contrast-agent 6.1.0 → 6.1.1

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -20,131 +20,131 @@ module Contrast
       # InputAnalyzer will extract input form current request context and will analyze it.
       # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
       module InputAnalyzer
-        DISPOSITION_NAME = 'name'
-        DISPOSITION_FILENAME = 'filename'
-
-        class << self
-          include Contrast::Agent::Reporting::InputType
-          include Contrast::Agent::Reporting::ScoreLevel
-          include Contrast::Agent::Protect::Rule::SqliWorthWatching
-          include Contrast::Utils::ObjectShare
-          include Contrast::Agent::Protect::Rule::CmdiWorthWatching
-
-          PROTECT_RULES = {
-              sqli: {
-                  rule_name: 'sql-injection',
-                  classification: Contrast::Agent::Protect::Rule::SqliInputClassification
-              },
-              cmdi: {
-                  rule_name: 'cmd-injection',
-                  classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
-              },
-              method_tampering: {
-                  rule_name: 'method-tampering',
-                  classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
-              },
-              unsafe_file_upload: {
-                  rule_name: 'unsafe-file-upload',
-                  classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
-              },
-              nosqli: {
-                  rule_name: 'nosql-injection',
-                  classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
-              }
-          }.cs__freeze
-
-          # This method with analyze the user input from the context of the
-          # current request and run each of the protect rules against all
-          # found input types
-          #
-          # @param request [Contrast::Agent::Request] current request context.
-          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-          def analyse request
-            return unless Contrast::PROTECT.enabled?
-            return if request.nil?
-
-            inputs = extract_input request
-            return unless inputs
-
-            input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
-            input_analysis.request = request
-            # each rule against each input
-            input_classification inputs, input_analysis
-            input_analysis
-          end
-
-          private
-
-          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
-          #
-          # @param inputs [String, Array<String>] user input to be analysed.
-          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
-          #                                                       for each protect rule.
-          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
-          def input_classification inputs, input_analysis
-            # key = input type, value = user_input
-            inputs.each do |input_type, value|
-              next if value.nil? || value.empty?
-
-              PROTECT_RULES.each do |_key, rule|
-                protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
-                logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
-
-                # check if rule is enabled
-                next unless protect_rule&.enabled?
-
-                # method tampering doesn't take value
-                if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
-                  rule[:classification].send(:classify, input_type, input_analysis)
-                else
-                  rule[:classification].send(:classify, input_type, value, input_analysis)
-                end
-              end
-            end
-            input_analysis
-          end
-
-          # Extract the inputs from the request context and label them with Protect
-          # input type tags. Each tag will contain one or more user inputs.
-          #
-          # This methods is to be expanded and modified as needed by other Protect rules
-          # and sub-rules for their requirements.
-          #
-          # @param request [Contrast::Agent::Request] current request context.
-          # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-          def extract_input request
-            inputs = {}
-            inputs[BODY] = request.body
-            inputs[COOKIE_NAME] = request.cookies.keys
-            inputs[COOKIE_VALUE] = request.cookies.values
-            inputs[HEADER] = request.headers
-            inputs[PARAMETER_NAME] = request.parameters.keys
-            inputs[PARAMETER_VALUE] = request.parameters.values
-            inputs[QUERYSTRING] = request.query_string
-            inputs[METHOD] = request.request_method
-            extract_multipart inputs, request
-            inputs.compact!
-            inputs
-          end
-
-          # Extract the filename and name of the  Content Disposition Header.
-          #
-          # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
-          # @param request [Contrast::Agent::Request] current request context.
-          def extract_multipart inputs, request
-            disposition = request.rack_request.env['Content-Disposition']
-            disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
-            return unless disposition
-
-            pairs = {}
-            disposition.split(SEMICOLON).each do |elem|
-              new_pair = elem.strip.split(EQUALS, 2)
-              pairs[new_pair[0].downcase] = new_pair[1] if new_pair
-            end
-            inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
-            inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
-          end
-        end
+        # DISPOSITION_NAME = 'name'
+        # DISPOSITION_FILENAME = 'filename'
+        #
