contrast-agent 7.2.0 → 7.3.0

data/lib/contrast/agent/protect/rule/input_classification/statistics.rb

@@ -0,0 +1,115 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/input_classification/utils'
+require 'contrast/agent/protect/rule/input_classification/match_rates'
+require 'contrast/agent/telemetry/input_analysis_cache_event'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/reporting/input_analysis/input_type'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        module InputClassification
+          # This class will hold match information for each rule when input classification is being saved in LRU cache.
+          class Statistics
+            include Contrast::Agent::Protect::Rule::InputClassification::Utils
+            include Contrast::Components::Logger::InstanceMethods
+
+            attr_reader :data
+
+            # Protect rules will always be fixed number, on other hand the number of inputs will grow,
+            # we need to limit the number of inputs to be cached.
+            CAPACITY = 30
+
+            def initialize
+              @data = {}
+            end
+
+            # This method will handle the statistics for the input match
+            #
+            # @param rule_id [String] the Protect rule name.
+            # @param cached [Contrast::Agent::Protect::InputClassification::CachedResult]
+            # @param request [Contrast::Agent::Request] the current request.
+            def match! rule_id, cached, request
+              return unless Contrast::Agent::Telemetry::Base.enabled?
+
+              push(rule_id, cached)
+              fetch(rule_id, cached.result.input_type)&.increase_match_for_input
+              return unless cached.request_id == request.__id__
+
+              fetch(rule_id, cached.result.input_type)&.increase_match_for_request
+            end
+
+            # This method will handle the statistics for the input mismatch.
+            # Skip if this is the called with empty cache since it's not fair.
+            #
+            # @param rule_id [String] the Protect rule name.
+            # @param input_type [Symbol] Type of the input
+            def mismatch! rule_id, input_type
+              return unless Contrast::Agent::Telemetry::Base.enabled?
+              return if Contrast::Agent::Protect::InputAnalyzer.lru_cache.empty?
+
+              fetch(rule_id, input_type)&.increase_mismatch_for_input
+            end
+
+            # @return [Array<Contrast::Agent::Telemetry::InputAnalysisCacheEvent>] the events to be sent.
+            def to_events
+              events = []
+              data.each do |_rule_id, match_rates|
+                match_rates.each do |match_rate|
+                  event = Contrast::Agent::Telemetry::InputAnalysisCacheEvent.new(match_rate.rule_id, match_rate)
+                  next if event.empty?
+
+                  events << event
+                end
+              end
+              events
+            rescue StandardError => e
+              logger.error("[IA_LRU_Cache] Error while creating events: #{ e }", stacktrace: e.backtrace)
+              []
+            end
+
+            # Creates new statisctics for protect rule.
+            #
+            # @param rule_id [String] the Protect rule name.
+            # @param cached [Contrast::Agent::Protect::InputClassification::CachedResult]
+            def push rule_id, cached
+              new_entry = Contrast::Agent::Protect::Rule::InputClassification::MatchRates.
+                  new(rule_id, cached.result.input_type, cached.result.score_level)
+
+              @data[rule_id] = [] if Contrast::Utils::DuckUtils.empty_duck?(@data[rule_id])
+              @data[rule_id].shift if @data[rule_id].length >= CAPACITY
+              @data[rule_id] << new_entry unless saved?(rule_id, cached)
+            end
+
+            # Get the statistics for the protect rule.
+            #
+            # @param rule_id [String] the Protect rule name.
+            # @param input_type [Symbol] Type of the input
+            def fetch rule_id, input_type
+              safe_extract(@data[rule_id]&.select { |e| e.input_type == input_type })
+            end
+
+            private
+
+            # Checks if the rate is saved for the input.
+            #
+            # @param rule_id [String] the Protect rule name.
+            # @param new_entry [Contrast::Agent::Protect::InputClassification::CachedResult]
+            def saved? rule_id, new_entry
+              !fetch(rule_id, new_entry&.result&.input_type).nil?
+            end
+
+            # Call this method from the LRU Cache to get the statistics for a given rule_id, so it could be
+            # thread safe.
+            def clear
+              @data.clear
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/input_classification/utils.rb

@@ -0,0 +1,23 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        module InputClassification
+          # Utils module for Input Classification.
+          module Utils
+            # Extracts data return as array from the cache.
+            #
+            # @param object [NilClass, Array<Contrast::Agent::Protect::InputClassification::CachedResult>]
+            # @return object [Contrast::Agent::Protect::InputClassification::CachedResult]
+            def safe_extract object
+              Array(object)[0]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb

