contrast-agent 7.2.0 → 7.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a9469e29e067a8c67e64a771b3d60522c4999ecd1133fdc96c3f6c9ff528f71
-  data.tar.gz: 8cbed6cbdf60a9017c80f0edbd5bbe11ea104620ae606f2eac5db4d2c930667f
+  metadata.gz: 4223bb2218df4bdf98b2600c77c4fa148e71b830575e938a968d41e89138fb81
+  data.tar.gz: cc559a6b364c5019d9c50d8ee6b8237486ac1596ec8ade76d8e6ae4e51e1b906
 SHA512:
-  metadata.gz: 3ba2a3f4887a593a5b61544ce6622df70cfe54d1a6b7fe6c4e57927714ab5b6c16ccf13b8c7cd703acb0f55e405c6bcb8e55c781e6f7171d087dc48885942a33
-  data.tar.gz: 7d791ee31ffe0857ac51a6d26f7489baf986f3b4445cc697f202df3ab47dd77c2e484a2516ca2ed442afbfe9be02e8139dab2a866dcc0358210774a6c1e33ca9
+  metadata.gz: 6b88f94ad140a8dd0e8099e2d4f3a396f2221de6ba9a3cbdfaa7e9327644703b7dc275c369ffe4efa29109619bf9eb182f2a0f7b85103c67e2a83246c49c137a
+  data.tar.gz: eaf65ba9546f37ace248a29657e690966deaf02aa26426b169f1f3e9639aa3f7b355ea858afd4ef0a5787bd9e2549d7927b3db89894eb6ef4bcd26daf01382e9

data/lib/contrast/agent/assess/policy/policy_node.rb

@@ -16,6 +16,7 @@ module Contrast
         class PolicyNode < Contrast::Agent::Patching::Policy::PolicyNode
           include Contrast::Components::Logger::InstanceMethods
           include PolicyNodeUtils
+
           JSON_TAGS = 'tags'
           JSON_DATAFLOW = 'dataflow'
           # The keys used to read from policy.json to create the individual
@@ -48,6 +49,9 @@ module Contrast
           ].cs__freeze
           TO_S = %w[to_s to_str].cs__freeze
 
+          # Here are all Responses that will be tracked as sources, or methods they use, like body.
+          RESPONSE_SOURCES = %w[Net::HTTPResponse Rack::Response Sinatra::Response].cs__freeze
+
           def initialize policy_hash = {}
             super(policy_hash)
             @source_string = policy_hash[JSON_SOURCE]
@@ -57,13 +61,14 @@ module Contrast
             @targets = convert_policy_markers(target_string)
             @_use_original_object = ORIGINAL_OBJECT_METHODS.include?(@method_name)
             @_use_original_on_bang_method = assign_on_bang_check(policy_hash)
+            @_use_response_as_source = RESPONSE_SOURCES.include?(@class_name)
           end
 
+          # If we have KEEP action on String, and the method is to_s, that method would return self:
+          # String#to_s => self or string. This method is included here to cover the situations such as
+          # String.to_s.html_safe, where normally the dynamic sources properties get lost. To solve this
+          # we will simply return the original object here.
           def assign_on_bang_check policy_hash
-            # If we have KEEP action on String, and the method is to_s, that method would return self:
-            # String#to_s => self or string. This method is included here to cover the situations such as
-            # String.to_s.html_safe, where normally the dynamic sources properties get lost. To solve this
-            # we will simply return the original object here.
             return true if @_use_original_object && TO_S.include?(policy_hash[JSON_METHOD_NAME])
 
