RubyGems - tcell_agent - Versions diffs - 1.1.3 → 1.1.4 - Mend

tcell_agent 1.1.3 → 1.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (118) hide show

checksums.yaml +4 -4
data/bin/tcell_agent +10 -2
data/lib/tcell_agent.rb +3 -3
data/lib/tcell_agent/agent.rb +42 -52
data/lib/tcell_agent/agent/event_processor.rb +129 -162
data/lib/tcell_agent/agent/fork_pipe_manager.rb +57 -62
data/lib/tcell_agent/agent/policy_manager.rb +83 -104
data/lib/tcell_agent/agent/policy_types.rb +24 -29
data/lib/tcell_agent/agent/route_manager.rb +36 -46
data/lib/tcell_agent/agent/static_agent.rb +19 -21
data/lib/tcell_agent/api.rb +23 -28
data/lib/tcell_agent/appsensor/injections_reporter.rb +7 -11
data/lib/tcell_agent/authlogic.rb +7 -7
data/lib/tcell_agent/cmdi.rb +22 -23
data/lib/tcell_agent/config/unknown_options.rb +71 -69
data/lib/tcell_agent/configuration.rb +187 -191
data/lib/tcell_agent/devise.rb +13 -15
data/lib/tcell_agent/hooks/login_fraud.rb +1 -1
data/lib/tcell_agent/instrumentation.rb +120 -124
data/lib/tcell_agent/logger.rb +29 -45
data/lib/tcell_agent/patches.rb +5 -5
data/lib/tcell_agent/policies/dataloss_policy.rb +263 -288
data/lib/tcell_agent/policies/http_redirect_policy.rb +25 -37
data/lib/tcell_agent/policies/http_tx_policy.rb +48 -52
data/lib/tcell_agent/policies/login_fraud_policy.rb +15 -20
data/lib/tcell_agent/policies/policy.rb +0 -2
data/lib/tcell_agent/policies/rust_policies.rb +24 -29
data/lib/tcell_agent/rails.rb +2 -3
data/lib/tcell_agent/rails/auth/authlogic.rb +2 -2
data/lib/tcell_agent/rails/auth/devise.rb +2 -2
data/lib/tcell_agent/rails/auth/doorkeeper.rb +2 -2
data/lib/tcell_agent/rails/better_ip.rb +12 -16
data/lib/tcell_agent/rails/csrf_exception.rb +4 -7
data/lib/tcell_agent/rails/dlp.rb +208 -107
data/lib/tcell_agent/rails/dlp/process_request.rb +37 -47
data/lib/tcell_agent/rails/dlp_handler.rb +9 -11
data/lib/tcell_agent/rails/js_agent_insert.rb +11 -14
data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +8 -7
data/lib/tcell_agent/rails/middleware/context_middleware.rb +4 -5
data/lib/tcell_agent/rails/middleware/global_middleware.rb +5 -8
data/lib/tcell_agent/rails/middleware/headers_middleware.rb +24 -27
data/lib/tcell_agent/rails/on_start.rb +5 -5
data/lib/tcell_agent/rails/responses.rb +7 -9
data/lib/tcell_agent/rails/routes.rb +62 -81
data/lib/tcell_agent/rails/routes/grape.rb +25 -30
data/lib/tcell_agent/rails/routes/route_id.rb +9 -14
data/lib/tcell_agent/rails/settings_reporter.rb +44 -33
data/lib/tcell_agent/rails/tcell_body_proxy.rb +15 -18
data/lib/tcell_agent/routes/table.rb +31 -33
data/lib/tcell_agent/rust/{libtcellagent-1.3.0.dylib → libtcellagent-1.3.1.dylib} +0 -0
data/lib/tcell_agent/rust/{libtcellagent-1.3.0.so → libtcellagent-1.3.1.so} +0 -0
data/lib/tcell_agent/rust/{libtcellagent-alpine-1.3.0.so → libtcellagent-alpine-1.3.1.so} +0 -0
data/lib/tcell_agent/rust/models.rb +32 -37
data/lib/tcell_agent/rust/tcellagent-1.3.1.dll +0 -0
data/lib/tcell_agent/rust/whisperer.rb +101 -104
data/lib/tcell_agent/sensor_events/app_config.rb +7 -7
data/lib/tcell_agent/sensor_events/appsensor_event.rb +26 -27
data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +20 -88
data/lib/tcell_agent/sensor_events/command_injection.rb +52 -80
