contrast-agent 7.1.0 → 7.3.0

data/lib/contrast/agent/protect/rule/input_classification/utils.rb

@@ -0,0 +1,23 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        module InputClassification
+          # Utils module for Input Classification.
+          module Utils
+            # Extracts data return as array from the cache.
+            #
+            # @param object [NilClass, Array<Contrast::Agent::Protect::InputClassification::CachedResult>]
+            # @return object [Contrast::Agent::Protect::InputClassification::CachedResult]
+            def safe_extract object
+              Array(object)[0]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb

@@ -4,7 +4,7 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/protect/rule/no_sqli/no_sqli'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -15,7 +15,7 @@ module Contrast
         # to be analyzed at the sink level.
         module NoSqliInputClassification
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
 
             NOSQL_COMMENT_REGEXP = %r{"\s*(?:<--|//)}.cs__freeze
             NOSQL_OR_REGEXP = /(?=(\s+\|\|\s+))/.cs__freeze
@@ -96,8 +96,15 @@ module Contrast
             #
             # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
             def create_new_input_result request, rule_id, input_type, value
-              score = evaluate_patterns(value)
-              score = evaluate_rules(value, score)
+              return unless Contrast::AGENT_LIB
+
+              # Cache retrieve
+              cached = Contrast::Agent::Protect::InputAnalyzer.lru_cache.lookout(rule_id, value, input_type, request)
+              return cached.result if cached.cs__is_a?(Contrast::Agent::Protect::InputClassification::CachedResult)
+
+              eval_value = base64_decode_input(value, input_type)
+              score = evaluate_patterns(eval_value)
+              score = evaluate_rules(eval_value, score)
 
               score_level = if definite_attack?(score)
                               DEFINITEATTACK
@@ -106,9 +113,12 @@ module Contrast
                             else
                               IGNORE
                             end
-              result = new_ia_result(rule_id, input_type, score_level, request.path, value)
-              add_needed_key(request, result, input_type, value)
-              result
+              ia_result = new_ia_result(rule_id, input_type, score_level, request.path, value)
+              add_needed_key(request, ia_result, input_type, value) if KEYS_NEEDED.include?(input_type)
+
+              # Cache save. Cache must be saved after the input evaluation is completed.
+              Contrast::Agent::Protect::InputAnalyzer.lru_cache.save(rule_id, ia_result, request)
+              ia_result
             end
 
             # This method evaluates the patterns relevant to NoSQL Injection to check whether

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -15,27 +15,31 @@ module Contrast
 
           THRESHOLD = 90.cs__freeze
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
 
             private
 
-            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
-            # key if needed and Creates new isntance of InputAnalysisResult.
+            # Creates new instance of AgentLib evaluation result with direct call to AgentLib.
             #
-            # @param request [Contrast::Agent::Request] the current request context.
             # @param rule_id [String] The name of the Protect Rule.
             # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
             # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def create_new_input_result request, rule_id, input_type, value
-              return unless Contrast::AGENT_LIB
-
-              input_eval = Contrast::AGENT_LIB.eval_input(value,
-                                                          convert_input_type(input_type),
-                                                          Contrast::AGENT_LIB.rule_set[rule_id],
-                                                          Contrast::AGENT_LIB.eval_option[:PREFER_WORTH_WATCHING])
+            def build_input_eval rule_id, input_type, value
+              Contrast::AGENT_LIB.eval_input(value,
+                                             Contrast::Agent::Protect::Rule::InputClassification::Base.
+                                                convert_input_type(input_type),
+                                             Contrast::AGENT_LIB.rule_set[rule_id],
+                                             Contrast::AGENT_LIB.eval_option[:PREFER_WORTH_WATCHING])
+            end
 
+            # Creates specific result from the AgentLib evaluation.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param input_eval [Contrast::AgentLib::EvalResult] the result of the input evaluation.
+            def build_ia_result rule_id, input_type, value, request, input_eval
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
               score = input_eval&.score || 0
               if score >= THRESHOLD
@@ -50,7 +54,6 @@ module Contrast
               else
                 ia_result.score_level = IGNORE
               end
-              add_needed_key(request, ia_result, input_type, value)
               ia_result
             end
           end

