contrast-agent 3.8.4 → 6.9.0

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -1,19 +1,33 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-# This could be useful for making patterns maybe?
-# https://github.com/cr0hn/nosqlinjection_wordlists
-# https://www.owasp.org/index.php/Testing_for_NoSQL_injection
+require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/protect/rule/sql_sample_builder'
+require 'contrast/agent/reporting/input_analysis/input_type'
+
 module Contrast
   module Agent
     module Protect
       module Rule
         # The Ruby implementation of the Protect NoSQL Injection rule.
         class NoSqli < Contrast::Agent::Protect::Rule::BaseService
+          # Generate a sample for the No-SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          include SqlSampleBuilder::NoSqliSample
+          # Defining build_attack_with_match method
+          include SqlSampleBuilder::AttackBuilder
+          include Contrast::Agent::Reporting::InputType
+
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
-
-          def name
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_NAME, COOKIE_VALUE, HEADER,
+            PARAMETER_NAME, PARAMETER_VALUE, JSON_VALUE,
+            MULTIPART_VALUE, MULTIPART_FIELD_NAME,
+            XML_VALUE, DWR_VALUE
+          ].cs__freeze
+
+          def rule_name
             NAME
           end
 
@@ -21,45 +35,43 @@ module Contrast
             BLOCK_MESSAGE
           end
 
+          def applicable_user_inputs
+            APPLICABLE_USER_INPUTS
+          end
+
+          # @raise [Contrast::SecurityException] if the attack is blocked
+          #   raised with BLOCK_MESSAGE
           def infilter context, database, query_string
-            return nil unless infilter?(context)
+            return unless infilter?(context)
 
             result = find_attacker(context, query_string, database: database)
-            return nil unless result
+            return unless result
 
             append_to_activity(context, result)
 
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+            cef_logging(result, :successful_attack)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
 
-          def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
+          def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
             return result if mode == :NO_ACTION || mode == :PERMIT
 
-            attack_string = input_analysis_result.value
-            regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
-            return nil unless query_string.match?(regexp)
-
-            scanner = select_scanner
-            ss = StringScanner.new(query_string)
-            length = attack_string.length
-            while ss.scan_until(regexp)
-              # the pos of StringScanner is at the end of the regexp (input string),
-              # we need the beginning
-              idx = ss.pos - attack_string.length
-              last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
-              next unless last_boundary && boundary
-
-              kwargs[:start_idx] = idx
-              kwargs[:end_idx] = idx + length
-              kwargs[:boundary_overrun_idx] = boundary
-              kwargs[:input_boundary_idx] = last_boundary
-
-              result ||= build_attack_result(context)
-              update_successful_attack_response(context, input_analysis_result, result, query_string)
-              append_sample(context, input_analysis_result, result, query_string, **kwargs)
+            result ||= build_attack_result(context)
+            update_successful_attack_response(context, input_analysis_result, result, candidate_string)
+            append_sample(context, input_analysis_result, result, candidate_string, **kwargs)
+            result
+          end
+
+          # @param context [Contrast::Agent::RequestContext]
+          def infilter? context
+            return false unless enabled?
+            return false unless context&.agent_input_analysis&.results&.any? do |result|
+              result.rule_id == rule_name
             end
 
-            result
+            return false if protect_excluded_by_code?
+
+            true
           end
 
           protected
@@ -70,30 +82,12 @@ module Contrast
               begin
                 potential_attack_string = JSON.generate(potential_attack_string).to_s
               rescue JSON::GeneratorError
-                logger.debug("Error in JSON::generate from input #{ potential_attack_string }")
+                logger.trace('Error in JSON::generate', input: potential_attack_string)
+                nil
               end
             end
             super(context, potential_attack_string, **kwargs)
           end
-
-          def build_sample context, input_analysis_result, candidate_string, **kwargs
-            input = input_analysis_result.value
-
-            sample = build_base_sample(context, input_analysis_result)
-            sample.no_sqli = Contrast::Api::Dtm::NoSqlInjectionDetails.new
-            sample.no_sqli.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
-            sample.no_sqli.start_idx = sample.no_sqli.query.index(input).to_i
-            sample.no_sqli.boundary_overrun_idx = sample.no_sqli.start_idx + input.length
-            sample.no_sqli.input_boundary_idx = kwargs[:boundary].to_i
-            sample.no_sqli.input_boundary_idx = kwargs[:last_boundary].to_i
-            sample
-          end
-
-          private
-
-          def select_scanner
-            @_select_scanner ||= Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
-          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_input_classification.rb

