contrast-agent 7.4.0 → 7.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1266effb11fb78123e8461ce7295f9b4a67a88b7dda632bc57da5d70cb39f87d
-  data.tar.gz: e553aa33bd73ab712585b774578c10ff6f19ae925fdea8adb89c3b6ac253e399
+  metadata.gz: f6b34ada48cf9e91e05d85ea0f003575119b751bf135ef49709fb1501c475b3e
+  data.tar.gz: 2915fb037c832fec213dfc7835b8d732e1c22005987ef2c4287dfb55264d41a2
 SHA512:
-  metadata.gz: 7abce257d4092010babc21cff242307343ea2fc83bdbd040b8cd95e64be9b2e640963a06ae017053989be17e98442bbc528987c2da5b8f7bc8688b776022c783
-  data.tar.gz: f85de50b08e0eaa5f5d8c6a571fe4d04a03cbbcaab1f9c7f2431dac6b4373b00e04f63be94b5f02d56e222248c5fe256b61fb43ba123d041e1ce585b80e63a5f
+  metadata.gz: 627d1959c5993100f6bc08624d1a68627b02af18f6aa48c074f0cf374925877761b09077ce21366b6d5ddafb3185907472564753b3fbab65f6f7d74d2b74dc10
+  data.tar.gz: 224228b9e9c276c39e6d78a330a456b37cf550b4155c4b96f5ff1d29e7bf7846521c102f510061f8d6ec5e9245b99fe567cce7a5202dd2acfd62c6e7bb9ca795

data/lib/contrast/agent/hooks/at_exit_hook.rb

@@ -27,7 +27,8 @@ module Contrast
                      pp_id: @ppid,
                      process_pid: Process.pid,
                      process_pp_id: Process.ppid)
-
+        $stdout.puts('[Contrast Agent] Graceful shutdown...')
+        report_traces
         context = Contrast::Agent::REQUEST_TRACKER.current
         return unless context
 
@@ -39,6 +40,20 @@ module Contrast
         end
         Contrast::Agent.reporter&.send_event_immediately(context.activity)
       end
+
+      def self.report_traces
+        return unless Contrast::ASSESS.enabled?
+
+        collection = Contrast::Agent::Reporting::ReportingStorage.collection
+
+        # report gathered traces:
+        return if collection.empty?
+
+        collection.each do |_id, finding|
+          preflight = Contrast::Agent::Reporting::BuildPreflight.generate(finding)
+          Contrast::Agent.reporter&.send_event_immediately(preflight)
+        end
+      end
     end
   end
 end

data/lib/contrast/agent/middleware/middleware.rb

@@ -191,7 +191,7 @@ module Contrast
           # Now we can build the ia_results only for postfilter rules.
           context.protect_postfilter_ia
           # Process Worth Watching Inputs for v2 rules
-          Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
+          Contrast::Agent.worth_watching_analyzer&.add_to_queue(context)
 
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -20,6 +20,7 @@ require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
 require 'contrast/agent/protect/rule/xss/xss'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
+require 'contrast/utils/duck_utils'
 require 'contrast/agent/protect/rule/input_classification/base64_statistic'
 require 'json'
 
@@ -33,10 +34,10 @@ module Contrast
         DISPOSITION_FILENAME = 'filename'
         PREFILTER_RULES = %w[bot-blocker unsafe-file-upload reflected-xss].cs__freeze
         INFILTER_RULES = %w[
-          sql-injection cmd-injection reflected-xss bot-blocker unsafe-file-upload path-traversal
+          sql-injection cmd-injection bot-blocker unsafe-file-upload path-traversal
           nosql-injection
         ].cs__freeze
-        POSTFILTER_RULES = %w[sql-injection cmd-injection reflected-xss path-traversal nosql-injection].cs__freeze
+        POSTFILTER_RULES = %w[sql-injection cmd-injection path-traversal nosql-injection].cs__freeze
         AGENTLIB_TIMEOUT = 5.cs__freeze
         TIMEOUT_ERROR_MESSAGE = '[AgentLib] Timed out when processing InputAnalysisResult'
         STANDARD_ERROR_MESSAGE = '[InputAnalyzer] Exception raise while doing input analysis:'
@@ -100,12 +101,15 @@ module Contrast
           # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] from analyze method.
           # @param interval [Integer] The timeout determined for the AgentLib analysis to be performed.
           def input_classification_for rule_id, input_analysis, interval: AGENTLIB_TIMEOUT
-            return unless input_analysis&.inputs
+            return if input_analysis.analysed_rules.include?(rule_id)
+            return if input_analysis.no_inputs?
             return unless (protect_rule = Contrast::PROTECT.rule(rule_id)) && protect_rule.enabled?
 