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb

@@ -46,7 +46,7 @@ module Contrast
           # @raise [Contrast::SecurityException] if the rule mode ise set
           # to BLOCK and valid cdmi is detected.
           def infilter context, method, path
-            return if protect_excluded_by_url?(rule_name, context.request.path)
+            return if protect_excluded_by_url?(rule_name)
             return unless rule_violated?(path)
 
             result = build_violation(context, path)

data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb

@@ -5,7 +5,7 @@ require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -17,7 +17,7 @@ module Contrast
         module SqliInputClassification
           WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'.cs__freeze
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
             include Contrast::Components::Logger::InstanceMethods
           end
         end

data/lib/contrast/agent/protect/rule/sqli/sqli_semantic/sqli_dangerous_functions.rb

@@ -19,7 +19,7 @@ module Contrast
           end
 
           def infilter context, sql_query
-            return false if protect_excluded_by_url?(rule_name, context.request.path)
+            return false if protect_excluded_by_url?(rule_name)
             return unless violated?(sql_query)
 
             result = build_violation(context, sql_query)

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb

@@ -4,7 +4,7 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -16,26 +16,30 @@ module Contrast
           UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
 
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
 
             private
 
-            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
-            # key if needed and Creates new isntance of InputAnalysisResult.
+            # Creates new instance of AgentLib evaluation result with direct call to AgentLib.
             #
-            # @param request [Contrast::Agent::Request] the current request context.
             # @param rule_id [String] The name of the Protect Rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param _input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
             # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def create_new_input_result request, rule_id, input_type, value
-              return unless Contrast::AGENT_LIB
-              return unless (input_eval = Contrast::AGENT_LIB.eval_input(value,
-                                                                         Contrast::AGENT_LIB.input_set[:MULTIPART_NAME],
-                                                                         Contrast::AGENT_LIB.rule_set[rule_id],
-                                                                         Contrast::AGENT_LIB.eval_option[:NONE]))
+            def build_input_eval rule_id, _input_type, value
+              Contrast::AGENT_LIB.eval_input(value,
+                                             Contrast::AGENT_LIB.input_set[:MULTIPART_NAME],
+                                             Contrast::AGENT_LIB.rule_set[rule_id],
+                                             Contrast::AGENT_LIB.eval_option[:NONE])
+            end
 
+            # Creates specific result from the AgentLib evaluation.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param input_eval [Contrast::AgentLib::EvalResult] the result of the input evaluation.
+            def build_ia_result rule_id, input_type, value, request, input_eval
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
               if input_eval.score >= THRESHOLD
                 ia_result.score_level = DEFINITEATTACK
@@ -51,7 +55,6 @@ module Contrast
                               else
                                 Contrast::Utils::ObjectShare::EMPTY_STRING
                               end
-
               ia_result
             end
           end

data/lib/contrast/agent/protect/rule/utils/filters.rb

@@ -42,8 +42,8 @@ module Contrast
             return false unless context
             return false unless enabled?
             return false unless (results = gather_ia_results(context)) && results.any?
-            return false if protect_excluded_by_url?(rule_name, context.request.path)
-            return false if protect_excluded_by_input?(results, context.request.path)
+            return false if protect_excluded_by_url?(rule_name)
+            return false if protect_excluded_by_input?(results)
 
             true
           end
@@ -68,8 +68,8 @@ module Contrast
           def infilter? context
             return false unless enabled?
             return false unless (results = gather_ia_results(context)) && results.any?
-            return false if protect_excluded_by_url?(rule_name, context.request.path)
-            return false if protect_excluded_by_input?(results, context.request.path)
+            return false if protect_excluded_by_url?(rule_name)
+            return false if protect_excluded_by_input?(results)
 
