contrast-agent 7.3.2 → 7.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a4ed370d3625c9e07c5966fb4e091e96cc37a6a2fce8376d63a547e655b27173
-  data.tar.gz: 601a4767e4317af72e2c610df6ba19bb68df2c42f128bb873539204c93801019
+  metadata.gz: 2b62e21b5f8d2c3d786aaaac33005487eab07fd07438e9fe20532742f926bcb0
+  data.tar.gz: 37ff12d328d1a58bddb75e4f0e9c799b44df881daaa78bea62f565f95ae715ff
 SHA512:
-  metadata.gz: 597307a8f3521cd9783c07ccc8b2f54d6bf2cf1631db84bd29fba683fbd93fc4f5eff47bbbc2ed50c37c02fd3c59d5df987526c839c5e731299cdb6e02e30c6f
-  data.tar.gz: 95898f87cbabbcc24d9ce3f0d5ba1397b4399f9ca35f4c4a1290c7e3d9c7cd26d6bf13c99affc013dea2456260aeb918349a97905863ba790ba869a272faccfc
+  metadata.gz: 46f9f576d3a28befa4681e73a250af98602c100d50ace13a1e3fcaa5a22ca2a0d0695b4b19492677d57183ff56203d2f57a5470b7c6fa0fc9c1b15bbbd49dc16
+  data.tar.gz: 427a3dafa3d8108a4aa2130ff02c8c4d52539f7d1c7b265ba78d60dc10f86f142a2b4f1132ae0be02c0c9a41c043ab1459c0a0e3a836dbced2f0db4b550aa970

data/lib/contrast/agent/middleware/middleware.rb

@@ -191,7 +191,7 @@ module Contrast
           # Now we can build the ia_results only for postfilter rules.
           context.protect_postfilter_ia
           # Process Worth Watching Inputs for v2 rules
-          Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
+          Contrast::Agent.worth_watching_analyzer&.add_to_queue(context)
 
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -33,10 +33,10 @@ module Contrast
         DISPOSITION_FILENAME = 'filename'
         PREFILTER_RULES = %w[bot-blocker unsafe-file-upload reflected-xss].cs__freeze
         INFILTER_RULES = %w[
-          sql-injection cmd-injection reflected-xss bot-blocker unsafe-file-upload path-traversal
+          sql-injection cmd-injection bot-blocker unsafe-file-upload path-traversal
           nosql-injection
         ].cs__freeze
-        POSTFILTER_RULES = %w[sql-injection cmd-injection reflected-xss path-traversal nosql-injection].cs__freeze
+        POSTFILTER_RULES = %w[sql-injection cmd-injection path-traversal nosql-injection].cs__freeze
         AGENTLIB_TIMEOUT = 5.cs__freeze
         TIMEOUT_ERROR_MESSAGE = '[AgentLib] Timed out when processing InputAnalysisResult'
         STANDARD_ERROR_MESSAGE = '[InputAnalyzer] Exception raise while doing input analysis:'
@@ -100,10 +100,15 @@ module Contrast
           # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] from analyze method.
           # @param interval [Integer] The timeout determined for the AgentLib analysis to be performed.
           def input_classification_for rule_id, input_analysis, interval: AGENTLIB_TIMEOUT
-            return unless input_analysis&.inputs
+            return if input_analysis.analysed_rules.include?(rule_id)
+            return if input_analysis.no_inputs?
             return unless (protect_rule = Contrast::PROTECT.rule(rule_id)) && protect_rule.enabled?
 
             input_analysis.inputs.each do |input_type, value|
+              # TODO: RUBY-2110 Update the HEADER handling if possible.
+              # Analyze only Header values:
+              # This may break bot blocker rule:
+              # value = value.values if input_type == HEADER
               next if value.nil? || value.empty?
 