             input_analysis.inputs.each do |input_type, value|
-              next if value.nil? || value.empty?
+              value = handle_header(input_type, value)
+              next if Contrast::Utils::DuckUtils.empty_duck?(value)
 
+              # Traverse only the Header values:
               Timeout.timeout(interval) do
                 protect_rule.classification.classify(rule_id, input_type, value, input_analysis)
               end
@@ -128,14 +132,12 @@ module Contrast
           #                                                       for each protect rule.
           # @param prefilter [Boolean] flag to set input analysis for prefilter rules only
           # @param postfilter [Boolean] flag to set input analysis for postfilter rules.
-          # @param infilter [Boolean]
           # @param interval [Integer] The timeout determined for the AgentLib analysis to be performed
           # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
           # @raise [Timeout::Error] If timeout is met.
           def input_classification(input_analysis,
                                    prefilter: false,
                                    postfilter: false,
-                                   infilter: false,
                                    interval: AGENTLIB_TIMEOUT)
             return unless input_analysis
 
@@ -147,17 +149,22 @@ module Contrast
                       INFILTER_RULES
                     end
 
-            rules.each do |rule_id|
-              # Check to see if rules is already triggered only for infilter:
-              next if input_analysis.triggered_rules.include?(rule_id) && infilter
-
-              input_classification_for(rule_id, input_analysis, interval: interval)
-            end
+            rules.each { |rule_id| input_classification_for(rule_id, input_analysis, interval: interval) }
             input_analysis
           end
 
           private
 
+          # Extracts header values, and skips keys if input_type is Header.
+          # @param input_type [Symbol]
+          # @param value [Hash, nil]
+          # @return value [Hash, nil]
+          def handle_header input_type, value
+            return value&.values || [] if input_type == Contrast::Agent::Reporting::InputType::HEADER
+
+            value
+          end
+
           # Extract the filename and name of the  Content Disposition Header.
           #
           # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]

data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb

@@ -42,16 +42,15 @@ module Contrast
               next if queue.empty?
 
               report = false
-              # build attack_results for all infilter active protect rules.
-              stored_ia = queue.pop
-              results = build_results(stored_ia)
-              activity = Contrast::Agent::Reporting::ApplicationActivity.new(ia_request: stored_ia.request)
+              stored_context, stored_ia, results, activity = extract_from_context
+
               results.each do |result|
-                next unless (attack_result = eval_input(result))
+                next unless (attack_result = eval_input(stored_context, result, stored_ia))
 
                 activity.attach_defend(attack_result)
                 report = true
               end
+
               report_activity(activity) if report
               # Handle reporting of IA Cache statistics:
               enqueue_cache_event(stored_ia.request)
@@ -62,9 +61,22 @@ module Contrast
           end
         end
 
-        # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
-        def add_to_queue input_analysis
-          return unless input_analysis
+        # build attack_results for all infilter active protect rules.
+        # Stored Context will update the logger context and build attack results for protect rules.
+        # Note: call only in thread loop as it extracts from the queue.
+        #
+        # @return [Array<stored_context, stored_ia, results, activity>]
+        def extract_from_context
+          stored_context = queue.pop
+          stored_ia = stored_context.agent_input_analysis
+          results = build_results(stored_ia)
+          activity = Contrast::Agent::Reporting::ApplicationActivity.new(ia_request: stored_ia.request)
+          [stored_context, stored_ia, results, activity]
+        end
+
+        # @param context [Contrast::Agent::RequestContext]
+        def add_to_queue context
+          return unless context
 
           if queue.size >= QUEUE_SIZE
             logger.debug('[WorthWatchingAnalyzer] queue at max size, skip input_result')
@@ -74,7 +86,7 @@ module Contrast
           # we need to save the ia which contains the request and saved extracted user inputs to
           # be evaluated on the thread rather than building results here. This way we allow the
           # request to continue and will build the attack results later.
-          queue << input_analysis.dup
+          queue << context.dup
         end
 
         private
@@ -91,6 +103,9 @@ module Contrast
           Contrast::Agent::Protect::InputAnalyzer.lru_cache.clear_statistics
         end
 
