contrast-agent 6.9.0 → 6.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b850f63bce180f09f998f5363f58b01e9c69db61a2f98a31db97fb59b82564d7
-  data.tar.gz: 811072666998fb4daf0f49d2514d875b45c18d79d29398639862f1c2144aa930
+  metadata.gz: 624b29e40ff797608bb6fef0ab00377cc1bc3e6756af01063d4768fad53bfbfa
+  data.tar.gz: 7380498d855e3f6b8a7387ee98351d118b6b70b7bc332536bf1124a870c1a48c
 SHA512:
-  metadata.gz: ac0f4dcea0a62d6aa000659943f2b994a02940148fffdff2901ff4ff61d27fd257170ec4f48d0b1925d569dbc20de89a8866f76a17dd1c22aa15d9c80e4e9eb1
-  data.tar.gz: bd2490f015d1a5c8be5f0e7a0fc60e5acdc436b03e32420cbf19542a53b760c843cd84a17a0e7a8a3794ec69e3aa909e63fabdb32f4c32d5daa48ece261176aa
+  metadata.gz: 44d0b0cc41d92f58cf048212295fdef8367a4aa4475e3d035c9ae09c80bbcad9de08ba2a63f321381de4af41fd90b581dca2710ef3641d8eb486e8664a3d18cf
+  data.tar.gz: cb2f9e2799f8ef7fff7da2ba6714e94022ad5495ddc57c448244c34f649cb70eb756d4f806c1f1274676cbdd37749bf0177cd8539b175ba7b8086857bd1f86a3

data/.gitignore

@@ -23,7 +23,7 @@ ruby-spec
 mspec
 
 # rspec generated files
-/spec/dummy_files/*
+/spec/dummy_files/
 
 # Funchook artifacts
 /ext/**/funchook.h

data/lib/contrast/agent/assess/rule/response/body_rule.rb

@@ -50,7 +50,7 @@ module Contrast
 
               potential_elements(section, element_start_str).flatten.each do |potential_element|
                 next unless potential_element
-                next unless element_openings.any? { |opening| potential_element.starts_with?(opening) }
+                next unless element_openings.any? { |opening| potential_element.start_with?(opening) }
 
                 section_start = section.index(element_start_str, section_start)
                 next unless section_start

data/lib/contrast/agent/middleware.rb

@@ -14,6 +14,7 @@ require 'contrast/utils/telemetry'
 require 'contrast/agent/request_handler'
 require 'contrast/agent/static_analysis'
 require 'contrast/agent/telemetry/events/startup_metrics_event'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
 require 'contrast/utils/middleware_utils'
 require 'contrast/utils/reporting/application_activity_batch_utils'
 require 'contrast/utils/timer'
@@ -23,7 +24,7 @@ module Contrast
     # This class allows the Agent to plug into the Rack middleware stack. When the application is first started, we
     # initialize ourselves as a rack middleware inside of #initialize. Afterwards, we process each http request and
     # response as it goes through the middleware stack inside of #call.
-    class Middleware
+    class Middleware # rubocop:disable Metrics/ClassLength
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
       include Contrast::Utils::MiddlewareUtils
@@ -171,12 +172,13 @@ module Contrast
         with_contrast_scope do
           context.extract_after(response) # update context with final response information
 
-          # Build and report all collected findings prior response
           Contrast::Agent::FINDINGS.report_collected_findings unless Contrast::Agent::FINDINGS.collection.empty?
           # All protect rules, which are trigger but require response to be reported
           Contrast::Agent::EXPLOITS.report_recorded_exploits(context) unless Contrast::Agent::EXPLOITS.collection.empty?
           # Process Worth Watching Inputs for v2 rules
           Contrast::Agent.worth_watching_analyzer&.add_to_queue(context.agent_input_analysis)
+          # Now we can build the ia_results only for postfilter rules.
+          context.protect_postfilter_ia
 
           if Contrast::Agent.framework_manager.streaming?(env)
             context.reset_activity

