contrast-agent 6.6.3 → 6.7.0

data/lib/contrast/agent/middleware.rb

@@ -180,7 +180,6 @@ module Contrast
           else
             request_handler.ruleset.postfilter
             request_handler.report_activity
-            request_handler.send_activity_messages # TODO: RUBY-1438 -- remove
           end
         end
       # unsuccessful attack

data/lib/contrast/agent/protect/policy/applies_command_injection_rule.rb

@@ -33,6 +33,10 @@ module Contrast
               clazz = object.is_a?(Module) ? object : object.cs__class
               class_name = clazz.cs__name
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
+              # invoke cmdi sub-rules.
+              rule.sub_rules.each do |sub_rule|
+                sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, class_name, method, command)
+              end
             end
 
             protected

data/lib/contrast/agent/protect/policy/applies_sqli_rule.rb

@@ -30,6 +30,7 @@ module Contrast
 
               sql = args[index]
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, database, sql)
+              rule.sub_rules.each { |sub_rule| sub_rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, sql) }
             end
 
             protected

data/lib/contrast/agent/protect/rule/base.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/utils/object_share'
 require 'contrast/api/decorators/response_type'
 
 module Contrast
@@ -34,6 +35,11 @@ module Contrast
                                                Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED,
                                                Contrast::Api::Dtm::AttackResult::ResponseType::MONITORED
                                              ]).cs__freeze
+          SUSPICIOUS_REPORTING_RULES = %w[
+            unsafe-file-upload
+            reflected-xss
+            sql-injection-semantic-dangerous-functions
+          ].cs__freeze
 
           attr_reader :mode
 
@@ -47,6 +53,12 @@ module Contrast
             cs__class.cs__name
           end
 
+          # Should return list of all sub_rules.
+          # Extend for each main rule any sub-rules.
+          def sub_rules
+            Contrast::Utils::ObjectShare::EMPTY_ARRAY
+          end
+
           def enabled?
             # 1. it is not enabled because protect is not enabled
             return false unless ::Contrast::AGENT.enabled?
@@ -169,9 +181,9 @@ module Contrast
           #
           # @param context [Contrast::Agent::RequestContext] the context of the
           #   request in which this input is evaluated.
-          # @param result [Contrast::Api::Dtm::AttackResult]
+          # @param result [Contrast::Agent::Reporting::AttackResult]
           def append_to_activity context, result
-            context.activity.results << result if result
+            context.activity.attach_defend(result) if result
           end
 
           # With this we log to CEF
@@ -179,15 +191,11 @@ module Contrast
           # @param result [Contrast::Api::Dtm::AttackResult]
           # @param attack [Symbol] the type of message we want to send
           # @param value [String] the input value we want to log
-          def cef_logging result, attack = :ineffective_attack, value = nil
-            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash(result.samples[0])
-            outcome = if result.response.cs__is_a?(Hash)
-                        Contrast::Agent::Reporting::ResponseType.cs__const_get(result.response[:name])
-                      else
-                        Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
-                      end
-            input_type = extract_input_type(sample_to_json[:user_input].input_type)
-            input_value = value || sample_to_json[:user_input].value
+          def cef_logging result, attack = :ineffective_attack, value: nil
+            sample = result.samples[0]
+            outcome = result.response.to_s
+            input_type = sample.user_input.input_type.to_s
+            input_value = sample.user_input.value || value
             cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
           end
 
@@ -219,6 +227,12 @@ module Contrast
             for_rule.any? { |ex| ex.match_code?(stack) }
           end
 
+          # @param context [Contrast::Agent::RequestContext] the context of the
+          #   request in which this input is evaluated.
+          def protect_excluded_by_url? context
+            Contrast::SETTINGS.excluder.protect_excluded_by_url?(context.request)
+          end
+
           # By default, rules do not have to find attackers as they do not have
           # Input Analysis. Any attack for the standard rule will be evaluated
           # at execution time. As such, those rules are expected to implement
@@ -238,9 +252,14 @@ module Contrast
           def update_successful_attack_response context, ia_result, result, attack_string = nil
             case mode
             when Contrast::Api::Settings::ProtectionRule::Mode::MONITOR
-              result.response = Contrast::Api::Dtm::AttackResult::ResponseType::MONITORED
+              # We are checking the result as the ia_result would not contain the sub-rules.
+              result.response = if SUSPICIOUS_REPORTING_RULES.include?(result&.rule_id)
+                                  Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
+                                else
+                                  Contrast::Agent::Reporting::ResponseType::MONITORED
+                                end
             when Contrast::Api::Settings::ProtectionRule::Mode::BLOCK
-              result.response = Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
+              result.response = Contrast::Agent::Reporting::ResponseType::BLOCKED
             end
 