data/lib/tcell_agent/sensor_events/discovery.rb +27 -27
data/lib/tcell_agent/sensor_events/dlp.rb +50 -56
data/lib/tcell_agent/sensor_events/honeytokens.rb +9 -9
data/lib/tcell_agent/sensor_events/metrics.rb +20 -21
data/lib/tcell_agent/sensor_events/patches.rb +10 -12
data/lib/tcell_agent/sensor_events/sensor.rb +32 -36
data/lib/tcell_agent/sensor_events/server_agent.rb +130 -127
data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +60 -80
data/lib/tcell_agent/sensor_events/util/utils.rb +3 -5
data/lib/tcell_agent/servers/passenger.rb +5 -9
data/lib/tcell_agent/servers/puma.rb +18 -27
data/lib/tcell_agent/servers/rails_server.rb +5 -9
data/lib/tcell_agent/servers/thin.rb +2 -4
data/lib/tcell_agent/servers/unicorn.rb +18 -27
data/lib/tcell_agent/servers/webrick.rb +2 -4
data/lib/tcell_agent/settings_reporter.rb +126 -0
data/lib/tcell_agent/sinatra.rb +24 -26
data/lib/tcell_agent/start_background_thread.rb +21 -142
data/lib/tcell_agent/system_info.rb +4 -3
data/lib/tcell_agent/tcell_context.rb +150 -0
data/lib/tcell_agent/userinfo.rb +3 -3
data/lib/tcell_agent/utils/io.rb +19 -24
data/lib/tcell_agent/utils/params.rb +9 -15
data/lib/tcell_agent/utils/queue_with_timeout.rb +26 -32
data/lib/tcell_agent/utils/strings.rb +4 -6
data/lib/tcell_agent/version.rb +1 -1
data/spec/lib/tcell_agent/agent/policy_manager_spec.rb +5 -5
data/spec/lib/tcell_agent/agent/static_agent_spec.rb +7 -7
data/spec/lib/tcell_agent/cmdi_spec.rb +21 -21
data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +29 -24
data/spec/lib/tcell_agent/instrumentation_spec.rb +4 -4
data/spec/lib/tcell_agent/patches_spec.rb +8 -8
data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +23 -23
data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +2 -2
data/spec/lib/tcell_agent/rails/csrf_exception_spec.rb +69 -0
data/spec/lib/tcell_agent/rails/dlp_spec.rb +1039 -0
data/spec/lib/tcell_agent/rails/js_agent_insert_spec.rb +271 -0
data/spec/lib/tcell_agent/rails/logger_spec.rb +5 -5
data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +3 -3
data/spec/lib/tcell_agent/rails/middleware/dlp_middleware_spec.rb +4 -4
data/spec/lib/tcell_agent/rails/middleware/global_middleware_spec.rb +5 -5
data/spec/lib/tcell_agent/rails/middleware/redirect_middleware_spec.rb +1 -1
data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +11 -8
data/spec/lib/tcell_agent/rails/responses_spec.rb +2 -2
data/spec/lib/tcell_agent/rails/routes/grape_spec.rb +2 -2
data/spec/lib/tcell_agent/rails/routes/route_id_spec.rb +1 -1
data/spec/lib/tcell_agent/rails/routes/routes_spec.rb +4 -4
data/spec/lib/tcell_agent/rust/models_spec.rb +83 -75
data/spec/lib/tcell_agent/rust/whisperer_spec.rb +14 -14
data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +19 -70
data/spec/lib/tcell_agent/sensor_events/sessions_metric_spec.rb +1 -1
data/spec/lib/tcell_agent/settings_reporter_spec.rb +162 -0
data/spec/lib/tcell_agent/tcell_context_spec.rb +154 -0
data/spec/spec_helper.rb +5 -0
metadata +18 -10
data/lib/tcell_agent/appsensor/meta_data.rb +0 -132
data/lib/tcell_agent/patches/meta_data.rb +0 -59
data/lib/tcell_agent/rust/tcellagent-1.3.0.dll +0 -0
data/spec/lib/tcell_agent/appsensor/meta_data_spec.rb +0 -71