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -16,7 +16,6 @@ require 'contrast/agent/protect/rule/path_traversal'
 require 'contrast/agent/protect/rule/path_traversal/path_traversal_input_classification'
 require 'contrast/agent/protect/rule/xss/reflected_xss_input_classification'
 require 'contrast/agent/protect/rule/xss'
-require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
 require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'json'
@@ -29,7 +28,13 @@ module Contrast
       module InputAnalyzer
         DISPOSITION_NAME = 'name'
         DISPOSITION_FILENAME = 'filename'
-        DISPOSITION_KEYS = %w[Content-Disposition CONTENT_DISPOSITION].cs__freeze
+        PREFILTER_RULES = %w[bot-blocker unsafe-file-upload reflected-xss].cs__freeze
+        INFILTER_RULES = %w[
+          sql-injection cmd-injection reflected-xss bot-blocker unsafe-file-upload path-traversal
+          nosql-injection
+        ].cs__freeze
+        POSTFILTER_RULES = %w[sql-injection cmd-injection reflected-xss path-traversal nosql-injection].cs__freeze
+        AGENTLIB_TIMEOUT = 5.cs__freeze
 
         class << self
           include Contrast::Agent::Reporting::InputType
@@ -37,44 +42,8 @@ module Contrast
           include Contrast::Utils::ObjectShare
           include Contrast::Components::Logger::InstanceMethods
 
-          PROTECT_RULES = {
-              sqli: {
-                  rule_name: 'sql-injection',
-                  classification: Contrast::Agent::Protect::Rule::SqliInputClassification
-              },
-              cmdi: {
-                  rule_name: 'cmd-injection',
-                  classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
-              },
-              # method_tampering: {
-              #     rule_name: 'method-tampering',
-              #     classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
-              # },
-              reflected_xss: {
-                  rule_name: Contrast::Agent::Protect::Rule::Xss::NAME,
-                  classification: Contrast::Agent::Protect::Rule::ReflectedXssInputClassification
-              },
-              bot_blocker: {
-                  rule_name: Contrast::Agent::Protect::Rule::BotBlocker::NAME,
-                  classification: Contrast::Agent::Protect::Rule::BotBlockerInputClassification
-              },
-              unsafe_file_upload: {
-                  rule_name: Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
-                  classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
-              },
-              path_traversal: {
-                  rule_name: Contrast::Agent::Protect::Rule::PathTraversal::NAME,
-                  classification: Contrast::Agent::Protect::Rule::PathTraversalInputClassification
-              },
-              nosqli: {
-                  rule_name: Contrast::Agent::Protect::Rule::NoSqli::NAME,
-                  classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
-              }
-          }.cs__freeze
-
           # This method with analyze the user input from the context of the
-          # current request and run each of the protect rules against all
-          # found input types
+          # current request and return new ia with extracted input types.
           #
           # @param request [Contrast::Agent::Request] current request context.
           # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
@@ -87,39 +56,8 @@ module Contrast
 
             input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
             input_analysis.request = request
-            # each rule against each input
-            input_classification(inputs, input_analysis)
-            input_analysis
-          end
-
-          private
-
-          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
-          #
-          # @param inputs [String, Array<String>] user input to be analysed.
-          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
-          #                                                       for each protect rule.
-          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-          def input_classification inputs, input_analysis
-            # key = input type, value = user_input
-            inputs.each do |input_type, value|
-              next if value.nil? || value.empty?
-
-              PROTECT_RULES.each do |_key, rule|
-                protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
-                logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
-
-                # check if rule is enabled
-                next unless protect_rule&.enabled?
-
-                # method tampering doesn't take value
-                if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-                  rule[:classification].send(:classify, rule[:rule_name], input_type, input_analysis)
-                else
-                  rule[:classification].send(:classify, rule[:rule_name], input_type, value, input_analysis)
-                end
-              end
-            end
+            # Save those for trigger time
+            input_analysis.inputs = extract_input(request)
             input_analysis
           end
 