             true
           end
@@ -89,8 +89,8 @@ module Contrast
           # @raise [Contrast::SecurityException]
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
-            return false if protect_excluded_by_url?(rule_name, context.request.path)
-            return if protect_excluded_by_input?(gather_ia_results(context), context.request.path)
+            return false if protect_excluded_by_url?(rule_name)
+            return if protect_excluded_by_input?(gather_ia_results(context))
 
             return if mode == :NO_ACTION || mode == :PERMIT
 

data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -13,28 +13,32 @@ module Contrast
           REFLECTED_XSS_MATCH = 'reflected-xss-input-tracing-v1'.cs__freeze
           WORTHWATCHING_MATCH = 'xss-worth-watching-v2'.cs__freeze
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
 
             private
 
-            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
-            # key if needed and Creates new isntance of InputAnalysisResult.
+            # Creates new instance of AgentLib evaluation result with direct call to AgentLib.
             #
-            # @param request [Contrast::Agent::Request] the current request context.
             # @param rule_id [String] The name of the Protect Rule.
             # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
             # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def create_new_input_result request, rule_id, input_type, value
-              return unless Contrast::AGENT_LIB
-
-              input_eval = Contrast::AGENT_LIB.eval_input(value,
-                                                          convert_input_type(input_type),
-                                                          Contrast::AGENT_LIB.rule_set[rule_id],
-                                                          Contrast::AGENT_LIB.
-                                                            eval_option[:PREFER_WORTH_WATCHING])
+            def build_input_eval rule_id, input_type, value
+              Contrast::AGENT_LIB.eval_input(value,
+                                             Contrast::Agent::Protect::Rule::InputClassification::Base.
+                                               convert_input_type(input_type),
+                                             Contrast::AGENT_LIB.rule_set[rule_id],
+                                             Contrast::AGENT_LIB.
+                                               eval_option[:PREFER_WORTH_WATCHING])
+            end
 
+            # Creates specific result from the AgentLib evaluation.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param input_eval [Contrast::AgentLib::EvalResult] the result of the input evaluation.
+            def build_ia_result rule_id, input_type, value, request, input_eval
               score = input_eval&.score || 0
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
               if score >= THRESHOLD
@@ -46,8 +50,6 @@ module Contrast
               else
                 ia_result.score_level = IGNORE
               end
-
-              add_needed_key(request, ia_result, input_type, value)
               ia_result
             end
           end

data/lib/contrast/agent/protect/rule/xxe/xxe.rb

@@ -37,7 +37,7 @@ module Contrast
           # @raise [Contrast::SecurityException] Security exception if an XXE
           #   attack is found and the rule is in block mode.
           def infilter context, framework, xml
-            return if protect_excluded_by_url?(rule_name, context.request.path)
+            return if protect_excluded_by_url?(rule_name)
 
             result = find_attacker(context, xml, framework: framework)
             return unless result

data/lib/contrast/agent/reporting/attack_result/attack_result.rb

@@ -5,6 +5,7 @@ require 'contrast/utils/object_share'
 require 'contrast/utils/timer'
 require 'contrast/agent/reporting/attack_result/response_type'
 require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
+require 'contrast/utils/duck_utils'
 
 module Contrast
   module Agent
@@ -65,6 +66,11 @@ module Contrast
         def details= protect_details
           @_details = protect_details if protect_details.is_a?(Contrast::Agent::Reporting::Details::ProtectRuleDetails)
         end
+
+        def empty?
+          Contrast::Utils::DuckUtils.empty_duck?(samples) || Contrast::Utils::DuckUtils.empty_duck?(rule_id) ||
+              response == ::Contrast::Agent::Reporting::ResponseType::NO_ACTION
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/client/interface.rb