@@ -4,7 +4,7 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/protect/rule/no_sqli/no_sqli'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -15,7 +15,7 @@ module Contrast
         # to be analyzed at the sink level.
         module NoSqliInputClassification
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
 
             NOSQL_COMMENT_REGEXP = %r{"\s*(?:<--|//)}.cs__freeze
             NOSQL_OR_REGEXP = /(?=(\s+\|\|\s+))/.cs__freeze
@@ -96,8 +96,15 @@ module Contrast
             #
             # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
             def create_new_input_result request, rule_id, input_type, value
-              score = evaluate_patterns(value)
-              score = evaluate_rules(value, score)
+              return unless Contrast::AGENT_LIB
+
+              # Cache retrieve
+              cached = Contrast::Agent::Protect::InputAnalyzer.lru_cache.lookout(rule_id, value, input_type, request)
+              return cached.result if cached.cs__is_a?(Contrast::Agent::Protect::InputClassification::CachedResult)
+
+              eval_value = base64_decode_input(value, input_type)
+              score = evaluate_patterns(eval_value)
+              score = evaluate_rules(eval_value, score)
 
               score_level = if definite_attack?(score)
                               DEFINITEATTACK
@@ -106,9 +113,12 @@ module Contrast
                             else
                               IGNORE
                             end
-              result = new_ia_result(rule_id, input_type, score_level, request.path, value)
-              add_needed_key(request, result, input_type, value)
-              result
+              ia_result = new_ia_result(rule_id, input_type, score_level, request.path, value)
+              add_needed_key(request, ia_result, input_type, value) if KEYS_NEEDED.include?(input_type)
+
+              # Cache save. Cache must be saved after the input evaluation is completed.
+              Contrast::Agent::Protect::InputAnalyzer.lru_cache.save(rule_id, ia_result, request)
+              ia_result
             end
 
             # This method evaluates the patterns relevant to NoSQL Injection to check whether

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -15,27 +15,31 @@ module Contrast
 
           THRESHOLD = 90.cs__freeze
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
 
             private
 
-            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
-            # key if needed and Creates new isntance of InputAnalysisResult.
+            # Creates new instance of AgentLib evaluation result with direct call to AgentLib.
             #
-            # @param request [Contrast::Agent::Request] the current request context.
             # @param rule_id [String] The name of the Protect Rule.
             # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
             # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def create_new_input_result request, rule_id, input_type, value
-              return unless Contrast::AGENT_LIB
-
-              input_eval = Contrast::AGENT_LIB.eval_input(value,
-                                                          convert_input_type(input_type),
-                                                          Contrast::AGENT_LIB.rule_set[rule_id],
-                                                          Contrast::AGENT_LIB.eval_option[:PREFER_WORTH_WATCHING])
+            def build_input_eval rule_id, input_type, value
+              Contrast::AGENT_LIB.eval_input(value,
+                                             Contrast::Agent::Protect::Rule::InputClassification::Base.
+                                                convert_input_type(input_type),
+                                             Contrast::AGENT_LIB.rule_set[rule_id],
+                                             Contrast::AGENT_LIB.eval_option[:PREFER_WORTH_WATCHING])
+            end
 
+            # Creates specific result from the AgentLib evaluation.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param input_eval [Contrast::AgentLib::EvalResult] the result of the input evaluation.
+            def build_ia_result rule_id, input_type, value, request, input_eval
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
               score = input_eval&.score || 0
               if score >= THRESHOLD
@@ -50,7 +54,6 @@ module Contrast
               else
                 ia_result.score_level = IGNORE
               end
-              add_needed_key(request, ia_result, input_type, value)
               ia_result
             end
           end

data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb

@@ -5,7 +5,7 @@ require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -17,7 +17,7 @@ module Contrast
         module SqliInputClassification
           WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'.cs__freeze
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
             include Contrast::Components::Logger::InstanceMethods
           end
         end

data/lib/contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification.rb

@@ -4,7 +4,7 @@
 require 'contrast/utils/object_share'
 require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -16,26 +16,30 @@ module Contrast
           UNSAFE_UPLOAD_MATCH = 'unsafe-file-upload-input-tracing-v1'
 