@@ -146,22 +84,77 @@ module Contrast
             inputs
           end
 
+          # classify input by rule
+          #
+          # @param rule_id [String] name of the rule
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] from
+          # analyze method.
+          def input_classification_for rule_id, input_analysis
+            return unless input_analysis&.inputs
+            return unless (protect_rule = Contrast::PROTECT.rule(rule_id)) && protect_rule.enabled?
+
+            input_analysis.inputs.each do |input_type, value|
+              next if value.nil? || value.empty?
+
+              # append to results.
+              protect_rule.classification.classify(rule_id, input_type, value, input_analysis)
+            end
+            input_analysis
+          end
+
+          # classify input by array of rules. There is a timeout for the AgentLib analysis if not set it
+          # will use the default 5s.
+          #
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+          #                                                       for each protect rule.
+          # @param prefilter [Boolean] flag to set input analysis for prefilter rules only
+          # @param postfilter [Boolean] flag to set input analysis for postfilter rules.
+          # @param infilter [Boolean]
+          # @param interval [Integer] The timeout determined for the AgentLib analysis to be performed
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          # @raise [Timeout::Error] If timeout is met.
+          def input_classification(input_analysis,
+                                   prefilter: false,
+                                   postfilter: false,
+                                   infilter: false,
+                                   interval: AGENTLIB_TIMEOUT)
+            return unless input_analysis
+
+            rules = if prefilter
+                      PREFILTER_RULES
+                    elsif postfilter
+                      POSTFILTER_RULES
+                    else
+                      INFILTER_RULES
+                    end
+
+            rules.each do |rule_id|
+              # Check to see if rules is already triggered only for infilter:
+              next if input_analysis.triggered_rules.include?(rule_id) && infilter
+
+              Timeout.timeout(interval) do
+                input_classification_for(rule_id, input_analysis)
+              end
+            end
+            input_analysis
+          rescue Timeout::Error => e
+            logger.warn('AgentLib timed out when processing InputAnalysisResult', e, ia_result)
+            nil
+          end
+
+          private
+
           # Extract the filename and name of the  Content Disposition Header.
           #
           # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
           # @param request [Contrast::Agent::Request] current request context.
           def extract_multipart inputs, request
-            disposition = request.rack_request.env[DISPOSITION_KEYS[0]]
-            disposition = request.rack_request.env[DISPOSITION_KEYS[1]] if disposition.nil? || disposition.empty?
-            return unless disposition
-
-            pairs = {}
-            disposition.split(SEMICOLON).each do |elem|
-              new_pair = elem.strip.split(EQUALS, 2)
-              pairs[new_pair[0].downcase] = new_pair[1] if new_pair
-            end
-            inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
-            inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+            return unless (parsed_data = Rack::Multipart.parse_multipart(request.rack_request.env))
+
+            filename = parsed_data[DISPOSITION_FILENAME]
+            inputs[MULTIPART_FIELD_NAME] = filename[DISPOSITION_FILENAME.to_sym] if filename
+            name = filename[DISPOSITION_NAME.to_sym]
+            inputs[MULTIPART_NAME] = name if name
           end
         end
       end

data/lib/contrast/agent/protect/input_analyzer/worth_watching_analyzer.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/worker_thread'
+require 'contrast/agent/reporting/input_analysis/input_analysis_result'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/reporting/reporting_events/application_activity'
 require 'contrast/utils/input_classification_base'
@@ -28,69 +29,73 @@ module Contrast
           return if running?
 
           @_thread = Contrast::Agent::Thread.new do
-            logger.info('Starting Worth Watching Analyzer thread.')
+            logger.info('[WorthWatchingAnalyzer] Starting thread.')
             loop do
               sleep(REPORT_INTERVAL_SECOND)
               next if queue.empty?
 
               report = false
-              num_to_report = queue.length
+              # build attack_results for all infilter active protect rules.
+              results = build_results(queue.pop)
               activity = Contrast::Agent::Reporting::ApplicationActivity.new
-              num_to_report.times do
-                next unless (attack_result = eval_input(queue.pop))
+              results.each do |result|
+                next unless (attack_result = eval_input(result))
 
                 activity.attach_defend(attack_result)
                 report = true
               end
               Contrast::Agent.reporter.send_event_immediately(activity) if report
             rescue StandardError => e
-              logger.debug('Worth Watching Analyzer thread could not process result because of:', e)
+              logger.debug('[WorthWatchingAnalyzer] thread could not process result because of:', e)
             end
           end
         end
 