               Timeout.timeout(interval) do
@@ -128,14 +133,12 @@ module Contrast
           #                                                       for each protect rule.
           # @param prefilter [Boolean] flag to set input analysis for prefilter rules only
           # @param postfilter [Boolean] flag to set input analysis for postfilter rules.
-          # @param infilter [Boolean]
           # @param interval [Integer] The timeout determined for the AgentLib analysis to be performed
           # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
           # @raise [Timeout::Error] If timeout is met.
           def input_classification(input_analysis,
                                    prefilter: false,
                                    postfilter: false,
-                                   infilter: false,
                                    interval: AGENTLIB_TIMEOUT)
             return unless input_analysis
 
@@ -147,12 +150,7 @@ module Contrast
                       INFILTER_RULES
                     end
 
-            rules.each do |rule_id|
-              # Check to see if rules is already triggered only for infilter:
-              next if input_analysis.triggered_rules.include?(rule_id) && infilter
-
-              input_classification_for(rule_id, input_analysis, interval: interval)
-            end
+            rules.each { |rule_id| input_classification_for(rule_id, input_analysis, interval: interval) }
             input_analysis
           end
 

data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb

@@ -42,16 +42,15 @@ module Contrast
               next if queue.empty?
 
               report = false
-              # build attack_results for all infilter active protect rules.
-              stored_ia = queue.pop
-              results = build_results(stored_ia)
-              activity = Contrast::Agent::Reporting::ApplicationActivity.new(ia_request: stored_ia.request)
+              stored_context, stored_ia, results, activity = extract_from_context
+
               results.each do |result|
-                next unless (attack_result = eval_input(result))
+                next unless (attack_result = eval_input(stored_context, result, stored_ia))
 
                 activity.attach_defend(attack_result)
                 report = true
               end
+
               report_activity(activity) if report
               # Handle reporting of IA Cache statistics:
               enqueue_cache_event(stored_ia.request)
@@ -62,9 +61,22 @@ module Contrast
           end
         end
 
-        # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
-        def add_to_queue input_analysis
-          return unless input_analysis
+        # build attack_results for all infilter active protect rules.
+        # Stored Context will update the logger context and build attack results for protect rules.
+        # Note: call only in thread loop as it extracts from the queue.
+        #
+        # @return [Array<stored_context, stored_ia, results, activity>]
+        def extract_from_context
+          stored_context = queue.pop
+          stored_ia = stored_context.agent_input_analysis
+          results = build_results(stored_ia)
+          activity = Contrast::Agent::Reporting::ApplicationActivity.new(ia_request: stored_ia.request)
+          [stored_context, stored_ia, results, activity]
+        end
+
+        # @param context [Contrast::Agent::RequestContext]
+        def add_to_queue context
+          return unless context
 
           if queue.size >= QUEUE_SIZE
             logger.debug('[WorthWatchingAnalyzer] queue at max size, skip input_result')
@@ -74,7 +86,7 @@ module Contrast
           # we need to save the ia which contains the request and saved extracted user inputs to
           # be evaluated on the thread rather than building results here. This way we allow the
           # request to continue and will build the attack results later.
-          queue << input_analysis.dup
+          queue << context.dup
         end
 
         private
@@ -91,6 +103,9 @@ module Contrast
           Contrast::Agent::Protect::InputAnalyzer.lru_cache.clear_statistics
         end
 
+        # Enqueue for Telemetry reporting all base64 related events.
+        #
+        # @param request [Contrast::Agent::Request] stored request.
         def enqueue_encoding_event request
           return unless Contrast::Agent::Telemetry::Base.enabled?
           return unless Contrast::PROTECT.normalize_base64?
@@ -102,16 +117,16 @@ module Contrast
 
         # This method will build the attack results from the saved ia.
         #
-        # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
+        # @param stored_ia [Contrast::Agent::Reporting::InputAnalysis]
         # @return attack_results [array<Contrast::Agent::Reporting::InputAnalysisResult>] all the results
         # from the input analysis.
-        def build_results input_analysis
+        def build_results stored_ia
           # Construct the input analysis for the all the infilter rules that were not triggered.
           # There is a set timeout for each rule to be analyzed in. The infilter flag will make
           # sure that if a rule is already triggered during the infilter phase it will not be analyzed
           # now, making sure we don't report same rule twice.
-          Contrast::Agent::Protect::InputAnalyzer.input_classification(input_analysis, infilter: true)
-          results = input_analysis.results.reject do |val|
+          Contrast::Agent::Protect::InputAnalyzer.input_classification(stored_ia)
+          results = stored_ia.results.reject do |val|
             val.score_level == Contrast::Agent::Reporting::InputAnalysisResult::SCORE_LEVEL::IGNORE
           end
           return results if results
@@ -119,39 +134,59 @@ module Contrast
           []
         end
 
