RubyGems - contrast-agent - Versions diffs - 4.13.1 → 5.1.0 - Mend

contrast-agent 4.13.1 → 5.1.0

Files changed (399) hide show

data/lib/contrast/agent/reporting/settings/server_features.rb ADDED Viewed

@@ -0,0 +1,78 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/settings/assess_server_feature'
+require 'contrast/agent/reporting/settings/protect_server_feature'
+module Contrast
+  module Agent
+    module Reporting
+      # This module will hold all the settings from the TS responce
+      module Settings
+        # All of the settings from TeamServer that apply at the server level.
+        # At least one, but not necessarily all, setting will differ from the agent's current set.
+        # agents are able to replace all server settings with those in this message.
+        class ServerFeatures
+          # The level at which the agent should log. Overridden by agent.logger.level
+          # if set in a local configuration
+          #
+          # @return log_level [String] [ ERROR, WARN, INFO, DEBUG, TRACE ]
+          def log_level
+            @_log_level ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+          # set the log level
+          #
+          # @param log_level [String]
+          # @return log_level [String] [ ERROR, WARN, INFO, DEBUG, TRACE ]
+          def log_level= log_level
+            @_log_level = log_level if log_level.is_a? String
+          end
+          # Where to log the agent's log file, if set by the user. Overridden by agent.logger.path
+          # if set in a local configuration.
+          #
+          # @return log_file [String] path
+          def log_file
+            @_log_file ||= Contrast::Utils::ObjectShare::EMPTY_STRING
+          end
+          # Set the log file
+          #
+          # @param log_file [String] path
+          # @return log_file [String] path
+          def log_file= log_file
+            @_log_file = log_file if log_file.is_a? String
+          end
+          # Controls for the reporting of telemetry events from the agent to TeamServer.
+          # This is NOT for the agent telemetry feature collecting metrics sent to other services.
+          #
+          # @return telemetry [Boolean]
+          def telemetry
+            @_telemetry
+          end
+          # sets the telemetry value
+          #
+          # @param telemetry [Boolean]
+          # @return telemetry [Boolean]
+          def telemetry= telemetry
+            @_telemetry = telemetry if !!telemetry == telemetry
+          end
+          # @return assess [Contrast::Agent::Reporting::Settings::AssessServerFeature]
+          def assess
+            @_assess ||= Contrast::Agent::Reporting::Settings::AssessServerFeature.new
+          end
+          # @return protect [Contrast::Agent::Reporting::Settings::ProtectServerFeature]
+          def protect
+            @_protect ||= Contrast::Agent::Reporting::Settings::ProtectServerFeature.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/request.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'resolv'
@@ -9,6 +9,7 @@ require 'contrast/utils/string_utils'
 require 'contrast/utils/hash_digest'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/utils/request_utils'
 module Contrast
   module Agent
@@ -16,7 +17,14 @@ module Contrast
     # provides access to the original Rack::Request object as well as extracts
     # data in a format that the Agent expects, caching those transformations in
     # order to avoid repeatedly creating Strings & thrashing GC.
+    #
+    # @attr_reader rack_request [Rack::Request] The passed to the Agent RackRequest to be wrapped.
+    # @attr_accessor route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
+    # @attr_accessor observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage of this request
+    # @attr_accessor new_observed_route [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of
+    # this request
     class Request
+      include Contrast::Utils::RequestUtils
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
@@ -28,16 +36,31 @@ module Contrast
       LAST_NUMBER_MARKER = '/{n}'
       attr_reader :rack_request
-      attr_accessor :route, :observed_route
+      attr_accessor :route, :observed_route, :new_observed_route
       # Delegate calls to the following methods to the attribute @rack_request
       def_delegators :@rack_request, :base_url, :content_type, :cookies, :env, :ip, :path, :port, :query_string,
                      :request_method, :scheme, :url, :user_agent
+      # Initialize new Contrast Request
+      #
+      # @param rack_request [Rack::Request] The passed to the Agent RackRequest to be wrapped.