data/lib/tcell_agent/sensor_events/app_config.rb CHANGED

@@ -4,20 +4,20 @@ module TCellAgent
   module SensorEvents
     class AppConfigSettingEvent < TCellSensorEvent
       def initialize(package, section, prefix, name, value)
-        super("app_config_setting")
-        self["package"] = package
-        self["section"] = section
+        super('app_config_setting')
+        self['package'] = package
+        self['section'] = section
-        self["name"] = name
-        self["value"] = value.to_s
+        self['name'] = name
+        self['value'] = value.to_s
-        self["prefix"] = prefix if prefix
+        self['prefix'] = prefix if prefix
       end
     end
     class TCellAgentSettingEvent < AppConfigSettingEvent
       def initialize(name, value)
-        super("tcell", "config", nil, name, value)
+        super('tcell', 'config', nil, name, value)
       end
     end
   end

data/lib/tcell_agent/sensor_events/appsensor_event.rb CHANGED

@@ -1,6 +1,5 @@
 require 'tcell_agent/sensor_events/sensor'
 module TCellAgent
   module SensorEvents
     class TCellAppSensorEvent < TCellSensorEvent
@@ -16,36 +15,36 @@ module TCellAgent
                      payload,
                      pattern,
                      full_uri)
-        super("as")
-        self["dp"] = detection_point
+        super('as')
+        self['dp'] = detection_point
-        self["param"] = param.to_s if param
-        self["m"] = method.to_s if method
-        self["pattern"] = pattern if pattern
-        self["meta"] = meta if meta
-        self["rid"] = route_id.to_s if route_id
-        self["full_uri"] = full_uri if full_uri
-        self["uri"] = location if location
-        self["uid"] = user_id.to_s if user_id
-        self["sid"] = hmac_session_id if hmac_session_id
-        self["remote_addr"] = remote_address.to_s if remote_address
-        self["payload"] = payload if payload
+        self['param'] = param.to_s if param
+        self['m'] = method.to_s if method
+        self['pattern'] = pattern if pattern
+        self['meta'] = meta if meta
+        self['rid'] = route_id.to_s if route_id
+        self['full_uri'] = full_uri if full_uri
+        self['uri'] = location if location
+        self['uid'] = user_id.to_s if user_id
+        self['sid'] = hmac_session_id if hmac_session_id
+        self['remote_addr'] = remote_address.to_s if remote_address
+        self['payload'] = payload if payload
       end
       def self.build_from_native_lib_event(event)
-        return TCellAppSensorEvent.new(
-          event["uri"],
-          event["detection_point"],
-          event["method"],
-          event["remote_address"],
-          event["parameter"],
-          event["route_id"],
-          event["meta"],
-          event["session_id"],
-          event["user_id"],
-          event["payload"],
-          event["pattern"],
-          event["full_uri"]
+        TCellAppSensorEvent.new(
+          event['uri'],
+          event['detection_point'],
+          event['method'],
+          event['remote_address'],
+          event['parameter'],
+          event['route_id'],
+          event['meta'],
+          event['session_id'],
+          event['user_id'],
+          event['payload'],
+          event['pattern'],
+          event['full_uri']
         )
       end
     end