@@ -0,0 +1,132 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/client/interface_base'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Client
+        # Interface to safely manage connections across threads.
+        class Interface < Contrast::Agent::Reporting::Client::InterfaceBase
+          # Execute startup routine and
+          def startup
+            with_monitor { reporter_client.startup!(reporting_connection) }
+          end
+
+          # @param event [Contrast::Agent::Reporting::ReportingEvent]
+          # @return [Net::HTTPResponse]
+          def send_event event
+            with_monitor { reporter_client.send_event(event, reporting_connection) }
+          end
+
+          # return [Boolean]
+          def sleep?
+            with_monitor { reporter_client.sleep? }
+          end
+
+          # Retry once than discard the event. This is trigger on too many events of
+          # same kind error.
+          #
+          # @param event [Contrast::Agent::Reporting::ReportingEvent]
+          def handle_resend event
+            with_monitor do
+              reporter_client.handle_resend(event, reporting_connection)
+            end
+          end
+
+          # Check to see if client exists and there is connection
+          #
+          # @return [Boolean
+          def connected?
+            with_monitor do
+              return true if reporter_client && reporting_connection
+
+              false
+            end
+          end
+
+          # Check to see if statup connections are sent or not
+          def startup_messages_sent?
+            with_monitor { reporter_client.status.startup_messages_sent? }
+          end
+
+          # Check to see if event need to be resend
+          #
+          # @return [Boolean, nil]
+          def resending?
+            with_monitor { reporter_client.mode.status == reporter_client.mode.resending }
+          end
+
+          # Return timeout in ms
+          def timeout
+            with_monitor { reporter_client.timeout } || Contrast::Agent::Reporting::ResponseHandler::TIMEOUT
+          end
+
+          # @return headers [Contrast::Agent::Reporting::Headers]
+          def headers
+            with_monitor { reporter_client.headers }
+          end
+
+          # Response_handler
+          #
+          # @return [Contrast::Agent::Reporting::ResponseHandler]
+          def response_handler
+            with_monitor { reporter_client.response_handler }
+          end
+
+          def status
+            with_monitor { reporter_client.status }
+          end
+
+          private
+
+          # @return [Contrast::Agent::Reporting::ReporterClient]
+          def reporter_client
+            @_reporter_client ||= Contrast::Agent::Reporting::ReporterClient.new
+          end
+
+          # @return [Net::HTTP, nil] Return open connection or nil
+          def reporting_connection
+            @_reporting_connection ||= reporter_client.initialize_connection
+          end
+        end
+      end
+
+      module Telemetry
+        # Interface to safely manage connections across threads.
+        class Interface < Contrast::Agent::Reporting::Client::InterfaceBase
+          URL = 'https://telemetry.ruby.contrastsecurity.com/'
+
+          # Check to see if client exists and there is connection
+          #
+          # @return [Boolean
+          def connected?
+            with_monitor do
+              return true if telemetry_client && telemetry_connection
+
+              false
+            end
+          end
+
+          # Starts telemetry request.
+          def request_with_response event
+            with_monitor do
+              telemetry_client.handle_response(telemetry_client.send_request(event, telemetry_connection))
+            end
+          end
+
+          private
+
+          def telemetry_client
+            @_telemetry_client ||= Contrast::Agent::Telemetry::Client.new
+          end
+
+          def telemetry_connection
+            @_telemetry_connection ||= telemetry_client.initialize_connection(URL)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/client/interface_base.rb

@@ -0,0 +1,27 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'monitor'
+
+module Contrast
+  module Agent
+    module Reporting
+      module Client
+        # Common methods for Client interface.
+        class InterfaceBase
+          # Execute calls to connection with thread safety.
+          def with_monitor &block
+            monitor.synchronize(&block)
+          end
+
+          private
+
+          # @return [Monitor]
+          def monitor
+            @_monitor ||= Monitor.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/reporting/connection_status.rb

@@ -10,7 +10,6 @@ module Contrast
           @last_success = nil
           @last_failure = nil
           @startup_messages_sent = false
-          @_startup_server_message_sent = false
         end
 
         # Whether we have sent startup message to TeamServer. True after successfully sending startup messages to

data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb

@@ -9,13 +9,8 @@ module Contrast
     module Reporting
       # This class will do ia analysis for our protect rules
       class InputAnalysis
-        def inputs
-          @_inputs
-        end
-
-        def inputs= extracted_inputs
-          @_inputs = extracted_inputs
-        end
+        # @return [Hash] Stored request inputs for this context.
+        attr_accessor :inputs
 
         def triggered_rules
           @_triggered_rules ||= []

data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb

@@ -4,7 +4,7 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
-require 'contrast/agent/reporting/input_analysis/details/protect_rule_details'
+require 'contrast/agent/reporting/details/protect_rule_details'
 
 module Contrast
   module Agent
@@ -61,6 +61,17 @@ module Contrast
           @_key = key if key.is_a?(String)
         end
 