       def initialize rack_request
         @rack_request = rack_request
       end
+      # The HTTP version of this request
+      # @return [String]
+      def version
+        env = rack_request.env
+        return '1.1' unless env
+        version = env['HTTP_VERSION']
+        return '1.1' unless version
+        version.split('/')[-1]
+      end
       # Returns a normalized form of the URI. In "normal" URIs
       # this will return an unchanged String, but in REST-y
       # URIs this will normalize the digit path tokens, e.g.:
@@ -47,9 +70,11 @@ module Contrast
       # /accounts/{n}/view
       #
       # Should also handle the ;jsessionid.
+      #
+      # @return uri [String]
       def normalized_uri
         @_normalized_uri ||= begin
-          path = rack_request.path
+          path = rack_request.path_info
           uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
           uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
           uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens
@@ -57,6 +82,9 @@ module Contrast
         end
       end
+      # Returns the request file type
+      #
+      # @return type [Symbol<:XML, :JSON, :NORMAL>]
       def document_type
         @_document_type ||= if /xml/i.match?(content_type) || body&.start_with?('<?xml')
                               :XML
@@ -68,6 +96,8 @@ module Contrast
       end
       # Header keys upcased and any underscores replaced with dashes
+      #
+      # @return headers [Hash]
       def headers
         @_headers ||= with_contrast_scope do
           hash = {}
@@ -83,6 +113,10 @@ module Contrast
         end
       end
+      # Try and read the body and return memorized object of the body.
+      # If body contains file, do not parse it, otherwiseBody might be nil
+      #
+      # @return @_body [String, nil] The body of the Rack::Request
       def body
         # Memoize a flag indicating whether we've tried to read the body or not
         # (can't use body because it might be nil)
@@ -119,10 +153,16 @@ module Contrast
         @_dtm ||= Contrast::Api::Dtm::HttpRequest.build(self)
       end
+      # flattened hash of request params
+      #
+      # @return parameters [Hash]
       def parameters
         @_parameters ||= with_contrast_scope { normalize_params(rack_request.params) }
       end
+      # returns multipart filenames
+      #
+      # @return file_names [Hash]
       def file_names
         @_file_names ||= begin
           names = {}
@@ -134,6 +174,9 @@ module Contrast
         end
       end
+      # returns or fenerates the hash checksum for the request
+      #
+      # @return @_hash_id [String] Contrast::Utils::HashDigest generated string checksum
       def hash_id
         @_hash_id ||= Contrast::Utils::HashDigest.generate_request_hash(self)
       end
@@ -152,87 +195,6 @@ module Contrast
         accepts.start_with?(*MEDIA_TYPE_MARKERS)
       end
-      private
-      # Return a flattened hash of params with realized paths for keys, in
-      # addition to a separate, valueless, entry for each nest key.
-      # See RUBY-621 for more details.
-      # { key : { nested_key : ['x','y','z' ] } }
-      # becomes
-      # {
-      #   key[nested_key][0] : 'x'
-      #   key[nested_key][1] : 'y'
-      #   key[nested_key][2] : 'z'
-      #   key :                ''
-      #   nested_key :         ''
-      # }
-      def normalize_params val, prefix: nil
-        # In non-recursive invocations, val should always be a Hash
-        # (rather than breaking this out into two methods)
-        case val
-        when Tempfile
-          # Skip if it's the auto-generated value from rails when it handles
-          # file uploads. The file name will still be sent to SR for analysis.