data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb CHANGED

@@ -1,113 +1,45 @@
-# encoding: utf-8
-# See the file "LICENSE" for the full license governing this code.
-require 'tcell_agent/sensor_events/sensor'
 require 'tcell_agent/agent'
 require 'tcell_agent/agent/policy_types'
-require 'tcell_agent/appsensor/meta_data'
-require 'tcell_agent/utils/params'
-# Some Rules Originate from ModSecurity
-#   ModSecurity for Apache 2.x, http://www.modsecurity.org/
-#   Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+require 'tcell_agent/tcell_context'
+require 'tcell_agent/sensor_events/sensor'
 module TCellAgent
   module SensorEvents
-    class AppSensorMetaEvent < TCellAgent::AppSensor::MetaData
+    class AppSensorMetaEvent < TCellAgent::SensorEvents::TCellSensorEvent
       class << self
         def build(request, response_content_length, response_code, response_headers)
-          tcell_context = request.env[TCellAgent::Instrumentation::TCELL_ID]
-          meta_event = AppSensorMetaEvent.new(
-            tcell_context.request_method,
-            tcell_context.ip_address,
-            tcell_context.route_id,
-            tcell_context.hmac_session_id,
-            tcell_context.user_id,
-            tcell_context.transaction_id,
-            tcell_context.uri
-          )
-          meta_event.csrf_exception_name = tcell_context.csrf_exception_name
-          meta_event.user_agent = tcell_context.user_agent
-          meta_event.request_content_bytes_len = (request.content_length || 0).to_i
-          meta_event.response_content_bytes_len = response_content_length
-          # use uri stored in tcell_context because
-          # rails modifies original request.url
-          # to always return /404 (or whatever error code
-          # it encountered)
-          meta_event.location = tcell_context.uri
-          meta_event.path = tcell_context.path
+          meta_data = TCellAgent::MetaData.from_request(request)
-          meta_event.get_dict = request.GET
-          meta_event.cookie_dict = request.cookies
-          meta_event.set_headers_dict(request.env)
-          # don't enqueue parameter values of unknown type to avoid any serialization issues
-          meta_event.post_dict = TCellAgent::Utils::Params.flatten(request.POST)
-          meta_event.path_parameters = tcell_context.path_parameters
-          meta_event.response_code = response_code
-          meta_event.response_headers = response_headers
-          meta_event.sql_exceptions = tcell_context.sql_exceptions
-          meta_event.database_result_sizes = tcell_context.database_result_sizes
-          # Positions strio to the beginning of input, resetting lineno to zero.
-          # rails 4.1 seems to read the stringIO directly and so body.gets is empty
-          # this is called
-          request.body.rewind
+          tcell_context = request.env[TCellAgent::Instrumentation::TCELL_ID]
+          meta_data.csrf_exception_name = tcell_context.csrf_exception_name
+          meta_data.user_agent = tcell_context.user_agent
+          meta_data.path_parameters = tcell_context.path_parameters
+          meta_data.sql_exceptions = tcell_context.sql_exceptions
+          meta_data.database_result_sizes = tcell_context.database_result_sizes
-          meta_event.set_body_dict(
-            meta_event.request_content_bytes_len,
-            request.content_type,
-            request.body.gets
-          )
+          meta_data.response_content_bytes_len = response_content_length
-          meta_event
-        end
+          meta_data.response_code = response_code
+          meta_data.response_headers = response_headers
-        def build_basic(appsensor_meta)
-          AppSensorMetaEvent.new(
-            appsensor_meta.method,
-            appsensor_meta.remote_address,
-            appsensor_meta.route_id,
-            appsensor_meta.session_id,
-            appsensor_meta.user_id,
-            appsensor_meta.transaction_id,
-            appsensor_meta.location
-          )
+          AppSensorMetaEvent.new(meta_data)
         end
       end
+      attr_accessor :meta_data
-      attr_accessor :request_content_bytes_len, :response_content_bytes_len,
-        :response_code, :user_agent, :response_headers, :csrf_exception_name, :path,
-        :sql_exceptions, :database_result_sizes
-      def initialize(method, remote_address, route_id, session_id, user_id, transaction_id, location)
-        super(method, remote_address, route_id, session_id, user_id, transaction_id, location)
+      def initialize(meta_data)
+        @send = false
-        @request_content_bytes_len = 0
-        @response_content_bytes_len = 0
-        @user_agent = nil
+        @meta_data = meta_data
       end
       def post_process
-        rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::Rust)
+        rust_policies = TCellAgent.policy(TCellAgent::PolicyTypes::RUST)
         return unless rust_policies
-        rust_policies.check_appfirewall_injections(self)
-      end
-      def flattened_post_dict
-        @post_dict
+        rust_policies.check_appfirewall_injections(@meta_data)
       end
     end
   end
 end