+        # class << self
+        #   include Contrast::Agent::Reporting::InputType
+        #   include Contrast::Agent::Reporting::ScoreLevel
+        #   include Contrast::Agent::Protect::Rule::SqliWorthWatching
+        #   include Contrast::Utils::ObjectShare
+        #   include Contrast::Agent::Protect::Rule::CmdiWorthWatching
+        #
+        #   PROTECT_RULES = {
+        #       sqli: {
+        #           rule_name: 'sql-injection',
+        #           classification: Contrast::Agent::Protect::Rule::SqliInputClassification
+        #       },
+        #       cmdi: {
+        #           rule_name: 'cmd-injection',
+        #           classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
+        #       },
+        #       method_tampering: {
+        #           rule_name: 'method-tampering',
+        #           classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
+        #       },
+        #       unsafe_file_upload: {
+        #           rule_name: 'unsafe-file-upload',
+        #           classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
+        #       },
+        #       nosqli: {
+        #           rule_name: 'nosql-injection',
+        #           classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
+        #       }
+        #   }.cs__freeze
+        #
+        #   # This method with analyze the user input from the context of the
+        #   # current request and run each of the protect rules against all
+        #   # found input types
+        #   #
+        #   # @param request [Contrast::Agent::Request] current request context.
+        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+        #   def analyse request
+        #     return unless Contrast::PROTECT.enabled?
+        #     return if request.nil?
+        #
+        #     inputs = extract_input request
+        #     return unless inputs
+        #
+        #     input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
+        #     input_analysis.request = request
+        #     # each rule against each input
+        #     input_classification inputs, input_analysis
+        #     input_analysis
+        #   end
+        #
+        #   private
+        #
+        #   # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
+        #   #
+        #   # @param inputs [String, Array<String>] user input to be analysed.
+        #   # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+        #   #                                                       for each protect rule.
+        #   # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+        #   def input_classification inputs, input_analysis
+        #     # key = input type, value = user_input
+        #     inputs.each do |input_type, value|
+        #       next if value.nil? || value.empty?
+        #
+        #       PROTECT_RULES.each do |_key, rule|
+        #         protect_rule = Contrast::PROTECT.rule(rule[:rule_name])
+        #         logger.debug("Rule #{ rule[:rule_name] } not recognised in Protect rules") if protect_rule.nil?
+        #
+        #         # check if rule is enabled
+        #         next unless protect_rule&.enabled?
+        #
+        #         # method tampering doesn't take value
+        #         if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+        #           rule[:classification].send(:classify, input_type, input_analysis)
+        #         else
+        #           rule[:classification].send(:classify, input_type, value, input_analysis)
+        #         end
+        #       end
+        #     end
+        #     input_analysis
+        #   end
+        #
+        #   # Extract the inputs from the request context and label them with Protect
+        #   # input type tags. Each tag will contain one or more user inputs.
+        #   #
+        #   # This methods is to be expanded and modified as needed by other Protect rules
+        #   # and sub-rules for their requirements.
+        #   #
+        #   # @param request [Contrast::Agent::Request] current request context.
+        #   # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+        #   def extract_input request
+        #     inputs = {}
+        #     inputs[BODY] = request.body
+        #     inputs[COOKIE_NAME] = request.cookies.keys
+        #     inputs[COOKIE_VALUE] = request.cookies.values
+        #     inputs[HEADER] = request.headers
+        #     inputs[PARAMETER_NAME] = request.parameters.keys
+        #     inputs[PARAMETER_VALUE] = request.parameters.values
+        #     inputs[QUERYSTRING] = request.query_string
+        #     inputs[METHOD] = request.request_method
+        #     extract_multipart inputs, request
+        #     inputs.compact!
+        #     inputs
+        #   end
+        #
+        #   # Extract the filename and name of the  Content Disposition Header.
+        #   #
+        #   # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+        #   # @param request [Contrast::Agent::Request] current request context.
+        #   def extract_multipart inputs, request
+        #     disposition = request.rack_request.env['Content-Disposition']
+        #     disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
+        #     return unless disposition
+        #
+        #     pairs = {}
+        #     disposition.split(SEMICOLON).each do |elem|
+        #       new_pair = elem.strip.split(EQUALS, 2)
+        #       pairs[new_pair[0].downcase] = new_pair[1] if new_pair
+        #     end
+        #     inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
+        #     inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+        #   end
+        # end
       end
     end
   end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -55,9 +55,9 @@ module Contrast
             end
 
