contrast-agent 6.0.0 → 6.1.2

data/lib/contrast/agent/patching/policy/patch_status.rb

@@ -99,10 +99,17 @@ module Contrast
               :CONTRAST_PATCH_POLICY_STATUS
             end
 
+            # @param mod [Module or Class] the entity on which the patch has been placed
+            # @param method [Symbol] the method being patched
+            # @param ret [Contrast::Agent::Patching::Policy::MethodPolicy] the policy of the patched method
             def update_holder mod, method, ret
-              mod.instance_variable_set(method_info_key, {}) unless mod.instance_variable_defined?(method_info_key)
-              holder = mod.instance_variable_get(method_info_key)
-              holder[method] = ret
+              unless mod.instance_variable_defined?(method_info_key) &&
+                    (holder = mod.instance_variable_get(method_info_key))
+
+                holder = {}
+                mod.instance_variable_set(method_info_key, holder)
+              end
+              holder[method] = ret # rubocop:disable Lint/UselessSetterCall
             end
 
             def find_info_for candidates, method

data/lib/contrast/agent/patching/policy/patcher.rb

@@ -207,7 +207,7 @@ module Contrast
             def patch_into_instance_methods module_data, module_policy
               mod = module_data.mod
               methods = all_instance_methods(mod, private: true)
-              methods.delete(:initialize) if mod.to_s.starts_with?('RSpec') && mod.to_s.include?('Matchers')
+              methods.delete(:initialize) if mod.to_s.start_with?('RSpec') && mod.to_s.include?('Matchers')
               patch_into_methods(mod, methods, module_policy, true)
             end
 

data/lib/contrast/agent/patching/policy/policy.rb

@@ -20,6 +20,19 @@ module Contrast
         class Policy
           include Singleton
           include Contrast::Components::Logger::InstanceMethods
+          SOURCES_KEY = 'sources'
+          PROPAGATION_KEY = 'propagators'
+          RULES_KEY = 'rules'
+          TRIGGERS_KEY = 'triggers'
+          def initialize
+            @sources = []
+            @propagators = []
+            @triggers = []
+            @providers = {}
+
+            json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
+            from_hash_string(json)
+          end
 
           # Indicates the folder in `resources` where this policy lives.
           def self.policy_folder
@@ -38,25 +51,10 @@ module Contrast
 
           attr_reader :sources, :propagators, :triggers, :providers
 
-          SOURCES_KEY =          'sources'
-          PROPAGATION_KEY =      'propagators'
-          RULES_KEY = 'rules'
-          TRIGGERS_KEY = 'triggers'
-
           def self.policy_json
             File.join(policy_folder, 'policy.json').cs__freeze
           end
 
-          def initialize
-            @sources = []
-            @propagators = []
-            @triggers = []
-            @providers = {}
-
-            json = Contrast::Utils::ResourceLoader.load(cs__class.policy_json)
-            from_hash_string(json)
-          end
-
           # Our policy for patching rules is a 'dope ass' JSON file. Rather than hard code in a bunch of things to
           # monkey patch, we let the JSON file define the conditions in which modifications are applied. This let's us
           # be flexible and extensible.

data/lib/contrast/agent/patching/policy/policy_node.rb

@@ -14,6 +14,23 @@ module Contrast
         # @abstract
         class PolicyNode
           include Contrast::Components::Scope::InstanceMethods
+          JSON_METHOD_VISIBILITY = 'method_visibility'
+          JSON_PROPERTIES = 'properties'
+          JSON_METHOD_NAME = 'method_name'
+          JSON_METHOD_SCOPE = 'scope'
+          # The keys used to read from policy.json to create the individual
+          # policy nodes. These are common across node types
+          JSON_CLASS_NAME = 'class_name'
+          JSON_INSTANCE_METHOD = 'instance_method'
+          def initialize policy_hash = {}
+            @class_name = policy_hash[JSON_CLASS_NAME]
+            @instance_method = policy_hash[JSON_INSTANCE_METHOD]
+            @method_name = policy_hash[JSON_METHOD_NAME]
+            @method_scope = policy_hash[JSON_METHOD_SCOPE]
+            @method_visibility = policy_hash[JSON_METHOD_VISIBILITY]
+            @properties = policy_hash[JSON_PROPERTIES]
+            symbolize
+          end
 