             @_use_original_object &&
@@ -166,7 +171,7 @@ module Contrast
           # that the method is without bang - it does not change the source, but rather
           # creates a copy of it.
           #
-          # @return true | false
+          # @return [Boolean]
           def use_original_object?
             @_use_original_object && Contrast::ASSESS.track_original_object?
           end
@@ -175,10 +180,24 @@ module Contrast
           # that the target return is the same as object - a bang method modifying the
           # source.
           #
-          # @return true | false
+          # @return [Boolean]
           def use_original_on_bang_method?
             @_use_original_on_bang_method && Contrast::ASSESS.track_original_object?
           end
+
+          # This method will check if policy is fit to use response as source.
+          #
+          # @return [Boolean]
+          def use_response_as_source?
+            Contrast::ASSESS.track_response_as_source?
+          end
+
+          # This method will check if the policy node is for response method.
+          #
+          # @return [Boolean]
+          def response_source_node?
+            @_use_response_as_source
+          end
         end
       end
     end

data/lib/contrast/agent/assess/policy/propagator/response.rb

@@ -0,0 +1,64 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/assess/policy/propagator/select'
+require 'contrast/utils/duck_utils'
+
+module Contrast
+  module Agent
+    module Assess
+      module Policy
+        module Propagator
+          # Propagation that results in all the tags of the source being
+          # applied to the target at the point of insertion. The target's
+          # preexisting tags are shifted to account for this insertion.
+          class Response < Contrast::Agent::Assess::Policy::Propagator::Base
+            class << self
+              # This will path the Net::HTTP.request method. It takes two parameters:
+              #  - req: Net::HTTPGenericRequest
+              #  - body: String
+              # As body may be optional, we need to check if it's nil or not.
+              #
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
+              # @param preshift [Contrast::Agent::Assess::Preshift]
+              # @param ret [Object] Return targer from method invocation.
+              # @param _block [nil, {}] block passed.
+              def net_response_keep propagation_node, preshift, ret, _block
+                return unless Contrast::ASSESS.track_response_as_source?
+
+                # Check to see if the argument is of correct type, and whether the body is tracked or not.
+                # if it's tracked and the body is not nil, then copy the properties from the source's body
+                # to the target's body.
+                source_body = if preshift.args.length == 2
+                                preshift.args[1]
+                              else
+                                preshift.args[0]&.body
+                              end
+                copy_body_tags(propagation_node, source_body, ret)
+              end
+
+              private
+
+              # Copy the properties form source body to the response body, if one is present.
+              #
+              # @param propagation_node [Contrast::Agent::Assess::Policy::PropagationNode]
+              # @param source_body [String] the tracked body to copy from.
+              # @param ret [String] the return target from method invocation.
+              # @return [String, nil]
+              def copy_body_tags propagation_node, source_body, ret
+                return if Contrast::Utils::DuckUtils.empty_duck?(source_body)
+                return unless ret&.body&.cs__is_a?(String)
+                return unless source_body&.cs__is_a?(String)
+                return unless (properties = Contrast::Agent::Assess::Tracker.properties!(ret.body))
+
+                # KEEP
+                properties.copy_from(source_body, ret.body, 0, propagation_node.untags)
+                ret
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/assess/policy/propagator.rb

@@ -31,6 +31,7 @@ module Contrast
           require 'contrast/agent/assess/policy/propagator/substitution'
           require 'contrast/agent/assess/policy/propagator/trim'
           require 'contrast/agent/assess/policy/propagator/buffer'
+          require 'contrast/agent/assess/policy/propagator/response'
         end
       end
     end

data/lib/contrast/agent/assess/policy/source_method.rb

@@ -46,6 +46,11 @@ module Contrast
                 # Exclusions makes method slow:
                 return if excluded_by_url?
 
