contrast-agent 3.8.4 → 6.9.0

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -1,6 +1,10 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/protect/rule/base'
+require 'contrast/agent/reporting/details/untrusted_deserialization_details'
+require 'contrast/components/logger'
+
 module Contrast
   module Agent
     module Protect
@@ -9,26 +13,27 @@ module Contrast
         # Deserialization Protect rule.
         class Deserialization < Contrast::Agent::Protect::Rule::Base
           # The TeamServer recognized name of this rule
+          include Contrast::Components::Logger::InstanceMethods
+          # Used to name this input since input analysis isn't done for this
+          # rule
+          INPUT_NAME = 'Serialized Gadget'
+
           NAME = 'untrusted-deserialization'
 
           # The rule specific reason for raising a security exception.
           BLOCK_MESSAGE = 'Untrusted Deserialization rule triggered. Deserialization blocked.'
 
           # Gadgets that map to ERB modules
-          ERB_GADGETS = %w[
-            object:ERB
-          ].cs__freeze
+          ERB_GADGETS = %W[object:ERB o:\bERB].cs__freeze
 
           # Gadgets that map to ActionDispatch modules
           ACTION_DISPATCH_GADGETS = %w[
             object:ActionDispatch::Routing::RouteSet::NamedRouteCollection
+            o:\bActionDispatch::Routing::RouteSet::NamedRouteCollection
           ].cs__freeze
 
           # Gadgets that map to Arel Modules
-          AREL_GADGETS = %w[
-            string:Arel::Nodes::SqlLiteral
-            object:Arel::Nodes
-          ].cs__freeze
+          AREL_GADGETS = %w[string:Arel::Nodes::SqlLiteral object:Arel::Nodes o:\bArel::Nodes].cs__freeze
 
           # Used to indicate to TeamServer the gadget is an ERB module
           ERB = 'ERB'
@@ -40,7 +45,7 @@ module Contrast
 
           # Return the TeamServer understood id / name of this rule.
           # @return [String] the TeamServer understood id / name of this rule.
-          def name
+          def rule_name
             NAME
           end
 
@@ -53,9 +58,10 @@ module Contrast
           # Per the spec, this rule applies regardless of input. Only the mode
           # of the rule and code exclusions apply at this point.
           # @return [Boolean] should the rule apply to this call.
-          def infilter? _context
+          def infilter? context
             return false unless enabled?
             return false if protect_excluded_by_code?
+            return false if protect_excluded_by_url?(context)
 
             true
           end
@@ -80,7 +86,9 @@ module Contrast
             result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
             append_to_activity(context, result)
 
-            raise Contrast::SecurityException.new(self, block_message) if blocked?
+            cef_logging(result, :successful_attack)
+
+            raise(Contrast::SecurityException.new(self, block_message)) if blocked?
           end
 
           # Determine if the issued command was called while we're
@@ -90,38 +98,17 @@ module Contrast
           # @raise [Contrast::SecurityException] if attack detected while in
           #   block mode.
           def check_command_scope gadget_command
-            return unless deserializing?
+            # If we're within 'deserialization scope', then we've got a
+            # deserialization method in our call stack.
+            return unless in_deserialization_scope?
 
             context = Contrast::Agent::REQUEST_TRACKER.current
             kwargs = { COMMAND_SCOPE: true }
             ia_result = build_evaluation(gadget_command)
             result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
             append_to_activity(context, result)
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
-          end
-
-          # I don't know a better way to do this without introducing another
-          # scope.
-          # The policy files are designed around using the Module names, not
-          # the file names, but stack is built using filenames. These are the
-          # files and methods we patch for this rule.
-          #
-          # There's not real test for this since I can't figure out how to get
-          # a command to execute from within the .load methods
-          # Assuming someone else does, this should just work (tested with
-          # Screener and the combination "%w[erb.rb `result']")
-          DESERIALIZER_STACK = [
-            %w[/psych.rb: `load'],
-            %w[/marshal.rb: `load']
-          ].cs__freeze
-          # We're considered deserializing if the call stack includes a
-          # reference to the file in which a serializer is defined and
-          # the method of that serializer responsible for deserializing.
-          # @return [Boolean] if the caller indicates deserialization.
-          def deserializing?
-            Kernel.caller.product(DESERIALIZER_STACK).find do |(frame, (class_signature_form, method_signature_form))|
-              frame.end_with?(method_signature_form) && frame.include?(class_signature_form)
-            end
+            cef_logging(result, :successful_attack, value: gadget_command)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
 