+        # Enqueue for Telemetry reporting all base64 related events.
+        #
+        # @param request [Contrast::Agent::Request] stored request.
         def enqueue_encoding_event request
           return unless Contrast::Agent::Telemetry::Base.enabled?
           return unless Contrast::PROTECT.normalize_base64?
@@ -102,16 +117,16 @@ module Contrast
 
         # This method will build the attack results from the saved ia.
         #
-        # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
+        # @param stored_ia [Contrast::Agent::Reporting::InputAnalysis]
         # @return attack_results [array<Contrast::Agent::Reporting::InputAnalysisResult>] all the results
         # from the input analysis.
-        def build_results input_analysis
+        def build_results stored_ia
           # Construct the input analysis for the all the infilter rules that were not triggered.
           # There is a set timeout for each rule to be analyzed in. The infilter flag will make
           # sure that if a rule is already triggered during the infilter phase it will not be analyzed
           # now, making sure we don't report same rule twice.
-          Contrast::Agent::Protect::InputAnalyzer.input_classification(input_analysis, infilter: true)
-          results = input_analysis.results.reject do |val|
+          Contrast::Agent::Protect::InputAnalyzer.input_classification(stored_ia)
+          results = stored_ia.results.reject do |val|
             val.score_level == Contrast::Agent::Reporting::InputAnalysisResult::SCORE_LEVEL::IGNORE
           end
           return results if results
@@ -119,39 +134,59 @@ module Contrast
           []
         end
 
+        # Evaluates the stored ia results and builds attack results if any.
+        #
+        # @param stored_context [Contrast::Agent::RequestContext]
         # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the WorthWatching InputAnalysisResult
+        # @param stored_ia [Contrast::Agent::Reporting::InputAnalysis] the stored InputAnalysis
         # @return [Contrast::Agent::Reporting::AttackResult, nil] InputAnalysisResult updated Result or nil
-        def eval_input ia_result
-          return build_attack_result(ia_result) unless ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
+        def eval_input stored_context, ia_result, stored_ia
+          return skip_log if ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
 
-          logger.debug("[WorthWatchingAnalyzer] Skipping analysis: Input size is larger than
-                      #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
-          nil
+          build_attack_result(stored_context, ia_result, stored_ia)
         end
 
+        # Creates new Attack Event per rule that will be triggered or probed.
+        #
+        # @param stored_context [Contrast::Agent::RequestContext]
         # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the updated InputAnalysisResult
         # with a score of :DEFINITEATTACK
+        # @param stored_ia [Contrast::Agent::Reporting::InputAnalysis] the stored InputAnalysis
         # @return [Contrast::Agent::Reporting::AttackResult] the attack result from
         #   this input
-        def build_attack_result ia_result
-          Contrast::PROTECT.rule(ia_result.rule_id).build_attack_without_match(nil, ia_result, nil)
+        def build_attack_result stored_context, ia_result, stored_ia
+          return if stored_ia.triggered_rules.include?(ia_result.rule_id)
+
+          Contrast::PROTECT.rule(ia_result.rule_id).build_attack_without_match(stored_context, ia_result, nil)
         end
 
+        # @return [Queue]
         def queue
           @_queue ||= Queue.new
         end
 
+        # Reports all gather activities to batch.
+        #
+        # @param activity [Contrast::Agent::Reporting::ApplicationActivity]
         def report_activity activity
           logger.debug('[WorthWatchingAnalyzer] preparing to send activity batch')
           add_activity_to_batch(activity)
           report_batch
         end
 
+        # Deletes Queue and closes it.
         def delete_queue!
           @_queue&.clear
           @_queue&.close
           @_queue = nil
         end
+
+        # Logs a message that the input was skipped because it was too large.
+        def skip_log
+          logger.debug("[WorthWatchingAnalyzer] Skipping analysis: Input size is larger than
+                      #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
+          nil
+        end
       end
     end
   end

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -55,10 +55,7 @@ module Contrast
             return unless (ia = context.agent_input_analysis)
 
