME] = request.parameters.keys
-            inputs[PARAMETER_VALUE] = request.parameters.values
-            inputs[QUERYSTRING] = request.query_string
-            inputs[METHOD] = request.request_method
+            extract_request_inputs(inputs, request)
             extract_multipart(inputs, request)
             inputs.compact!
             inputs
@@ -86,22 +96,29 @@ module Contrast
 
           # classify input by rule
           #
-          # @param rule_id [String] name of the rule
-          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] from
-          # analyze method.
-          def input_classification_for rule_id, input_analysis
+          # @param rule_id [String] name of the rule.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] from analyze method.
+          # @param interval [Integer] The timeout determined for the AgentLib analysis to be performed.
+          def input_classification_for rule_id, input_analysis, interval: AGENTLIB_TIMEOUT
             return unless input_analysis&.inputs
             return unless (protect_rule = Contrast::PROTECT.rule(rule_id)) && protect_rule.enabled?
 
             input_analysis.inputs.each do |input_type, value|
               next if value.nil? || value.empty?
 
-              protect_rule.classification.classify(rule_id, input_type, value, input_analysis)
+              Timeout.timeout(interval) do
+                protect_rule.classification.classify(rule_id, input_type, value, input_analysis)
+              end
             end
 
             input_analysis
           rescue StandardError => e
-            logger.error('[INPUT_ANALYZER] Error', error: e)
+            if e.cs__class == Timeout::Error
+              log_error(rule_id, TIMEOUT_ERROR_MESSAGE, e)
+            else
+              log_error(rule_id, STANDARD_ERROR_MESSAGE, e, level: :error)
+            end
+            nil
           end
 
           # classify input by array of rules. There is a timeout for the AgentLib analysis if not set it
@@ -134,14 +151,9 @@ module Contrast
               # Check to see if rules is already triggered only for infilter:
               next if input_analysis.triggered_rules.include?(rule_id) && infilter
 
-              Timeout.timeout(interval) do
-                input_classification_for(rule_id, input_analysis)
-              end
+              input_classification_for(rule_id, input_analysis, interval: interval)
             end
             input_analysis
-          rescue Timeout::Error => e
-            logger.warn('AgentLib timed out when processing InputAnalysisResult', e, ia_result)
-            nil
           end
 
           private
@@ -158,6 +170,33 @@ module Contrast
             name = filename[DISPOSITION_NAME.to_sym]
             inputs[MULTIPART_NAME] = name if name
           end
+
+          # Extract the parameters and query string from the request context.
+          #
+          # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          # @param request [Contrast::Agent::Request] current request context.
+          def extract_request_inputs inputs, request
+            inputs[BODY] = request.body
+            inputs[COOKIE_NAME] = request.cookies.keys
+            inputs[COOKIE_VALUE] = request.cookies.values
+            inputs[HEADER] = request.headers
+            inputs[METHOD] = request.request_method
+            inputs[PARAMETER_NAME] = request.parameters.keys
+            inputs[PARAMETER_VALUE] = request.parameters.values
+            inputs[QUERYSTRING] = request.query_string
+          end
+
+          # Logs any errrors that occur during the analysis
+          # Accepts a level parameter to determine if the error should be logged as an error or warning.
+          #
+          # @param rule_id [String] name of the rule.
+          def log_error rule_id, message, error, level: :error
+            if level == :error
+              logger.error(message, rule_id: rule_id, error: error)
+            else
+              logger.warn(message, rule_id: rule_id, error: error)
+            end
+          end
         end
       end
     end