contrast-agent 3.9.1 → 6.15.3

data/lib/contrast/agent/protect/rule/base.rb

@@ -1,7 +1,13 @@
-# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 
-cs__scoped_require 'contrast/components/interface'
+require 'contrast/components/logger'
+require 'contrast/components/scope'
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/attack_result/response_type'
+require 'contrast/agent/reporting/attack_result/attack_result'
+require 'contrast/agent/protect/rule/utils/builders'
+require 'contrast/agent/protect/rule/utils/filters'
 
 module Contrast
   module Agent
@@ -10,159 +16,191 @@ module Contrast
         # This is a basic rule for Protect. It's the abstract class which all other
         # protect rules extend in order to function.
         #
-        # @abstract Subclass and override {#prefilter}, {#infilter}, {#find_attacker}, {#postfilter} and {#build_details} to implement
+        # @abstract Subclass and override {#prefilter}, {#infilter}, {#find_attacker}, {#postfilter} to implement
         class Base
-          include Contrast::Components::Interface
-
-          access_component :logging, :analysis, :settings, :scope
-
-          UNKNOWN_USER_INPUT = Contrast::Api::Dtm::UserInput.new.tap do |user_input|
-            user_input.input_type = :UNKNOWN
-          end.cs__freeze
+          include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Components::Scope::InstanceMethods
+          include Contrast::Agent::Protect::Rule::Builders
+          include Contrast::Agent::Protect::Rule::Filters
 
+          RULE_NAME = 'base-rule'
           BLOCKING_MODES = Set.new(%i[BLOCK BLOCK_AT_PERIMETER]).cs__freeze
-          PREFILTER_MODES = Set.new(%i[BLOCK_AT_PERIMETER]).cs__freeze
-          POSTFILTER_MODES = Set.new(%i[BLOCK PERMIT MONITOR]).cs__freeze
-          STACK_COLLECTION_RESULTS = Set.new(%i[BLOCKED MONITORED]).cs__freeze
-
+          STACK_COLLECTION_RESULTS = Set.new([
+                                               Contrast::Agent::Reporting::ResponseType::BLOCKED,
+                                               Contrast::Agent::Reporting::ResponseType::MONITORED
+                                             ]).cs__freeze
+          SUSPICIOUS_REPORTING_RULES = %w[
+            unsafe-file-upload
+            reflected-xss
+            cmd-injection-semantic-dangerous-paths
+            cmd-injection-semantic-chained-commands
+            path-traversal-semantic-file-security-bypass
+            sql-injection-semantic-dangerous-functions
+          ].cs__freeze
+
+          # @return [Symbol]
           attr_reader :mode
 
-          def initialize default_mode = :NO_ACTION
-            SETTINGS.protect_rules[name] = self
-            @mode = mode_from_settings || default_mode
+          # Initializes new rule and sets it mode from settings
+          #
+          # @return mode [Symbol]
+          def initialize
+            ::Contrast::PROTECT.defend_rules[rule_name] = self
+            @mode = mode_from_settings
+          end
+
+          # Message to display when the rule is triggered.
+          #
+          # @return [String]
+          def block_message
+            "Contrast Security Protect #{ rule_name } Triggered. Response blocked."
           end
 
           # Should return the name as it is known to Teamserver; defaults to class
-          def name
-            cs__class.name
+          #
+          # @return [String]
+          def rule_name
+            RULE_NAME
+          end
+
+          # Should return list of all sub_rules.
+          # Extend for each main rule any sub-rules.
+          #
+          # @return [Array]
+          def sub_rules
+            Contrast::Utils::ObjectShare::EMPTY_ARRAY
           end
 