-          {}
-        when Hash
-          res = val.each_with_object({}) do |(k, v), hash|
-            k = Contrast::Utils::StringUtils.force_utf8(k)
-            nested_prefix = prefix.nil? ? k : "#{ prefix }[#{ k }]"
-            hash[k] = Contrast::Utils::ObjectShare::EMPTY_STRING
-            hash.merge! normalize_params(v, prefix: nested_prefix)
-          end
-          res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
-          res
-        when Enumerable
-          idx = 0
-          res = {}
-          while idx < val.length
-            res.merge! normalize_params(val[idx], prefix: "#{ prefix }[#{ idx }]")
-            idx += 1
-          end
-          res[prefix] = Contrast::Utils::ObjectShare::EMPTY_STRING if prefix
-          res
-        else
-          { prefix => Contrast::Utils::StringUtils.force_utf8(val) }
-        end
-      end
-      def read_body body
-        return body if body.is_a?(String)
-        begin
-          can_rewind = Contrast::Utils::DuckUtils.quacks_to?(body, :rewind)
-          # if we are after a middleware that failed to rewind
-          body.rewind if can_rewind
-          body.read
-        rescue StandardError => e
-          logger.error('Error in attempt to read body', message: e.message)
-          logger.trace('With Stack', e)
-          body.to_s
-        ensure
-          # be a good citizen and rewind
-          body.rewind if can_rewind
-        end
-      end
-      def traverse_parsed_multipart multipart_data, current_names
-        return current_names unless multipart_data
-        multipart_data.each_value do |data_value|
-          next unless data_value.is_a?(Hash)
-          tempfile = data_value[:tempfile]
-          if tempfile.nil?
-            traverse_parsed_multipart(data_value, current_names)
-          else
-            name = data_value[:name].to_s
-            file_name = data_value[:filename].to_s
-            current_names[name] = file_name
-          end
-        end
-        current_names
-      end
     end
   end
 end

data/lib/contrast/agent/request_context.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
 # frozen_string_literal: true
 require 'contrast/utils/timer'
@@ -7,6 +7,9 @@ require 'contrast/agent/response'
 require 'contrast/agent/inventory/database_config'
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/utils/request_utils'
+require 'contrast/agent/request_context_extend'
+require 'contrast/agent/reporting/reporting_events/observed_route'
 module Contrast
   module Agent
@@ -24,14 +27,18 @@ module Contrast
     # @attr_reader server_activity [Contrast::Api::Dtm::ServerActivity] the server activity found in this request
     # @attr_reader route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
     # @attr_reader observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage, of this request
+    # @attr_reader new_observed_route [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of this
+    # request
     class RequestContext
       include Contrast::Components::Logger::InstanceMethods
       include Contrast::Components::Scope::InstanceMethods
+      include Contrast::Utils::RequestUtils
+      include Contrast::Agent::RequestContextExtend
       EMPTY_INPUT_ANALYSIS_PB = Contrast::Api::Settings::InputAnalysis.new
-      attr_reader :activity, :logging_hash, :observed_route, :request, :response, :route, :speedracer_input_analysis,
-                  :server_activity, :timer
+      attr_reader :activity, :logging_hash, :observed_route, :new_observed_route, :request, :response, :route,
+                  :speedracer_input_analysis, :server_activity, :timer
       def initialize rack_request, app_loaded = true
         with_contrast_scope do
@@ -47,8 +54,6 @@ module Contrast
           @server_activity = Contrast::Api::Dtm::ServerActivity.new
-          @observed_route = Contrast::Api::Dtm::ObservedRoute.new
           # build analyzer
           @do_not_track = false
           @speedracer_input_analysis = EMPTY_INPUT_ANALYSIS_PB
@@ -64,7 +69,7 @@ module Contrast
             @sample_req, @sample_res = Contrast::Utils::Assess::SamplingUtil.instance.sample?(@request)
           end
-          append_route_coverage(Contrast::Agent.framework_manager.get_route_dtm(@request))
+          handle_routes
         end
       end
@@ -100,98 +105,6 @@ module Contrast
         ::Contrast::ASSESS.enabled?
       end
-      # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
-      # where it is necessary for our route coverage and finding vulnerability discovery features to function.
-      #
-      # @param route [Contrast::Api::Dtm::RouteCoverage, nil] the route of the current request, as determined from the
-      #   framework
-      def append_route_coverage route
-        return unless route
-        # For our findings
-        @route = route
-        # For SR findings
-        @activity.routes << route
-        # For TS routes
-        @observed_route.signature  = route.route
-        @observed_route.verb       = route.verb
-        @observed_route.url        = route.url if route.url
-        @request.route = route
-        @request.observed_route = @observed_route
-      end
-      # Collect the results for the given rule with the given action
-      #
-      # @param rule [String] the id of the rule to which the results apply
-      # @param response_type [Symbol] the result of the response, matching a value of
-      #   Contrast::Api::Dtm::AttackResult::ResponseType
-      # @return [Array<Contrast::Api::Dtm::AttackResult>]
-      def results_for rule, response_type = nil
-        if response_type.nil?