@@ -0,0 +1,61 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/input_classification_base'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect Path Traversal rule
+        # Input classification
+        module PathTraversalInputClassification
+          PATH_TRAVERSAL_MATCH = 'path-traversal-input-tracing-v1'
+          WORTHWATCHING_MATCH = 'path-traversal-worth-watching-v2'
+
+          THRESHOLD = 90.cs__freeze
+          class << self
+            include InputClassificationBase
+
+            private
+
+            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+            # key if needed and Creates new isntance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def create_new_input_result request, rule_id, input_type, value
+              return unless Contrast::AGENT_LIB
+
+              input_eval = Contrast::AGENT_LIB.eval_input(value,
+                                                          convert_input_type(input_type),
+                                                          Contrast::AGENT_LIB.rule_set[rule_id],
+                                                          Contrast::AGENT_LIB.eval_option[:WORTHWATCHING])
+
+              ia_result = new_ia_result(rule_id, input_type, request.path, value)
+              score = input_eval&.score || 0
+              if score >= THRESHOLD
+                ia_result.score_level = DEFINITEATTACK
+                ia_result.ids << PATH_TRAVERSAL_MATCH
+              elsif score == 10
+                # There is one pattern to match 10 and thus on its own will be reported as a probe.
+                # This rule can report WORTHWATCHING:
+                # https://protect-spec.prod.dotnet.contsec.com/rules/path-traversal.html#applicable-input-types
+                ia_result.score_level = WORTHWATCHING
+                ia_result.ids << WORTHWATCHING_MATCH
+              else
+                ia_result.score_level = IGNORE
+              end
+              add_needed_key(request, ia_result, input_type, value)
+              ia_result
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass.rb

@@ -0,0 +1,114 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
+require 'contrast/agent/request_context'
+require 'contrast/utils/string_utils'
+require 'contrast/agent_lib/api/path_semantic_file_security_bypass'
+require 'contrast/agent_lib/interface'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect Path Traversal Semantic
+        # Bypass sub-rule. This rule should report the attack result
+        class PathTraversalSemanticBypass < Contrast::Agent::Protect::Rule::BaseService
+          NAME = 'path-traversal-semantic-file-security-bypass'
+          # There paths here will eventually be moved
+
+          def rule_name
+            NAME
+          end
+
+          def infilter context, method, path
+            return unless rule_violated?(path)
+
+            result = find_vulnerability(context, path)
+
+            return unless result
+
+            append_to_activity(context, result)
+            return unless blocked?
+
+            result_rule_name = Contrast::Utils::StringUtils.transform_string(result.rule_id)
+            cef_logging(result, :successful_attack, value: path)
+            exception_messasge = "#{ result_rule_name } rule triggered. Call to File.#{ method } blocked."
+            raise(Contrast::SecurityException.new(self, exception_messasge))
+          end
+
+          protected
+
+          # Check if semantic file security bypass is detected
+          #
+          # @param file_path [String] command to check.
+          # @param is_custom_code[String] whether the file is being accessed by custom (user) code,
+          #     rather than framework code
+          # @return result[Integer, nil] returns:
+          #     1 => security bypass is detected.
+          #     0 => no security bypass is detected.
+          def file_security_bypassed? file_path, is_custom_code = nil
+            return false unless (agent_lib = Contrast::AGENT_LIB) || file_path
+
+            custom_call = is_custom_code.nil? ? 0 : 1
+
+            agent_lib.check_path_semantic_security_bypass(file_path, custom_call) == 1
+          end
+
+          def rule_violated? path
+            is_custom_code = custom_code_accessing_system_file?(path)
+            is_custom_code || file_security_bypassed?(path, is_custom_code)
+          end
+
+          def find_vulnerability context, path
+            build_attack_with_match(context, nil, nil, path)
+          end
+
+          def build_sample context, _input_analysis_result, path, **_kwargs
+            sample = build_base_sample(context, nil)
+            sample.details = Contrast::Agent::Reporting::Details::PathTraversalSemanticAnalysisDetails.new
+            path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
+            sample.details.path = path
+
+            is_custom_code = custom_code_accessing_system_file?(path)
+            # This should catch all the types of security breaches in that sub-rule scope
+            # but apparently it's not, because some of the system files is being skipped and not detected,
+            # but for our previous logic - it was expected for certain files to be detected and blocked
+            security_bypassed = file_security_bypassed?(path, is_custom_code)
+
+            # if agent lib sub-rule returns true and is custom code -> assign and report
+            if security_bypassed
+              if is_custom_code
+                sample.details.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
+                sample.details.findings << :COMMON_FILE_EXPLOITS if common_file_exploits_enabled?
+              end
+              return sample
+            end
+
+            if is_custom_code
+              sample.details.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
+              return sample
+            end
+
+            nil
+          end
+
+          def custom_code_accessing_system_file? input
+            system_file?(input) && Contrast::Utils::StackTraceUtils.custom_code_context?
+          end
+
+          def system_file? path
+            return false unless path
+
+            Contrast::Agent::Protect::Rule::PathTraversal::SYSTEM_PATHS.any? { |sys_path| sys_path.include?(path) }
+          end
+
+          def common_file_exploits_enabled?
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -1,8 +1,14 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/utils/stack_trace_utils'
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/protect/rule/path_traversal/path_traversal_semantic_security_bypass'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/utils/stack_trace_utils'
+require 'contrast/agent/reporting/details/path_traversal_details'
+require 'contrast/agent/reporting/details/path_traversal_semantic_analysis_details'
+require 'contrast/utils/string_utils'
 