-          OFF = 'off'
+          # The classification module used for each specific rule to
+          # classify input data and score it. Extend for each rule.
+          #
+          # @return [Module]
+          def classification; end
+
+          # Generic method forwarder, shorthand for classification:
+          # Input Classification stage is done to determine if an user input is DEFINITEATTACK or to be ignored.
+          #
+          # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          # @param value [Hash<String>] the value of the input.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+          #                                                       agent analysis from the current
+          #                                                       Request.
+          # @return ia [Contrast::Agent::Reporting::InputAnalysis, nil] with updated results.
+          def classify input_type, value, input_analysis
+            classification.classify(rule_name, input_type, value, input_analysis)
+          end
 
+          # Check if rule is enabled.
+          #
+          # @return [Boolean]
           def enabled?
             # 1. it is not enabled because protect is not enabled
-            return false unless PROTECT.enabled?
-
-            rule_configs = Contrast::Agent::FeatureState.instance.protect_rule_config
-            unless rule_configs.nil?
-              # 2. it is not enabled because it is in the list of disabled protect rules
-              disabled_rules = rule_configs.disabled_rules
-              return false if disabled_rules&.include?(name)
+            return false unless ::Contrast::AGENT.enabled?
+            return false unless ::Contrast::PROTECT.enabled?
 
-              # 3. it is not enabled because it has been turned "off" explicitly
-              rule_config = rule_configs.send(name)
+            # 2. it is not enabled because it is in the list of disabled protect rules
+            return false if ::Contrast::PROTECT.rule_config&.disabled_rules&.include?(rule_name)
 
-              return rule_config.mode != OFF unless rule_config.mode.nil?
-            end
-
-            # 4. it is not enabled because it's mode is :NO_ACTION
+            # 3. it is enabled so long as its mode is not NO_ACTION
             @mode != :NO_ACTION
           end
 
-          # this rule is excluded if any of the given exclusions have a protection rule that matches this rule name
+          # Check if the rule is excluded by checking inside array of exclusions
+          #
+          # @param exclusions [Array<Contrast::Agent::Reporting::Settings::ExclusionBase>]
           def excluded? exclusions
             Array(exclusions).any? do |ex|
-              ex.protection_rule?(name)
+              ex.protection_rule?(rule_name)
             end
           end
 
-          def infilter? _context
-            false
-          end
-
-          # return false for rules that modify or inspect the response body
+          # Return false for rules that modify or inspect the response body
           # during postfilter
           #
-          # @return [Boolean] if the rule can safely be evaluated in streaming
-          #   requests
+          # @return [Boolean] if the rule can safely be evaluated in streaming requests
           def stream_safe?
             true
           end
 
-          # Actions required for the rules that have to happen before the
-          # application has completed its processing of the request.
-          #
-          # For most rules, these actions are performed within the analysis
-          # engine and communicated as an input analysis result. Those that
-          # require specific action need to provide that action.
-          #
-          # @param _context [Contrast::Agent::RequestContext] the context for
-          #   the current request
-          def prefilter _context; end
-
-          # This should only ever be called directly from patched code and will
-          # have a different implementation based on the rule. As such, there
-          # is not parent implementation.
-          #
-          # @param _context [Contrast::Agent::RequestContext] the context for
-          #   the current request
-          # @param _match_string [String] the input that violated the rule and
-          #   matched the attack detection logic
-          # @param _kwargs [Hash] key-value pairs used by the rule to build a
-          #   report.
-          def infilter _context, _match_string, **_kwargs; end
-
-          # Actions required for the rules that have to happen after the
-          # application has completed its processing of the request.
+          # Attach the given result to the current request's context to report
+          # it to TeamServer
           #
-          # Any implementation here needs to account for the fact that
-          # responses may be streaming and, as such, transformations of the
-          # response itself may not be permissible.
-          #
-          # @param _context [Contrast::Agent::RequestContext] the context for
-          #    the current request
-          def postfilter _context; end
-
-          def build_attack_with_match context, ia_result, result, candidate_string, **kwargs
-            result ||= build_attack_result(context)
-            update_successful_attack_response(context, ia_result, result, candidate_string)
-            append_sample(context, ia_result, result, candidate_string, **kwargs)
-
-            result
-          end
-
-          def build_attack_without_match context, ia_result, result, **kwargs
-            result ||= build_attack_result(context)
-            update_perimeter_attack_response(context, ia_result, result)
-            append_sample(context, ia_result, result, nil, **kwargs)
-
-            result
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          # @param result [Contrast::Agent::Reporting::AttackResult]
+          def append_to_activity context, result
+            context.activity.attach_defend(result) if result
           end
 