-          activity.results.select { |r| r.rule_id == rule }
-        else
-          activity.results.select { |r| r.rule_id == rule && r.response == response_type }
-        end
-      end
-      def service_extract_request
-        return false unless ::Contrast::AGENT.enabled?
-        return false unless ::Contrast::PROTECT.enabled?
-        return false if @do_not_track
-        service_response = Contrast::Agent.messaging_queue.send_event_immediately(@activity.http_request)
-        return false unless service_response
-        handle_protect_state(service_response)
-        ia = service_response.input_analysis
-        if ia
-          if logger.trace?
-            logger.trace('Analysis from Contrast Service', evaluations: ia.results.length)
-            logger.trace('Results', input_analysis: ia.inspect)
-          end
-          @speedracer_input_analysis = ia
-          speedracer_input_analysis.request = request
-        else
-          logger.trace('Analysis from Contrast Service was empty.')
-          false
-        end
-      rescue Contrast::SecurityException => e
-        raise e
-      rescue StandardError => e
-        logger.warn('Unable to extract Contrast Service information from request', e)
-        false
-      end
-      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
-      # indicates a security exception should be thrown. This method ensures that the attack reports are generated.
-      # Normally these should be generated on Speedracer for any attacks detected during prefilter.
-      #
-      # @param agent_settings [Contrast::Api::Settings::AgentSettings]
-      def handle_protect_state agent_settings
-        return unless agent_settings&.protect_state
-        state = agent_settings.protect_state
-        @uuid = state.uuid
-        @do_not_track = true unless state.track_request
-        return unless state.security_exception
-        # If Contrast Service has NOT handled the input analysis, handle them here
-        build_attack_results(agent_settings)
-        logger.debug('Contrast Service said to block this request')
-        raise Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior'))
-      end
-      # append anything we've learned to the request seen message this is the sum-total of all inventory information
-      # that has been accumulated since the last request
-      def extract_after rack_response
-        @response = Contrast::Agent::Response.new(rack_response)
-        activity.http_response = @response.dtm if @sample_res
-      rescue StandardError => e
-        logger.error('Unable to extract information after request', e)
-      end
       def add_property key, value
         @_properties[key] = value
       end
@@ -203,43 +116,19 @@ module Contrast
       def reset_activity
         @activity = Contrast::Api::Dtm::Activity.new(http_request: request.dtm)
         @server_activity = Contrast::Api::Dtm::ServerActivity.new
-        @observed_route = Contrast::Api::Dtm::ObservedRoute.new
+        @observed_route = Contrast::Api::Dtm::ObservedRoute.new # TODO: RUBY-1438 -- remove
+        @new_observed_route = Contrast::Agent::Reporting::ObservedRoute.new
       end
       private
-      # Generate attack results directly from any evaluations on the agent settings object.
-      #
-      # @param agent_settings [Contrast::Api::Settings::AgentSettings]
-      def build_attack_results agent_settings
-        return unless agent_settings&.input_analysis&.results&.any?
-        attack_results_by_rule = {}
-        agent_settings.input_analysis.results.each do |ia_result|
-          rule_id = ia_result.rule_id
-          rule = ::Contrast::PROTECT.rule(rule_id)
-          next unless rule
-          if logger.debug?