             Contrast::Agent::Protect::InputAnalyzer.input_classification_for(rule_id, ia)
-            # We add the triggered rule to the list. After request analysis will skip this rule
-            # as already it's input applicable types has been analysed.
-            ia.triggered_rules << rule_name
-            ia
+            context.agent_input_analysis.record_analysed_rule(rule_id)
           end
 
           protected

data/lib/contrast/agent/protect/rule/base.rb

@@ -141,20 +141,30 @@ module Contrast
           end
 
           # With this we log to CEF
-          #
-          # @param result [Contrast::Agent::Reporting::AttackResult]
+          # @param result [Contrast::Agent::Reporting::InputAnalysisResult]
           # @param attack [Symbol] the type of message we want to send
           # @param value [String] the input value we want to log
-          def cef_logging result, attack = :ineffective_attack, value: nil
+          # @param input_type [String] the input type we want to log
+          # @param context [Contrast::Agent::RequestContext]
+          def cef_logging result, attack = :ineffective_attack, value: nil, input_type: nil, context: nil
             sample = result.samples[0]
             outcome = result.response.to_s
-            input_type = sample.user_input.input_type.to_s
-            input_value = sample.user_input.value || value
-            cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
+            input_type = sample&.user_input&.input_type&.to_s || input_type
+            input_value = sample&.user_input&.value || value
+            cef_logger.send(attack, result.rule_id, outcome, input_type, input_value, context)
           end
 
           protected
 
+          # Records the rule being triggered at sink.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          def record_triggered context
+            return unless context
+
+            context.agent_input_analysis.record_rule_triggered(rule_name)
+          end
+
           # Assign the mode from active settings.
           #
           # @return mode [Symbol]
@@ -191,22 +201,20 @@ module Contrast
           # @param potential_attack_string [String, nil]
           # @param ia_results [Array<Contrast::Agent::Reporting::InputAnalysis>]
           # @param **kwargs
-          # @return [Contrast::Agent::Reporting, nil]
+          # @return [Contrast::Agent::Reporting::AttackResult, nil]
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
             logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
+            return unless ia_results&.any?
+            return build_attack_without_match(context, ia_results[0], nil, **kwargs) unless potential_attack_string
 
-            result = nil
             ia_results.each do |ia_result|
-              if potential_attack_string
-                idx = potential_attack_string.index(ia_result.value)
-                next unless idx
-
-                result = build_attack_with_match(context, ia_result, result, potential_attack_string, **kwargs)
-              else
-                result = build_attack_without_match(context, ia_result, result, **kwargs)
-              end
+              idx = potential_attack_string.index(ia_result.value)
+              next unless idx
+
+              result = build_attack_with_match(context, ia_result, result || nil, potential_attack_string, **kwargs)
+              return result if result
             end
-            result
+            nil
           end
 
           # By default, rules do not have to find attackers as they do not have
@@ -231,15 +239,17 @@ module Contrast
           #
           # @param context [Contrast::Agent::RequestContext] the context for
           #   the current request
-          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis]
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult]
           # @param result [Contrast::Agent::Reporting::AttackResult]
           # @param attack_string [String] Potential attack vector
           # @return [Contrast::Agent::Reporting::AttackResult]
           def update_successful_attack_response context, ia_result, result, attack_string = nil
+            cef_outcome = :successful_attack
             case mode
             when :MONITOR
               # We are checking the result as the ia_result would not contain the sub-rules.
               result.response = if SUSPICIOUS_REPORTING_RULES.include?(result&.rule_id)
+                                  cef_outcome = :suspicious_attack
                                   Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
                                 else
                                   Contrast::Agent::Reporting::ResponseType::MONITORED
@@ -250,7 +260,11 @@ module Contrast
 
             ia_result.attack_count = ia_result.attack_count + 1 if ia_result
             log_rule_matched(context, ia_result, result.response, attack_string)
-
+            cef_logging(result,
+                        cef_outcome,
+                        value: ia_result&.value || attack_string,
+                        input_type: ia_result&.input_type,
+                        context: context)
             result
           end
 