+                # Check to see if the source node is to be used for response as source.
+                if method_policy.source_node.response_source_node? && !method_policy.source_node.use_response_as_source?
+                  return
+                end
+
                 # used to hold the object and ret
                 source_data = Contrast::Agent::Assess::Events::EventData.new(nil, nil, object, ret, nil)
 

data/lib/contrast/agent/assess/rule/response/body_rule.rb

@@ -3,6 +3,7 @@
 
 require 'rack'
 require 'contrast/utils/hash_digest'
+require 'contrast/utils/duck_utils'
 require 'contrast/utils/string_utils'
 require 'contrast/agent/assess/rule/response/base_rule'
 
@@ -44,21 +45,35 @@ module Contrast
             # @param element_start_str [String] element to find in html section
             # @return [Array<Hash>] the found elements of this section, as well as their start and end indexes.
             def html_elements section, element_start_str = '', capture_overflow: false
+              return [] unless section
+              return [] unless (potentials = potential_elements(section, element_start_str).flatten).any?
+
               elements = []
               section_start = 0
-              return [] unless section
 
-              potential_elements(section, element_start_str).flatten.each do |potential_element|
+              potentials.each do |potential_element|
                 next unless potential_element
                 next unless element_openings.any? { |opening| potential_element.start_with?(opening) }
 
-                section_start = section.index(element_start_str, section_start)
-                next unless section_start
+                start = section&.index(element_start_str, section_start)
+                next if Contrast::Utils::DuckUtils.empty_duck?(start)
+
+                stop = potential_element.index('>').to_i
+                next if Contrast::Utils::DuckUtils.empty_duck?(stop)
 
-                element_stop = potential_element.index('>').to_i
-                next unless element_stop
+                section_close = start + 6 + stop
+                # Now we have valid tag section with start and stop.
+                # Save new boundaries. This is to make sure that If
+                # on previous iteration there were non valid section,
+                # the start_section will be assigned to nil, thus making
+                # the detection of new section not possible, and throwing
+                # an error. To that end old values are kept safe.
+                #
+                # Assign new start index.
+                section_start = start
+                # Assign new end index.
+                element_stop = stop
 
-                section_close = section_start + 6 + element_stop
                 elements << capture(section, section_start, section_close, element_stop, overflow: capture_overflow)
                 section_start = section_close
               end

data/lib/contrast/agent/assess/rule/response/cache_control_header_rule.rb

@@ -70,7 +70,10 @@ module Contrast
             # @param response [Contrast::Agent::Response] the response of the application
             # @return [Array<Hash<String,String>]
             def cache_meta_tags response
-              html_elements(response.body&.split(HEAD_TAG)&.last, META_START_STR).
+              head_tag = response.body&.split(HEAD_TAG)&.last
+              return [] unless head_tag
+
+              html_elements(head_tag, META_START_STR, capture_overflow: false).
                   select { |tag| cache_control_tag?(tag[HTML_PROP]) }
             end
 

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -14,10 +14,13 @@ require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input
 require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
+require 'contrast/agent/protect/rule/input_classification/lru_cache'
+require 'contrast/agent/protect/rule/input_classification/cached_result'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
 require 'contrast/agent/protect/rule/xss/xss'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/input_classification/base64_statistic'
 require 'json'
 
 module Contrast
@@ -35,6 +38,8 @@ module Contrast
         ].cs__freeze
         POSTFILTER_RULES = %w[sql-injection cmd-injection reflected-xss path-traversal nosql-injection].cs__freeze
         AGENTLIB_TIMEOUT = 5.cs__freeze
+        TIMEOUT_ERROR_MESSAGE = '[AgentLib] Timed out when processing InputAnalysisResult'
+        STANDARD_ERROR_MESSAGE = '[InputAnalyzer] Exception raise while doing input analysis:'
 
         class << self
           include Contrast::Agent::Reporting::InputType
@@ -42,6 +47,18 @@ module Contrast
           include Contrast::Utils::ObjectShare
           include Contrast::Components::Logger::InstanceMethods
 
+          # Cache for storing the input analysis result per rule
+          #
+          # @return [Contrast::Agent::Protect::Rule::InputClassification::LRUCache]
+          def lru_cache
+            @_lru_cache ||= Contrast::Agent::Protect::Rule::InputClassification::LRUCache.new
+          end
+
+          # Input decoding statistic.
+          def base64_statistic
+            @_base64_statistic ||= Contrast::Agent::Protect::Rule::InputClassification::Base64Statistic.new
+          end
+
           # This method with analyze the user input from the context of the
           # current request and return new ia with extracted input types.
           #
@@ -51,13 +68,13 @@ module Contrast
             return unless Contrast::PROTECT.enabled?
             return if request.nil?
 
