Improve attack detection with header analysis

- Include headers in pattern detection (Referer, etc.)
- Add HAS_REFERER flag for requests with Referer header
- Include Referer content in payload analysis
- Fix redirect URL handling in downloader for HuggingFace CDN
- Increase payload snippet size to 300 chars

This enables detection of SQLi attacks hidden in Referer headers,
a common attack vector found in real-world nginx logs.

Author: khasinski

.gitignore

@@ -22,3 +22,4 @@ pkg/
 
 # macOS
 .DS_Store
+test_app/

lib/ai_bouncer/classifier.rb

@@ -73,11 +73,22 @@ def self.request_to_text(method:, path:, body: "", user_agent: "", params: {}, h
         parts << "BODY_SIZE:#{size_bucket}"
       end
 
-      # Header count
-      parts << "HEADERS:#{headers.size}" if headers.any?
+      # Header analysis
+      if headers.any?
+        parts << "HEADERS:#{headers.size}"
+        # Include header values for pattern detection
+        headers.each do |name, value|
+          next if value.nil? || value.empty?
+          # Flag suspicious header names
+          if name.downcase == "referer" || name.downcase == "referrer"
+            parts << "HAS_REFERER"
+          end
+        end
+      end
 
-      # Suspicious pattern detection
-      combined = "#{path} #{body} #{params.values.join(' ')}"
+      # Suspicious pattern detection - include headers in combined text
+      header_values = headers.values.compact.join(' ')
+      combined = "#{path} #{body} #{params.values.join(' ')} #{header_values}"
 
       if combined =~ /\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|OR\s+\d|--|')/i
         parts << "FLAG:SQL_KEYWORDS"
@@ -95,9 +106,17 @@ def self.request_to_text(method:, path:, body: "", user_agent: "", params: {}, h
         parts << "FLAG:CMD_INJECTION"
       end
 
-      # Include payload snippet
-      payload = body.to_s.empty? ? params.to_s : body.to_s
-      parts << "PAYLOAD:#{payload[0, 200]}" unless payload.empty?
+      # Include payload snippet (body, params, and suspicious headers)
+      payload_parts = []
+      payload_parts << body.to_s unless body.to_s.empty?
+      payload_parts << params.to_s unless params.empty?
+      # Include Referer if present (common attack vector)
+      if headers["Referer"] || headers["referer"]
+        referer = headers["Referer"] || headers["referer"]
+        payload_parts << "REFERER:#{referer}" unless referer.empty?
+      end
+      payload = payload_parts.join(" ")
+      parts << "PAYLOAD:#{payload[0, 300]}" unless payload.empty?
 
       parts.join(" ")
     end

lib/ai_bouncer/downloader.rb

@@ -76,6 +76,8 @@ def download_file(url, dest_path, max_redirects: 5)
 
         uri = URI.parse(url)
 
+        raise DownloadError, "Invalid URL: #{url}" unless uri.host
+
         Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
           http.read_timeout = 300  # 5 minutes for large files
           http.open_timeout = 30
@@ -93,6 +95,11 @@ def download_file(url, dest_path, max_redirects: 5)
               end
             when Net::HTTPRedirection
               new_url = response["location"]
+              # Handle relative redirects
+              new_uri = URI.parse(new_url)
+              if new_uri.relative?
+                new_url = URI.join("#{uri.scheme}://#{uri.host}:#{uri.port}", new_url).to_s
+              end
               download_file(new_url, dest_path, max_redirects: max_redirects - 1)
             else
               raise DownloadError, "HTTP #{response.code}: #{response.message} for #{url}"