           # Name of the class in which the method is being invoked.
           attr_accessor :class_name
@@ -31,21 +48,11 @@ module Contrast
           attr_reader :method_scope
 
           def node_class
-            raise NoMethodError, 'specify the type of the feature for which this node patches'
+            raise(NoMethodError, 'specify the type of the feature for which this node patches')
           end
 
           def feature
-            raise NoMethodError, 'specify the name of the feature for which this node patches'
-          end
-
-          def initialize policy_hash = {}
-            @class_name = policy_hash[JSON_CLASS_NAME]
-            @instance_method = policy_hash[JSON_INSTANCE_METHOD]
-            @method_name = policy_hash[JSON_METHOD_NAME]
-            @method_scope = policy_hash[JSON_METHOD_SCOPE]
-            @method_visibility = policy_hash[JSON_METHOD_VISIBILITY]
-            @properties = policy_hash[JSON_PROPERTIES]
-            symbolize
+            raise(NoMethodError, 'specify the name of the feature for which this node patches')
           end
 
           def id
@@ -91,15 +98,6 @@ module Contrast
             @method_visibility = @method_visibility.to_sym if @method_visibility
             @method_scope = @method_scope.to_sym if @method_scope
           end
-
-          # The keys used to read from policy.json to create the individual
-          # policy nodes. These are common across node types
-          JSON_CLASS_NAME = 'class_name'
-          JSON_INSTANCE_METHOD = 'instance_method'
-          JSON_METHOD_NAME = 'method_name'
-          JSON_METHOD_SCOPE = 'scope'
-          JSON_METHOD_VISIBILITY = 'method_visibility'
-          JSON_PROPERTIES = 'properties'
         end
       end
     end

data/lib/contrast/agent/patching/policy/trigger_node.rb

@@ -24,6 +24,7 @@ module Contrast
           attr_reader :applicator, :applicator_method, :on_exception, :optional_properties, :required_properties,
                       :rule_id
 
+          NODE = 'Trigger'
           def initialize trigger_hash = {}, rule_hash = {}
             super(trigger_hash)
             @rule_id = rule_hash[JSON_NAME]
@@ -36,7 +37,6 @@ module Contrast
             @applicator_method = (trigger_hash[JSON_APPLICATOR_METHOD] || rule_hash[JSON_APPLICATOR_METHOD]).to_sym
           end
 
-          NODE = 'Trigger'
           def node_class
             NODE
           end