-          def append_to_activity context, result
-            context.activity.results << result if result
+          # With this we log to CEF
+          #
+          # @param result [Contrast::Agent::Reporting::AttackResult]
+          # @param attack [Symbol] the type of message we want to send
+          # @param value [String] the input value we want to log
+          def cef_logging result, attack = :ineffective_attack, value: nil
+            sample = result.samples[0]
+            outcome = result.response.to_s
+            input_type = sample.user_input.input_type.to_s
+            input_value = sample.user_input.value || value
+            cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
           end
 
           protected
 
-          def build_details _input_string, _ia_result
-            raise Contrast::InternalException, "Rule #{ name } did not implement build_details"
-          end
-
+          # Assign the mode from active settings.
+          #
+          # @return mode [Symbol]
           def mode_from_settings
-            SETTINGS.protect_rule_mode(name).tap do |mode|
-              logger.debug("rule #{ name } mode = #{ mode }")
+            ::Contrast::PROTECT.rule_mode(rule_name).tap do |mode|
+              logger.trace('Retrieving rule mode', rule: rule_name, mode: mode)
             end
           end
 
+          # Rule blocked check
+          #
+          # @return [Boolean]
           def blocked?
             enabled? && BLOCKING_MODES.include?(mode)
           end
 
-          # Determine if there's an exclusion that matches an item in the call
-          # stack
+          # Check if the protect rules is excluded by url from the exclusion rules for this application.
           #
-          # @return [Boolean] if an exclusion was applicable to this request
-          #   for this rule
-          def protect_excluded_by_code?
-            exclusions = Contrast::Agent::FeatureState.instance.code_exclusions
-            return false unless exclusions
+          # @param rule_id [String]
+          # @param request_path [String] Current request path
+          def protect_excluded_by_url? rule_id, request_path
+            Contrast::SETTINGS.excluder.protect_excluded_by_url?(rule_id, request_path)
+          end
 
-            for_rule = exclusions.select { |ex| ex.protection_rule?(name) }
-            return false if for_rule.empty?
+          # Check if the protect rules is excluded by input from the exclusion rules for this application.
+          #
+          # @param results [Array<Contrast::Agent::Reporting::InputAnalysis>]
+          # @param request_path [String] Current request path
+          def protect_excluded_by_input? results, request_path
+            Contrast::SETTINGS.excluder.protect_excluded_by_input?(results, request_path)
+          end
 
-            stack = caller_locations
-            for_rule.any? { |ex| ex.match_code?(stack) }
+          # Allows for the InputAnalysis from Agent Library to be extracted early
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @param ia_results [Array<Contrast::Agent::Reporting::InputAnalysis>]
+          # @param **kwargs
+          # @return [Contrast::Agent::Reporting, nil]
+          def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
+
+            result = nil
+            ia_results.each do |ia_result|
+              if potential_attack_string
+                idx = potential_attack_string.index(ia_result.value)
+                next unless idx
+
+                result = build_attack_with_match(context, ia_result, result, potential_attack_string, **kwargs)
+              else
+                result = build_attack_without_match(context, ia_result, result, **kwargs)
+              end
+            end
+            result
           end
 
           # By default, rules do not have to find attackers as they do not have
@@ -170,21 +208,38 @@ module Contrast
           # at execution time. As such, those rules are expected to implement
           # this custom behavior
           #
-          # @param _context [Contrast::Agent::RequestContext] the context for
+          # @param context [Contrast::Agent::RequestContext] the context for
           #   the current request
-          # @param _potential_attack_string [String] the input that may violate
+          # @param potential_attack_string [String] the input that may violate
           #   the rule and matched the attack detection logic
-          # @param _kwargs [Hash] key-value pairs used by the rule to build a
+          # @param **kwargs [Hash] key-value pairs used by the rule to build a
           #   report.
-          def find_attacker _context, _potential_attack_string, **_kwargs
-            raise Contrast::InternalException, "Rule #{ name } did not implement find_attack"
+          def find_attacker context, potential_attack_string, **kwargs
+            ia_results = gather_ia_results(context)
+            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end
 