             def extract_mongo_data operation
-              if operation.cs__respond_to? :selector
+              if operation.cs__respond_to?(:selector)
                 operation.selector
-              elsif operation.cs__respond_to? :documents
+              elsif operation.cs__respond_to?(:documents)
                 operation.documents
               end
             end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -69,7 +69,7 @@ module Contrast
 
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
             rescue Contrast::SecurityException => e
-              raise e
+              raise(e)
             rescue StandardError => e
               logger.error('Error applying path traversal', e, module: object.cs__class.cs__name, method: method)
             end

data/lib/contrast/agent/protect/policy/applies_xxe_rule.rb

@@ -111,7 +111,7 @@ module Contrast
                 end
               end
             rescue Contrast::SecurityException => e
-              raise e
+              raise(e)
             rescue StandardError => e
               parser ||= Contrast::Utils::ObjectShare::UNKNOWN
               logger.error('Error applying xxe', e, module: potential_parser.cs__class.cs__name, method: method,

data/lib/contrast/agent/protect/policy/rule_applicator.rb

@@ -38,7 +38,7 @@ module Contrast
           def apply_rule method, exception, properties, object, args
             invoke(method, exception, properties, object, args)
           rescue Contrast::SecurityException => e
-            raise e
+            raise(e)
           rescue StandardError => e
             logger.error('Error applying protect rule', e, module: object.cs__class.cs__name, method: method,
                                                            rule: rule_name)
@@ -64,14 +64,14 @@ module Contrast
           # @raise [Contrast::SecurityException] on block, will pass the
           #   exception from the rule
           def invoke _method, _exception, _properties, _object, _args
-            raise NoMethodError, 'This is abstract, override it.'
+            raise(NoMethodError, 'This is abstract, override it.')
           end
 
           # The name of the rule, as expected by the Contrast Service and Contrast UI.
           #
           # @return [String]
           def rule_name
-            raise NoMethodError, 'This is abstract, override it.'
+            raise(NoMethodError, 'This is abstract, override it.')
           end
 
           # The rule for which this applicator applies. It'll be a concrete
@@ -80,7 +80,7 @@ module Contrast
           #
           # @return [Contrast::Agent::Protect::Rule::Base]
           def rule
-            ::Contrast::PROTECT.rule rule_name
+            ::Contrast::PROTECT.rule(rule_name)
           end
 
           # Should we skip analysis for this rule for this method invocation?

data/lib/contrast/agent/protect/rule/base.rb

@@ -180,13 +180,13 @@ module Contrast
           # @param attack [Symbol] the type of message we want to send
           # @param value [String] the input value we want to log
           def cef_logging result, attack = :ineffective_attack, value = nil
-            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash result.samples[0]
-            outcome = if result.response.cs__is_a? Hash
+            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0])
+            outcome = if result.response.cs__is_a?(Hash)
                         Contrast::Agent::Reporting::ResponseType.cs__const_get(result.response[:name])
                       else
                         Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
                       end
-            input_type = extract_input_type sample_to_json[:user_input].input_type
+            input_type = extract_input_type(sample_to_json[:user_input].input_type)
             input_value = value || sample_to_json[:user_input].value
             cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
           end
@@ -231,7 +231,7 @@ module Contrast
           # @param _kwargs [Hash] key-value pairs used by the rule to build a
           #   report.
           def find_attacker _context, _potential_attack_string, **_kwargs
-            raise NoMethodError, "Rule #{ rule_name } did not implement find_attack"
+            raise(NoMethodError, "Rule #{ rule_name } did not implement find_attack")
           end
 
           def update_successful_attack_response context, ia_result, result, attack_string = nil
@@ -248,6 +248,13 @@ module Contrast
             result
           end
 