+        # @param key_type [Symbol]
+        # @return @_key [String]
+        def key_type= key_type
+          @_key_type = key_type if INPUT_TYPE.to_a.include?(key_type)
+        end
+
+        # @return @_key [String]
+        def key_type
+          @_key_type ||= INPUT_TYPE::UNDEFINED_TYPE
+        end
+
         # @return value [String]
         def value
           @_value ||= Contrast::Utils::ObjectShare::EMPTY_STRING
@@ -112,14 +123,16 @@ module Contrast
 
         # Additional per rule details containing more specific info.
         #
-        # @param protect_rule_details [Contrast::Agent::Reporting::ProtectRuleDetails]
+        # @param protect_rule_details [Contrast::Agent::Reporting::Details::ProtectRuleDetails]
         def details= protect_rule_details
-          @_details = protect_rule_details if protect_rule_details.is_a?(Contrast::Agent::Reporting::ProtectRuleDetails)
+          return unless protect_rule_details.is_a?(Contrast::Agent::Reporting::Details::ProtectRuleDetails)
+
+          @_details = protect_rule_details
         end
 
         # Additional per rule details containing more specific info.
         #
-        # @return [Contrast::Agent::Reporting::ProtectRuleDetails, nil]
+        # @return [Contrast::Agent::Reporting::Details::ProtectRuleDetails, nil]
         def details
           @_details
         end

data/lib/contrast/agent/reporting/input_analysis/input_type.rb

@@ -30,13 +30,45 @@ module Contrast
         UNKNOWN                 = :UNKNOWN.cs__freeze
 
         class << self
+          # @return
           def to_a
-            [
+            @_to_a ||= [
               UNDEFINED_TYPE, BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_NAME, PARAMETER_VALUE,
               QUERYSTRING, URI, SOCKET, JSON_VALUE, JSON_ARRAYED_VALUE, MULTIPART_CONTENT_TYPE, MULTIPART_VALUE,
               MULTIPART_FIELD_NAME, MULTIPART_NAME, XML_VALUE, DWR_VALUE, METHOD, REQUEST, URL_PARAMETER, UNKNOWN
             ]
           end
+
+          # This is a hash of the input types and their corresponding values.
+          #
+          # @return [Hash]
+
+          def to_hash
+            {
+                UNDEFINED_TYPE: '1',
+                BODY: '2',
+                COOKIE_NAME: '3',
+                COOKIE_VALUE: '4',
+                HEADER: '5',
+                PARAMETER_NAME: '6',
+                PARAMETER_VALUE: '7',
+                QUERYSTRING: '8',
+                URI: '9',
+                SOCKET: '10',
+                JSON_VALUE: '11',
+                JSON_ARRAYED_VALUE: '12',
+                MULTIPART_CONTENT_TYPE: '13',
+                MULTIPART_VALUE: '14',
+                MULTIPART_FIELD_NAME: '15',
+                MULTIPART_NAME: '16',
+                XML_VALUE: '17',
+                DWR_VALUE: '18',
+                METHOD: '19',
+                REQUEST: '20',
+                URL_PARAMETER: '21',
+                UNKNOWN: '22'
+            }
+          end
         end
       end
     end

data/lib/contrast/agent/reporting/masker/masker_utils.rb

@@ -23,7 +23,7 @@ module Contrast
           hash = URI.decode_www_form(query).to_h
           mask_with_dictionary(results, hash)
           # Restore to string form.
-          hash.each { |k, v| masked += "#{ k }=#{ v }&" }
+          hash.each { |k, v| masked += "#{ k }#{ EQUALS }#{ v }#{ AMPERSAND }" }
           query = masked
           query.chomp!(masked[-1])
         end