+          # Update the message's response type to be send to TS, depending on
+          # the attack results, and rule policy. The match with rules is also
+          # logged, and if an attack counter of the ia_result is increased.
+          #
+          # @param context [Contrast::Agent::RequestContext] the context for
+          #   the current request
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis]
+          # @param result [Contrast::Agent::Reporting::AttackResult]
+          # @param attack_string [String] Potential attack vector
+          # @return [Contrast::Agent::Reporting::AttackResult]
           def update_successful_attack_response context, ia_result, result, attack_string = nil
-            if mode == :MONITOR
-              result.response = :MONITORED
-            elsif mode == :BLOCK
-              result.response = :BLOCKED
+            case mode
+            when :MONITOR
+              # We are checking the result as the ia_result would not contain the sub-rules.
+              result.response = if SUSPICIOUS_REPORTING_RULES.include?(result&.rule_id)
+                                  Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
+                                else
+                                  Contrast::Agent::Reporting::ResponseType::MONITORED
+                                end
+            when :BLOCK
+              result.response = Contrast::Agent::Reporting::ResponseType::BLOCKED
             end
 
             ia_result.attack_count = ia_result.attack_count + 1 if ia_result
@@ -193,105 +248,151 @@ module Contrast
             result
           end
 
+          # Update the response type for perimeter rules ( BAP ).
+          #
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the
+          #   analysis of the input that was determined to be an attack
+          # @param result [Contrast::Agent::Reporting::AttackResult] previous
+          #   attack result for this rule, if one exists, in the case of
+          #   multiple inputs being found to violate the protection criteria
+          # @return [Contrast::Agent::Reporting::AttackResult]
           def update_perimeter_attack_response context, ia_result, result
             if mode == :BLOCK_AT_PERIMETER
-              result.response = :BLOCKED_AT_PERIMETER
+              result.response = if blocked_rule?(ia_result)
+                                  Contrast::Agent::Reporting::ResponseType::BLOCKED
+                                else
+                                  Contrast::Agent::Reporting::ResponseType::BLOCKED_AT_PERIMETER
+                                end
               log_rule_matched(context, ia_result, result.response)
             elsif ia_result.nil? || ia_result.attack_count.zero?
-              result.response = :PROBED
+              result.response = assign_reporter_response_type(ia_result)
               log_rule_probed(context, ia_result)
             end
 
             result
           end
 
-          def build_attack_result _context
-            result = Contrast::Api::Dtm::AttackResult.new
-            result.rule_id = name
-            result
-          end
-
+          # Builds a caller's stack and appends it to a passed Rasp rule sample.
+          #
+          # @param sample [Contrast::Agent::Reporting::RaspRuleSample]
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous attack result for this rule, if one
+          #   exists, in the case of multiple inputs being found to violate the protection criteria
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
           def append_stack sample, result
             return unless sample
             return unless STACK_COLLECTION_RESULTS.include?(result&.response)
 
-            stack = Contrast::Utils::StackTraceUtils.build(ignore: true, class_lookup: true, depth: 50)
+            stack = Contrast::Utils::StackTraceUtils.build_protect_report_stack_array
             return unless stack
 
-            sample.stack_trace_elements += stack
+            sample.stack.concat(stack)
           end
 