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the
+          #   analysis of the input that was determined to be an attack
+          # @param result [Contrast::Api::Dtm::AttackResult] previous
+          #   attack result for this rule, if one exists, in the case of
+          #   multiple inputs being found to violate the protection criteria
           def update_perimeter_attack_response context, ia_result, result
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
               result.response = if blocked_rule?(ia_result)
@@ -257,7 +264,7 @@ module Contrast
                                 end
               log_rule_matched(context, ia_result, result.response)
             elsif ia_result.nil? || ia_result.attack_count.zero?
-              result.response = assign_reporter_response_type ia_result
+              result.response = assign_reporter_response_type(ia_result)
               log_rule_probed(context, ia_result)
             end
 
@@ -320,7 +327,7 @@ module Contrast
           # @param enum [Enumerable]
           # @return [Symbol]
           def extract_input_type enum
-            Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag enum
+            Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag(enum)
           end
 
           private
@@ -339,21 +346,26 @@ module Contrast
                                                                 name: ia_result&.key, input: ia_result&.value)
           end
 
-          # Handles the Response type for different Protect rules.
-          # Some rules need to report SUSPICIOUS over PROBED in
+          # Some rules are reported as suspicious, rather than exploited or probed, b/c they don't actually follow
+          # input tracing or other detection types that provide enough confidnece for a determination.
+          #
+          # @param ia_result
+          # @return [Boolean]
+          def suspicious_rule? ia_result
+            [
+              Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
+              Contrast::Agent::Protect::Rule::Xss::NAME
+            ].include?(ia_result&.rule_id)
+          end
+
+          # Handles the Response type for different Protect rules. Some rules need to report SUSPICIOUS over PROBED in
           # MONITORED mode.
           #
-          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis]
-          # @return [Contrast::Agent::Reporting::ResponseType,
-          # Contrast::Api::Dtm::AttackResult::ResponseType]
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          #   determined to be an attack
           def assign_reporter_response_type ia_result
-            if (ia_result&.rule_id == Contrast::Agent::Protect::Rule::Xss::NAME ||
-                  Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME) &&
-                  Contrast::CONTRAST_SERVICE.use_agent_communication?
-
-              # Here we'll have xss or unsafe file upload in monitoring mode
-              # and we have to report it as SUSPICIOUS, not as PROBED.
-              Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
+            if suspicious_rule?(ia_result) && Contrast::CONTRAST_SERVICE.use_agent_communication?
+              Contrast::Api::Dtm::AttackResult::ResponseType::SUSPICIOUS
             else
               Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
             end

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -21,18 +21,23 @@ module Contrast
             'Contrast Security Protect Rule Triggered. Response blocked.'
           end
 
+          # @param context [Contrast::Agent::RequestContext]
           def infilter? context
-            return false unless context&.speedracer_input_analysis&.results
             return false unless enabled?
+            return false unless context&.speedracer_input_analysis&.results&.any? do |result|
+                                  result.rule_id == rule_name
+                                end
+
             return false if protect_excluded_by_code?
 
             true
           end
 
           # Override for rules that need the response
-          # Currently postfilter can be applied to streamed responses,
-          # if any logic within postfilter changes to modify the response
-          # streamed responses will break
+          # Currently postfilter can be applied to streamed responses, if any logic within postfilter changes to modify
+          # the response streamed responses will break
+          # @param context [Contrast::Agent::RequestContext]
+          # @raise [Contrast::SecurityException]
           def postfilter context
             return unless enabled? && POSTFILTER_MODES.include?(mode)
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
@@ -44,27 +49,38 @@ module Contrast
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
 
-            cef_logging result
+            cef_logging(result)
             append_to_activity(context, result)
             return unless result.response == :BLOCKED
 
-            raise Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked.")
+            raise(Contrast::SecurityException.new(self, "#{ rule_name } triggered in postfilter. Response blocked."))
           end
 
           protected
 
+          # @param context [Contrast::Agent::RequestContext]
+          # @return [Array<Contrast::Api::Settings::InputAnalysis>]
           def gather_ia_results context
             context.speedracer_input_analysis.results.select do |ia_result|
               ia_result.rule_id == rule_name
             end
           end
 
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @param **kwargs
+          # @return [Contrast::Api::Dtm::AttackResult]
           def find_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end
 