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
 
             private
 
-            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
-            # key if needed and Creates new isntance of InputAnalysisResult.
+            # Creates new instance of AgentLib evaluation result with direct call to AgentLib.
             #
-            # @param request [Contrast::Agent::Request] the current request context.
             # @param rule_id [String] The name of the Protect Rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param _input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
             # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def create_new_input_result request, rule_id, input_type, value
-              return unless Contrast::AGENT_LIB
-              return unless (input_eval = Contrast::AGENT_LIB.eval_input(value,
-                                                                         Contrast::AGENT_LIB.input_set[:MULTIPART_NAME],
-                                                                         Contrast::AGENT_LIB.rule_set[rule_id],
-                                                                         Contrast::AGENT_LIB.eval_option[:NONE]))
+            def build_input_eval rule_id, _input_type, value
+              Contrast::AGENT_LIB.eval_input(value,
+                                             Contrast::AGENT_LIB.input_set[:MULTIPART_NAME],
+                                             Contrast::AGENT_LIB.rule_set[rule_id],
+                                             Contrast::AGENT_LIB.eval_option[:NONE])
+            end
 
+            # Creates specific result from the AgentLib evaluation.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param input_eval [Contrast::AgentLib::EvalResult] the result of the input evaluation.
+            def build_ia_result rule_id, input_type, value, request, input_eval
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
               if input_eval.score >= THRESHOLD
                 ia_result.score_level = DEFINITEATTACK
@@ -51,7 +55,6 @@ module Contrast
                               else
                                 Contrast::Utils::ObjectShare::EMPTY_STRING
                               end
-
               ia_result
             end
           end

data/lib/contrast/agent/protect/rule/xss/reflected_xss_input_classification.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 
 module Contrast
   module Agent
@@ -13,28 +13,32 @@ module Contrast
           REFLECTED_XSS_MATCH = 'reflected-xss-input-tracing-v1'.cs__freeze
           WORTHWATCHING_MATCH = 'xss-worth-watching-v2'.cs__freeze
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
 
             private
 
-            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
-            # key if needed and Creates new isntance of InputAnalysisResult.
+            # Creates new instance of AgentLib evaluation result with direct call to AgentLib.
             #
-            # @param request [Contrast::Agent::Request] the current request context.
             # @param rule_id [String] The name of the Protect Rule.
             # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
             # @param value [String, Array<String>] the value of the input.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def create_new_input_result request, rule_id, input_type, value
-              return unless Contrast::AGENT_LIB
-
-              input_eval = Contrast::AGENT_LIB.eval_input(value,
-                                                          convert_input_type(input_type),
-                                                          Contrast::AGENT_LIB.rule_set[rule_id],
-                                                          Contrast::AGENT_LIB.
-                                                            eval_option[:PREFER_WORTH_WATCHING])
+            def build_input_eval rule_id, input_type, value
+              Contrast::AGENT_LIB.eval_input(value,
+                                             Contrast::Agent::Protect::Rule::InputClassification::Base.
+                                               convert_input_type(input_type),
+                                             Contrast::AGENT_LIB.rule_set[rule_id],
+                                             Contrast::AGENT_LIB.
+                                               eval_option[:PREFER_WORTH_WATCHING])
+            end
 
+            # Creates specific result from the AgentLib evaluation.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param input_eval [Contrast::AgentLib::EvalResult] the result of the input evaluation.
+            def build_ia_result rule_id, input_type, value, request, input_eval
               score = input_eval&.score || 0
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
               if score >= THRESHOLD
@@ -46,8 +50,6 @@ module Contrast
               else
                 ia_result.score_level = IGNORE
               end
-
-              add_needed_key(request, ia_result, input_type, value)
               ia_result
             end
           end

data/lib/contrast/agent/reporting/attack_result/attack_result.rb

@@ -5,6 +5,7 @@ require 'contrast/utils/object_share'
 require 'contrast/utils/timer'
 require 'contrast/agent/reporting/attack_result/response_type'
 require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
+require 'contrast/utils/duck_utils'
 
 module Contrast
   module Agent
@@ -65,6 +66,11 @@ module Contrast
         def details= protect_details
           @_details = protect_details if protect_details.is_a?(Contrast::Agent::Reporting::Details::ProtectRuleDetails)
         end
+
+        def empty?
+          Contrast::Utils::DuckUtils.empty_duck?(samples) || Contrast::Utils::DuckUtils.empty_duck?(rule_id) ||
+              response == ::Contrast::Agent::Reporting::ResponseType::NO_ACTION
+        end
       end
     end
   end