-        # param Contrast::Agent::Reporting::InputAnalysis
+        # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
         def add_to_queue input_analysis
-          return if input_analysis&.results&.empty?
+          return unless input_analysis
 
           if queue.size >= QUEUE_SIZE
-            logger.debug('WorthWatching queue at max size, skip input_result')
+            logger.debug('[WorthWatchingAnalyzer] queue at max size, skip input_result')
             return
           end
-          input_analysis.results.select { |val| val.score_level == WORTHWATCHING }.
-              each do |ia_result|
-            queue << ia_result
-          end
+          # There will be no results here because of the delay of the protect rule analysis,
+          # we need to save the ia which contains the request and saved extracted user inputs to
+          # be evaluated on the thread rather than building results here. This way we allow the
+          # request to continue and will build the attack results later.
+          queue << input_analysis
         end
 
         private
 
+        # This method will build the attack results from the saved ia.
+        #
+        # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis]
+        # @return attack_results [array<Contrast::Agent::Reporting::InputAnalysisResult>] all the results
+        # from the input analysis.
+        def build_results input_analysis
+          # Construct the input analysis for the all the infilter rules that were not triggered.
+          # There is a set timeout for each rule to be analyzed in. The infilter flag will make
+          # sure that if a rule is already triggered during the infilter phase it will not be analyzed
+          # now, making sure we don't report same rule twice.
+          Contrast::Agent::Protect::InputAnalyzer.input_classification(input_analysis, infilter: true)
+          results = []
+          input_analysis.results.reject { |val| val.score_level == SCORE_LEVEL::IGNORE }.
+              each do |ia_result|
+            results << ia_result
+          end
+
+          results
+        end
+
         # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the WorthWatching InputAnalysisResult
-        # @return [Contrast::Agent::Reporting::InputAnalysisResult, nil] InputAnalysisResult updated Result or nil
+        # @return [Contrast::Agent::Reporting::AttackResult, nil] InputAnalysisResult updated Result or nil
         def eval_input ia_result
-          return if ia_result.nil?
-
-          if ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
-            logger.debug("Skip anaylsis: Input size is larger than #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
-            return
-          end
+          return build_attack_result(ia_result) unless ia_result.value.to_s.bytesize >= INPUT_BYTESIZE_THRESHOLD
 
-          begin
-            input_eval = Timeout.timeout(AGENTLIB_TIMEOUT) do
-              Contrast::AGENT_LIB.eval_input(ia_result.value,
-                                             convert_input_type(ia_result.input_type),
-                                             Contrast::AGENT_LIB.rule_set[ia_result.rule_id],
-                                             Contrast::AGENT_LIB.eval_option[:NONE])
-            end
-            score = input_eval&.score || 0
-            return if score <= THRESHOLD
-
-            ia_result.score_level = DEFINITEATTACK
-            build_attack_result(ia_result)
-          rescue Timeout::Error => e
-            logger.warn('AgentLib timed out when processing WORTHWATCHING InputAnalysisResult', e, ia_result)
-            nil
-          end
+          logger.debug("[WorthWatchingAnalyzer] Skipping analysis: Input size is larger than
+                      #{ INPUT_BYTESIZE_THRESHOLD / 1024 }KB")
+          nil
         end
 
         # @param ia_result Contrast::Agent::Reporting::InputAnalysisResult the updated InputAnalysisResult

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -32,6 +32,8 @@ module Contrast
 
               clazz = object.is_a?(Module) ? object : object.cs__class
               class_name = clazz.cs__name
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
               # invoke cmdi sub-rules.
               rule.sub_rules.each do |sub_rule|

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -20,6 +20,8 @@ module Contrast
               return unless valid_input?(args)
               return if skip_analysis?
 