@@ -265,17 +279,32 @@ module Contrast
           #   multiple inputs being found to violate the protection criteria
           # @return [Contrast::Agent::Reporting::AttackResult]
           def update_perimeter_attack_response context, ia_result, result
-            if mode == :BLOCK_AT_PERIMETER
+            cef_outcome = :successful_attack
+            case mode
+            when :BLOCK_AT_PERIMETER
               result.response = if blocked_rule?(ia_result)
                                   Contrast::Agent::Reporting::ResponseType::BLOCKED
                                 else
                                   Contrast::Agent::Reporting::ResponseType::BLOCKED_AT_PERIMETER
                                 end
               log_rule_matched(context, ia_result, result.response)
-            elsif ia_result.nil? || ia_result.attack_count.zero?
+            when :BLOCK && rule_name == Contrast::Agent::Protect::Rule::Xss::NAME
+              # Handle cases like reflected-xss:
+              result.response = Contrast::Agent::Reporting::ResponseType::BLOCKED
+              log_rule_matched(context, ia_result, result.response)
+            else
+              # Handles all other cases including Reflected-xss in MONITOR mode.
+              return unless ia_result.nil? || ia_result.attack_count.zero?
+
               result.response = assign_reporter_response_type(ia_result)
+              cef_outcome = suspicious_rule?(ia_result) ? :suspicious_attack : :ineffective_attack
               log_rule_probed(context, ia_result)
             end
+            cef_logging(result,
+                        cef_outcome,
+                        value: ia_result&.value,
+                        input_type: ia_result&.input_type,
+                        context: context)
 
             result
           end
@@ -334,7 +363,7 @@ module Contrast
           # the rule id.
           #
           # @param context [Contrast::Agent::RequestContext]
-          # @return [Array<Contrast::Agent::Reporting::InputAnalysis>]
+          # @return [Array<Contrast::Agent::Reporting::InputAnalysisResult>]
           def gather_ia_results context
             return [] unless context&.agent_input_analysis&.results
 
@@ -349,7 +378,8 @@ module Contrast
           def blocked_violation? result
             return false unless result
 
-            result.response == Contrast::Agent::Reporting::ResponseType::BLOCKED
+            blocked? && (result.response == Contrast::Agent::Reporting::ResponseType::BLOCKED ||
+                result.response == Contrast::Agent::Reporting::ResponseType::BLOCKED_AT_PERIMETER)
           end
 
           private
@@ -359,7 +389,8 @@ module Contrast
           def blocked_rule? ia_result
             [
               Contrast::Agent::Protect::Rule::Sqli::NAME,
-              Contrast::Agent::Protect::Rule::NoSqli::NAME
+              Contrast::Agent::Protect::Rule::NoSqli::NAME,
+              Contrast::Agent::Protect::Rule::Xss::NAME
             ].include?(ia_result&.rule_id)
           end
 
@@ -392,7 +423,7 @@ module Contrast
 
           # @param context [Contrast::Agent::RequestContext]
           # @param potential_attack_string [String, nil]
-          # @return [Contrast::Agent::Reporting, nil]
+          # @return [Contrast::Agent::Reporting::AttackResult, nil]
           def find_postfilter_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             ia_results.select! do |ia_result|

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker.rb

@@ -19,6 +19,7 @@ module Contrast
 
           NAME = 'bot-blocker'
           APPLICABLE_USER_INPUTS = [HEADER].cs__freeze
+          BLOCK_MESSAGE = 'Bot Blocker rule triggered. Unsafe Bot blocked.'
 
           def rule_name
             NAME
@@ -28,6 +29,13 @@ module Contrast
             APPLICABLE_USER_INPUTS
           end
 
+          # Return the specific blocking message for this rule.
+          #
+          # @return [String] the reason for the raised security exception.
+          def block_message
+            BLOCK_MESSAGE
+          end
+
           # Bot blocker input classification
           #
           # @return [module<Contrast::Agent::Protect::Rule::BotBlockerInputClassification>]
@@ -49,13 +57,13 @@ module Contrast
                 ia_result.score_level == Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
 
             result = build_attack_without_match(context, ia_result, nil)
-            append_to_activity(context, result) if result
-            cef_logging(result, :successful_attack) if result
-            return unless blocked?
+            return unless result
 
+            append_to_activity(context, result)
+            record_triggered(context)
             # Raise BotBlocker error
             exception_message = "#{ rule_name } rule triggered. Unsafe Bot blocked."
-            raise(Contrast::SecurityException.new(self, exception_message))
+            raise(Contrast::SecurityException.new(self, exception_message)) if blocked_violation?(result)
           end
 
           # @param context [Contrast::Agent::RequestContext]

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb

@@ -22,32 +22,6 @@ module Contrast
           class << self
             include Contrast::Agent::Protect::Rule::InputClassification::Base
 