             ia_result.attack_count = ia_result.attack_count + 1 if ia_result
@@ -259,9 +278,9 @@ module Contrast
           def update_perimeter_attack_response context, ia_result, result
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
               result.response = if blocked_rule?(ia_result)
-                                  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
+                                  Contrast::Agent::Reporting::ResponseType::BLOCKED
                                 else
-                                  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
+                                  Contrast::Agent::Reporting::ResponseType::BLOCKED_AT_PERIMETER
                                 end
               log_rule_matched(context, ia_result, result.response)
             elsif ia_result.nil? || ia_result.attack_count.zero?
@@ -276,13 +295,16 @@ module Contrast
           #
           # @param _context [Contrast::Agent::RequestContext] the context of
           #   the current request
-          # @return [Contrast::Api::Dtm::AttackResult]
+          # @return [Contrast::Agent::Reporting::AttackResult]
           def build_attack_result _context
-            result = Contrast::Api::Dtm::AttackResult.new
+            result = Contrast::Agent::Reporting::AttackResult.new
             result.rule_id = rule_name
             result
           end
 
+          # @param sample [Contrast::Agent::Reporting::RaspRuleSample]
+          # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
+          #   in the case of multiple inputs being found to violate the protection criteria
           def append_stack sample, result
             return unless sample
             return unless STACK_COLLECTION_RESULTS.include?(result&.response)
@@ -293,6 +315,16 @@ module Contrast
             sample.stack_trace_elements += stack
           end
 
+          # @param context [Contrast::Agent::RequestContext] the context of the request in which this input is
+          #   evaluated.
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          #   determined to be an attack
+          # @param result [Contrast::Api::Dtm::AttackResult, nil] previous attack result for this rule, if one exists,
+          #   in the case of multiple inputs being found to violate the protection criteria
+          # @param candidate_string [String] the value of the input which may be an attack
+          # @param kwargs [Hash] key - value pairs of context individual rules
+          #   need to build out details to send to the Service to tell the
+          #   story of the attack
           def append_sample context, ia_result, result, candidate_string, **kwargs
             return unless result
 
@@ -306,12 +338,23 @@ module Contrast
 
           # Override if rule can make use of the candidate string or kwargs to
           # build rasp rule sample.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          #   determined to be an attack
+          # @param _candidate_string [String] potential attack value/ input containing attack value
+          # @param _kwargs [Hash]
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
           def build_sample context, ia_result, _candidate_string, **_kwargs
             build_base_sample(context, ia_result)
           end
 
+          # @param context [Contrast::Agent::RequestContext]
+          # @param ia_result [Contrast::Api::Settings::InputAnalysisResult] the analysis of the input that was
+          #   determined to be an attack
+          # @return [Contrast::Agent::Reporting::RaspRuleSample]
           def build_base_sample context, ia_result
-            Contrast::Api::Dtm::RaspRuleSample.build(context, ia_result)
+            Contrast::Agent::Reporting::RaspRuleSample.build(context, ia_result)
           end
 
           def log_rule_matched _context, ia_result, response, _matched_string = nil
@@ -353,10 +396,7 @@ module Contrast
           # @param ia_result
           # @return [Boolean]
           def suspicious_rule? ia_result
-            [
-              Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME,
-              Contrast::Agent::Protect::Rule::Xss::NAME
-            ].include?(ia_result&.rule_id)
+            SUSPICIOUS_REPORTING_RULES.include?(ia_result&.rule_id)
           end
 
           # Handles the Response type for different Protect rules. Some rules need to report SUSPICIOUS over PROBED in
@@ -366,9 +406,9 @@ module Contrast
           #   determined to be an attack
           def assign_reporter_response_type ia_result
             if suspicious_rule?(ia_result) && Contrast::CONTRAST_SERVICE.use_agent_communication?
-              Contrast::Api::Dtm::AttackResult::ResponseType::SUSPICIOUS
+              Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
             else
-              Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
+              Contrast::Agent::Reporting::ResponseType::PROBED
             end
           end
         end