           # Allows for the InputAnalysis from service to be extracted early
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @param ia_results [Array<Contrast::Api::Settings::InputAnalysis>]
+          # @param **kwargs
+          # @return [Contrast::Api::Dtm::AttackResult, nil]
           def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
             logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
 
@@ -84,17 +100,18 @@ module Contrast
 
           private
 
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @return [Contrast::Api::Dtm::AttackResult, nil]
           def find_postfilter_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             ia_results.select! do |ia_result|
-              ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME ||
-                    ia_result.rule_id == Contrast::Agent::Protect::Rule::CmdInjection::NAME
-
-                                         Contrast::Agent::Reporting::ScoreLevel::WORTHWATCHING
-                                       else
-                                         # legacy implementation for DEFINITEATATACK
-                                         Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
-                                       end
+              required_level = if ia_result.cs__is_a?(Contrast::Api::Settings::InputAnalysisResult)
+                                 Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+                               else
+                                 Contrast::Agent::Reporting::ScoreLevel::DEFINITEATTACK
+                               end
+              ia_result.score_level == required_level
             end
             find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -24,6 +24,18 @@ module Contrast
             MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
           ].cs__freeze
 
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  command: attack_sample.cmdi.command,
+                  startIndex: attack_sample.cmdi.start_idx,
+                  endIndex: attack_sample.cmdi.end_idx
+              }
+            end
+          end
+
           def rule_name
             NAME
           end
@@ -46,13 +58,13 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
-            cef_logging result, :successful_attack
+            cef_logging(result, :successful_attack)
 
             return unless blocked?
 
-            raise Contrast::SecurityException.new(self,
+            raise(Contrast::SecurityException.new(self,
                                                   'Command Injection rule triggered. '\
-                                                  "Call to #{ classname }.#{ method } blocked.")
+                                                  "Call to #{ classname }.#{ method } blocked."))
           end
 
           def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
@@ -90,6 +102,7 @@ module Contrast
             command = candidate_string || input_analysis_result.value
             command = Contrast::Utils::StringUtils.protobuf_safe_string(command)
             sample.cmdi.command = command
+            sample.cmdi.end_idx = command.length
 
             # This is a special case where the user input is UNKNOWN_USER_INPUT but
             # we want to send the attack value
@@ -134,12 +147,6 @@ module Contrast
           def report_any_command_execution?
             ::Contrast::PROTECT.report_any_command_execution?
           end
-
-          def gather_ia_results context
-            context.agent_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == rule_name
-            end
-          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb

@@ -64,15 +64,15 @@ module Contrast
             #
             # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
             def cmdi_create_new_input_result request, rule_id, input_type, value
-              ia_result = new_ia_result rule_id, input_type, request.path, value
-              if cmdi_worth_watching? value
+              ia_result = new_ia_result(rule_id, input_type, request.path, value)
+              if cmdi_worth_watching?(value)
                 ia_result.score_level = WORTHWATCHING
                 ia_result.ids << WORTHWATCHING_MATCH
               else
                 ia_result.score_level = IGNORE
               end
 
-              add_needed_key request, ia_result, input_type, value if CMDI_KEYS_NEEDED.include? input_type
+              add_needed_key(request, ia_result, input_type, value) if CMDI_KEYS_NEEDED.include?(input_type)
               ia_result
             end
           end

data/lib/contrast/agent/protect/rule/default_scanner.rb

@@ -7,6 +7,8 @@
 # @deprecated RUBY-356: this class and those that extend it are being phased out
 #   in favor of the more performant code in the Service.
 class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/ClassAndModuleChildren
+  OPERATOR_PATTERN = %r{[+=*^/%><!-]}.cs__freeze
+
   # Potential states
   # :STATE_INSIDE_TOKEN
   # :STATE_INSIDE_NUMBER
@@ -220,7 +222,6 @@ class Contrast::Agent::Protect::Rule::DefaultScanner # rubocop:disable Style/Cla
     idx
   end
 
-  OPERATOR_PATTERN = %r{[+=*^/%><!-]}.cs__freeze
   def operator? char
     char.match?(OPERATOR_PATTERN)
   end