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
               database = properties['database']
               operations = args[0]
               context = Contrast::Agent::REQUEST_TRACKER.current
@@ -48,10 +50,11 @@ module Contrast
             end
 
             def handle_operation context, database, _action, operation
-              data = extract_mongo_data(operation)
-              return unless data && !data.empty?
+              # TODO: RUBY-1991 Expand NoSQLI triggers
+              # data = extract_mongo_data(operation)
+              # return unless data && !data.empty?
 
-              rule.infilter(context, database, data)
+              rule.infilter(context, database, operation)
             end
 
             def extract_mongo_data operation

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -29,6 +29,9 @@ module Contrast
               write_marker = write?(action, *args)
               possible_write = write_marker && possible_write?(write_marker)
 
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
+
               # Invoke semantic rules from here, not in a separate protect policy
               invoke_semantic_rules(path, possible_write, object, method)
               path_traversal_rule(path, possible_write, object, method)

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -29,6 +29,9 @@ module Contrast
               return if skip_analysis?
 
               sql = args[index]
+
+              # Get the ia for current rule:
+              apply_classification(rule_name, Contrast::Agent::REQUEST_TRACKER.current)
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
               rule.sub_rules.each { |sub_rule| sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, sql) }
             end

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/components/logger'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
 
 module Contrast
   module Agent
@@ -44,6 +45,17 @@ module Contrast
                                                            rule: rule_name)
           end
 
+          # applies input_analysis for the invoked rule
+          #
+          # @param rule_id [String] name of the rule
+          # @param context [Contrast::Agent::RequestContext] current request contest
+          def apply_classification rule_id, context
+            return unless context
+            return unless (ia = context.agent_input_analysis)
+
+            Contrast::Agent::Protect::InputAnalyzer.input_classification_for(rule_id, ia)
+          end
+
           protected
 
           # Calls the actual rule for this applicator, if required. Most rules

data/lib/contrast/agent/protect/rule/base.rb

@@ -5,6 +5,7 @@ require 'contrast/components/logger'
 require 'contrast/components/scope'
 require 'contrast/utils/object_share'
 require 'contrast/agent/reporting/attack_result/response_type'
+require 'contrast/agent/reporting/attack_result/attack_result'
 
 module Contrast
   module Agent
@@ -51,6 +52,23 @@ module Contrast
             Contrast::Utils::ObjectShare::EMPTY_ARRAY
           end
 
+          # The classification module used for each specific rule to
+          # classify input data and score it. Extend for each rule.
+          def classification; end
+
+          # Input Classification stage is done to determine if an user input is
+          # DEFINITEATTACK or to be ignored.
+          #
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [Hash<String>] the value of the input.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #                                                       agent analysis from the current
+          #                                                       Request.
+          # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
+          def classify input_type, value, input_analysis
+            classification.classify(rule_name, input_type, value, input_analysis)
+          end
+
           def enabled?
             # 1. it is not enabled because protect is not enabled
             return false unless ::Contrast::AGENT.enabled?
@@ -288,11 +306,7 @@ module Contrast
           # @param _context [Contrast::Agent::RequestContext] the context of
           #   the current request
           # @return [Contrast::Agent::Reporting::AttackResult]
-          def build_attack_result _context
-            result = Contrast::Agent::Reporting::AttackResult.new
-            result.rule_id = rule_name
-            result
-          end
+          def build_attack_result _context; end
 
           # @param sample [Contrast::Agent::Reporting::RaspRuleSample]
           # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous attack result for this rule, if one

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -96,6 +96,12 @@ module Contrast
             end
           end
 
+          def build_attack_result _context
+            result = Contrast::Agent::Reporting::AttackResult.new
+            result.rule_id = rule_name
+            result
+          end
+
           # @param context [Contrast::Agent::RequestContext]
           # @param potential_attack_string [String, nil]
           # @param **kwargs