+        # Evaluates the stored ia results and builds attack results if any.
+        #
+        # @param stored_context [Contrast::Agent::RequestContext]
         # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the WorthWatching InputAnalysisResult
+        # @param stored_ia [Contrast::Agent::Reporting::InputAnalysis] the stored InputAnalysis
         # @return [Contrast::Agent::Reporting::AttackResult, nil] InputAnalysisResult updated Result or nil
-        def eval_input ia_result
-          return build_attack_result(ia_result) unless ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
+        def eval_input stored_context, ia_result, stored_ia
+          return skip_log if ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
 
-          logger.debug("[WorthWatchingAnalyzer] Skipping analysis: Input size is larger than
-                      #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
-          nil
+          build_attack_result(stored_context, ia_result, stored_ia)
         end
 
+        # Creates new Attack Event per rule that will be triggered or probed.
+        #
+        # @param stored_context [Contrast::Agent::RequestContext]
         # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the updated InputAnalysisResult
         # with a score of :DEFINITEATTACK
+        # @param stored_ia [Contrast::Agent::Reporting::InputAnalysis] the stored InputAnalysis
         # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
         #   this input
-        def build_attack_result ia_result
-          Contrast::PROTECT.rule(ia_result.rule_id).build_attack_without_match(nil, ia_result, nil)
+        def build_attack_result stored_context, ia_result, stored_ia
+          return if stored_ia.triggered_rules.include?(ia_result.rule_id)
+
+          Contrast::PROTECT.rule(ia_result.rule_id).build_attack_without_match(stored_context, ia_result, nil)
         end
 
+        # @return [Queue]
         def queue
           @_queue ||= Queue.new
         end
 
+        # Reports all gather activities to batch.
+        #
+        # @param activity [Contrast::Agent::Reporting::ApplicationActivity]
         def report_activity activity
           logger.debug('[WorthWatchingAnalyzer] preparing to send activity batch')
           add_activity_to_batch(activity)
           report_batch
         end
 
+        # Deletes Queue and closes it.
         def delete_queue!
           @_queue&.clear
           @_queue&.close
           @_queue = nil
         end
+
+        # Logs a message that the input was skipped because it was too large.
+        def skip_log
+          logger.debug("[WorthWatchingAnalyzer] Skipping analysis: Input size is larger than
+                      #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
+          nil
+        end
       end
     end
   end

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -55,10 +55,7 @@ module Contrast
             return unless (ia = context.agent_input_analysis)
 
             Contrast::Agent::Protect::InputAnalyzer.input_classification_for(rule_id, ia)
-            # We add the triggered rule to the list. After request analysis will skip this rule
-            # as already it's input applicable types has been analysed.
-            ia.triggered_rules << rule_name
-            ia
+            context.agent_input_analysis.record_analysed_rule(rule_id)
           end
 
           protected

data/lib/contrast/agent/protect/rule/base.rb

@@ -45,7 +45,6 @@ module Contrast
           #
           # @return mode [Symbol]
           def initialize
-            ::Contrast::PROTECT.defend_rules[rule_name] = self
             @mode = mode_from_settings
           end
 
@@ -63,6 +62,11 @@ module Contrast
             RULE_NAME
           end
 
+          # Update state form Settings or Configuration.
+          def update
+            @mode = mode_from_settings
+          end
+
           # Should return the short name.
           #
           # @return [String]
@@ -137,20 +141,30 @@ module Contrast
           end
 
           # With this we log to CEF
-          #
-          # @param result [Contrast::Agent::Reporting::AttackResult]
+          # @param result [Contrast::Agent::Reporting::InputAnalysisResult]
           # @param attack [Symbol] the type of message we want to send
           # @param value [String] the input value we want to log
-          def cef_logging result, attack = :ineffective_attack, value: nil
+          # @param input_type [String] the input type we want to log
+          # @param context [Contrast::Agent::RequestContext]
+          def cef_logging result, attack = :ineffective_attack, value: nil, input_type: nil, context: nil
             sample = result.samples[0]
             outcome = result.response.to_s
-            input_type = sample.user_input.input_type.to_s
-            input_value = sample.user_input.value || value
-            cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
+            input_type = sample&.user_input&.input_type&.to_s || input_type
+            input_value = sample&.user_input&.value || value
+            cef_logger.send(attack, result.rule_id, outcome, input_type, input_value, context)
           end
 
           protected
 
+          # Records the rule being triggered at sink.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          def record_triggered context
+            return unless context
+
+            context.agent_input_analysis.record_rule_triggered(rule_name)
+          end
+
           # Assign the mode from active settings.
           #
           # @return mode [Symbol]
@@ -187,22 +201,20 @@ module Contrast
           # @param potential_attack_string [String, nil]
           # @param ia_results [Array<Contrast::Agent::Reporting::InputAnalysis>]
           # @param **kwargs
-          # @return [Contrast::Agent::Reporting, nil]
+          # @return [Contrast::Agent::Reporting::AttackResult, nil]
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
             logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
+            return unless ia_results&.any?
+            return build_attack_without_match(context, ia_results[0], nil, **kwargs) unless potential_attack_string
 
