RubyGems - contrast-agent - Versions diffs - 5.3.0 → 6.1.1 - Mend

contrast-agent 5.3.0 → 6.1.1

Files changed (306) hide show

data/lib/contrast/agent/protect/rule/base.rb CHANGED Viewed

@@ -3,6 +3,7 @@
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/api/decorators/response_type'
 module Contrast
   module Agent
@@ -179,9 +180,13 @@ module Contrast
           # @param attack [Symbol] the type of message we want to send
           # @param value [String] the input value we want to log
           def cef_logging result, attack = :ineffective_attack, value = nil
-            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash result.samples[0]
-            outcome = Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
-            input_type = extract_input_type sample_to_json[:user_input].input_type
+            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0])
+            outcome = if result.response.cs__is_a?(Hash)
+                        Contrast::Agent::Reporting::ResponseType.cs__const_get(result.response[:name])
+                      else
+                        Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
+                      end
+            input_type = extract_input_type(sample_to_json[:user_input].input_type)
             input_value = value || sample_to_json[:user_input].value
             cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
           end
@@ -226,7 +231,7 @@ module Contrast
           # @param _kwargs [Hash] key-value pairs used by the rule to build a
           #   report.
           def find_attacker _context, _potential_attack_string, **_kwargs
-            raise NoMethodError, "Rule #{ rule_name } did not implement find_attack"
+            raise(NoMethodError, "Rule #{ rule_name } did not implement find_attack")
           end
           def update_successful_attack_response context, ia_result, result, attack_string = nil
@@ -243,18 +248,23 @@ module Contrast
             result
           end
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+          #   analysis of the input that was determined to be an attack
+          # @param result [Contrast::Api::Dtm::AttackResult] previous
+          #   attack result for this rule, if one exists, in the case of
+          #   multiple inputs being found to violate the protection criteria
           def update_perimeter_attack_response context, ia_result, result
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
-              result.response = if ia_result&.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
-                                  # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
-                                  # and should be treated equivalent to Blocked mode if set
+              result.response = if blocked_rule?(ia_result)
                                   Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
                                 else
                                   Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
                                 end
               log_rule_matched(context, ia_result, result.response)
             elsif ia_result.nil? || ia_result.attack_count.zero?
-              result.response = Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
+              result.response = assign_reporter_response_type(ia_result)
               log_rule_probed(context, ia_result)
             end
@@ -317,15 +327,49 @@ module Contrast
           # @param enum [Enumerable]
           # @return [Symbol]
           def extract_input_type enum
-            Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag enum
+            Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag(enum)
           end
           private
+          # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
+          # and should be treated equivalent to Blocked mode if set
+          def blocked_rule? ia_result
+            [
+              Contrast::Agent::Protect::Rule::Sqli::NAME,
+              Contrast::Agent::Protect::Rule::NoSqli::NAME
+            ].include?(ia_result&.rule_id)
+          end
           def log_rule_probed _context, ia_result
             logger.debug('An unsuccessful attack was detected', rule: rule_name, type: ia_result&.input_type,
                                                                 name: ia_result&.key, input: ia_result&.value)
           end
+          # Some rules are reported as suspicious, rather than exploited or probed, b/c they don't actually follow
+          # input tracing or other detection types that provide enough confidnece for a determination.
+          #
+          # @param ia_result
+          # @return [Boolean]
+          def suspicious_rule? ia_result
+            [
+              Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
+              Contrast::Agent::Protect::Rule::Xss::NAME
+            ].include?(ia_result&.rule_id)
+          end
+          # Handles the Response type for different Protect rules. Some rules need to report SUSPICIOUS over PROBED in
+          # MONITORED mode.
+          #
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          #   determined to be an attack
+          def assign_reporter_response_type ia_result
+            if suspicious_rule?(ia_result) && Contrast::CONTRAST_SERVICE.use_agent_communication?
+              Contrast::Api::Dtm::AttackResult::ResponseType::SUSPICIOUS
+            else
+              Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/base_service.rb CHANGED Viewed