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -29,6 +29,7 @@ module Contrast
                                 end
 
             return false if protect_excluded_by_code?
+            return false if protect_excluded_by_url?(context)
 
             true
           end

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -6,40 +6,36 @@ require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/object_share'
 require 'contrast/components/logger'
 require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/cmdi/cmdi_base_rule'
+require 'contrast/agent/protect/rule/cmdi/cmdi_backdoors'
 
 module Contrast
   module Agent
     module Protect
       module Rule
         # The Ruby implementation of the Protect Command Injection rule.
-        class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
+        class CmdInjection < Contrast::Agent::Protect::Rule::CmdiBaseRule
           include Contrast::Components::Logger::InstanceMethods
           include Contrast::Agent::Reporting::InputType
-
           NAME = 'cmd-injection'
-          CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
-          APPLICABLE_USER_INPUTS = [
-            BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
-            PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
-            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
-          ].cs__freeze
-
-          class << self
-            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
-            # @return [Hash] the details for this specific rule
-            def extract_details attack_sample
-              {
-                  command: attack_sample.cmdi.command,
-                  startIndex: attack_sample.cmdi.start_idx,
-                  endIndex: attack_sample.cmdi.end_idx
-              }
-            end
-          end
+          SUB_RULES = [Contrast::Agent::Protect::Rule::CmdiBackdoors.new].cs__freeze
 
           def rule_name
             NAME
           end
 
+          def sub_rules
+            SUB_RULES
+          end
+
+          # CMDI infilter:
+          #
+          # @param context [Contrast::Agent::RequestContext] current request context
+          # @param classname [String] Name of the class
+          # @param method [String] name of the method triggering the rule
+          # @param command [String] potential dangerous command executed.
+          # @raise [Contrast::SecurityException] if the rule mode is set
+          # to BLOCK and valid cdmi is detected.
           def infilter context, classname, method, command
             return unless infilter?(context)
 
@@ -62,90 +58,8 @@ module Contrast
 
             return unless blocked?
 
-            raise(Contrast::SecurityException.new(self,
-                                                  'Command Injection rule triggered. '\
-                                                  "Call to #{ classname }.#{ method } blocked."))
-          end
-
-          def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
-            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
-                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
-
-              return result
-            end
-
-            result ||= build_attack_result(context)
-            update_successful_attack_response(context, input_analysis_result, result, candidate_string)
-            append_sample(context, input_analysis_result, result, candidate_string, **kwargs)
-            result
-          end
-
-          protected
-
-          # Because results are not necessarily on the context across
-          # processes; extract early and pass into the method
-          def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
-            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
-            result = super(context, potential_attack_string, ia_results, **kwargs)
-            if result.nil? && potential_attack_string
-              result = find_probable_attacker(context, potential_attack_string, ia_results, **kwargs)
-            end
-            result
-          end
-
-          # Build a subclass of the RaspRuleSample using the query string and the
-          # evaluation
-          def build_sample context, input_analysis_result, candidate_string, **_kwargs
-            sample = build_base_sample(context, input_analysis_result)
-            sample.cmdi = Contrast::Api::Dtm::CmdInjectionDetails.new
-
-            command = candidate_string || input_analysis_result.value
-            command = Contrast::Utils::StringUtils.protobuf_safe_string(command)
-            sample.cmdi.command = command
-            sample.cmdi.end_idx = command.length
-
-            # This is a special case where the user input is UNKNOWN_USER_INPUT but
-            # we want to send the attack value
-            if input_analysis_result.nil?
-              ui = Contrast::Api::Dtm::UserInput.new
-              ui.input_type = :UNKNOWN
-              ui.value = command
-              sample.user_input = ui
-            end
-
-            sample
-          end
-
-          private
-
-          def report_command_execution context, command, **kwargs
-            return unless report_any_command_execution?
-            return if protect_excluded_by_code?
-
-            build_attack_with_match(context, nil, nil, command, **kwargs)
-          end
-
-          def find_probable_attacker context, potential_attack_string, ia_results, **kwargs
-            return unless chained_command?(potential_attack_string)
-
-            likely_attacker = ia_results.find { |input_analysis_result| chained_command?(input_analysis_result.value) }
-            return unless likely_attacker
-
-            build_attack_with_match(context, likely_attacker, nil, potential_attack_string, **kwargs)
-          end
-
-          def chained_command? command
-            CHAINED_COMMAND_CHARS.match(command)
-          end
-
-          # Part of the Hardening for Command Injection detection is the
-          # ability to detect and prevent any command execution from within the
-          # application. This check determines if that hardening has been
-          # enabled.
-          # @return [Boolean] if the agent should report all command
-          #   executions.
-          def report_any_command_execution?
-            ::Contrast::PROTECT.report_any_command_execution?
+            # Raise cmdi error
+            raise_error(classname, method)
           end
         end
       end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_backdoors.rb