           protected
@@ -129,7 +116,7 @@ module Contrast
           # Build the RaspRuleSample for the detected Deserialization attack.
           # @param context [Contrast::Agent::RequestContext] the request
           #   context in which this attack is occurring.
-          # @param input_analysis_result [Contrast::Api::Settings::InputAnalysisResult]
+          # @param input_analysis_result [Contrast::Agent::Reporting::InputAnalysis]
           #   the result of the analysis done by this rule.
           # @param _candidate_string [nil] unused.
           # @param kwargs [Hash, nil] Hash of inputs used by this rule to flesh
@@ -139,33 +126,30 @@ module Contrast
           #   to render this attack event in TeamServer.
           def build_sample context, input_analysis_result, _candidate_string, **kwargs
             sample = build_base_sample(context, input_analysis_result)
-            sample.untrusted_deserialization = Contrast::Api::Dtm::UntrustedDeserializationDetails.new
+            sample.details = Contrast::Agent::Reporting::Details::UntrustedDeserializationDetails.new
 
-            deserializer = kwargs[:GADGET_TYPE]
-            sample.untrusted_deserialization.deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(deserializer)
+            deserializer = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:GADGET_TYPE])
+            sample.details.deserializer = deserializer
 
             command = !!kwargs[:COMMAND_SCOPE]
-            sample.untrusted_deserialization.command = command
+            sample.details.cmd = command
 
             sample
           end
 
           private
 
-          # Used to name this input since input analysis isn't done for this
-          # rule
-          INPUT_NAME = 'Serialized Gadget'
           # We know that this attack happened, so the result is always matched
           # and the level is always critical. Only variable is the Gadget
           # supplied by the attacker.
           # @param gadget_string [String] the input to be deserialized in which
           #   the gadget exists or the command that resulted from deserializing
           #   an input not detected in the initial infilter.
-          # @return [Contrast::Api::Settings::InputAnalysisResult] the result
+          # @return [Contrast::Agent::Reporting::InputAnalysisResult] the result
           #   of the analysis done by this rule.
           def build_evaluation gadget_string
-            ia_result = Contrast::Api::Settings::InputAnalysisResult.new
-            ia_result.rule_id = name
+            ia_result = Contrast::Agent::Reporting::InputAnalysisResult.new
+            ia_result.rule_id = rule_name
             ia_result.input_type = :UNKNOWN
             ia_result.key = INPUT_NAME
             ia_result.value = Contrast::Utils::StringUtils.protobuf_safe_string(gadget_string)

data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb

@@ -0,0 +1,96 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/agent/reporting/attack_result/attack_result'
+require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
+require 'contrast/utils/input_classification_base'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of HttpMethodTampering rule
+        # as a result input would be marked as DEFINETEATTACK or IGNORE,
+        # to be analyzed at the sink level.
+        module HttpMethodTamperingInputClassification
+          # class << self
+          #   include InputClassificationBase
+          #
+          #   # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
+          #   #
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
+          #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
+          #   # analysis from the current request.
+          #   def classify input_type, input_analysis
+          #     return unless input_analysis.request
+          #     return unless input_type == METHOD
+          #
+          #     rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+          #
+          #     ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
+          #     input_analysis.results << ia_result
+          #
+          #     return input_analysis if ia_result.score_level == IGNORE
+          #
+          #     attack_result = build_attack_result ia_result, rule_id
+          #
+          #     if :BLOCK != Contrast::PROTECT.rule_mode(rule_id)
+          #       attack_result.response = :EXPLOITED
+          #       Contrast::Agent::EXPLOITS.push attack_result
+          #       return input_analysis
+          #     end
+          #
+          #     attack_result.response = :BLOCKED
+          #     context.activity.results << attack_result
+          #     raise Contrast::SecurityException.new(self,
+          #                                           'HTTP Method Tampering rule triggered. '\
+          #                                           "Call to #{ input_analysis.request.path } with " \
+          #                                           "#{ input_analysis.request.request_method } blocked.")
+          #   end
+          #
+          #   private
+          #
+          #   # @param request [Contrast::Agent::Request] the current request context.
+          #   def method_tampering_exploited? request
+          #     !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
+          #   end
+          #
+          #   # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+          #   # key if needed and Creates new instance of InputAnalysisResult.
+          #   #
+          #   # @param request [Contrast::Agent::Request] the current request context.
+          #   # @param rule_id [String] The name of the Protect Rule.
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          #   #
+          #   # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+          #   def method_tampering_new_input_analysis request, rule_id, input_type
+          #     ia_result = new_ia_result rule_id, input_type, request.path
+          #     if method_tampering_exploited? request
+          #       ia_result.score_level = DEFINITEATTACK
+          #       ia_result.ids << rule_id
+          #     else
+          #       ia_result.score_level = IGNORE
+          #     end
+          #
+          #     ia_result
+          #   end
+          #
+          #   def build_attack_result ia_result, rule_id
+          #     rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
+          #     result = Contrast::Agent::Reporting::AttackResult.new
+          #     result.rule_id = rule_id
+          #     result.samples << rasp_rule_sample
+          #     result
+          #   end
+          #
+          #   def context
+          #     Contrast::Agent::REQUEST_TRACKER.current
+          #   end
+          # end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/http_method_tampering.rb