@@ -21,18 +21,23 @@ module Contrast
             'Contrast Security Protect Rule Triggered. Response blocked.'
           end
+          # @param context [Contrast::Agent::RequestContext]
           def infilter? context
-            return false unless context&.speedracer_input_analysis&.results
             return false unless enabled?
+            return false unless context&.speedracer_input_analysis&.results&.any? do |result|
+                                  result.rule_id == rule_name
+                                end
             return false if protect_excluded_by_code?
             true
           end
           # Override for rules that need the response
-          # Currently postfilter can be applied to streamed responses,
-          # if any logic within postfilter changes to modify the response
-          # streamed responses will break
+          # Currently postfilter can be applied to streamed responses, if any logic within postfilter changes to modify
+          # the response streamed responses will break
+          # @param context [Contrast::Agent::RequestContext]
+          # @raise [Contrast::SecurityException]
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
@@ -44,27 +49,38 @@ module Contrast
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
-            cef_logging result
+            cef_logging(result)
             append_to_activity(context, result)
             return unless result.response == :BLOCKED
-            raise Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked.")
+            raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked."))
           end
           protected
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Array<Contrast::Api::Settings::InputAnalysis>]
           def gather_ia_results context
             context.speedracer_input_analysis.results.select do |ia_result|
               ia_result.rule_id == rule_name
             end
           end
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @param **kwargs
+          # @return [Contrast::Api::Dtm::AttackResult]
           def find_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end
           # Allows for the InputAnalysis from service to be extracted early
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @param ia_results [Array<Contrast::Api::Settings::InputAnalysis>]
+          # @param **kwargs
+          # @return [Contrast::Api::Dtm::AttackResult, nil]
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
             logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
@@ -84,15 +100,18 @@ module Contrast
           private
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @return [Contrast::Api::Dtm::AttackResult, nil]
           def find_postfilter_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             ia_results.select! do |ia_result|
-              ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME
-                                         Contrast::Agent::Reporting::ScoreLevel::WORTHWATCHING
-                                       else
-                                         # legacy implementation for DEFINITEATATACK
-                                         Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
-                                       end
+              required_level = if ia_result.cs__is_a?(Contrast::Api::Settings::InputAnalysisResult)
+                                 Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+                               else
+                                 Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
+                               end
+              ia_result.score_level == required_level
             end
             find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end

data/lib/contrast/agent/protect/rule/cmd_injection.rb CHANGED Viewed

@@ -5,6 +5,7 @@ require 'contrast/agent/protect/rule/base_service'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/object_share'
 require 'contrast/components/logger'
+require 'contrast/agent/reporting/input_analysis/input_type'
 module Contrast
   module Agent
@@ -13,9 +14,27 @@ module Contrast
         # The Ruby implementation of the Protect Command Injection rule.
         class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
           include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Agent::Reporting::InputType
           NAME = 'cmd-injection'
           CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
+            PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
+            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
+          ].cs__freeze
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  command: attack_sample.cmdi.command,
+                  startIndex: attack_sample.cmdi.start_idx,
+                  endIndex: attack_sample.cmdi.end_idx
+              }
+            end
+          end
           def rule_name
             NAME
@@ -39,13 +58,13 @@ module Contrast
             return unless result
             append_to_activity(context, result)
-            cef_logging result, :successful_attack
+            cef_logging(result, :successful_attack)
             return unless blocked?
-            raise Contrast::SecurityException.new(self,
+            raise(Contrast::SecurityException.new(self,
                                                   'Command Injection rule triggered. '\
-                                                  "Call to #{ classname }.#{ method } blocked.")
+                                                  "Call to #{ classname }.#{ method } blocked."))
           end
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
@@ -83,6 +102,7 @@ module Contrast
             command = candidate_string || input_analysis_result.value
             command = Contrast::Utils::StringUtils.protobuf_safe_string(command)
             sample.cmdi.command = command
+            sample.cmdi.end_idx = command.length
             # This is a special case where the user input is UNKNOWN_USER_INPUT but
             # we want to send the attack value