@@ -0,0 +1,129 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/protect/rule/base_service'
+require 'contrast/agent/request_context'
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/cmdi/cmdi_base_rule'
+require 'contrast/agent/protect/rule/cmd_injection'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect Command Injection Command
+        # Backdoors sub-rule.
+        class CmdiBackdoors < Contrast::Agent::Protect::Rule::CmdiBaseRule
+          NAME = 'cmd-injection-command-backdoors'
+          MATCHES = %w[/bin/bash-c /bin/sh-c sh-c bash-c].cs__freeze
+
+          def rule_name
+            NAME
+          end
+
+          # CMDI Backdoors infilter:
+          # This rule does not have input classification.
+          # If a value matches the CMDI applicable input types and it's length is > 2
+          # we can check if it's used as command backdoors.
+          #
+          # @param context [Contrast::Agent::RequestContext] current request contest
+          # @param classname [String] Name of the class
+          # @param method [String] name of the method triggering the rule
+          # @param command [String] potential dangerous command executed.
+          # @raise [Contrast::SecurityException] if the rule mode ise set
+          # to BLOCK and valid cdmi is detected.
+          def infilter context, classname, method, command
+            return unless (ia_results = gather_ia_results(context))
+            return unless backdoors_match?(command)
+            return unless (likely_attacker = match_applicable_input_type(ia_results, command))
+            return if protect_excluded_by_code?
+            return unless (result = build_attack_with_match(context, likely_attacker, nil, command,
+                                                            **{ classname: classname, method: method }))
+
+            append_to_activity(context, result)
+            cef_logging(result, :successful_attack)
+            return unless blocked?
+
+            raise_error(classname, method)
+          end
+
+          # @param context [Contrast::Agent::RequestContext]
+          def infilter? context
+            return false unless enabled?
+            # This rule does not have input tracing stage so we need to check the results of
+            # the main rule instead.
+            return false unless context&.speedracer_input_analysis&.results&.any? do |result|
+              result.rule_id == Contrast::Agent::Protect::Rule::CmdInjection::NAME
+            end
+
+            return false if protect_excluded_by_code?
+
+            true
+          end
+
+          protected
+
+          # Used to customize the raised error message.
+          #
+          # @param classname [String] Name of the class
+          # @param method [String] name of the method triggering the rule
+          # @raise [Contrast::SecurityException]
+          def raise_error classname, method
+            raise(Contrast::SecurityException.new(self,
+                                                  'Command Injection Command Backdoor rule triggered. '\
+                                                  "Call to #{ classname }.#{ method } blocked."))
+          end
+
+          private
+
+          # Check to see if value is backdoor match
+          #
+          # @param potential_attack_string [String]
+          def backdoors_match? potential_attack_string
+            return false unless potential_attack_string && potential_attack_string.length > 2
+            return false unless matches_shell_parameter?(potential_attack_string)
+
+            true
+          end
+
+          # Checks to see if input is used as parameter for a shell cmd.
+          #
+          # @param cmd [String]
+          # @return [Boolean]
+          def matches_shell_parameter? cmd
+            normalize_cmd = cmd.delete(Contrast::Utils::ObjectShare::SPACE)
+            MATCHES.each do |match|
+              return true if normalize_cmd.include?(match)
+            end
+            false
+          end
+
+          # Check to see if the user input is one of the applicable types.
+          # With Agent_ia if we are here and CMDI is being analyzed then
+          # the applicable input type is already checked before input
+          # classification. Only thing left is the match check.
+          #
+          # @param ia_results [Contrast::Api::Settings::InputAnalysisResult] gathered results
+          # @param cmd [String] potential attack vector
+          # @return [Contrast::Api::Settings::InputAnalysisResult, nil] matched input_type
+          def match_applicable_input_type ia_results, cmd
+            ia_results.each do |ia_result|
+              return ia_result if ia_result.value == cmd
+            end
+            nil
+          end
+
+          # Backdoors does not have input classification so we check for match within the
+          # result for the main rule - CMDI.
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          def gather_ia_results context
+            context.speedracer_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == Contrast::Agent::Protect::Rule::CmdInjection::NAME
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_base_rule.rb