 module Contrast
   module Agent
@@ -11,10 +17,13 @@ module Contrast
         # This class handles our implementation of the Path Traversal
         # Protect rule.
         class PathTraversal < Contrast::Agent::Protect::Rule::BaseService
-          include Contrast::Components::Interface
-          access_component :logging, :agent
+          include Contrast::Agent::Reporting::InputType
 
           NAME = 'path-traversal'
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_NAME, COOKIE_VALUE, HEADER, PARAMETER_VALUE, PARAMETER_NAME,
+            JSON_VALUE, MULTIPART_VALUE, MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE, URI
+          ].cs__freeze
           SYSTEM_PATHS = %w[
             /proc/self
             etc/passwd
@@ -28,12 +37,21 @@ module Contrast
             /windows/repair/
           ].cs__freeze
 
-          KNOWN_SECURITY_BYPASS_MARKERS = ['::$DATA', '::$Index', '', '\x00'].cs__freeze
-
-          def name
+          def rule_name
             NAME
           end
 
+          # Array of sub_rules
+          #
+          # @return [Array]
+          def sub_rules
+            @_sub_rules ||= [Contrast::Agent::Protect::Rule::PathTraversalSemanticBypass.new].cs__freeze
+          end
+
+          def applicable_user_inputs
+            APPLICABLE_USER_INPUTS
+          end
+
           def infilter context, method, path
             return unless infilter?(context)
 
@@ -43,9 +61,10 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
 
-            raise Contrast::SecurityException.new(
-                self,
-                "Path Traversal rule triggered. Call to File.#{ method } blocked.")
+            result_rule_name = Contrast::Utils::StringUtils.transform_string(result.rule_id)
+            cef_logging(result, :successful_attack, value: path)
+            exception_messasge = "#{ result_rule_name } rule triggered. Call to File.#{ method } blocked."
+            raise(Contrast::SecurityException.new(self, exception_messasge))
           end
 
           protected
@@ -53,41 +72,50 @@ module Contrast
           def find_attacker context, path
             attack_result = nil
             attack_result = super(context, path) if infilter?(context)
-            attack_result = check_rep_features(context, path, attack_result)
-            attack_result
+            check_rep_features(context, path, attack_result)
           end
 
           # Build a subclass of the RaspRuleSample using the query string and the
           # evaluation
           def build_sample context, input_analysis_result, path, **_kwargs
             sample = build_base_sample(context, input_analysis_result)
-            sample.path_traversal = Contrast::Api::Dtm::PathTraversalDetails.new
+            sample.details = Contrast::Agent::Reporting::Details::PathTraversalDetails.new
             path ||= input_analysis_result.value
-            sample.path_traversal.path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
+            sample.details.path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
             sample
           end
 
+          # @param context [Contrast::Agent::RequestContext]
+          def infilter? context
+            return false unless enabled?
+            return false unless context&.agent_input_analysis&.results&.any? do |result|
+              # When a file is being accessed, the agent should see if any of its worth-watching inputs appear in
+              # the file path. If so, the input is considered a confirmed attack and should be reported or blocked.
+              # If the score level is ignore we don't need to report it.
+              result.rule_id == rule_name && result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
+            end
+
+            return false if protect_excluded_by_code?
+
+            true
+          end
+
           private
 