@@ -1,6 +1,8 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
+require 'contrast/agent/protect/rule/base_service'
+
 module Contrast
   module Agent
     module Protect
@@ -8,71 +10,72 @@ module Contrast
         # The Ruby implementation of the Protect HTTP Method Tampering rule.
         class HttpMethodTampering < Contrast::Agent::Protect::Rule::BaseService
           NAME = 'method-tampering'
-          STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
+          # STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
+          #
+          # APPLICABLE_METHODS_INPUTS = %w[
+          #   ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
+          #   DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
+          #   MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
+          #   PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
+          #   UNLOCK UPDATE VERSION-CONTROL
+          # ].cs__freeze
 
-          def name
+          def rule_name
             NAME
           end
 
-          def postfilter context
-            return unless enabled? && POSTFILTER_MODES.include?(mode)
-
-            logger.debug("#{ name } postfilter...")
-            return if normal_request?(context)
-
-            # The only way to be here in postfilter with a result is if the rule mode was MONITOR
-            ia_results = gather_ia_results(context)
-            return if ia_results.empty?
-
-            # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
-            response_code = context&.response&.response_code
-            return unless response_code
-
-            method = ia_results.first.value
-            result = if response_code.to_s.start_with?('4', '5')
-                       build_attack_without_match(
-                           context,
-                           nil,
-                           nil,
-                           method: method,
-                           response_code: response_code)
-                     else
-                       build_attack_with_match(
-                           context,
-                           nil,
-                           nil,
-                           nil,
-                           method: method,
-                           response_code: response_code)
-                     end
-            append_to_activity(context, result) if result
-          end
-
-          protected
-
-          def build_sample context, evaluation, _candidate_string, **kwargs
-            sample = build_base_sample(context, evaluation)
-            sample.user_input.value = kwargs[:method]
-
-            sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
-            sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
-            code = kwargs[:response_code] || -1
-            sample.method_tampering.response_code = code.to_i
-            sample
-          end
-
-          def build_user_input _evaluation
-            input = Contrast::Api::Dtm::UserInput.new
-            input.input_type = :METHOD
-            input
-          end
-
-          private
-
-          def normal_request? context
-            method = context.request.request_method
-            context.request.static_request? || method.nil? || STANDARD_METHODS.include?(method.upcase)
-          end
+          # This rule is solely based on input analysis, which the Service handles. When we move from the Service to the
+          # agent with protect library, we should re-enable these tests and that rule.
+          # TODO: RUBY-1574
+          # def enabled?
+          #   super && false
+          # end
+          #
+          # def postfilter context
+          #   return unless enabled? && POSTFILTER_MODES.include?(mode)
+          #   return if normal_request?(context)
+          #
+          #   # The only way to be here in postfilter with a result is if the rule mode was MONITOR
+          #   ia_results = gather_ia_results(context)
+          #   return if ia_results.empty?
+          #
+          #   # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
+          #   response_code = context&.response&.response_code
+          #   return unless response_code
+          #
+          #   method = ia_results.first.value
+          #   result = if response_code.to_s.start_with?('4', '5')
+          #              build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
+          #            else
+          #              build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
+          #            end
+          #
+          #   return unless result
+          #
+          #   append_to_activity(context, result)
+          #   cef_logging result, :ineffective_attack
+          # end
+          #
+          # protected
+          #
+          # def build_sample context, evaluation, _candidate_string, **kwargs
+          #   sample = build_base_sample(context, evaluation)
+          #   sample.user_input.value = kwargs[:method]
+          #   sample.user_input.input_type = :METHOD
+          #
+          #   sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
+          #   sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
+          #   code = kwargs[:response_code] || -1
+          #   sample.method_tampering.response_code = code.to_i
+          #   sample
+          # end
+          #
+          # private
+          #
+          # def normal_request? context
+          #   method = context.request.request_method
+          #   context.request.static? || method.nil? || STANDARD_METHODS.include?(method.upcase)
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/no_sqli/mongo_no_sql_scanner.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast
@@ -14,8 +14,7 @@ module Contrast
             # Is the current & next character '//' or are the current and
             # subsequent characters '<--' ?
             def start_line_comment? char, index, query
-              if char == Contrast::Utils::ObjectShare::SLASH &&
-                    query[index + 1] == Contrast::Utils::ObjectShare::SLASH
+              if char == Contrast::Utils::ObjectShare::SLASH && query[index + 1] == Contrast::Utils::ObjectShare::SLASH
                 return true
               end
 