@@ -0,0 +1,169 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/details/cmd_injection_details'
+require 'contrast/agent/reporting/attack_result/user_input'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # The Ruby implementation of the Protect Command Injection Semantic
+        # Dangerous Path sub-rule. This rule should report
+        class CmdiBaseRule < Contrast::Agent::Protect::Rule::BaseService
+          include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Agent::Reporting::InputType
+
+          CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
+            PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
+            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
+          ].cs__freeze
+
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  command: attack_sample.cmdi.command,
+                  startIndex: attack_sample.cmdi.start_idx,
+                  endIndex: attack_sample.cmdi.end_idx
+              }
+            end
+          end
+
+          # CMDI infilter:
+          #
+          # @param context [Contrast::Agent::RequestContext] current request contest
+          # @param classname [String] Name of the class
+          # @param method [String] name of the method triggering the rule
+          # @param command [String] potential dangerous command executed.
+          # @raise [Contrast::SecurityException] if the rule mode ise set
+          # to BLOCK and valid cdmi is detected.
+          def infilter context, classname, method, command
+            if ::Contrast::APP_CONTEXT.in_new_process?
+              logger.trace('Running cmd-injection infilter within new process - creating new context')
+              context = Contrast::Agent::RequestContext.new(context.request.rack_request)
+              Contrast::Agent::REQUEST_TRACKER.update_current_context(context)
+            end
+            return unless infilter?(context)
+
+            result = find_attacker_with_results(context, command, nil, **{ classname: classname, method: method })
+            result ||= report_command_execution(context, command, **{ classname: classname, method: method })
+            return unless result
+
+            append_to_activity(context, result)
+            cef_logging(result, :successful_attack)
+            return unless blocked?
+
+            raise_error(classname, method)
+          end
+
+          def build_attack_with_match(context,
+                                      input_analysis_result,
+                                      result,
+                                      candidate_string,
+                                      **kwargs)
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+              return result
+            end
+
+            result ||= build_attack_result(context)
+            update_successful_attack_response(context, input_analysis_result, result, candidate_string)
+            append_sample(context, input_analysis_result, result, candidate_string, **kwargs)
+            result
+          end
+
+          protected
+
+          # Used to customize the raised error message.
+          #
+          # @param classname [String] Name of the class
+          # @param method [String] name of the method triggering the rule
+          # @raise [Contrast::SecurityException]
+          def raise_error classname, method
+            raise(Contrast::SecurityException.new(self,
+                                                  'Command Injection Rule triggered. '\
+                                                  "Call to #{ classname }.#{ method } blocked."))
+          end
+
+          # Allows for the InputAnalysis from service to be extracted early.
+          # Because results are not necessarily on the context across
+          # processes; extract early and pass into the method
+          #
+          # @param context [Contrast::Agent::RequestContext]
+          # @param potential_attack_string [String, nil]
+          # @param ia_results [Array<Contrast::Api::Settings::InputAnalysis>]
+          # @param **kwargs
+          # @return [Contrast::Api::Dtm::AttackResult, nil]
+          def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
+            logger.trace('Checking vectors for attacks', rule: rule_name, input: potential_attack_string)
+            result = super(context, potential_attack_string, ia_results, **kwargs) if ia_results
+            if result.nil? && potential_attack_string
+              result = find_probable_attacker(context, potential_attack_string, ia_results, **kwargs)
+            end
+            result
+          end
+
+          # Build a subclass of the RaspRuleSample using the query string and the
+          # evaluation
+          def build_sample context, input_analysis_result, candidate_string, **_kwargs
+            sample = build_base_sample(context, input_analysis_result)
+            sample.details = Contrast::Agent::Reporting::Details::CmdInjectionDetails.new
+
+            command = candidate_string || input_analysis_result.value
+            command = Contrast::Utils::StringUtils.protobuf_safe_string(command)
+            sample.details.cmd = command
+            sample.details.end_idx = command.length
+
+            # This is a special case where the user input is UNKNOWN_USER_INPUT but
+            # we want to send the attack value
+            if input_analysis_result.nil?
+              ui = Contrast::Agent::Reporting::UserInput.new
+              ui.input_type = :UNKNOWN
+              ui.value = command
+              sample.user_input = ui
+            end
+
+            sample
+          end
+
+          private
+
+          def report_command_execution context, command, **kwargs
+            return unless report_any_command_execution?
+            return if protect_excluded_by_code?
+
+            build_attack_with_match(context, nil, nil, command, **kwargs)
+          end
+
+          def find_probable_attacker context, potential_attack_string, ia_results, **kwargs
+            return unless chained_command?(potential_attack_string)
+
+            likely_attacker = ia_results.find { |input_analysis_result| chained_command?(input_analysis_result.value) }
+            return unless likely_attacker
+
+            build_attack_with_match(context, likely_attacker, nil, potential_attack_string, **kwargs)
+          end
+
+          def chained_command? command
+            CHAINED_COMMAND_CHARS.match(command)
+          end
+
+          # Part of the Hardening for Command Injection detection is the
+          # ability to detect and prevent any command execution from within the
+          # application. This check determines if that hardening has been
+          # enabled.
+          # @return [Boolean] if the agent should report all command
+          #   executions.
+          def report_any_command_execution?
+            ::Contrast::PROTECT.report_any_command_execution?
+          end
+        end
+      end
+    end
+  end
+end