           # Build a subclass of the RaspRuleSample if the sample matches
-          # TODO: SPEED-? delete me when implemented in Speedracer.
-          #   this implementation duplicates logic that is moving to Speedracer
-          #   the reason it is still here is Speedracer doesn't yet have a method to correlate
-          #   and (update) attack results that are generated because the evaluation results
-          #   from REP, it can only forward the attack results are generated by the agent.
           def build_rep_sample context, path
             sample = build_base_sample(context, nil)
-            sample.path_traversal_semantic = Contrast::Api::Dtm::PathTraversalSemanticAnalysisDetails.new
+            sample.details = Contrast::Agent::Reporting::Details::PathTraversalSemanticAnalysisDetails.new
             path = Contrast::Utils::StringUtils.protobuf_safe_string(path)
-            sample.path_traversal_semantic.path = path
+            sample.details.path = path
 
             if custom_code_access_sysfile_enabled? && custom_code_accessing_system_file?(path)
-              sample.path_traversal_semantic.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
+              sample.details.findings << :CUSTOM_CODE_ACCESSING_SYSTEM_FILES
               return sample
             end
 
             if common_file_exploits_enabled? && contains_known_attack_signatures?(path)
-              sample.path_traversal_semantic.findings << :COMMON_FILE_EXPLOITS
+              sample.details.findings << :COMMON_FILE_EXPLOITS
               return sample
             end
 
@@ -104,7 +132,7 @@ module Contrast
           end
 
           def custom_code_access_sysfile_enabled?
-            AGENT.report_custom_code_sysfile_access?
+            ::Contrast::PROTECT.report_custom_code_sysfile_access?
           end
 
           def custom_code_accessing_system_file? input
@@ -121,6 +149,8 @@ module Contrast
             false
           end
 
+          # TODO: RUBY-318
+          # KNOWN_SECURITY_BYPASS_MARKERS = ['::$DATA', '::$Index', '', '\x00'].cs__freeze
           def contains_known_attack_signatures? input
             utf8 = Contrast::Utils::StringUtils.force_utf8(input)
             _ = CGI.unescape(utf8)
@@ -133,7 +163,8 @@ module Contrast
             #     return 'NUL' in str(e) or 'null byte' in str(e) or (PY34 and 'embedded NUL character' == str(e))
             #   except Exception as e:
             #     return 'null byte' in str(e).lower()
-            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
+            #   return return any([bypass_markers.lower().rstrip('/') in realpath for bypass_markers in
+            #   PathTraversalREPMixin.KNOWN_SECURITY_BYPASS_MARKERS])
             false
           end
         end