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -8,6 +8,7 @@ require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
 require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
 require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
 require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/components/logger'
 require 'contrast/utils/object_share'
 require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
 require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
@@ -19,128 +20,131 @@ module Contrast
       # InputAnalyzer will extract input form current request context and will analyze it.
       # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
       module InputAnalyzer
-        DISPOSITION_NAME = 'name'
-        DISPOSITION_FILENAME = 'filename'
-
-        class << self
-          include Contrast::Agent::Reporting::InputType
-          include Contrast::Agent::Reporting::ScoreLevel
-          include Contrast::Agent::Protect::Rule::SqliWorthWatching
-          include Contrast::Utils::ObjectShare
-          include Contrast::Agent::Protect::Rule::CmdiWorthWatching
-
-          PROTECT_RULES = {
-              sqli: {
-                  rule_name: 'sql-injection',
-                  classification: Contrast::Agent::Protect::Rule::SqliInputClassification
-              },
-              cmdi: {
-                  rule_name: 'cmd-injection',
-                  classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
-              },
-              method_tampering: {
-                  rule_name: 'method-tampering',
-                  classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
-              },
-              unsafe_file_upload: {
-                  rule_name: 'unsafe-file-upload',
-                  classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
-              },
-              nosqli: {
-                  rule_name: 'nosql-injection',
-                  classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
-              }
-          }.cs__freeze
-
-          # This method with analyze the user input from the context of the
-          # current request and run each of the protect rules against all
-          # found input types
-          #
-          # @param request [Contrast::Agent::Request] current request context.
-          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-          def analyse request
-            return unless Contrast::SETTINGS.protect_state.enabled
-            return if request.nil?
-
-            inputs = extract_input request
-            return unless inputs
-
-            input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
-            input_analysis.request = request
-            # each rule against each input
-            input_classification inputs, input_analysis
-            input_analysis
-          end
-
-          private
-
-          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
-          #
-          # @param inputs [String, Array<String>] user input to be analysed.
-          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
-          #                                                       for each protect rule.
-          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-          def input_classification inputs, input_analysis
-            # key = input type, value = user_input
-            inputs.each do |input_type, value|
-              next if value.nil? || value.empty?
-
-              PROTECT_RULES.each do |_key, rule|
-                # check if rule is enabled
-                next unless Contrast::PROTECT.rule(rule[:rule_name]).enabled?
-
-                # method tampering doesn't take value
-                if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-                  rule[:classification].send(:classify, input_type, input_analysis)
-                else
-                  rule[:classification].send(:classify, input_type, value, input_analysis)
-                end
-              end
-            end
-            input_analysis
-          end
-
-          # Extract the inputs from the request context and label them with Protect
-          # input type tags. Each tag will contain one or more user inputs.
-          #
-          # This methods is to be expanded and modified as needed by other Protect rules
-          # and sub-rules for their requirements.
-          #
-          # @param request [Contrast::Agent::Request] current request context.
-          # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-          def extract_input request
-            inputs = {}
-            inputs[BODY] = request.body
-            inputs[COOKIE_NAME] = request.cookies.keys
-            inputs[COOKIE_VALUE] = request.cookies.values
-            inputs[HEADER] = request.headers
-            inputs[PARAMETER_NAME] = request.parameters.keys
-            inputs[PARAMETER_VALUE] = request.parameters.values
-            inputs[QUERYSTRING] = request.query_string
-            inputs[METHOD] = request.request_method
-            extract_multipart inputs, request
-            inputs.compact!
-            inputs
-          end
-
-          # Extract the filename and name of the  Content Disposition Header.
-          #
-          # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-          # @param request [Contrast::Agent::Request] current request context.
-          def extract_multipart inputs, request
-            disposition = request.rack_request.env['Content-Disposition']
-            disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
-            return unless disposition
-
-            pairs = {}
-            disposition.split(SEMICOLON).each do |elem|
-              new_pair = elem.strip.split(EQUALS, 2)
-              pairs[new_pair[0].downcase] = new_pair[1] if new_pair
-            end
-            inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
-            inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
-          end
-        end
+        # DISPOSITION_NAME = 'name'
+        # DISPOSITION_FILENAME = 'filename'
+        #
+        # class << self
+        #   include Contrast::Agent::Reporting::InputType
+        #   include Contrast::Agent::Reporting::ScoreLevel
+        #   include Contrast::Agent::Protect::Rule::SqliWorthWatching
+        #   include Contrast::Utils::ObjectShare
+        #   include Contrast::Agent::Protect::Rule::CmdiWorthWatching
+        #
+        #   PROTECT_RULES = {
+        #       sqli: {
+        #           rule_name: 'sql-injection',
+        #           classification: Contrast::Agent::Protect::Rule::SqliInputClassification
+        #       },
+        #       cmdi: {
+        #           rule_name: 'cmd-injection',
+        #           classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
+        #       },
+        #       method_tampering: {
+        #           rule_name: 'method-tampering',
+        #           classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
+        #       },
+        #       unsafe_file_upload: {
+        #           rule_name: 'unsafe-file-upload',
+        #           classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
+        #       },
+        #       nosqli: {
+        #           rule_name: 'nosql-injection',
+        #           classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
+        #       }
+        #   }.cs__freeze
+        #
+        #   # This method with analyze the user input from the context of the
+        #   # current request and run each of the protect rules against all
+        #   # found input types
+        #   #
+        #   # @param request [Contrast::Agent::Request] current request context.
+        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+        #   def analyse request
+        #     return unless Contrast::PROTECT.enabled?
+        #     return if request.nil?
+        #
+        #     inputs = extract_input request
+        #     return unless inputs
+        #
+        #     input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
+        #     input_analysis.request = request
+        #     # each rule against each input
+        #     input_classification inputs, input_analysis
+        #     input_analysis
+        #   end
+        #
+        #   private
+        #
+        #   # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
+        #   #
+        #   # @param inputs [String, Array<String>] user input to be analysed.
+        #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+        #   #                                                       for each protect rule.
+        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+        #   def input_classification inputs, input_analysis
+        #     # key = input type, value = user_input
+        #     inputs.each do |input_type, value|
+        #       next if value.nil? || value.empty?
+        #
+        #       PROTECT_RULES.each do |_key, rule|
+        #         protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
+        #         logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
+        #
+        #         # check if rule is enabled
+        #         next unless protect_rule&.enabled?
+        #
+        #         # method tampering doesn't take value
+        #         if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+        #           rule[:classification].send(:classify, input_type, input_analysis)
+        #         else
+        #           rule[:classification].send(:classify, input_type, value, input_analysis)
+        #         end
+        #       end
+        #     end
+        #     input_analysis
+        #   end
+        #
+        #   # Extract the inputs from the request context and label them with Protect
+        #   # input type tags. Each tag will contain one or more user inputs.
+        #   #
+        #   # This methods is to be expanded and modified as needed by other Protect rules
+        #   # and sub-rules for their requirements.
+        #   #
+        #   # @param request [Contrast::Agent::Request] current request context.
+        #   # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+        #   def extract_input request
+        #     inputs = {}
+        #     inputs[BODY] = request.body
+        #     inputs[COOKIE_NAME] = request.cookies.keys
+        #     inputs[COOKIE_VALUE] = request.cookies.values
+        #     inputs[HEADER] = request.headers
+        #     inputs[PARAMETER_NAME] = request.parameters.keys
+        #     inputs[PARAMETER_VALUE] = request.parameters.values
+        #     inputs[QUERYSTRING] = request.query_string
+        #     inputs[METHOD] = request.request_method
+        #     extract_multipart inputs, request
+        #     inputs.compact!
+        #     inputs
+        #   end
+        #
+        #   # Extract the filename and name of the  Content Disposition Header.
+        #   #
+        #   # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+        #   # @param request [Contrast::Agent::Request] current request context.
+        #   def extract_multipart inputs, request
+        #     disposition = request.rack_request.env['Content-Disposition']
+        #     disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
+        #     return unless disposition
+        #
+        #     pairs = {}
+        #     disposition.split(SEMICOLON).each do |elem|
+        #       new_pair = elem.strip.split(EQUALS, 2)
+        #       pairs[new_pair[0].downcase] = new_pair[1] if new_pair
+        #     end
+        #     inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
+        #     inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+        #   end
+        # end
       end
     end
   end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -55,9 +55,9 @@ module Contrast
             end
 