data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb

@@ -0,0 +1,226 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification_base'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of NoSQLI rule
+        # as a result input would be marked as WORTHWATCHING or IGNORE,
+        # to be analyzed at the sink level.
+        module NoSqliInputClassification
+          class << self
+            include InputClassificationBase
+
+            NOSQL_COMMENT_REGEXP = %r{"\s*(?:<--|//)}.cs__freeze
+            NOSQL_OR_REGEXP = /(?=(\s+\|\|\s+))/.cs__freeze
+            NOSQL_COMMENTS_AFTER_REGEXP = %r{(?:<--|//)}.cs__freeze
+
+            ZERO_OR_MORE_SPACES_REGEXP = /\s*/.cs__freeze
+            QUOTE_REGEXP = /['"’‘]/.cs__freeze
+            NUMBERS_AND_LETTERS_REGEXP = /[[:alnum:]]+/.cs__freeze
+            COMPARISON_REGEXP = /(?:==|>=|<=|>|<|)/.cs__freeze
+            NOSQL_QUOTED_REGEXP = /
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ COMPARISON_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ QUOTE_REGEXP }
+            /x.cs__freeze
+            NOSQL_NUMERIC_REGEXP = /
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ COMPARISON_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+            /x.cs__freeze
+
+            NOSQL_DEFINITE_THRESHOLD = 3
+            NOSQL_WORTH_WATCHING_THRESHOLD = 1
+            NOSQL_CONFIDENCE_THRESHOLD = 3
+            MAX_DISTANCE = 10
+            DEFAULT_RULE_DEFINITIONS = [
+              {
+                  keywords: [],
+                  name: 'nosql-injection',
+                  patterns: [
+                    {
+                        caseSensitive: false,
+                        id: 'NO-SQLI-1',
+                        score: 1,
+                        value: '(?:\\{\\s*\".*\"\\s*:.*\\})'
+                    },
+                    {
+                        id: 'NO-SQLI-2',
+                        caseSensitive: true,
+                        score: 3,
+                        value: "(?:\"|')?\\$(?:gte|gt|lt|lte|eq|ne|in|nin|where|mod|all|size|exists|type|slice|or)(?:\"|')?\\s*:.*" # rubocop:disable Layout/LineLength
+                    }
+                  ]
+              }
+            ].cs__freeze
+
+            private
+
+            # Creates a new instance of InputAnalysisResult with basic info.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
+            # @param value [String, Array<String>] the value of the input.
+            # @param path [String] the path of the current request context.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def new_ia_result rule_id, input_type, score_level, path, value
+              super(rule_id, input_type, path, value).tap { |res| res.score_level = score_level }
+            end
+
+            # This methods checks if input should be tagged DEFINITEATTACK, WORTHWATCHING, or IGNORE,
+            # and creates a new instance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def create_new_input_result request, rule_id, input_type, value
+              score = evaluate_patterns(value)
+              score = evaluate_rules(value, score)
+
+              score_level = if definite_attack?(score)
+                              DEFINITEATTACK
+                            elsif worth_watching?(score)
+                              WORTHWATCHING
+                            else
+                              IGNORE
+                            end
+              result = new_ia_result(rule_id, input_type, score_level, request.path, value)
+              add_needed_key(request, result, input_type, value)
+              result
+            end
+
+            # This method evaluates the patterns relevant to NoSQL Injection to check whether
+            # the input is matched by any of them. The total score of all patterns matched is
+            # returned, unless the individual matching pattern score matches or exceeds
+            # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
+            # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
+            # point is returned.
+            #
+            # @param value [String] the value of the input.