data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb ADDED Viewed

@@ -0,0 +1,83 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/cmd_injection'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/protect/rule/cmdi/cmdi_worth_watching'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+require 'contrast/components/logger'
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of CMD Injection rule
+        # as a result input would be marked as WORTHWATCHING or IGNORE,
+        # to be analyzed at the sink level.
+        module CmdiInputClassification
+          class << self
+            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::CmdiWorthWatching
+            include Contrast::Components::Logger::InstanceMethods
+            WORTHWATCHING_MATCH = 'cmdi-worth-watching-v2'
+            CMDI_KEYS_NEEDED = [
+              COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
+            ].cs__freeze
+            # This method will determine actually if the user input is WORTHWATCHING
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
+            # @param value [String, Array<String>] the value of the input
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
+            # analysis from the current request.
+            def classify input_type, value, input_analysis
+              return unless Contrast::Agent::Protect::Rule::CmdInjection::APPLICABLE_USER_INPUTS.include?(input_type)
+              return unless super
+              rule_id = Contrast::Agent::Protect::Rule::CmdInjection::NAME
+              Array(value).each do |val|
+                Array(val).each do |v|
+                  input_analysis.results << cmdi_create_new_input_result(input_analysis.request, rule_id, input_type, v)
+                end
+              end
+              input_analysis
+            rescue StandardError => e
+              logger.debug('An Error was recorded in the input classification of the cmdi.')
+              logger.debug(e)
+            end
+            private
+            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
+            # key if needed and Creates new instance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def cmdi_create_new_input_result request, rule_id, input_type, value
+              ia_result = new_ia_result(rule_id, input_type, request.path, value)
+              if cmdi_worth_watching?(value)
+                ia_result.score_level = WORTHWATCHING
+                ia_result.ids << WORTHWATCHING_MATCH
+              else
+                ia_result.score_level = IGNORE
+              end
+              add_needed_key(request, ia_result, input_type, value) if CMDI_KEYS_NEEDED.include?(input_type)
+              ia_result
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb ADDED Viewed

@@ -0,0 +1,64 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/utils/object_share'
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module implements the cmdi-worth-watching-v2 check to determine whether input
+        # is IGNORED or WORTH_WATCHING. If WORTH_WATCHING => analyze at sink level.
+        # https://protect-spec.prod.dotnet.contsec.com/rules/cmd-injection.html#input-tracing
+        module CmdiWorthWatching
+          POSSIBLE_CHAINING_ELEMENTS = %w[& ; | $ < > `].cs__freeze
+          UNIX_COMMANDS = %w[
+            uname echo cat ping nestat nc whoami wget curl dir ls ps rm chmod cp kill
+            grep sleep mkdir pwd shutdown system touch timeout fetch bash sh
+          ].cs__freeze
+          UNIX_PATHS = %w[tmp opt etc home mnt proc lib bin sbin sys usr var root run].cs__freeze
+          WINDOWS_COMMANDS = %w[
+            sc net reg cmd query cmd.exe powershell powershell.exe hostname ifconfig ipconfig netsh
+            netstat systeminfo sysinfo whoami wscript cscript wmic PowerShell_ISE pskill psexec qprocess
+            regedit regini rename winrm wpeutil ntdsutil taskkill certutil mapisend shellrunas
+          ].cs__freeze
+          # This method will determine if a user input is Worth watching and return true if it is.
+          # This is done by running checks, and if the inputs is worth to watch it would be
+          # saved for the later sink cmdi input analysis.
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def cmdi_worth_watching? input
+            return false if input.nil? || input.empty? || input.length < 3
+            exploitable?(input) && worth_watching?(input)
+          end
+          private
+          # This method will check if the input is exploitable
+          #
+          # @param input [String] the user input to be inspected
+          def exploitable? input
+            contains_substring?(input, POSSIBLE_CHAINING_ELEMENTS)
+          end
+          def worth_watching? input
+            return true if contains_substring?(input, UNIX_COMMANDS)
+            return true if contains_substring?(input, UNIX_PATHS)
+            return true if contains_substring?(input, WINDOWS_COMMANDS)
+            false
+          end
+          def contains_substring? input, values
+            return true if values.any? { |val| input.include?(val) }
+            return true if values.include?(Contrast::Utils::ObjectShare::SPACE)
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/default_scanner.rb CHANGED Viewed

@@ -7,6 +7,8 @@
 # @deprecated RUBY-356: this class and those that extend it are being phased out
 #   in favor of the more performant code in the Service.
 class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/ClassAndModuleChildren
+  OPERATOR_PATTERN = %r{[+=*^/%><!-]}.cs__freeze
   # Potential states
   # :STATE_INSIDE_TOKEN
   # :STATE_INSIDE_NUMBER
@@ -220,7 +222,6 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
     idx
   end
-  OPERATOR_PATTERN = %r{[+=*^/%><!-]}.cs__freeze
   def operator? char
     char.match?(OPERATOR_PATTERN)
   end