             def extract_mongo_data operation
-              if operation.cs__respond_to? :selector
+              if operation.cs__respond_to?(:selector)
                 operation.selector
-              elsif operation.cs__respond_to? :documents
+              elsif operation.cs__respond_to?(:documents)
                 operation.documents
               end
             end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -69,7 +69,7 @@ module Contrast
 
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
             rescue Contrast::SecurityException => e
-              raise e
+              raise(e)
             rescue StandardError => e
               logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
             end

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb

@@ -111,7 +111,7 @@ module Contrast
                 end
               end
             rescue Contrast::SecurityException => e
-              raise e
+              raise(e)
             rescue StandardError => e
               parser ||= Contrast::Utils::ObjectShare::UNKNOWN
               logger.error('Error applying xxe', e, module: potential_parser.cs__class.cs__name, method: method,

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -38,7 +38,7 @@ module Contrast
           def apply_rule method, exception, properties, object, args
             invoke(method, exception, properties, object, args)
           rescue Contrast::SecurityException => e
-            raise e
+            raise(e)
           rescue StandardError => e
             logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method,
                                                            rule: rule_name)
@@ -64,14 +64,14 @@ module Contrast
           # @raise [Contrast::SecurityException] on block, will pass the
           #   exception from the rule
           def invoke _method, _exception, _properties, _object, _args
-            raise NoMethodError, 'This is abstract, override it.'
+            raise(NoMethodError, 'This is abstract, override it.')
           end
 
           # The name of the rule, as expected by the Contrast Service and Contrast UI.
           #
           # @return [String]
           def rule_name
-            raise NoMethodError, 'This is abstract, override it.'
+            raise(NoMethodError, 'This is abstract, override it.')
           end
 