+          # Appends an attack sample to existing attack results.
+          #
+          # @param context [Contrast::Agent::RequestContext] the context of the request in which this input is
+          #   evaluated.
+          # @param ia_result [Contrast::Agent::Reporting::Settings::InputAnalysisResult] the analysis of the input that
+          #   was determined to be an attack
+          # @param result [Contrast::Agent::Reporting::AttackResult, nil] previous attack result for this rule, if one
+          #   exists, in the case of multiple inputs being found to violate the protection criteria
+          # @param candidate_string [String] the value of the input which may be an attack
+          # @param kwargs [Hash] key - value pairs of context individual rules
+          #   need to build out details to send to TeamServer to tell the
+          #   story of the attack
           def append_sample context, ia_result, result, candidate_string, **kwargs
-            return nil unless result
+            return unless result
 
             sample = build_sample(context, ia_result, candidate_string, **kwargs)
-            return nil unless sample
+            return unless sample
 
             append_stack(sample, result)
 
             result.samples << sample
           end
 
-          # Override if rule can make use of the candidate string or kwargs to
-          # build rasp rule sample.
-          def build_sample context, ia_result, _candidate_string, **_kwargs
-            build_base_sample(context, ia_result)
+          # Logs if a rule have matched an attack vector and it's being triggered.
+          #
+          def log_rule_matched _context, ia_result, response, _matched_string = nil
+            logger.debug('A successful attack was detected',
+                         rule: rule_name,
+                         type: ia_result&.input_type || '',
+                         name: ia_result&.key || '',
+                         input: ia_result&.value || '',
+                         result: response)
           end
 
-          def build_user_input ia_result
-            return UNKNOWN_USER_INPUT unless ia_result
-
-            input = Contrast::Api::Dtm::UserInput.new
-            input.input_type = ia_result.input_type.to_sym
-            input.matcher_ids = ia_result.ids
-            input.path = ia_result.path.to_s
-            input.key = ia_result.key.to_s
-            input.value = ia_result.value.to_s
-            input
-          end
+          # This method will check against the current context IA and find any results that match
+          # the rule id.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Array<Contrast::Agent::Reporting::InputAnalysis>]
+          def gather_ia_results context
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless context&.agent_input_analysis&.results
 
-          def build_base_sample context, ia_result
-            sample = Contrast::Api::Dtm::RaspRuleSample.new
-            sample.timestamp_ms = context.timer.start_ms
-            sample.user_input = build_user_input(ia_result)
-            sample.user_input.document_type = context.request.dtm.document_type unless sample.user_input.cs__frozen?
-            sample
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name && ia_result.score_level != Contrast::Agent::Reporting::ScoreLevel::IGNORE
+            end
           end
 
-          def log_rule_matched _context, ia_result, response, _matched_string = nil
-            return unless ia_result
-
-            # Log to agent logger
-            message = if ia_result
-                        log_msg(ia_result, true)
-                      else
-                        "An effective attack was detected against #{ name }."
-                      end
+          # Check to if result is blocked. Used for raise check.
+          #
+          # @param result [Contrast::Agent::Reporting::AttackResult]
+          def blocked_violation? result
+            return false unless result
 
-            logger.debug([response, message].join)
+            result.response == Contrast::Agent::Reporting::ResponseType::BLOCKED
           end
 
           private
 
+          # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
+          # and should be treated equivalent to Blocked mode if set
+          def blocked_rule? ia_result
+            [
+              Contrast::Agent::Protect::Rule::Sqli::NAME,
+              Contrast::Agent::Protect::Rule::NoSqli::NAME
+            ].include?(ia_result&.rule_id)
+          end
+
           def log_rule_probed _context, ia_result
-            message = if ia_result
-                        log_msg(ia_result, false)
-                      else
-                        "An unsuccessful attack was detected against #{ name }"
-                      end
+            logger.debug('An unsuccessful attack was detected', rule: rule_name, type: ia_result&.input_type,
+                                                                name: ia_result&.key, input: ia_result&.value)
+          end
 
-            logger.debug(message)
+          # Some rules are reported as suspicious, rather than exploited or probed, b/c they don't actually follow
+          # input tracing or other detection types that provide enough confidnece for a determination.
+          #
+          # @param ia_result
+          # @return [Boolean]
+          def suspicious_rule? ia_result
+            SUSPICIOUS_REPORTING_RULES.include?(ia_result&.rule_id)
           end
 