-            result = nil
             ia_results.each do |ia_result|
-              if potential_attack_string
-                idx = potential_attack_string.index(ia_result.value)
-                next unless idx
-
-                result = build_attack_with_match(context, ia_result, result, potential_attack_string, **kwargs)
-              else
-                result = build_attack_without_match(context, ia_result, result, **kwargs)
-              end
+              idx = potential_attack_string.index(ia_result.value)
+              next unless idx
+
+              result = build_attack_with_match(context, ia_result, result || nil, potential_attack_string, **kwargs)
+              return result if result
             end
-            result
+            nil
           end
 
           # By default, rules do not have to find attackers as they do not have
@@ -227,15 +239,17 @@ module Contrast
           #
           # @param context [Contrast::Agent::RequestContext] the context for
           #   the current request
-          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis]
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult]
           # @param result [Contrast::Agent::Reporting::AttackResult]
           # @param attack_string [String] Potential attack vector
           # @return [Contrast::Agent::Reporting::AttackResult]
           def update_successful_attack_response context, ia_result, result, attack_string = nil
+            cef_outcome = :successful_attack
             case mode
             when :MONITOR
               # We are checking the result as the ia_result would not contain the sub-rules.
               result.response = if SUSPICIOUS_REPORTING_RULES.include?(result&.rule_id)
+                                  cef_outcome = :suspicious_attack
                                   Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
                                 else
                                   Contrast::Agent::Reporting::ResponseType::MONITORED
@@ -246,7 +260,11 @@ module Contrast
 
             ia_result.attack_count = ia_result.attack_count + 1 if ia_result
             log_rule_matched(context, ia_result, result.response, attack_string)
-
+            cef_logging(result,
+                        cef_outcome,
+                        value: ia_result&.value || attack_string,
+                        input_type: ia_result&.input_type,
+                        context: context)
             result
           end
 
@@ -261,17 +279,32 @@ module Contrast
           #   multiple inputs being found to violate the protection criteria
           # @return [Contrast::Agent::Reporting::AttackResult]
           def update_perimeter_attack_response context, ia_result, result
-            if mode == :BLOCK_AT_PERIMETER
+            cef_outcome = :successful_attack
+            case mode
+            when :BLOCK_AT_PERIMETER
               result.response = if blocked_rule?(ia_result)
                                   Contrast::Agent::Reporting::ResponseType::BLOCKED
                                 else
                                   Contrast::Agent::Reporting::ResponseType::BLOCKED_AT_PERIMETER
                                 end
               log_rule_matched(context, ia_result, result.response)
-            elsif ia_result.nil? || ia_result.attack_count.zero?
+            when :BLOCK && rule_name == Contrast::Agent::Protect::Rule::Xss::NAME
+              # Handle cases like reflected-xss:
+              result.response = Contrast::Agent::Reporting::ResponseType::BLOCKED
+              log_rule_matched(context, ia_result, result.response)
+            else
+              # Handles all other cases including Reflected-xss in MONITOR mode.
+              return unless ia_result.nil? || ia_result.attack_count.zero?
+
               result.response = assign_reporter_response_type(ia_result)
+              cef_outcome = suspicious_rule?(ia_result) ? :suspicious_attack : :ineffective_attack
               log_rule_probed(context, ia_result)
             end
+            cef_logging(result,
+                        cef_outcome,
+                        value: ia_result&.value,
+                        input_type: ia_result&.input_type,
+                        context: context)
 
             result
           end
@@ -330,7 +363,7 @@ module Contrast
           # the rule id.
           #
           # @param context [Contrast::Agent::RequestContext]
-          # @return [Array<Contrast::Agent::Reporting::InputAnalysis>]
+          # @return [Array<Contrast::Agent::Reporting::InputAnalysisResult>]
           def gather_ia_results context
             return [] unless context&.agent_input_analysis&.results
 