-            inputs = extract_input(request)
+            inputs = extract_inputs(request)
             return unless inputs
 
             input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
             input_analysis.request = request
             # Save those for trigger time
-            input_analysis.inputs = extract_input(request)
+            input_analysis.inputs = inputs
             input_analysis
           end
 
@@ -69,16 +86,9 @@ module Contrast
           #
           # @param request [Contrast::Agent::Request] current request context.
           # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-          def extract_input request
+          def extract_inputs request
             inputs = {}
-            inputs[BODY] = request.body
-            inputs[COOKIE_NAME] = request.cookies.keys
-            inputs[COOKIE_VALUE] = request.cookies.values
-            inputs[HEADER] = request.headers
-            inputs[PARAMETER_NAME] = request.parameters.keys
-            inputs[PARAMETER_VALUE] = request.parameters.values
-            inputs[QUERYSTRING] = request.query_string
-            inputs[METHOD] = request.request_method
+            extract_request_inputs(inputs, request)
             extract_multipart(inputs, request)
             inputs.compact!
             inputs
@@ -86,22 +96,29 @@ module Contrast
 
           # classify input by rule
           #
-          # @param rule_id [String] name of the rule
-          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] from
-          # analyze method.
-          def input_classification_for rule_id, input_analysis
+          # @param rule_id [String] name of the rule.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] from analyze method.
+          # @param interval [Integer] The timeout determined for the AgentLib analysis to be performed.
+          def input_classification_for rule_id, input_analysis, interval: AGENTLIB_TIMEOUT
             return unless input_analysis&.inputs
             return unless (protect_rule = Contrast::PROTECT.rule(rule_id)) && protect_rule.enabled?
 
             input_analysis.inputs.each do |input_type, value|
               next if value.nil? || value.empty?
 
-              protect_rule.classification.classify(rule_id, input_type, value, input_analysis)
+              Timeout.timeout(interval) do
+                protect_rule.classification.classify(rule_id, input_type, value, input_analysis)
+              end
             end
 
             input_analysis
           rescue StandardError => e
-            logger.error('[INPUT_ANALYZER] Error', error: e)
+            if e.cs__class == Timeout::Error
+              log_error(rule_id, TIMEOUT_ERROR_MESSAGE, e)
+            else
+              log_error(rule_id, STANDARD_ERROR_MESSAGE, e, level: :error)
+            end
+            nil
           end
 
           # classify input by array of rules. There is a timeout for the AgentLib analysis if not set it
@@ -134,14 +151,9 @@ module Contrast
               # Check to see if rules is already triggered only for infilter:
               next if input_analysis.triggered_rules.include?(rule_id) && infilter
 
-              Timeout.timeout(interval) do
-                input_classification_for(rule_id, input_analysis)
-              end
+              input_classification_for(rule_id, input_analysis, interval: interval)
             end
             input_analysis
-          rescue Timeout::Error => e
-            logger.warn('AgentLib timed out when processing InputAnalysisResult', e, ia_result)
-            nil
           end
 
           private
@@ -158,6 +170,33 @@ module Contrast
             name = filename[DISPOSITION_NAME.to_sym]
             inputs[MULTIPART_NAME] = name if name
           end
+
+          # Extract the parameters and query string from the request context.
+          #
+          # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          # @param request [Contrast::Agent::Request] current request context.
+          def extract_request_inputs inputs, request
+            inputs[BODY] = request.body
+            inputs[COOKIE_NAME] = request.cookies.keys
+            inputs[COOKIE_VALUE] = request.cookies.values
+            inputs[HEADER] = request.headers
+            inputs[METHOD] = request.request_method
+            inputs[PARAMETER_NAME] = request.parameters.keys
+            inputs[PARAMETER_VALUE] = request.parameters.values
+            inputs[QUERYSTRING] = request.query_string
+          end
+
+          # Logs any errrors that occur during the analysis
+          # Accepts a level parameter to determine if the error should be logged as an error or warning.
+          #
+          # @param rule_id [String] name of the rule.
+          def log_error rule_id, message, error, level: :error
+            if level == :error
+              logger.error(message, rule_id: rule_id, error: error)
+            else
+              logger.warn(message, rule_id: rule_id, error: error)
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb