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification.rb

@@ -39,7 +39,7 @@ module Contrast
 
               value.each_value do |val|
                 result = create_new_input_result(input_analysis.request, rule.rule_name, input_type, val)
-                input_analysis.results << result if result
+                append_result(input_analysis, result)
               end
 
               input_analysis

data/lib/contrast/agent/protect/rule/bot_blocker.rb

@@ -6,6 +6,7 @@ require 'contrast/components/logger'
 require 'contrast/agent/reporting/input_analysis/input_type'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent_lib/interface'
+require 'contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification'
 
 module Contrast
   module Agent
@@ -27,6 +28,13 @@ module Contrast
             APPLICABLE_USER_INPUTS
           end
 
+          # Bot blocker input classification
+          #
+          # @return [module<Contrast::Agent::Protect::Rule::BotBlockerInputClassification>]
+          def classification
+            @_classification ||= Contrast::Agent::Protect::Rule::BotBlockerInputClassification.cs__freeze
+          end
+
           # BotBlocker prefilter:
           #
           # @param context [Contrast::Agent::RequestContext] current request contest

data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/agent/reporting/details/cmd_injection_details'
 require 'contrast/agent/reporting/attack_result/user_input'
+require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
 
 module Contrast
   module Agent
@@ -21,6 +22,13 @@ module Contrast
             MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
           ].cs__freeze
 
+          # CMDI input classification
+          #
+          # @return [module<Contrast::Agent::Protect::Rule::CmdiInputClassification>]
+          def classification
+            @_classification ||= Contrast::Agent::Protect::Rule::CmdiInputClassification.cs__freeze
+          end
+
           # CMDI infilter:
           #
           # @param context [Contrast::Agent::RequestContext] current request contest

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -1,7 +1,7 @@
 # Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-require 'contrast/agent/protect/rule/base'
+require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/reporting/details/untrusted_deserialization_details'
 require 'contrast/components/logger'
 
@@ -11,7 +11,7 @@ module Contrast
       module Rule
         # This class handles our implementation of the Untrusted
         # Deserialization Protect rule.
-        class Deserialization < Contrast::Agent::Protect::Rule::Base
+        class Deserialization < Contrast::Agent::Protect::Rule::BaseService
           # The TeamServer recognized name of this rule
           include Contrast::Components::Logger::InstanceMethods
           # Used to name this input since input analysis isn't done for this

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -4,6 +4,7 @@
 require 'contrast/agent/protect/rule/base_service'
 require 'contrast/agent/protect/rule/sql_sample_builder'
 require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
 
 module Contrast
   module Agent
@@ -39,6 +40,13 @@ module Contrast
             APPLICABLE_USER_INPUTS
           end
 
+          # NoSQLI input classification
+          #
+          # @return [module<Contrast::Agent::Protect::Rule::NoSqliInputClassification>]
+          def classification
+            @_classification ||= Contrast::Agent::Protect::Rule::NoSqliInputClassification.cs__freeze
+          end
+
           # @raise [Contrast::SecurityException] if the attack is blocked
           #   raised with BLOCK_MESSAGE
           def infilter context, database, query_string
@@ -78,9 +86,14 @@ module Contrast
 
           def find_attacker context, potential_attack_string, **kwargs
             if potential_attack_string
-              # We need the query hash to be a JSON string to match on JSON input attacks
+              # We need the query hash to be a JSON string to match on JSON input attacks.
+              # Before that we need to check if a string is already in json form.
               begin
-                potential_attack_string = JSON.generate(potential_attack_string).to_s
+                potential_attack_string = if json?(potential_attack_string)
+                                            potential_attack_string
+                                          else
+                                            JSON.generate(potential_attack_string).to_s
+                                          end
               rescue JSON::GeneratorError
                 logger.trace('Error in JSON::generate', input: potential_attack_string)
                 nil
@@ -88,6 +101,15 @@ module Contrast
             end
             super(context, potential_attack_string, **kwargs)
           end
+
+          # Check to see if a string is in JSON form.
+          #
+          # @return [Boolean]
+          def json? string
+            return true if JSON.parse(string)
+          rescue StandardError
+            false
+          end
         end
       end
     end