data/lib/contrast/agent/protect/rule/deserialization.rb CHANGED Viewed

@@ -13,6 +13,9 @@ module Contrast
         class Deserialization < Contrast::Agent::Protect::Rule::Base
           # The TeamServer recognized name of this rule
           include Contrast::Components::Logger::InstanceMethods
+          # Used to name this input since input analysis isn't done for this
+          # rule
+          INPUT_NAME = 'Serialized Gadget'
           NAME = 'untrusted-deserialization'
@@ -39,6 +42,17 @@ module Contrast
           # Used to indicate to TeamServer the gadget is an Arel module
           AREL = 'Arel'
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  command: attack_sample.untrusted_deserialization.command,
+                  deserializer: attack_sample.untrusted_deserialization.deserializer
+              }
+            end
+          end
           # Return the TeamServer understood id / name of this rule.
           # @return [String] the TeamServer understood id / name of this rule.
           def rule_name
@@ -81,9 +95,9 @@ module Contrast
             result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
             append_to_activity(context, result)
-            cef_logging result, :successful_attack
+            cef_logging(result, :successful_attack)
-            raise Contrast::SecurityException.new(self, block_message) if blocked?
+            raise(Contrast::SecurityException.new(self, block_message)) if blocked?
           end
           # Determine if the issued command was called while we're
@@ -102,8 +116,8 @@ module Contrast
             ia_result = build_evaluation(gadget_command)
             result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
             append_to_activity(context, result)
-            cef_logging result, :successful_attack, gadget_command
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+            cef_logging(result, :successful_attack, gadget_command)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
           protected
@@ -134,9 +148,6 @@ module Contrast
           private
-          # Used to name this input since input analysis isn't done for this
-          # rule
-          INPUT_NAME = 'Serialized Gadget'
           # We know that this attack happened, so the result is always matched
           # and the level is always critical. Only variable is the Gadget
           # supplied by the attacker.

data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb ADDED Viewed

@@ -0,0 +1,96 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/agent/reporting/attack_result/attack_result'
+require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
+require 'contrast/utils/input_classification'
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of HttpMethodTampering rule
+        # as a result input would be marked as DEFINETEATTACK or IGNORE,
+        # to be analyzed at the sink level.
+        module HttpMethodTamperingInputClassification
+          # class << self
+          #   include InputClassificationBase
+          #
+          #   # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
+          #   #
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
+          #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
+          #   # analysis from the current request.
+          #   def classify input_type, input_analysis
+          #     return unless input_analysis.request
+          #     return unless input_type == METHOD
+          #
+          #     rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+          #
+          #     ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
+          #     input_analysis.results << ia_result
+          #
+          #     return input_analysis if ia_result.score_level == IGNORE
+          #
+          #     attack_result = build_attack_result ia_result, rule_id
+          #
+          #     if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
+          #       attack_result.response = :EXPLOITED
+          #       Contrast::Agent::EXPLOITS.push attack_result
+          #       return input_analysis
+          #     end
+          #
+          #     attack_result.response = :BLOCKED
+          #     context.activity.results << attack_result
+          #     raise Contrast::SecurityException.new(self,
+          #                                           'HTTP Method Tampering rule triggered. '\
+          #                                           "Call to #{ input_analysis.request.path } with " \
+          #                                           "#{ input_analysis.request.request_method } blocked.")
+          #   end
+          #
+          #   private
+          #
+          #   # @param request [Contrast::Agent::Request] the current request context.
+          #   def method_tampering_exploited? request
+          #     !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
+          #   end
+          #
+          #   # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+          #   # key if needed and Creates new instance of InputAnalysisResult.
+          #   #
+          #   # @param request [Contrast::Agent::Request] the current request context.
+          #   # @param rule_id [String] The name of the Protect Rule.
+          #   # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+          #   #
+          #   # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+          #   def method_tampering_new_input_analysis request, rule_id, input_type
+          #     ia_result = new_ia_result rule_id, input_type, request.path
+          #     if method_tampering_exploited? request
+          #       ia_result.score_level = DEFINITEATTACK
+          #       ia_result.ids << rule_id
+          #     else
+          #       ia_result.score_level = IGNORE
+          #     end
+          #
+          #     ia_result
+          #   end
+          #
+          #   def build_attack_result ia_result, rule_id
+          #     rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
+          #     result = Contrast::Agent::Reporting::AttackResult.new
+          #     result.rule_id = rule_id
+          #     result.samples << rasp_rule_sample
+          #     result
+          #   end
+          #
+          #   def context
+          #     Contrast::Agent::REQUEST_TRACKER.current
+          #   end
+          # end
+        end
+      end
+    end
+  end
+end