data/lib/contrast/agent/protect/rule/sql_sample_builder.rb

@@ -0,0 +1,155 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/base'
+require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/reporting/details/sqli_details'
+require 'contrast/agent/reporting/details/no_sqli_details'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        module SqlSampleBuilder
+          # Generate a sample for the SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          #
+          # @param context [Contrast::Agent::RequestContext] the context for the current request
+          # @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
+          #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+          # @candidate_string [String] the value of the input which may be an attack
+          # @kwargs [Hash] key - value pairs of context individual rules need to build out details
+          #   to send to TeamServer to tell the story of the attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample] the sample from this attack
+          module SqliSample
+            def build_sample context, input_analysis_result, candidate_string, **kwargs
+              sqli_sample = build_base_sample(context, input_analysis_result)
+              sqli_sample.details = Contrast::Agent::Reporting::Details::SqliDetails.new
+              sqli_sample.details.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              sqli_sample.details.start_idx = kwargs[:start_idx]
+              sqli_sample.details.end_idx = kwargs[:end_idx]
+              sqli_sample.details.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              sqli_sample.details.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              sqli_sample
+            end
+          end
+
+          # Generate a sample for the No-SQL injection detection rule, allowing for reporting to and rendering
+          # by TeamServer
+          #
+          # @param context [Contrast::Agent::RequestContext] the context for the current request
+          # @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
+          #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+          # @candidate_string [String] the value of the input which may be an attack
+          # @kwargs [Hash] key - value pairs of context individual rules need to build out details
+          #   to send to TeamServer to tell the story of the attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample] the sample from this attack
+          module NoSqliSample
+            def build_sample context, input_analysis_result, candidate_string, **kwargs
+              no_sqli_sample = build_base_sample(context, input_analysis_result)
+              no_sqli_sample.details = Contrast::Agent::Reporting::Details::NoSqliDetails.new
+              no_sqli_sample.details.query = Contrast::Utils::StringUtils.protobuf_safe_string(candidate_string)
+              no_sqli_sample.details.start_idx = kwargs[:start_idx].to_i
+              no_sqli_sample.details.end_idx = kwargs[:end_idx].to_i
+              no_sqli_sample.details.boundary_overrun_idx = kwargs[:boundary_overrun_idx].to_i
+              no_sqli_sample.details.input_boundary_idx = kwargs[:input_boundary_idx].to_i
+              no_sqli_sample
+            end
+          end
+
+          # This Module is how we apply the attack fo NoSQL and SQL Injection rule.
+          # It includes methods for building attack with match and database scanners
+          module AttackBuilder
+            # Set up an attack result and assigns Database scanner for the No-SQL and SQLI injection detection rules
+            #
+            # @param context [Contrast::Agent::RequestContext] the context for the current request
+            # @param input_analysis_result [Contrast::Agent::Reporting, nil] previous attack result for this rule,
+            #   if one exists, in the case of multiple inputs being found to violate the protection criteria
+            # @param result [Contrast::Agent::Reporting, nil] previous attack result for this rule, if one exists,
+            #   in the case of multiple inputs being found to violate the protection criteria
+            # @param query_string [String] the value of the input which may be an attack
+            # @param kwargs [Hash] key - value pairs of context individual rules need to build out details to send
+            #   to TeamServer to tell the story of the attack
+            # @return [Contrast::Agent::Reporting] the result from this attack
+            def build_attack_with_match context, input_analysis_result, result, query_string, **kwargs
+              return result if mode == :NO_ACTION || mode == :PERMIT
+
+              attack_string = input_analysis_result.value
+              regexp = Regexp.new(Regexp.escape(attack_string), Regexp::IGNORECASE)
+              # extract struct result from kwargs
+              agent_lib_struct_result = kwargs[:result_struct]
+              return unless query_string.match?(regexp)
+
+              database = kwargs[:database]
+              scanner = select_scanner(database)
+              ss = StringScanner.new(query_string)
+              length = attack_string.length
+              while ss.scan_until(regexp)
+                # the pos of StringScanner is at the end of the regexp (input string), we need the beginning
+                idx = ss.pos - attack_string.length
+                last_boundary, boundary = scanner.crosses_boundary(query_string, idx, input_analysis_result.value)
+                next unless last_boundary && boundary
+
+                result ||= build_attack_result(context)
+
+                # if the struct actually has the needed data in it - use it
+                if agent_lib_struct_result.cs__is_a?(Hash)
+                  record_agent_lib_match(agent_lib_struct_result, length, kwargs)
+                else
+                  record_match(idx, length, boundary, last_boundary, kwargs)
+                end
+
+                append_match(context, input_analysis_result, result, query_string, **kwargs)
+              end
+
+              result
+            end
+
+            def select_scanner database
+              @scanners ||= {
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_MYSQL =>
+                  Contrast::Agent::Protect::Rule::Sqli::MysqlSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_PG =>
+                  Contrast::Agent::Protect::Rule::Sqli::PostgresSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesSqliRule::DATABASE_SQLITE =>
+                  Contrast::Agent::Protect::Rule::Sqli::SqliteSqlScanner.new,
+                  Contrast::Agent::Protect::Policy::AppliesNoSqliRule::DATABASE_NOSQL =>
+                  Contrast::Agent::Protect::Rule::NoSqli::MongoNoSqlScanner.new
+              }.cs__freeze
+
+              @default_scanner ||= Contrast::Agent::Protect::Rule::Sqli::DefaultSqlScanner.new
+              @scanners[database.to_s] || @default_scanner
+            end
+
+            def record_match idx, length, boundary, last_boundary, kwargs
+              kwargs[:start_idx] = idx
+              kwargs[:end_idx] = idx + length
+              kwargs[:boundary_overrun_idx] = boundary
+              kwargs[:input_boundary_idx] = last_boundary
+            end
+
+            # all the agent_lib checks methods needed
+
+            # @param struct[ResultingStruct] The struct including all the data from the agent_lib scan
+            def record_agent_lib_match struct, length, kwargs
+              kwargs[:start_idx] = struct[:start_index]
+              kwargs[:end_idx] = if (struct[:end_index]).zero?
+                                   struct[:start_index] + length
+                                 else
+                                   struct[:end_index]
+                                 end
+              kwargs[:boundary_overrun_idx] = struct[:boundary_overrun_index]
+              kwargs[:input_boundary_idx] = struct[:input_boundary_index]
+            end
+
+            def append_match context, input_analysis_result, result, query_string, **kwargs
+              input_analysis_result.attack_count = input_analysis_result.attack_count + 1
+              update_successful_attack_response(context, input_analysis_result, result, query_string)
+              append_sample(context, input_analysis_result, result, query_string, **kwargs)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/sqli/default_sql_scanner.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast

data/lib/contrast/agent/protect/rule/sqli/mysql_sql_scanner.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 # This class is the concrete implementation of the DefaultSqlScanner designed

data/lib/contrast/agent/protect/rule/sqli/postgres_sql_scanner.rb

@@ -1,7 +1,7 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
 module Contrast