-            # Input Classification stage is done to determine if an user input is
-            # DEFINITEATTACK or to be ignored.
-            #
-            # @param rule_id [String] Name of the protect rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [Hash<String>] the value of the input.
-            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
-            #                                                       agent analysis from the current
-            #                                                       Request.
-            # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
-            def classify rule_id, input_type, value, input_analysis
-              return unless (rule = Contrast::PROTECT.rule(rule_id))
-              return unless rule.applicable_user_inputs.include?(input_type)
-              return unless input_analysis.request
-
-              value.each_value do |val|
-                result = create_new_input_result(input_analysis.request, rule.rule_name, input_type, val)
-                append_result(input_analysis, result)
-              end
-
-              input_analysis
-            rescue StandardError => e
-              logger.debug("An Error was recorded in the input classification of the #{ rule_id }", error: e)
-              nil
-            end
-
             private
 
             # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's

data/lib/contrast/agent/protect/rule/cmdi/cmd_injection.rb

@@ -84,12 +84,9 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
-            cef_logging(result, :successful_attack)
-
-            return unless blocked?
-
+            record_triggered(context)
             # Raise cmdi error
-            raise_error(classname, method)
+            raise_error(classname, method) if blocked_violation?(result)
           end
         end
       end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb

@@ -43,10 +43,8 @@ module Contrast
                                                             **{ classname: classname, method: method }))
 
             append_to_activity(context, result)
-            cef_logging(result, :successful_attack)
-            return unless blocked?
-
-            raise_error(classname, method)
+            record_triggered(context)
+            raise_error(classname, method) if blocked_violation?(result)
           end
 
           private

data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb

@@ -20,7 +20,7 @@ module Contrast
           APPLICABLE_USER_INPUTS = [
             BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
             PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
-            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
+            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE, UNKNOWN
           ].cs__freeze
 
           # CMDI input classification
@@ -46,6 +46,7 @@ module Contrast
             return unless (result = build_violation(context, command))
 
             append_to_activity(context, result)
+            record_triggered(context)
             raise_error(classname, method) if blocked_violation?(result)
           end
 

data/lib/contrast/agent/protect/rule/deserialization/deserialization.rb

@@ -50,6 +50,7 @@ module Contrast
           end
 
           # Return the specific blocking message for this rule.
+          #
           # @return [String] the reason for the raised security exception.
           def block_message
             BLOCK_MESSAGE
@@ -84,10 +85,9 @@ module Contrast
             kwargs = { GADGET_TYPE: gadget }
             result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
             append_to_activity(context, result)
+            record_triggered(context)
 
-            cef_logging(result, :successful_attack)
-
-            raise(Contrast::SecurityException.new(self, block_message)) if blocked?
+            raise(Contrast::SecurityException.new(self, block_message)) if blocked_violation?(result)
           end
 
           # Determine if the issued command was called while we're
@@ -106,13 +106,13 @@ module Contrast
             ia_result = build_evaluation(gadget_command)
             result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
             append_to_activity(context, result)
-            cef_logging(result, :successful_attack, value: gadget_command)
             raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
 
           protected
 
           # Build the RaspRuleSample for the detected Deserialization attack.
+          #
           # @param context [Contrast::Agent::RequestContext] the request
           #   context in which this attack is occurring.
           # @param input_analysis_result [Contrast::Agent::Reporting::InputAnalysis]

data/lib/contrast/agent/protect/rule/input_classification/base.rb

@@ -24,7 +24,7 @@ module Contrast
               COOKIE_VALUE, PARAMETER_VALUE, HEADER, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
             ].cs__freeze
 
-            BASE64_INPUT_TYPES = [BODY, COOKIE_VALUE, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE].cs__freeze
+            BASE64_INPUT_TYPES = [BODY, HEADER, COOKIE_VALUE, PARAMETER_VALUE, MULTIPART_VALUE, XML_VALUE].cs__freeze
 
             class << self
               include Contrast::Components::Logger::InstanceMethods
@@ -183,9 +183,6 @@ module Contrast
               return value unless Contrast::PROTECT.normalize_base64?
               return value unless BASE64_INPUT_TYPES.include?(input_type)
 
-              # TODO: RUBY-2110 Update the HEADER handling if possible.
-              # We need only the Header values.
-
               cs__decode64(value, input_type)
             end
           end