@@ -5,7 +5,10 @@ require 'contrast/agent/thread/worker_thread'
 require 'contrast/agent/reporting/input_analysis/input_analysis_result'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/reporting_events/application_activity'
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
+require 'contrast/agent/telemetry/input_analysis_cache_event'
+require 'contrast/agent/telemetry/input_analysis_encoding_event'
+require 'contrast/utils/reporting/application_activity_batch_utils'
 
 module Contrast
   module Agent
@@ -15,7 +18,8 @@ module Contrast
       # Currently only includes: cmd_injection & sqli_injection rules
       class WorthWatchingInputAnalyzer < WorkerThread
         include Timeout
-        include Contrast::Agent::Protect::Rule::InputClassificationBase
+        include Contrast::Agent::Protect::Rule::InputClassification::Base
+        include Contrast::Utils::Reporting::ApplicationActivityBatchUtils
 
         QUEUE_SIZE = 1000.cs__freeze
         AGENTLIB_TIMEOUT = 5.cs__freeze
@@ -48,8 +52,10 @@ module Contrast
                 activity.attach_defend(attack_result)
                 report = true
               end
-              Contrast::Agent::Reporting::Masker.mask(activity)
-              Contrast::Agent.reporter.send_event(activity) if report
+              report_activity(activity) if report
+              # Handle reporting of IA Cache statistics:
+              enqueue_cache_event(stored_ia.request)
+              enqueue_encoding_event(stored_ia.request)
             rescue StandardError => e
               logger.error('[WorthWatchingAnalyzer] thread could not process result because of:', e)
             end
@@ -73,6 +79,27 @@ module Contrast
 
         private
 
+        # After we have finished with all IA results, we need to send the cache statistics to Telemetry.
+        # Now the request cycle is finished and we can send the cache statistics.
+        #
+        # @param request [Contrast::Agent::Request] stored request.
+        def enqueue_cache_event request
+          return unless Contrast::Agent::Telemetry::Base.enabled?
+
+          Contrast::TELEMETRY_IA_CACHE[request.__id__] = Contrast::Agent::Protect::InputAnalyzer.
+              lru_cache.statistics.to_events.dup
+          Contrast::Agent::Protect::InputAnalyzer.lru_cache.clear_statistics
+        end
+
+        def enqueue_encoding_event request
+          return unless Contrast::Agent::Telemetry::Base.enabled?
+          return unless Contrast::PROTECT.normalize_base64?
+
+          Contrast::TELEMETRY_BASE64_HASH[request.__id__] = Contrast::Agent::Protect::InputAnalyzer.
+              base64_statistic.to_events.dup
+          Contrast::Agent::Protect::InputAnalyzer.base64_statistic.clear
+        end
+
         # This method will build the attack results from the saved ia.
         #
         # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
@@ -114,6 +141,12 @@ module Contrast
           @_queue ||= Queue.new
         end
 