           # The rule for which this applicator applies. It'll be a concrete
@@ -80,7 +80,7 @@ module Contrast
           #
           # @return [Contrast::Agent::Protect::Rule::Base]
           def rule
-            ::Contrast::PROTECT.rule rule_name
+            ::Contrast::PROTECT.rule(rule_name)
           end
 
           # Should we skip analysis for this rule for this method invocation?

data/lib/contrast/agent/protect/rule/base.rb

@@ -180,13 +180,13 @@ module Contrast
           # @param attack [Symbol] the type of message we want to send
           # @param value [String] the input value we want to log
           def cef_logging result, attack = :ineffective_attack, value = nil
-            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash result.samples[0]
-            outcome = if result.response.cs__is_a? Hash
+            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0])
+            outcome = if result.response.cs__is_a?(Hash)
                         Contrast::Agent::Reporting::ResponseType.cs__const_get(result.response[:name])
                       else
                         Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
                       end
-            input_type = extract_input_type sample_to_json[:user_input].input_type
+            input_type = extract_input_type(sample_to_json[:user_input].input_type)
             input_value = value || sample_to_json[:user_input].value
             cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
           end
@@ -231,7 +231,7 @@ module Contrast
           # @param _kwargs [Hash] key-value pairs used by the rule to build a
           #   report.
           def find_attacker _context, _potential_attack_string, **_kwargs
-            raise NoMethodError, "Rule #{ rule_name } did not implement find_attack"
+            raise(NoMethodError, "Rule #{ rule_name } did not implement find_attack")
           end
 
           def update_successful_attack_response context, ia_result, result, attack_string = nil
@@ -248,6 +248,13 @@ module Contrast
             result
           end
 
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+          #   analysis of the input that was determined to be an attack
+          # @param result [Contrast::Api::Dtm::AttackResult] previous
+          #   attack result for this rule, if one exists, in the case of
+          #   multiple inputs being found to violate the protection criteria
           def update_perimeter_attack_response context, ia_result, result
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
               result.response = if blocked_rule?(ia_result)
@@ -257,7 +264,7 @@ module Contrast
                                 end
               log_rule_matched(context, ia_result, result.response)
             elsif ia_result.nil? || ia_result.attack_count.zero?
-              result.response = assign_reporter_response_type ia_result
+              result.response = assign_reporter_response_type(ia_result)
               log_rule_probed(context, ia_result)
             end
 
@@ -320,7 +327,7 @@ module Contrast
           # @param enum [Enumerable]
           # @return [Symbol]
           def extract_input_type enum
-            Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag enum
+            Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag(enum)
           end
 
           private
@@ -339,21 +346,26 @@ module Contrast
                                                                 name: ia_result&.key, input: ia_result&.value)
           end
 
-          # Handles the Response type for different Protect rules.
-          # Some rules need to report SUSPICIOUS over PROBED in
+          # Some rules are reported as suspicious, rather than exploited or probed, b/c they don't actually follow
+          # input tracing or other detection types that provide enough confidnece for a determination.
+          #
+          # @param ia_result
+          # @return [Boolean]
+          def suspicious_rule? ia_result
+            [
+              Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
+              Contrast::Agent::Protect::Rule::Xss::NAME
+            ].include?(ia_result&.rule_id)
+          end
+
+          # Handles the Response type for different Protect rules. Some rules need to report SUSPICIOUS over PROBED in
           # MONITORED mode.
           #
-          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis]
-          # @return [Contrast::Agent::Reporting::ResponseType,
-          # Contrast::Api::Dtm::AttackResult::ResponseType]
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          #   determined to be an attack
           def assign_reporter_response_type ia_result
-            if (ia_result&.rule_id == Contrast::Agent::Protect::Rule::Xss::NAME ||
-                  Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME) &&
-                  Contrast::CONTRAST_SERVICE.use_agent_communication?
-
-              # Here we'll have xss or unsafe file upload in monitoring mode
-              # and we have to report it as SUSPICIOUS, not as PROBED.
-              Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
+            if suspicious_rule?(ia_result) && Contrast::CONTRAST_SERVICE.use_agent_communication?
+              Contrast::Api::Dtm::AttackResult::ResponseType::SUSPICIOUS
             else
               Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
             end