data/lib/contrast/agent/reporting/input_analysis/input_analysis.rb

@@ -9,13 +9,8 @@ module Contrast
     module Reporting
       # This class will do ia analysis for our protect rules
       class InputAnalysis
-        def inputs
-          @_inputs
-        end
-
-        def inputs= extracted_inputs
-          @_inputs = extracted_inputs
-        end
+        # @return [Hash] Stored request inputs for this context.
+        attr_accessor :inputs
 
         def triggered_rules
           @_triggered_rules ||= []

data/lib/contrast/agent/reporting/input_analysis/input_analysis_result.rb

@@ -61,6 +61,17 @@ module Contrast
           @_key = key if key.is_a?(String)
         end
 
+        # @param key_type [Symbol]
+        # @return @_key [String]
+        def key_type= key_type
+          @_key_type = key_type if INPUT_TYPE.to_a.include?(key_type)
+        end
+
+        # @return @_key [String]
+        def key_type
+          @_key_type ||= INPUT_TYPE::UNDEFINED_TYPE
+        end
+
         # @return value [String]
         def value
           @_value ||= Contrast::Utils::ObjectShare::EMPTY_STRING

data/lib/contrast/agent/reporting/input_analysis/input_type.rb

@@ -30,13 +30,45 @@ module Contrast
         UNKNOWN                 = :UNKNOWN.cs__freeze
 
         class << self
+          # @return
           def to_a
-            [
+            @_to_a ||= [
               UNDEFINED_TYPE, BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_NAME, PARAMETER_VALUE,
               QUERYSTRING, URI, SOCKET, JSON_VALUE, JSON_ARRAYED_VALUE, MULTIPART_CONTENT_TYPE, MULTIPART_VALUE,
               MULTIPART_FIELD_NAME, MULTIPART_NAME, XML_VALUE, DWR_VALUE, METHOD, REQUEST, URL_PARAMETER, UNKNOWN
             ]
           end
+
+          # This is a hash of the input types and their corresponding values.
+          #
+          # @return [Hash]
+
+          def to_hash
+            {
+                UNDEFINED_TYPE: '1',
+                BODY: '2',
+                COOKIE_NAME: '3',
+                COOKIE_VALUE: '4',
+                HEADER: '5',
+                PARAMETER_NAME: '6',
+                PARAMETER_VALUE: '7',
+                QUERYSTRING: '8',
+                URI: '9',
+                SOCKET: '10',
+                JSON_VALUE: '11',
+                JSON_ARRAYED_VALUE: '12',
+                MULTIPART_CONTENT_TYPE: '13',
+                MULTIPART_VALUE: '14',
+                MULTIPART_FIELD_NAME: '15',
+                MULTIPART_NAME: '16',
+                XML_VALUE: '17',
+                DWR_VALUE: '18',
+                METHOD: '19',
+                REQUEST: '20',
+                URL_PARAMETER: '21',
+                UNKNOWN: '22'
+            }
+          end
         end
       end
     end

data/lib/contrast/agent/reporting/masker/masker_utils.rb

@@ -23,7 +23,7 @@ module Contrast
           hash = URI.decode_www_form(query).to_h
           mask_with_dictionary(results, hash)
           # Restore to string form.
-          hash.each { |k, v| masked += "#{ k }=#{ v }&" }
+          hash.each { |k, v| masked += "#{ k }#{ EQUALS }#{ v }#{ AMPERSAND }" }
           query = masked
           query.chomp!(masked[-1])
         end

data/lib/contrast/agent/reporting/reporting_events/application_defend_activity.rb

@@ -40,6 +40,7 @@ module Contrast
         # @param attack_result [Contrast::Agent::Reporting::AttackResult]
         def attach_data attack_result
           return unless attack_result&.cs__is_a?(Contrast::Agent::Reporting::AttackResult)
+          return if attack_result&.empty?
 
           attacker_activity = Contrast::Agent::Reporting::ApplicationDefendAttackerActivity.new(ia_request: @request)
           attacker_activity.attach_data(attack_result)

data/lib/contrast/agent/reporting/reporting_events/application_defend_attacker_activity.rb