@@ -345,7 +378,8 @@ module Contrast
           def blocked_violation? result
             return false unless result
 
-            result.response == Contrast::Agent::Reporting::ResponseType::BLOCKED
+            blocked? && (result.response == Contrast::Agent::Reporting::ResponseType::BLOCKED ||
+                result.response == Contrast::Agent::Reporting::ResponseType::BLOCKED_AT_PERIMETER)
           end
 
           private
@@ -355,7 +389,8 @@ module Contrast
           def blocked_rule? ia_result
             [
               Contrast::Agent::Protect::Rule::Sqli::NAME,
-              Contrast::Agent::Protect::Rule::NoSqli::NAME
+              Contrast::Agent::Protect::Rule::NoSqli::NAME,
+              Contrast::Agent::Protect::Rule::Xss::NAME
             ].include?(ia_result&.rule_id)
           end
 
@@ -388,7 +423,7 @@ module Contrast
 
           # @param context [Contrast::Agent::RequestContext]
           # @param potential_attack_string [String, nil]
-          # @return [Contrast::Agent::Reporting, nil]
+          # @return [Contrast::Agent::Reporting::AttackResult, nil]
           def find_postfilter_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             ia_results.select! do |ia_result|

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker.rb

@@ -19,6 +19,7 @@ module Contrast
 
           NAME = 'bot-blocker'
           APPLICABLE_USER_INPUTS = [HEADER].cs__freeze
+          BLOCK_MESSAGE = 'Bot Blocker rule triggered. Unsafe Bot blocked.'
 
           def rule_name
             NAME
@@ -28,6 +29,13 @@ module Contrast
             APPLICABLE_USER_INPUTS
           end
 
+          # Return the specific blocking message for this rule.
+          #
+          # @return [String] the reason for the raised security exception.
+          def block_message
+            BLOCK_MESSAGE
+          end
+
           # Bot blocker input classification
           #
           # @return [module<Contrast::Agent::Protect::Rule::BotBlockerInputClassification>]
@@ -49,13 +57,13 @@ module Contrast
                 ia_result.score_level == Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
 
             result = build_attack_without_match(context, ia_result, nil)
-            append_to_activity(context, result) if result
-            cef_logging(result, :successful_attack) if result
-            return unless blocked?
+            return unless result
 
+            append_to_activity(context, result)
+            record_triggered(context)
             # Raise BotBlocker error
             exception_message = "#{ rule_name } rule triggered. Unsafe Bot blocked."
-            raise(Contrast::SecurityException.new(self, exception_message))
+            raise(Contrast::SecurityException.new(self, exception_message)) if blocked_violation?(result)
           end
 
           # @param context [Contrast::Agent::RequestContext]

data/lib/contrast/agent/protect/rule/cmdi/cmd_injection.rb

@@ -21,25 +21,32 @@ module Contrast
           include Contrast::Components::Logger::InstanceMethods
           include Contrast::Agent::Reporting::InputType
           NAME = 'cmd-injection'
-          APPLICABLE_USER_INPUTS = [
-            BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
-            PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
-            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
-          ].cs__freeze
 
           def rule_name
             NAME
           end
 
+          # Sub-rules forwarders:
+
+          # @return [Contrast::Agent::Protect::Rule::CmdiBackdoors]
+          def command_backdoors
+            @_command_backdoors ||= Contrast::Agent::Protect::Rule::CmdiBackdoors.new
+          end
+
+          # @return [Contrast::Agent::Protect::Rule::CmdiChainedCommand]
+          def semantic_chained_commands
+            @_semantic_chained_commands ||= Contrast::Agent::Protect::Rule::CmdiChainedCommand.new
+          end
+
+          def semantic_dangerous_paths
+            @_semantic_dangerous_paths ||= Contrast::Agent::Protect::Rule::CmdiDangerousPath.new
+          end
+
           # Array of sub_rules:
           #
           # @return [Array]
           def sub_rules
-            @_sub_rules ||= [
-              Contrast::Agent::Protect::Rule::CmdiBackdoors.new,
-              Contrast::Agent::Protect::Rule::CmdiChainedCommand.new,
-              Contrast::Agent::Protect::Rule::CmdiDangerousPath.new
-            ].cs__freeze
+            @_sub_rules ||= [command_backdoors, semantic_chained_commands, semantic_dangerous_paths].cs__freeze
           end
 
           def applicable_user_inputs
@@ -72,12 +79,9 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
-            cef_logging(result, :successful_attack)
-
-            return unless blocked?
-
+            record_triggered(context)
             # Raise cmdi error
-            raise_error(classname, method)
+            raise_error(classname, method) if blocked_violation?(result)
           end
         end
       end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb

@@ -43,10 +43,8 @@ module Contrast
                                                             **{ classname: classname, method: method }))
 
             append_to_activity(context, result)
-            cef_logging(result, :successful_attack)
-            return unless blocked?
-
-            raise_error(classname, method)
+            record_triggered(context)
+            raise_error(classname, method) if blocked_violation?(result)
           end
 
           private

data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb

@@ -20,7 +20,7 @@ module Contrast
           APPLICABLE_USER_INPUTS = [
             BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
             PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
-            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
+            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE, UNKNOWN
           ].cs__freeze
 
           # CMDI input classification
@@ -46,6 +46,7 @@ module Contrast
             return unless (result = build_violation(context, command))
 
             append_to_activity(context, result)
+            record_triggered(context)
             raise_error(classname, method) if blocked_violation?(result)
           end
 

data/lib/contrast/agent/protect/rule/deserialization/deserialization.rb

@@ -50,6 +50,7 @@ module Contrast
           end
 
           # Return the specific blocking message for this rule.
+          #
           # @return [String] the reason for the raised security exception.
           def block_message
             BLOCK_MESSAGE
@@ -84,10 +85,9 @@ module Contrast
             kwargs = { GADGET_TYPE: gadget }
             result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
             append_to_activity(context, result)
+            record_triggered(context)
 
-            cef_logging(result, :successful_attack)
-
-            raise(Contrast::SecurityException.new(self, block_message)) if blocked?
+            raise(Contrast::SecurityException.new(self, block_message)) if blocked_violation?(result)
           end
 
           # Determine if the issued command was called while we're
@@ -106,13 +106,13 @@ module Contrast
             ia_result = build_evaluation(gadget_command)
             result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
             append_to_activity(context, result)
-            cef_logging(result, :successful_attack, value: gadget_command)
             raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
 
           protected
 
           # Build the RaspRuleSample for the detected Deserialization attack.
+          #
           # @param context [Contrast::Agent::RequestContext] the request
           #   context in which this attack is occurring.
           # @param input_analysis_result [Contrast::Agent::Reporting::InputAnalysis]

data/lib/contrast/agent/protect/rule/input_classification/base.rb

@@ -24,7 +24,7 @@ module Contrast
               COOKIE_VALUE, PARAMETER_VALUE, HEADER, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
             ].cs__freeze
 
-            BASE64_INPUT_TYPES = [BODY, COOKIE_VALUE, HEADER, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE].cs__freeze
+            BASE64_INPUT_TYPES = [BODY, COOKIE_VALUE, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE].cs__freeze
 
             class << self
               include Contrast::Components::Logger::InstanceMethods
@@ -172,7 +172,9 @@ module Contrast
             end
 
             # Decodes the value for the given input type.
-            # Applies to BODY, COOKIE_VALUE, HEADER, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE
+            #
+            # This applies to Values sources only:
+            # BODY, COOKIE_VALUE, HEADER, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE
             #
             # @param value [String]
             # @param input_type [Symbol]
@@ -181,6 +183,9 @@ module Contrast
               return value unless Contrast::PROTECT.normalize_base64?
               return value unless BASE64_INPUT_TYPES.include?(input_type)
 
+              # TODO: RUBY-2110 Update the HEADER handling if possible.
+              # We need only the Header values.
+
               cs__decode64(value, input_type)
             end
           end

data/lib/contrast/agent/protect/rule/input_classification/encoding.rb

@@ -16,7 +16,7 @@ module Contrast
 
             # Still a list is needed for this one, as it is not possible to determine if the value is encoded or not.
             # As long as the list is short the method has a good percentage of success.
-            KNOWN_DECODING_EXCEPTIONS = %w[cmd].cs__freeze
+            KNOWN_DECODING_EXCEPTIONS = %w[cmd version if_modified_since].cs__freeze
 
             # This methods is not performant, but is more safe for false positive.
             # Base64 check is no trivial task. For example if one passes a value like 'stringdw' it will return true,