-          def log_msg ia_result, matched
-            key = ia_result.key ? ia_result.key.to_s + ' ' : ''
-            val = ia_result.value.to_s
-            typ = ia_result.input_type.to_s
-            if matched
-              "The #{ typ } #{ key } had a value that successfully exploited #{ name } - #{ val }."
+          # Handles the Response type for different Protect rules. Some rules need to report SUSPICIOUS over PROBED in
+          # MONITORED mode.
+          #
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis] the analysis of the input that was
+          #   determined to be an attack
+          def assign_reporter_response_type ia_result
+            if suspicious_rule?(ia_result)
+              Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
             else
-              "The #{ typ } #{ key } had a value that matched a signature for, but did not successfully exploit, #{ name } - #{ val }."
+              Contrast::Agent::Reporting::ResponseType::PROBED
+            end
+          end
+
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @return [Contrast::Agent::Reporting, nil]
+          def find_postfilter_attacker context, potential_attack_string, **kwargs
+            ia_results = gather_ia_results(context)
+            ia_results.select! do |ia_result|
+              ia_result.score_level == Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
             end
+            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end
         end
       end

data/lib/contrast/agent/protect/rule/bot_blocker/bot_blocker.rb

@@ -0,0 +1,89 @@
+# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/base'
+require 'contrast/components/logger'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent_lib/interface'
+require 'contrast/agent/protect/rule/bot_blocker/bot_blocker_input_classification'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect BotBlocker rule.
+        class BotBlocker < Contrast::Agent::Protect::Rule::Base
+          include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Agent::Reporting::InputType
+
+          NAME = 'bot-blocker'
+          APPLICABLE_USER_INPUTS = [HEADER].cs__freeze
+
+          def rule_name
+            NAME
+          end
+
+          def applicable_user_inputs
+            APPLICABLE_USER_INPUTS
+          end
+
+          # Bot blocker input classification
+          #
+          # @return [module<Contrast::Agent::Protect::Rule::BotBlockerInputClassification>]
+          def classification
+            @_classification ||= Contrast::Agent::Protect::Rule::BotBlockerInputClassification.cs__freeze
+          end
+
+          # BotBlocker prefilter:
+          #
+          # @param context [Contrast::Agent::RequestContext] current request contest
+          # @raise [Contrast::SecurityException] if the rule mode ise set
+          # to BLOCK and valid bot is detected.
+          def prefilter context
+            return unless prefilter?(context)
+            # We expect only one result per request since the user-agent Header is one.
+            # And the IA analysis explicitly searches for the key match before starting
+            # the analysis.
+            return unless (ia_result = gather_ia_results(context)[0]) &&
+                ia_result.score_level == Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
+
+            result = build_attack_without_match(context, ia_result, nil)
+            append_to_activity(context, result) if result
+            cef_logging(result, :successful_attack) if result
+            return unless blocked?
+
+            # Raise BotBlocker error
+            exception_message = "#{ rule_name } rule triggered. Unsafe Bot blocked."
+            raise(Contrast::SecurityException.new(self, exception_message))
+          end
+
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Array<Contrast::Agent::Reporting::InputAnalysis>]
+          def gather_ia_results context
+            return Contrast::Utils::ObjectShare::EMPTY_ARRAY unless context&.agent_input_analysis&.results
+
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name
+            end
+          end
+
+          # Adding bot blocker details
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysisResult]
+          # @param _candidate_string
+          # @param **_kwargs
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
+          def build_sample context, ia_result, _candidate_string, **_kwargs
+            sample = build_base_sample(context, ia_result)
+            sample.details = Contrast::Agent::Reporting::BotBlockerDetails.new
+            sample.details.bot = ia_result.value
+            sample.details.user_agent = context&.request&.user_agent
+            sample
+          end
+        end
+      end
+    end
+  end
+end