data/lib/tcell_agent/sensor_events/command_injection.rb CHANGED

@@ -2,102 +2,74 @@ require 'tcell_agent/sensor_events/sensor'
 module TCellAgent
   module SensorEvents
     class CommandInjectionMatchEvent < Hash
       def initialize(rule_id, command)
-        self["rule_id"] = rule_id
-        if command
-          self["command"] = command
-        end
+        self['rule_id'] = rule_id
+        self['command'] = command if command
       end
     end
     class CommandInjectionEvent < TCellSensorEvent
       def self.build_from_native_lib_response_and_tcell_context(apply_response,
                                                                 tcell_context)
-        matches = apply_response.fetch("matches", [])
-        if matches && matches.size > 0
-          method, remote_address, route_id, session_id, user_id, uri = nil
-          if tcell_context
-            method = tcell_context.request_method
-            remote_address = tcell_context.ip_address
-            route_id = tcell_context.route_id
-            session_id = tcell_context.hmac_session_id
-            user_id = tcell_context.user_id
-            uri = tcell_context.uri
-          end
-          matches_without_emtpy_values = matches.map do |match|
-            CommandInjectionMatchEvent.new(
-              match["rule_id"], match["command"]
-            )
-          end
-          CommandInjectionEvent.new(
-            apply_response["commands"],
-            blocked=apply_response.fetch("blocked", false),
-            matches=matches_without_emtpy_values,
-            method=method,
-            remote_address=remote_address,
-            route_id=route_id,
-            session_id=session_id,
-            user_id=user_id,
-            uri=uri,
-            full_commandline=apply_response["full_commandline"])
+        matches = apply_response.fetch('matches', [])
+        return nil if !matches || matches.empty?
+        method, remote_address, route_id, session_id, user_id, uri = nil
+        if tcell_context
+          method = tcell_context.request_method
+          remote_address = tcell_context.ip_address
+          route_id = tcell_context.route_id
+          session_id = tcell_context.hmac_session_id
+          user_id = tcell_context.user_id
+          uri = tcell_context.uri
+        end
-        else
-          nil
+        matches_without_emtpy_values = matches.map do |match|
+          CommandInjectionMatchEvent.new(
+            match['rule_id'], match['command']
+          )
         end
-      end
+        CommandInjectionEvent.new(
+          apply_response['commands'],
+          apply_response.fetch('blocked', false),
+          matches_without_emtpy_values,
+          method,
+          remote_address,
+          route_id,
+          session_id,
+          user_id,
+          uri,
+          apply_response['full_commandline']
+        )
+      end
       def initialize(commands,
                      blocked,
                      matches,
-                     method=nil,
-                     remote_address=nil,
-                     route_id=nil,
-                     session_id=nil,
-                     user_id=nil,
-                     uri=nil,
-                     full_commandline=nil)
-        super("cmdi")
-        self["commands"] = commands
-        self["blocked"] = blocked
-        self["matches"] = matches
-        if method
-          self["m"] = method
-        end
-        if remote_address
-          self["remote_addr"] = remote_address
-        end
-        if route_id
-          self["rid"] = route_id
-        end
-        if session_id
-          self["sid"] = session_id
-        end
-        if user_id
-          self["uid"] = user_id
-        end
-        if full_commandline
-          self["full_commandline"] = full_commandline
-        end
-        if uri
-          self["uri"] = TCellAgent::SensorEvents::Util.strip_uri_values(uri)
-        end
+                     method = nil,
+                     remote_address = nil,
+                     route_id = nil,
+                     session_id = nil,
+                     user_id = nil,
+                     uri = nil,
+                     full_commandline = nil)
+        super('cmdi')
+        self['commands'] = commands
+        self['blocked'] = blocked
+        self['matches'] = matches
+        self['m'] = method if method
+        self['remote_addr'] = remote_address if remote_address
+        self['rid'] = route_id if route_id
+        self['sid'] = session_id if session_id
+        self['uid'] = user_id if user_id
+        self['full_commandline'] = full_commandline if full_commandline
+        self['uri'] = TCellAgent::SensorEvents::Util.strip_uri_values(uri) if uri
       end
     end
   end
 end

data/lib/tcell_agent/sensor_events/discovery.rb CHANGED

@@ -1,30 +1,30 @@
 require 'tcell_agent/sensor_events/sensor'
 module TCellAgent
-    module SensorEvents
-        class DiscoveryEvent < TCellSensorEvent
-            DATABASE_TYPE = "db"
-            def initialize(route_id=nil)
-                super("discovery")
-                if route_id
-                    self["rid"] = route_id
-                end
-            end
-            def for_database(database, schema, table, field)
-                self["type"] = "db"
-                self["db"] = database
-                self["schema"] = schema
-                self["table"] = table
-                self["field"] = field
-            end
-            def for_database_fields(database, schema, table, fields)
-                self["type"] = "db"
-                self["db"] = database
-                self["schema"] = schema
-                self["table"] = table
-                self["fields"] = fields
-                return self
-            end
-        end #/DiscoveryEvent
-    end #/SensorEvents
-end #/TCellAgent
+  module SensorEvents
+    class DiscoveryEvent < TCellSensorEvent
+      DATABASE_TYPE = 'db'.freeze
+      def initialize(route_id = nil)
+        super('discovery')
+        self['rid'] = route_id if route_id
+      end
+      def for_database(database, schema, table, field)
+        self['type'] = 'db'
+        self['db'] = database
+        self['schema'] = schema
+        self['table'] = table
+        self['field'] = field
+      end
+      def for_database_fields(database, schema, table, fields)
+        self['type'] = 'db'
+        self['db'] = database
+        self['schema'] = schema
+        self['table'] = table
+        self['fields'] = fields
+        self
+      end
+    end
+  end
+end