-            logger.debug('Building attack result from Contrast Service input analysis result',
-                         result: ia_result.inspect)
-          end
-          attack_result = if rule.mode == :BLOCK
-                            # special case for rules (like reflected xss) that used to have an infilter / block mode
-                            # but now are just block at perimeter
-                            rule.build_attack_with_match(self, ia_result, attack_results_by_rule[rule_id],
-                                                         ia_result.value)
-                          else
-                            rule.build_attack_without_match(self, ia_result, attack_results_by_rule[rule_id])
-                          end
-          attack_results_by_rule[rule_id] = attack_result
-        end
-        attack_results_by_rule.each_pair do |_, attack_result|
-          logger.info('Blocking attack result', rule: attack_result.rule_id)
-          activity.results << attack_result
-        end
+      def handle_routes
+        @observed_route = Contrast::Api::Dtm::ObservedRoute.new # TODO: RUBY-1438 -- remove
+        @new_observed_route = Contrast::Agent::Reporting::ObservedRoute.new
+        route_dtm = Contrast::Agent.framework_manager.get_route_dtm(@request)
+        new_route_coverage_dtm = Contrast::Agent.framework_manager.get_route_information(@request)
+        append_route_coverage(route_dtm)
+        append_to_new_observed_route(new_route_coverage_dtm)
       end
     end
   end

data/lib/contrast/agent/request_context_extend.rb ADDED Viewed

@@ -0,0 +1,176 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/agent/assess/rule/response/autocomplete_rule'
+require 'contrast/agent/assess/rule/response/hsts_header_rule'
+require 'contrast/agent/assess/rule/response/cachecontrol_rule'
+require 'contrast/agent/assess/rule/response/clickjacking_rule'
+require 'contrast/agent/assess/rule/response/x_content_type_rule'
+require 'contrast/agent/assess/rule/response/parameters_pollution_rule'
+module Contrast
+  module Agent
+    # This class extends RequestContexts: this class acts to encapsulate information about the currently
+    # executed request, making it available to the Agent for the duration of the request in a standardized
+    # and normalized format which the Agent understands.
+    module RequestContextExtend
+      BUILD_ATTACK_LOGGER_MESSAGE = 'Building attack result from Contrast Service input analysis result'
+      # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
+      # where it is necessary for our route coverage and finding vulnerability discovery features to function.
+      #
+      # @param route [Contrast::Api::Dtm::RouteCoverage, nil] the route of the current request, as determined from the
+      #   framework
+      def append_route_coverage route
+        return unless route
+        # For our findings
+        @route = route
+        # For SR findings
+        @activity.routes << route
+        # For TS routes
+        @observed_route.signature  = route.route
+        @observed_route.verb       = route.verb
+        @observed_route.url        = route.url if route.url
+        @request.route = route
+        @request.observed_route = @observed_route
+      end
+      # Convert the discovered route for this request to appropriate forms and disseminate it to those locations
+      # where it is necessary for our route coverage and finding vulnerability discovery features to function.
+      #
+      def append_to_new_observed_route route
+        return unless route
+        @new_observed_route.signature  = route.route
+        @new_observed_route.verb       = route.verb
+        @new_observed_route.url        = route.url if route.url
+        @request.new_observed_route = @new_observed_route
+      end
+      # Collect the results for the given rule with the given action
+      #
+      # @param rule [String] the id of the rule to which the results apply
+      # @param response_type [Symbol] the result of the response, matching a value of
+      #   Contrast::Api::Dtm::AttackResult::ResponseType
+      # @return [Array<Contrast::Api::Dtm::AttackResult>]
+      def results_for rule, response_type = nil
+        if response_type.nil?
+          activity.results.select { |r| r.rule_id == rule }
+        else
+          activity.results.select { |r| r.rule_id == rule && r.response == response_type }
+        end
+      end
+      def service_extract_request
+        return false unless ::Contrast::AGENT.enabled?
+        return false unless ::Contrast::PROTECT.enabled?
+        return false if @do_not_track
+        service_response = Contrast::Agent.messaging_queue.send_event_immediately(@activity.http_request)
+        return false unless service_response
+        handle_protect_state(service_response)
+        ia = service_response.input_analysis
+        if ia
+          if logger.trace?
+            logger.trace('Analysis from Contrast Service', evaluations: ia.results.length)
+            logger.trace('Results', input_analysis: ia.inspect)
+          end
+          @speedracer_input_analysis = ia
+          speedracer_input_analysis.request = request
+        else
+          logger.trace('Analysis from Contrast Service was empty.')