+            # @param total_score [Integer] the total score thus far.
+            #
+            # @return res [Integer]
+            def evaluate_patterns value, total_score = 0
+              applicable_patterns = nosqli_patterns
+              return total_score if applicable_patterns.nil?
+
+              total_patterns_score = 0
+              applicable_patterns.each do |pattern|
+                next unless value.match?(pattern[:value])
+
+                total_patterns_score += pattern[:score].to_i
+                total_score += pattern[:score].to_i
+
+                if pattern[:score].to_i >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
+                  return total_score
+                end
+              end
+
+              total_score
+            end
+
+            def evaluate_comment_rule value
+              (value =~ NOSQL_COMMENT_REGEXP).nil? ? 0 : 2 # None/Medium
+            end
+
+            # This method evaluates the searcher rules relevant to NoSQL Injection to check whether
+            # the input is matched by any of them. The total score of all rules matched is
+            # returned, unless the individual matching rukle score matches or exceeds
+            # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
+            # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
+            # point is returned.
+            #
+            # @param value [String] the value of the input.
+            # @param total_score [Integer] the total score thus far.
+            #
+            # @return res [Integer]
+            def evaluate_rules value, total_score = 0
+              total_rules_score = 0
+              %i[evaluate_comment_rule evaluate_or_rule].each do |method|
+                rule_score = send(method, value)
+                total_rules_score += rule_score
+                total_score += rule_score
+
+                return total_score if rule_score >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
+              end
+
+              total_score
+            end
+
+            # This method evaluates the input value for NoSQL Or searches. Each possible match is
+            # checked. If a match is found then a score of either 3 (High) or 4 (Critical) will
+            # be returned, depending on whether the regexp for finding comments is also matched.
+            #
+            # @param value [String] the value of the input.
+            #
+            # @return res [Integer]
+            def evaluate_or_rule value
+              score = 0
+
+              locs = matches_by_position(value, NOSQL_OR_REGEXP)
+              return score if locs.empty?
+
+              locs.each do |loc|
+                [NOSQL_QUOTED_REGEXP, NOSQL_NUMERIC_REGEXP].each do |pattern|
+                  pattern_locs = matches_by_position(value[loc[1]..], pattern)
+                  next unless !pattern_locs.empty? && pattern_locs[0][0] < MAX_DISTANCE
+
+                  return 4 if value.match?(NOSQL_COMMENTS_AFTER_REGEXP, loc[1] + pattern_locs[0][1]) # Critical
+
+                  score = 3 # High
+                  break
+                end
+              end
+
+              score
+            end
+
+            # This method returns the patterns to be checked against the input value.
+            #
+            # @return res [Array, nil]
+            def nosqli_patterns
+              server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
+              rule_definitions = server_features&.protect&.rule_definition_list
+              rule_definitions = DEFAULT_RULE_DEFINITIONS if rule_definitions.empty?
+              rule_definitions.find { |r| r[:name] == Contrast::Agent::Protect::Rule::NoSqli::NAME }&.dig(:patterns)
+            end
+
+            def matches_by_position value, pattern
+              value.to_enum(:scan, pattern).map { Regexp.last_match.offset(Regexp.last_match.size - 1) }
+            end
+
+            def definite_attack? score
+              score >= NOSQL_DEFINITE_THRESHOLD
+            end
+
+            def worth_watching? score
+              score >= NOSQL_WORTH_WATCHING_THRESHOLD
+            end
+          end
+        end
+      end
+    end
+  end
+end