data/lib/tcell_agent/sensor_events/dlp.rb CHANGED

@@ -4,60 +4,54 @@ require 'tcell_agent/sensor_events/util/sanitizer_utilities'
 require 'tcell_agent/sensor_events/sensor'
 require 'tcell_agent/sensor_events/util/sanitizer_utilities'
 module TCellAgent
-    module SensorEvents
-        class DlpEvent < TCellSensorEvent
-            FOUND_IN_BODY = "body"
-            FOUND_IN_LOG = "log"
-            FOUND_IN_CONSOLE = "console"
-            FRAMEWORK_VARIABLE_SESSION_ID="session_id"
-            REQUEST_CONTEXT_FORM = "form"
-            REQUEST_CONTEXT_COOKIE = "cookie"
-            REQUEST_CONTEXT_HEADER = "header"
-            def initialize(route_id, raw_uri, found_in, id=nil, hmac_session_id=nil, user_id=nil)
-                super("dlp")
-                if route_id
-                    self["rid"] = route_id
-                end
-                self["found_in"] = found_in
-                @raw_uri = raw_uri
-                if hmac_session_id
-                    self["sid"] = hmac_session_id
-                end
-                if user_id
-                    self["uid"] = user_id
-                end
-                if id
-                    self["rule"] = id
-                end
-            end
-            def for_database(database, schema, table, field)
-                self["type"] = "db"
-                self["db"] = database
-                self["schema"] = schema
-                self["table"] = table
-                self["field"] = field
-                return self
-            end
-            def for_framework(variable)
-                self["type"] = "fw"
-                self["context"] = "framework"
-                self["variable"] = variable
-                return self
-            end
-            def for_request(variable_context, variable)
-                self["type"] = "req"
-                self["context"] = variable_context
-                self["variable"] = variable
-                return self
-            end
-            def post_process
-                if @raw_uri
-                    self["uri"] = Util.strip_uri_values(@raw_uri)
-                end
-            end
-        end
+  module SensorEvents
+    class DlpEvent < TCellSensorEvent
+      FOUND_IN_BODY = 'body'.freeze
+      FOUND_IN_LOG = 'log'.freeze
+      FOUND_IN_CONSOLE = 'console'.freeze
+      FRAMEWORK_VARIABLE_SESSION_ID = 'session_id'.freeze
+      REQUEST_CONTEXT_FORM = 'form'.freeze
+      REQUEST_CONTEXT_COOKIE = 'cookie'.freeze
+      REQUEST_CONTEXT_HEADER = 'header'.freeze
+      def initialize(route_id, raw_uri, found_in, id = nil, hmac_session_id = nil, user_id = nil)
+        super('dlp')
+        self['rid'] = route_id if route_id
+        self['found_in'] = found_in
+        @raw_uri = raw_uri
+        self['sid'] = hmac_session_id if hmac_session_id
+        self['uid'] = user_id if user_id
+        self['rule'] = id if id
+      end
+      def for_database(database, schema, table, field)
+        self['type'] = 'db'
+        self['db'] = database
+        self['schema'] = schema
+        self['table'] = table
+        self['field'] = field
+        self
+      end
+      def for_framework(variable)
+        self['type'] = 'fw'
+        self['context'] = 'framework'
+        self['variable'] = variable
+        self
+      end
+      def for_request(variable_context, variable)
+        self['type'] = 'req'
+        self['context'] = variable_context
+        self['variable'] = variable
+        self
+      end
+      def post_process
+        self['uri'] = Util.strip_uri_values(@raw_uri) if @raw_uri
+      end
     end
-end
+  end
+end