+          false
+        end
+      rescue Contrast::SecurityException => e
+        raise e
+      rescue StandardError => e
+        logger.warn('Unable to extract Contrast Service information from request', e)
+        false
+      end
+      # NOTE: this method is only used as a backstop if Speedracer sends Input Evaluations when the protect state
+      # indicates a security exception should be thrown. This method ensures that the attack reports are generated.
+      # Normally these should be generated on Speedracer for any attacks detected during prefilter.
+      #
+      # @param agent_settings [Contrast::Api::Settings::AgentSettings]
+      def handle_protect_state agent_settings
+        return unless agent_settings&.protect_state
+        state = agent_settings.protect_state
+        @uuid = state.uuid
+        @do_not_track = true unless state.track_request
+        return unless state.security_exception
+        # If Contrast Service has NOT handled the input analysis, handle them here
+        build_attack_results(agent_settings)
+        logger.debug('Contrast Service said to block this request')
+        raise Contrast::SecurityException.new(nil, (state.security_message || 'Blocking suspicious behavior'))
+      end
+      # append anything we've learned to the request seen message this is the sum-total of all inventory information
+      # that has been accumulated since the last request
+      def extract_after rack_response
+        @response = Contrast::Agent::Response.new(rack_response)
+        activity.http_response = @response.dtm if @sample_res
+        return unless Contrast::Agent::Reporter.enabled?
+        Contrast::Agent::Assess::Rule::Response::Autocomplete.new.analyze(@response)
+        Contrast::Agent::Assess::Rule::Response::HSTSHeader.new.analyze(@response)
+        Contrast::Agent::Assess::Rule::Response::Cachecontrol.new.analyze(@response)
+        Contrast::Agent::Assess::Rule::Response::XXssProtection.new.analyze(@response)
+        Contrast::Agent::Assess::Rule::Response::CspHeaderMissing.new.analyze(@response)
+        Contrast::Agent::Assess::Rule::Response::CspHeaderInsecure.new.analyze(@response)
+        Contrast::Agent::Assess::Rule::Response::Clickjacking.new.analyze(@response)
+        Contrast::Agent::Assess::Rule::Response::XContentType.new.analyze(@response)
+        Contrast::Agent::Assess::Rule::Response::ParametersPollution.new.analyze(@response)
+      rescue StandardError => e
+        logger.error('Unable to extract information after request', e)
+      end
+      private
+      # Generate attack results directly from any evaluations on the agent settings object.
+      #
+      # @param agent_settings [Contrast::Api::Settings::AgentSettings]
+      def build_attack_results agent_settings
+        return unless agent_settings&.input_analysis&.results&.any?
+        results_by_rule = {}
+        agent_settings.input_analysis.results.each do |ia_result|
+          rule_id = ia_result.rule_id
+          rule = ::Contrast::PROTECT.rule(rule_id)
+          next unless rule
+          logger.debug(BUILD_ATTACK_LOGGER_MESSAGE, result: ia_result.inspect) if logger.debug?
+          results_by_rule[rule_id] = attack_result rule, rule_id, ia_result, results_by_rule
+        end
+        results_by_rule.each_pair do |_, attack_result|
+          logger.info('Blocking attack result', rule: attack_result.rule_id)
+          activity.results << attack_result
+        end
+      end
+      # Generates the attack result
+      #
+      # @param rule [Contrast::Agent::Protect::Rule, Contrast::Agent::Assess::Rule]
+      # @param rule_id [String] String name of the rule
+      # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+      #   analysis of the input that was determined to be an attack
+      # @param results_by_rule [Hash] attack results from any evaluations on the agent settings object.
+      # @return [Contrast::Api::Dtm::AttackResult] the attack result from this input
+      def attack_result rule, rule_id, ia_result, results_by_rule
+        @_attack_result = if rule.mode == :BLOCK
+                            # special case for rules (like reflected xss) that used to have an infilter / block mode
+                            # but now are just block at perimeter
+                            rule.build_attack_with_match(self, ia_result, results_by_rule[rule_id], ia_result.value)
+                          else
+                            rule.build_attack_without_match(self, ia_result, results_by_rule[rule_id])
+                          end
+      end
+    end
+  end
+end