@@ -5,6 +5,7 @@ require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/utils/duck_utils'
 require 'contrast/agent/reporting/reporting_events/reportable_hash'
+require 'contrast/agent/reporting/attack_result/response_type'
 require 'contrast/agent/reporting/reporting_events/application_defend_attack_activity'
 
 module Contrast

data/lib/contrast/agent/reporting/reporting_utilities/reporter_client_utils.rb

@@ -118,7 +118,7 @@ module Contrast
           mode.resend.reset_rescue_attempts
           findings_to_return.each do |index|
             preflight_message = event.messages[index.to_i]
-            corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message.data)
+            corresponding_finding = Contrast::Agent::Reporting::ReportingStorage.delete(preflight_message&.data)
             next unless corresponding_finding
 
             send_event(corresponding_finding, connection)

data/lib/contrast/agent/telemetry/base.rb

@@ -143,6 +143,8 @@ module Contrast
           super
           delete_queue!
           Contrast::TELEMETRY_EXCEPTIONS&.clear
+          Contrast::TELEMETRY_IA_CACHE&.clear
+          Contrast::TELEMETRY_BASE64_HASH&.clear
         end
 
         private
@@ -174,8 +176,7 @@ module Contrast
               break unless attempt_to_start?
 
               # Start pushing exceptions to queue for reporting.
-              Contrast::TELEMETRY_EXCEPTIONS&.each_value { |value| queue << value }
-              Contrast::TELEMETRY_EXCEPTIONS&.clear
+              gather_telemetry_events
               until queue.empty?
                 event = queue.pop
                 begin
@@ -189,6 +190,31 @@ module Contrast
             end
           end
         end
+
+        # Fills the queue with events that were not able to be sent previously.
+        def gather_telemetry_events
+          gather_exceptions
+          gather_encoding_events
+          gather_ia_cache_events
+        end
+
+        # Retrieves the exceptions that were accumulated.
+        def gather_exceptions
+          Contrast::TELEMETRY_EXCEPTIONS&.each_value { |value| queue << value }
+          Contrast::TELEMETRY_EXCEPTIONS&.clear
+        end
+
+        # Retrieves the base64 encoded events that were accumulated.
+        def gather_encoding_events
+          Contrast::TELEMETRY_BASE64_HASH&.each_value { |values| values.each { |event| queue << event } }
+          Contrast::TELEMETRY_BASE64_HASH&.clear
+        end
+
+        # Retrieves the IA cache events that were accumulated.
+        def gather_ia_cache_events
+          Contrast::TELEMETRY_IA_CACHE&.each_value { |values| values.each { |event| queue << event } }
+          Contrast::TELEMETRY_IA_CACHE&.clear
+        end
       end
     end
   end

data/lib/contrast/agent/telemetry/base64_hash.rb

@@ -0,0 +1,55 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/telemetry/input_analysis_encoding_event'
+
+module Contrast
+  module Agent
+    module Telemetry
+      # This hash will store the telemetry data for the Protect InputAnalysis cache.
+      class Base64Hash < Hash
+        include Contrast::Components::Logger::InstanceMethods
+        # Set per request:
+        HASH_SIZE_LIMIT = 100
+
+        # Wrapper to set a value in this Telemetry::Hash only if the provided value is of the data_type for this
+        # Telemetry::CacheHash or the hash has not reached its limit for unique keys.
+        # Saves Array of reportable events.
+        #
+        # @param key [Object] the key to which to associate the value
+        # @param events [array<Object>]
+        # @return [Object, nil] echo back out the value as the Hash#[]= method does, or nil if not of the expected
+        #   data_type
+        def []= key, events
+          # If telemetry is not running, do not add more as we want to avoid a memory leak.
+          return unless Contrast::Agent.telemetry_queue&.running?
+          # If the Hash is full, do not add more as we want to avoid consuming all application resources.
+          return if at_limit?
+          # If the given value is of unexpected type, do not add it to avoid issues later where type is assumed.
+          return unless valid_event?(events)
+
+          super(key, events)
+        end
+
+        # Determine if hash has reached exception event limit.
+        #
+        # @return [Boolean]
+        def at_limit?
+          unless length < HASH_SIZE_LIMIT
+            logger.debug("[Telemetry] Number of IA base64 events exceeds limit of #{ HASH_SIZE_LIMIT }")
+            return true
+          end
+          false
+        end
+
+        private
+
+        # Checks to see if the given object is a valid event.
+        # @param events [Contrast::Agent::Telemetry::InputAnalysisEncodingEvent]
+        def valid_event? events
+          events&.all?(Contrast::Agent::Telemetry::InputAnalysisEncodingEvent)
+        end
+      end
+    end
+  end
+end