+        def report_activity activity
+          logger.debug('[WorthWatchingAnalyzer] preparing to send activity batch')
+          add_activity_to_batch(activity)
+          report_batch
+        end
+
         def delete_queue!
           @_queue&.clear
           @_queue&.close

data/lib/contrast/agent/protect/rule/base.rb

@@ -63,6 +63,10 @@ module Contrast
             RULE_NAME
           end
 
+          # Should return the short name.
+          #
+          # @return [String]
+
           # Should return list of all sub_rules.
           # Extend for each main rule any sub-rules.
           #
@@ -328,7 +332,7 @@ module Contrast
           # @param context [Contrast::Agent::RequestContext]
           # @return [Array<Contrast::Agent::Reporting::InputAnalysis>]
           def gather_ia_results context
-            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless context&.agent_input_analysis&.results
+            return [] unless context&.agent_input_analysis&.results
 
             context.agent_input_analysis.results.select do |ia_result|
               ia_result.rule_id == rule_name && ia_result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb

@@ -4,7 +4,7 @@
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/details/bot_blocker_details'
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 require 'contrast/utils/object_share'
 
 module Contrast
@@ -20,7 +20,7 @@ module Contrast
           BOT_BLOCKER_MATCH = 'bot-blocker-input-tracing-v1'
 
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
 
             # Input Classification stage is done to determine if an user input is
             # DEFINITEATTACK or to be ignored.
@@ -45,6 +45,7 @@ module Contrast
               input_analysis
             rescue StandardError => e
               logger.debug("An Error was recorded in the input classification of the #{ rule_id }", error: e)
+              nil
             end
 
             private
@@ -57,19 +58,35 @@ module Contrast
             # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
             # @param value [String, Array<String>] the value of the input.
             #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult, nil]
             def create_new_input_result request, rule_id, input_type, value
               return unless request.headers.key(value) == USER_AGENT
-              return unless Contrast::AGENT_LIB
 
-              # If there is no match this would return nil.
-              header_eval = Contrast::AGENT_LIB.eval_header(AGENT_LIB_HEADER_NAME,
-                                                            value,
-                                                            Contrast::AGENT_LIB.rule_set[rule_id],
-                                                            Contrast::AGENT_LIB.eval_option[:NONE])
+              super(request, rule_id, input_type, value)
+            end
+
+            # Creates new instance of AgentLib evaluation result with direct call to AgentLib.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param _input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            def build_input_eval rule_id, _input_type, value
+              Contrast::AGENT_LIB.eval_header(AGENT_LIB_HEADER_NAME,
+                                              value,
+                                              Contrast::AGENT_LIB.rule_set[rule_id],
+                                              Contrast::AGENT_LIB.eval_option[:NONE])
+            end
 
+            # Creates specific result from the AgentLib evaluation.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param input_eval [Contrast::AgentLib::EvalResult] the result of the input evaluation.
+            def build_ia_result rule_id, input_type, value, request, input_eval
               ia_result = new_ia_result(rule_id, input_type, request.path, value)
-              score = header_eval&.score || 0
+              score = input_eval&.score || 0
               if score >= THRESHOLD
                 ia_result.score_level = DEFINITEATTACK
                 ia_result.ids << BOT_BLOCKER_MATCH
@@ -79,7 +96,6 @@ module Contrast
               else
                 ia_result.score_level = IGNORE
               end
-              add_needed_key(request, ia_result, input_type, value)
               ia_result
             end
 

data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb

@@ -43,7 +43,6 @@ module Contrast
           # to BLOCK and valid cdmi is detected.
           def infilter context, classname, method, command
             return unless infilter?(command)
-            return if protect_excluded_by_url?(rule_name)
             return unless (result = build_violation(context, command))
 
             append_to_activity(context, result)

data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb

@@ -4,7 +4,7 @@
 require 'contrast/agent/protect/rule/cmdi/cmd_injection'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
-require 'contrast/utils/input_classification_base'
+require 'contrast/agent/protect/rule/input_classification/base'
 require 'contrast/components/logger'
 
 module Contrast
@@ -17,7 +17,7 @@ module Contrast
         module CmdiInputClassification
           WORTHWATCHING_MATCH = 'cmdi-worth-watching-v2'.cs__freeze
           class << self
-            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::InputClassification::Base
             include Contrast::Components::Logger::InstanceMethods
           end
         end